Presentation is loading. Please wait.

Presentation is loading. Please wait.

The ReFEDS/GÉANT Code of Conduct (CoC) An Approach to Compliance with the EU Data Protection Directive Steve Carmody April 23, 2012.

Published byKatrina Webster Modified over 8 years ago

Similar presentations

Presentation on theme: "The ReFEDS/GÉANT Code of Conduct (CoC) An Approach to Compliance with the EU Data Protection Directive Steve Carmody April 23, 2012."— Presentation transcript:

1 The ReFEDS/GÉANT Code of Conduct (CoC) An Approach to Compliance with the EU Data Protection Directive Steve Carmody April 23, 2012

2 Steven Carmody What is the Code of Conduct? An Approach to simplify interoperation when releasing attributes Allow IDPs and SPs to become confident that partners are operating in compliance with the EU data protection 2

3 Steven Carmody3 Goals of the Code of Conduct Make it as simple as possible for campus users to easily access remote sites requiring attributes Find an appropriate balance between risk and value for all parties. Provide suggestions to Federations, IDPs, and SPs on Business Practices that are believed to be consistent with the EU data protection directive and its interpretations. Provide suggestions that would allow interoperation between parties around the world, not just within the EU.

4 Steven Carmody4 Approach Use the EU data protection law as the starting point Develop a design that provides all parties with sufficient assurance that parties they interoperate with are meeting their privacy-related responsibilities, is able to tolerate and recover from incidents and misbehaving entities, is scaleable (avoids requiring bilateral contracts between all parties) Note -- in the absence of a contract that defines responsibilities for each party there will be non-zero risk for all parties.

5 Steven Carmody5 When you think about the EU data protection… What image comes to mind ?

6 Steven Carmody6 A Mass of Snakes ?

7 Steven Carmody7 Something about which there is no consensus ?

8 Steven Carmody8 A Opportunity to Get Away From the Office ?

9 Steven Carmody9 EU Data Protection Requirements Both parties have specific responsibilities under the Directive Both parties MAY need to be assured that the other party has met its obligations IDPs need to "implement appropriate... organizational measures" to ensure that release does not result in unlawful processing by others v1 of the CoC has been constructed so that SPs do NOT need any assurance from the IDP about what it has done

10 Steven Carmody10 The General Idea SP commits to meeting its requirements under the CoC The CoC is a set of specific operating requirements derived from the EU Data Protection Directive SP indicates this commitment in its metadata element This is self-declared by the SP (self-audit) SP only asks for attributes that are adequate, relevant and not excessive to the Service IdPs can make a decision to release attributes based on their local risk management procedures

11 Steven Carmody11 Specific Steps Both the IDP and the SP must comply with specific requirements. (Introduction to Data protection directive, section 12) The SP signs and publishes the Code of Conduct for Service Providers. If the SP is located within the EU/EEA, this does NOT impose any additional restrictions or constraints on the SP. The SP is stating that it is operating in compliance with those requirements.

12 Steven Carmody12 Specific Steps (more) The SP asks, via its SAML 2.0 metadata elements, for Attributes that are required for the legitimate operation of the SP. It indicates this legal grounds by labeling these attributes as "isRequired=true". The SP includes a prominent link on its front page to its Privacy Policy, which lists the required Attributes, and describes how they are used. This INFORMs the user about attribute release. The SP's signed Code of Conduct document may convince the IdP that the risk of releasing attributes to such an SP is acceptable.

13 Steven Carmody13 Specific Steps (more) The IDP may also decide to INFORM the user. SP’s name and identity (=>mdui:Displayname, mdui:Logo) SP’s purpose (=>mdui:Description) mdui:PrivacyStatementURL a list of attribute names/values (c.f. uApprove)

14 Steven Carmody14

15 Steven Carmody15 The Documents …. Required Code of Conduct for Service Providers. SAML 2 Profile for the Code of Conduct. Describes how to use various elements in order to remain compliant with the CoC

16 Steven Carmody16 The Documents … Suggestions Privacy policy guidelines for Service Providers. What attributes are relevant for a Service Provider. Data protection good practice for Identity Providers.

17 Steven Carmody17 The Documents … Suggestions Federation operator's guidelines. Handling non-compliance. Notes on Implementation of INFORM/CONSENT GUI Interfaces.

18 Steven Carmody18 The Documents … Suggestions The REFEDS survey on the use of MDUI elements

19 Steven Carmody19 Process for Adoption The eduGAIN project and REFEDS attribute release workgroup have developed the Code of Conduct as a joint project process. The process is open, including public commenting, workshops and consultations. The goal is to make the CoC generally approved among the community. The eduGAIN project is initiating discussions with the Article 29 working party (WP29) of EU on the possibility of submitting the CoC to the working party for approval or comment. The generally approved CoC would then be made available for federations, Home Organisations and Service Providers.

20 Steven Carmody20 Process for Adoption Adopting the CoC would be purely optional for federations. Service Providers and Home Organisations are always able to use whatever alternative means (e.g. bilateral agreements) to fulfill the obligations imposed by the data protection laws. The goal of having the CoC generally approved is to remove obstacles to wide adoption avoid the eduGAIN project and REFEDS attribute release workgroup being held liable for the contents of the CoC. further legitimize the use of the CoC in EU.

21 Steven Carmody21 Status Public commenting, workshops and consultations are underway At the REFEDS meeting, May 2012, we will open the Official Public Comment period, through August 1 Publish v1.0 in the Fall, 2012

22 Steven Carmody22 We Are All in this Together ….. But it's not so difficult!

23 Steven Carmody23 Comments, Feedback: https://refeds.terena.org/index.php/Data_ protection_cochttps://refeds.terena.org/index.php/Data_ protection_coc Send email to: refeds-attribute-release@refeds.org edugain-policy@geant.net

24 Steven Carmody24

Download ppt "The ReFEDS/GÉANT Code of Conduct (CoC) An Approach to Compliance with the EU Data Protection Directive Steve Carmody April 23, 2012."

Similar presentations

Commentary and exploration of the MINERVA 10 Quality Principles Antonella FresaBerlin, 31 August 2004 Ministerial NEtwoRk for Valorising Activising in.

Commentary and exploration of the MINERVA 10 Quality Principles Antonella FresaBerlin, 31 August 2004 Ministerial NEtwoRk for Valorising Activising in.
GEOSS Data Sharing Principles. GEOSS 10-Year Implementation Plan 5.4 Data Sharing The societal benefits of Earth observations cannot be achieved without.

GEOSS Data Sharing Principles. GEOSS 10-Year Implementation Plan 5.4 Data Sharing The societal benefits of Earth observations cannot be achieved without.
ONS Research Data Access Strategy AGENDA Background and context Confidentiality The Strategy.

ONS Research Data Access Strategy AGENDA Background and context Confidentiality The Strategy.
Innovation through participation Data Protection Code of Conduct (DP CoC) REFEDS Helsinki 2.10.2013 Mikael Linden, CSC – IT Center for Science

Innovation through participation Data Protection Code of Conduct (DP CoC) REFEDS Helsinki Mikael Linden, CSC – IT Center for Science
Intro. Website Purposes  Provide templates and resources for developing early childhood interagency agreements and collaborative procedures among multiple.

Intro. Website Purposes  Provide templates and resources for developing early childhood interagency agreements and collaborative procedures among multiple.
Innovation through participation GÉANT Data Protection Code of Conduct (DP CoC) 21.6.2012 FIM for research collaboration workshop Mikael Linden,

Innovation through participation GÉANT Data Protection Code of Conduct (DP CoC) FIM for research collaboration workshop Mikael Linden,
Innovation through participation Attributes Release Working Group European data protection directive REFEDS meeting 22th Apr, 2012

Innovation through participation Attributes Release Working Group European data protection directive REFEDS meeting 22th Apr, 2012
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.
Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.

Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.
Innovation through participation eduGAIN federation operator training eduGAIN policy eduGAIN training in Vienna 17-18 Oct 2011

Innovation through participation eduGAIN federation operator training eduGAIN policy eduGAIN training in Vienna Oct 2011
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.

Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.
REFEDS RESEARCH AND EDUCATION (R&S) ENTITY CATEGORY NICOLE HARRIS.

REFEDS RESEARCH AND EDUCATION (R&S) ENTITY CATEGORY NICOLE HARRIS.
Property of Common Sense Privacy - all rights reserved 01875340890 THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.

Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
Www.england.nhs.uk NHS England Interoperability Programme Workshop Information Governance 16 th December 2014.

NHS England Interoperability Programme Workshop Information Governance 16 th December 2014.
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.

Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
Www.nationalsmartcardproject.org.uk www.scnf.org.uk National Smartcard Project Work Package 8 – Security Issues Report.

National Smartcard Project Work Package 8 – Security Issues Report.
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.
Planning and submitting a shadow report Charlotte Gage Women’s Resource Centre.

Planning and submitting a shadow report Charlotte Gage Women’s Resource Centre.

Similar presentations

Ads by Google