Innovation through participation: Attributes Release Working Group, European data protection directive. REFEDS meeting, 22nd Apr 2012

Presentation transcript:

Introduction
- Inform on our current progress
- Seeking use cases where SPs are outside of EU/EEA
- Summary of background and the problem space
- Proposed solution, from a lawyerish perspective: Code of Conduct

European legal system
- European Union (EU) gives Directives
  - Member States (27) implement them in national legislation
  - With some national freedom, depending on the directive
- Data protection directive (95/46/EC)
  - The most significant European law regulating attribute release between an IdP and SP
- Lawyer's legal analysis for the eduGAIN project:
- For comparison of the DP directive and FERPA, see

Definitions
- Personal data: "any information relating to an identified or identifiable natural person"
  - Lawyer: assume any attribute (ePTID and even eduPersonAffiliation) counts as personal data
- Processing of personal data: "any operation or set of operations on personal data, such as collection, …, dissemination, … etc."
  - Both IdP and SP process personal data
- Data controller: organisation which alone or jointly with others determines the purposes and means of the processing of personal data
  - IdP and SP (usually) are data controllers
  - Federation (and interfederation) may be a joint data controller

Obligations to data controllers (1/3)
- Security of processing
  - The controller must protect personal data properly
  - Level of security depends e.g. on the sensitivity of attributes
  - Sensitive = health, race, ethnic origin, religion, political opinions…
  - => Federation policies, use of TLS and endpoint authentication…
- Purpose of processing
  - Must be defined beforehand
  - You must stick to that purpose
  - => Purpose of processing in IdPs: ~to support research and education
  - => SPs' purpose of processing must not conflict with this

Obligations to data controllers (2/3)
- Relevance of personal data
  - Personal data processed must be adequate, relevant and not excessive
  - SPs must request and IdPs must release only relevant attributes (=> md:RequestedAttribute)
- Inform the end user when attributes are released for the first time
  - SP's name and identity (=> mdui:DisplayName, mdui:Logo)
  - SP's purpose (=> mdui:Description)
  - Categories of attributes processed (=> uApprove or similar)
  - Any other information (=> mdui:PrivacyStatementURL)
  - Layered notice!
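The two obligations on this slide can be checked mechanically against an SP's SAML metadata: does it request anything beyond a relevant attribute set, and does it carry the mdui elements needed for the layered notice? The script below is an added example (not from the slides or from any federation's tooling); the SP metadata and the "relevant" attribute set are constructed for illustration and represent a local policy choice.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}

# Attributes an IdP operator treats as relevant for a typical R&E service.
# Constructed policy choice for this example; the OIDs are the standard
# SAML 2.0 names of the eduPerson/LDAP attributes named in the comments.
RELEVANT = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",  # eduPersonTargetedID
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",   # eduPersonScopedAffiliation
    "urn:oid:0.9.2342.19200300.100.1.3",  # mail
}
# mdui elements the slide lists as the layered notice shown to the user
NOTICE = ["DisplayName", "Logo", "Description", "PrivacyStatementURL"]

# Constructed SP metadata (not a real entity): it asks for telephoneNumber,
# which is not in RELEVANT, and omits Logo and PrivacyStatementURL.
SAMPLE_MD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><mdui:UIInfo>
      <mdui:DisplayName xml:lang="en">Example Wiki</mdui:DisplayName>
      <mdui:Description xml:lang="en">Wiki for project members</mdui:Description>
    </mdui:UIInfo></md:Extensions>
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example Wiki</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.20"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def review_sp(metadata_xml):
    """Return (excessive_attributes, missing_notice_elements) for one SP."""
    root = ET.fromstring(metadata_xml)
    requested = [ra.get("Name") for ra in root.iterfind(".//md:RequestedAttribute", NS)]
    # Relevance check: anything requested outside the relevant set is excessive
    excessive = sorted(name for name in requested if name not in RELEVANT)
    # Notice check: local names of the mdui:UIInfo children that are present
    present = {el.tag.split("}")[1] for el in root.iterfind(".//mdui:UIInfo/*", NS)}
    missing = [tag for tag in NOTICE if tag not in present]
    return excessive, missing


if __name__ == "__main__":
    excessive, missing = review_sp(SAMPLE_MD)
    print("excessive attributes requested:", excessive)
    print("missing notice elements:", missing)
```

An IdP operator can run the same check over every SP in an aggregate before deciding what its attribute release policy should hand out.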

Criteria for making data processing legitimate (3/3)
- a. User consents (freely given, informed, specific), or
- b. Necessary for performance of a contract to which the user is a party, or
- c. Necessary for the controller's legal obligation, or
- d. Necessary for vital interests of the user, or
- e. Necessary for a task carried out in the public interest, or
- f. Necessary for the legitimate interests of the data controller
- Lawyer: use (f): the SP has legitimate interests to provide the service to the user when the user expresses his willingness to use the service by clicking the "log in" link

Attribute release to SPs outside the EU
- To release attributes outside the EU + EEA (Norway, Iceland and Liechtenstein):
  - 1. The law in the SP's country guarantees adequate data protection
    - Switzerland, Argentina, some sectoral laws in Canada, …
  - 2. The SP has voluntarily committed to good enough data protection
    - US Safe Harbour (not applicable to universities)
    - EU's model Contractual Clauses
- EU's Contractual Clauses are a bilateral contract
  - Bilaterals scale poorly if there are thousands of IdPs and SPs
- Lawyer: translate the Contractual Clauses into a multilateral agreement signed by IdPs (in the EU) and SPs (in the US)

Towards a new European data protection framework
- On 25th Jan 2012, the European Commission published a proposal for the General Data Protection Regulation
  - Repeals the Data protection directive
  - Updates, no fundamental changes
  - Applies to non-EU controllers providing services to end users in the EU
- If an SP consumes a European IdP's metadata, does it provide services to end users in the EU?