Presentation is loading. Please wait.

Presentation is loading. Please wait.

Innovation through participation GÉANT Data Protection Code of Conduct (DP CoC) 21.6.2012 FIM for research collaboration workshop Mikael Linden,

Published byCaitlyn Marian Modified over 9 years ago

Similar presentations

Presentation on theme: "Innovation through participation GÉANT Data Protection Code of Conduct (DP CoC) 21.6.2012 FIM for research collaboration workshop Mikael Linden,"— Presentation transcript:

1 Innovation through participation GÉANT Data Protection Code of Conduct (DP CoC) 21.6.2012 FIM for research collaboration workshop Mikael Linden, Mikael.Linden@csc.fi

2 Innovation through participation Federated Identity Management for Research Collaborations Date of this version: 23rd April 2012 Common requirements “Flexible and scalable IdP attribute release policy. Different communities and indeed SPs within a community are likely to require a different set of attributes from the IdPs. The IdP policy related to the release of user attributes and the negotiation mechanism needs to be able to provide this flexibility. Bilateral negotiations between all SPs and all IdPs is not a scalable solution.” “Attributes must be able to cross national borders. Data protection considerations must allow this to happen.” Federated Identity Management for Research Collaborations Date of this version: 23rd April 2012 Common requirements “Flexible and scalable IdP attribute release policy. Different communities and indeed SPs within a community are likely to require a different set of attributes from the IdPs. The IdP policy related to the release of user attributes and the negotiation mechanism needs to be able to provide this flexibility. Bilateral negotiations between all SPs and all IdPs is not a scalable solution.” “Attributes must be able to cross national borders. Data protection considerations must allow this to happen.” The Issue

3 Innovation through participation Goal of the Data Protection Code of Conduct Ease the release of attributes from Home Organisations (HO) to Service Providers (SP) => Make it easier for end users to log into SPs (in different identity federations/countries/jurisdictions) Try to make it in a way which is sufficiently compliant with the EU data protection directive Balance the risk of non-compliance with value of easy collaboration Sharing related responsibilities between the HO and SP Remain scalable when the # of HOs and SPs grows Try to reduce Home Organisations’ hesitation to release attributes Seek for ways to avoid HOs becoming liable for SP’s misbehaviour

4 Innovation through participation The data protection risk (by the Data protection directive) A Home organisation takes a risk when it releases attributes to an SP Home organisation may become partly liable if e.g. the SP is hacked and personal data is spilled to the Internet => Home Organisations hesitate to release attributes Home organisation (IdP) Service Provider (SP) Attributes = personal data (unique ID, name, mail, eduPersonAffiliation…)

5 Innovation through participation Managing Home Organisations’ data protection risk 1. Reduce the Home Organisations risks By Data Protection Code of Conduct 2. Let the Home organisations assess the residual risk Balance the risk of data protection problems with the benefits of easy collaboration for researchers, teachers and students The Home Organisation needs to decide if the Code of Conduct provides good enough guarantees for attribute release

6 Innovation through participation Data Protection Code of Conduct approach Voluntary to SPs (but SPs have interest to sign to receive attributes) Voluntary to Home Orgs to rely on (but may ease IdP admin’s work) Nothing binds to GEANT/eduGAIN only could be used internally in a federation, too It’s not so difficult! SP Sign&publish SP Sign&publish SP Sign&publish HO Learn SP’s commitment SP Code of Conduct relating to personal data processing

7 Innovation through participation The SP Code of Conduct details https://refeds.terena.org/index.php/Code_of_Conduct_for_Service_Provi ders

8 Innovation through participation Public consultation starts now Target of the call for comments Service Providers (e.g. FIM for research collaborations) Home Organisations (represented by and the comments gathered by the identity federation operators) All material for the public consultation available in https://refeds.terena.org/index.php/Code_of_Conduct_for_Service_Providers https://refeds.terena.org/index.php/Code_of_Conduct_for_Service_Providers Code of Conduct for the Service Providers Short introduction/cover letter Template for your comments Deadline for comments: 12th of Aug, 2012

9 Innovation through participation Technical implementation using SAML2 metadata SPs MUST populate in their SAML2 metadata Mdui:DisplayName, mdui: Description, mdui:PrivacyStatementURL (Mdui:Logo is MAY) Md:RequestedAttributes (with isRequired=”true”) EntityAttribute: link to a signed copy of the Code of Conduct for SPs EntityAttribute: identifier for the SP’s jurisdiction SP’s Home Federation makes some sanity checks Links resolve to proper existing documents etc Identity federations just mediate SPs’ SAML2 metadata to the IdPs IdPs SHOULD present a GUI to inform the user of the attribute release

10 Innovation through participation Documentation supporting the Data protection Code of Conduct General documents Introduction to Data protection directive Managing data protection risks GEANT Data protection Code of Conduct Service Provider Code of Conduct (”the Document”) Privacy Policy guidelines for Service Providers What attributes are relevant for Service Providers Data protection good practice for Home Organisations Federation operator’s guidelines Handling non-compliance SAML2 profile for the Code of Conduct Notes on implementation on the inform/consent UI

11 Innovation through participation Piloting the CoC CLARIN and eduGAIN going to have a practical pilot on the Data Protection Code of Conduct Kick-off on Monday Pilot takes place in Autumn Some CLARIN SPs from several countries Some Home Organisations from several countries

12 Innovation through participation Questions?

13 Innovation through participation Backup slides

14 Innovation through participation EU Data protection directive Definitions Personal data: ” any information relating to an identified or identifiable natural person” Lawyer: assume any attribute (ePTID and even eduPersonAffiliation) counts as personal data Processing of personal data: ”any operation or set of operations on personal data, such as collection, …, dissemination,… etc” Both IdP and SP processes personal data Data Controller: organisation which alone or jointly with others determines the purposes and means of the processing of personal data IdP and SP (usually) are data controllers Federation (and interfederation) may be joint data controller

15 Innovation through participation EU Data protection directive Obligations to data controllers (1/3) Security of processing The controller must protect personal data properly Level of security depends e.g. on the sensitivity of attributes => Federation policies, use of TLS and endpoint authentication, federation operator’s practices… Purpose of processing Must be defined beforehand You must stick to that purpose => Purpose of processing in IdPs: ~to support research and education => SPs’ purpose of processing must not conflict with this

16 Innovation through participation EU Data protection directive Obligations to data controllers (2/3) Relevance of personal data Personal data processed must be adequate, relevant and not excessive SPs must request and IdPs must release only relevant attributes => md:RequestedAttribute Controller must inform the end user when attributes are released for the first time SP’s name and identity (=>mdui:Displayname, mdui:Logo) SP’s purpose (=>mdui:Description) Categories of attributes processed (=> uApprove or similar) Any other information (mdui:PrivacyStatementURL) Layered notice!

17 Innovation through participation EU Data protection directive Making data processing legitimate a. User consents, or b. Processing is necessary for performance of a contract to which the user is a subject, or c. The controller has a legal obligation to process personal data, or d. Necessary for vital interests of the user, or e. Necessary for a task carried out in public interest, or f. Necessary for the legitimate interests of the data controller Lawyer: Use (f): the SP has legitimate interests to provide service to the user When the user expresses his willingness to use the service (e.g. by clicking ”log in” link)

18 Innovation through participation Summary: EU data protection directive in very short Process personal data securely Use personal data only for a pre-defined purpose Inform the user Data minimisation (Minimal disclosure) Service Provider’s legitimate interests as the legal grounds If attributes released out of EU/EEA, some more paperwork needed We seem to be coverging on these interpretations The proposed General Data Protection Regulation does not change the big picture, but there are some updates

Download ppt "Innovation through participation GÉANT Data Protection Code of Conduct (DP CoC) 21.6.2012 FIM for research collaboration workshop Mikael Linden,"

Similar presentations

1 Long term changes to P3P Long Term Future of P3P Workshop Giles Hogben Joint Research Centre European Commission.

1 Long term changes to P3P Long Term Future of P3P Workshop Giles Hogben Joint Research Centre European Commission.
Eurostat T HE E UROPEAN PROCESS OF ENHANCING ACCESS TO E UROSTAT DATA A LEKSANDRA B UJNOWSKA E UROSTAT.

Eurostat T HE E UROPEAN PROCESS OF ENHANCING ACCESS TO E UROSTAT DATA A LEKSANDRA B UJNOWSKA E UROSTAT.
Innovation through participation Data Protection Code of Conduct (DP CoC) REFEDS Helsinki 2.10.2013 Mikael Linden, CSC – IT Center for Science

Innovation through participation Data Protection Code of Conduct (DP CoC) REFEDS Helsinki Mikael Linden, CSC – IT Center for Science
Innovation through participation eduGAIN federation operator training Operations Team, OT, how to join eduGAIN 2011-10-17/18 Valter Nordh, NORDUnet / GU.

Innovation through participation eduGAIN federation operator training Operations Team, OT, how to join eduGAIN /18 Valter Nordh, NORDUnet / GU.
The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow.

The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow.
Innovation through participation Attributes Release Working Group European data protection directive REFEDS meeting 22th Apr, 2012

Innovation through participation Attributes Release Working Group European data protection directive REFEDS meeting 22th Apr, 2012
Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.

Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.
Innovation through participation eduGAIN federation operator training eduGAIN policy eduGAIN training in Vienna 17-18 Oct 2011

Innovation through participation eduGAIN federation operator training eduGAIN policy eduGAIN training in Vienna Oct 2011
REFEDS RESEARCH AND EDUCATION (R&S) ENTITY CATEGORY NICOLE HARRIS.

REFEDS RESEARCH AND EDUCATION (R&S) ENTITY CATEGORY NICOLE HARRIS.
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.

Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.
EduGAIN Code of Conduct Workshop, 2012-02-09, Brussels GEANT eduGAIN Data Protection Code of Conduct Workshop Dieter Van Uytvanck

EduGAIN Code of Conduct Workshop, , Brussels GEANT eduGAIN Data Protection "Code of Conduct" Workshop Dieter Van Uytvanck
Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.

Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.
BoF: Federated Identity Management for Researchers David Kelsey (STFC-RAL) TNC2014, Dublin 20 May 2014.

BoF: Federated Identity Management for Researchers David Kelsey (STFC-RAL) TNC2014, Dublin 20 May 2014.
Innovation through participation Interfederation through eduGAIN - steps and challenges eduGAIN interfederation service 2012-02-27 Federated Identity Systems.

Innovation through participation Interfederation through eduGAIN - steps and challenges eduGAIN interfederation service Federated Identity Systems.
Www.geant.org AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.

AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
The ReFEDS/GÉANT Code of Conduct (CoC) An Approach to Compliance with the EU Data Protection Directive Steve Carmody April 23, 2012.

The ReFEDS/GÉANT Code of Conduct (CoC) An Approach to Compliance with the EU Data Protection Directive Steve Carmody April 23, 2012.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Identity Federation Policy Marina Vermezović, AMRES Federated Identity Technology Workshop Sofia, Bulgaria, 20. Jun 2014.

Identity Federation Policy Marina Vermezović, AMRES Federated Identity Technology Workshop Sofia, Bulgaria, 20. Jun 2014.
Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.

Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.

Similar presentations

Ads by Google