FederationPrivacy

From REFEDs

Jump to: navigation, search

Federations

Contents

Federation ACOnet Identity Federation (.at)

Purpose of processing personal data
According to the EU data protection directive article 6, personal data may be collected only for specified, explicit and legitime purposes and not further processed in a way incompatible with those purposes.
*what is the purpose of processing personal data in the IDPs of federation?
*how do you make sure that the SPs don't process personal data in an incompatible way?
Relevance of attributes
According to the EU data protection directive article 6, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected
*how do you make sure, that the attributes released by the IDPs are adequate, relevant and not excessive in relation to the SP in question?
User consent
Accordin to the EU data protection directive article 7, end user's consent is the basis for attribute release from an IDP to an SP
*how do you cover user consent?
Informed consent
According to the EU data protection directive article 11, when an IDP releases personal data to an SP, the end user must be informed at least with following information: identity of the SP and its representative; purpose of processing personal data in the SP; categories of attributes provided; recipients of attributes; right of access and rectify etc
*how do you make sure that this information is provided to the end user no later than the time when the attributes are first disclosed to the SP?
Attribute release to 3rd countries
According to the EU data protection directive article 26, an IDP may release personal data to an SP in the 3rd country without adequate level of data protection, if the SP adduces adequate safeguards with respect to the protection of the privacy of the end user
*how does the federation handle attribute release to 3rd countries (e.g. to the US)?

--Mikael.Linden@csc.fi 06:46, 22 October 2010 (UTC)

Federation AAF (.au)

Purpose of processing personal data

A Participant must, when acting in its capacity as a Participant of the Australian Access Federation, comply with any applicable legislation in relation to data protection and privacy, including without limitation, the Australian Privacy Act 1988. (See http://www.efa.org.au/Issues/Privacy/privacy.html)

Relevance of attributes

The AAF dictates that every IdP must support 10 Core attributes. The AAF Federation Registry manages the release of attributes from IdPs to SPs throught the generation of attribute-filters that are consumed by IdPs.

User consent

uApprove is the current recommended approach for the AAF.

Informed consent

uApprove is the current recommended approach for the AAF.

Attribute release to 3rd countries
According to the EU data protection directive article 26, an IDP may release
personal data to an SP in the 3rd country without adequate level of data 
protection, if the SP adduces adequate safeguards with respect to the protection
of the privacy of the end user
*how does the federation handle attribute release to 3rd countries (e.g. to the US)?
--enquiries@aaf.edu.au 05 November 2012

Federation CAFe (.br)

Purpose of processing personal data
According to the EU data protection directive article 6, personal data may be collected only for specified, explicit and legitime purposes and not further processed in a way incompatible with those purposes.
*what is the purpose of processing personal data in the IDPs of federation?
*how do you make sure that the SPs don't process personal data in an incompatible way?
Relevance of attributes
According to the EU data protection directive article 6, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected
*how do you make sure, that the attributes released by the IDPs are adequate, relevant and not excessive in relation to the SP in question?
User consent
Accordin to the EU data protection directive article 7, end user's consent is the basis for attribute release from an IDP to an SP
*how do you cover user consent?
Informed consent
According to the EU data protection directive article 11, when an IDP releases personal data to an SP, the end user must be informed at least with following information: identity of the SP and its representative; purpose of processing personal data in the SP; categories of attributes provided; recipients of attributes; right of access and rectify etc
*how do you make sure that this information is provided to the end user no later than the time when the attributes are first disclosed to the SP?
Attribute release to 3rd countries
According to the EU data protection directive article 26, an IDP may release personal data to an SP in the 3rd country without adequate level of data protection, if the SP adduces adequate safeguards with respect to the protection of the privacy of the end user
*how does the federation handle attribute release to 3rd countries (e.g. to the US)?

--Mikael.Linden@csc.fi 06:46, 22 October 2010 (UTC)

Federation CAF (.ca)

Purpose of processing personal data

No explicit policy, other than having participants warrant that they will comply with federal and provincial privacy legislation.

Relevance of attributes

General guidance provided by the CAF, but up to individual SPs.

User consent

No policy. Covered by Canadian privacy legislation.

Informed consent

No policy.

Attribute release to 3rd countries

No policy, and no current examples.

Federation SWITCHaai (.ch)

Purpose of processing personal data

See 9.6 of the SWITCHaai Service Description

Relevance of attributes
  • Within the Resource Registry, the SP admin configures the attribute requirements for the resource.
  • The Resource Registration Authority of the correspronding SWITCHaai Participant reviews and approves it.
  • Admins using Shibboleth 2.x IdP can influence the default attribute release through the Resource Registry and retrieve the customized attribute filter file automatically from the Resource Registry.
User consent

SWITCH provides uApprove as a method to implement user consent at the IdP.

Informed consent

SWITCH provides uApprove as a method to implement informed consent.

Attribute release to 3rd countries

According to the Swiss federal data protection regulation.

--Thomas Lenggenhager 18. April 2012

Federation COFRE (.cl)

Purpose of processing personal data According to the EU data protection directive article 6, personal data may be collected only for specified, explicit and legitime purposes and not further processed in a way incompatible with those purposes.
*what is the purpose of processing personal data in the IDPs of federation?
*how do you make sure that the SPs don't process personal data in an incompatible way?
Relevance of attributes According to the EU data protection directive article 6, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected
*how do you make sure, that the attributes released by the IDPs are adequate, relevant and not excessive in relation to the SP in question?
User consent Accordin to the EU data protection directive article 7, end user's consent is the basis for attribute release from an IDP to an SP
*how do you cover user consent?
Informed consent According to the EU data protection directive article 11, when an IDP releases personal data to an SP, the end user must be informed at least with following information: identity of the SP and its representative; purpose of processing personal data in the SP; categories of attributes provided; recipients of attributes; right of access and rectify etc
*how do you make sure that this information is provided to the end user no later than the time when the attributes are first disclosed to the SP?
Attribute release to 3rd countries

According to the EU data protection directive article 26, an IDP may release personal data to an SP in the 3rd country without adequate level of data protection, if the SP adduces adequate safeguards with respect to the protection of the privacy of the end user

*how does the federation handle attribute release to 3rd countries (e.g. to the US)?

--Brook Schofield 13:36, 30 July 2012 (UTC)

Federation CARSI (.cn)

Purpose of processing personal data
Not currently a central federation matter
Relevance of attributes
Dependent on each collaboration
User consent
Not required
Informed consent
Not required
Attribute release to 3rd countries
Not yet

--lvjie@pku.edu.cn 07:00, 24 August 2011 (UTC)

Federation eduID.cz (.cz)

Purpose of processing personal data
* IdPs are instructed to realease only approriate personal data for SPs to provide services.
Relevance of attributes
Guaranteed by IdPs according to eduID.cz policy.
User consent
eduID.cz advice SWITCH uApprove as a method to implement user consent at the IdP.
Informed consent
eduID.cz advice SWITCH uApprove as a method to implement informed consent.
Attribute release to 3rd countries
Up to IdP decision.

--jpavlik@cesnet.cz 23:41, 7 April 2013 (UTC)

Federation DFN-AAI (.de)

Purpose of processing personal data According to the EU data protection directive article 6, personal data may be collected only for specified, explicit and legitime purposes and not further processed in a way incompatible with those purposes.
*what is the purpose of processing personal data in the IDPs of federation?
*how do you make sure that the SPs don't process personal data in an incompatible way?
Relevance of attributes According to the EU data protection directive article 6, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected
*how do you make sure, that the attributes released by the IDPs are adequate, relevant and not excessive in relation to the SP in question?
User consent Accordin to the EU data protection directive article 7, end user's consent is the basis for attribute release from an IDP to an SP
*how do you cover user consent?
Informed consent According to the EU data protection directive article 11, when an IDP releases personal data to an SP, the end user must be informed at least with following information: identity of the SP and its representative; purpose of processing personal data in the SP; categories of attributes provided; recipients of attributes; right of access and rectify etc
*how do you make sure that this information is provided to the end user no later than the time when the attributes are first disclosed to the SP?
Attribute release to 3rd countries

According to the EU data protection directive article 26, an IDP may release personal data to an SP in the 3rd country without adequate level of data protection, if the SP adduces adequate safeguards with respect to the protection of the privacy of the end user

*how does the federation handle attribute release to 3rd countries (e.g. to the US)?

Federation WAYF (.dk)

Purpose of processing personal data
According to the EU data protection directive article 6, personal data may be collected only for specified, explicit and legitime purposes and not further processed in a way incompatible with those purposes.
*what is the purpose of processing personal data in the IDPs of federation?

The primary purpose is to run education, research or other (public) institutions.

*how do you make sure that the SPs don't process personal data in an incompatible way?

All connected service providers sign a contract in which they state that no recieved personal information about the users will be used for other purposes than the one written in the contract regarding the service in question. Both the service's purpose and the attribute release policy (ARP) is stated in the contract.

Relevance of attributes
According to the EU data protection directive article 6, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected
*how do you make sure, that the attributes released by the IDPs are adequate, relevant and not excessive in relation to the SP in question?

As part of the process of connecting a SP to WAYF, the attribute release policy is negotiated centrally, observing the above mentioned principals. The starting point for the negotiations is the documented purpose of the service in question. All institutions deliver the same set of attributes to a given service, as the release is technically originating from the central federating component, WAYF.

User consent
According to the EU data protection directive article 7, end user's consent is the basis for attribute release from an IDP to an SP
*how do you cover user consent?

Before *any* data is sent to *any* SP in the federation, each individual user must concent to the attribute release. As part of the process of collecting the users' consent, the purpose of the service is presented to the user.

Informed consent
According to the EU data protection directive article 11, when an IDP releases personal data to an SP, the end user must be informed at least with following information: identity of the SP and its representative; purpose of processing personal data in the SP; categories of attributes provided; recipients of attributes; right of access and rectify etc
*how do you make sure that this information is provided to the end user no later than the time when the attributes are first disclosed to the SP?

See above.

Attribute release to 3rd countries
According to the EU data protection directive article 26, an IDP may release personal data to an SP in the 3rd country without adequate level of data protection, if the SP adduces adequate safeguards with respect to the protection of the privacy of the end user
*how does the federation handle attribute release to 3rd countries (e.g. to the US)?

Yet, nothing is done to point to which country the service i placed in.

--David Simonsen 29 September 2009

Federation TAAT (.ee)

Purpose of processing personal data According to the EU data protection directive article 6, personal data may be collected only for specified, explicit and legitime purposes and not further processed in a way incompatible with those purposes.
*what is the purpose of processing personal data in the IDPs of federation?
*how do you make sure that the SPs don't process personal data in an incompatible way?
Relevance of attributes According to the EU data protection directive article 6, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected
*how do you make sure, that the attributes released by the IDPs are adequate, relevant and not excessive in relation to the SP in question?
User consent Accordin to the EU data protection directive article 7, end user's consent is the basis for attribute release from an IDP to an SP
*how do you cover user consent?
Informed consent According to the EU data protection directive article 11, when an IDP releases personal data to an SP, the end user must be informed at least with following information: identity of the SP and its representative; purpose of processing personal data in the SP; categories of attributes provided; recipients of attributes; right of access and rectify etc
*how do you make sure that this information is provided to the end user no later than the time when the attributes are first disclosed to the SP?
Attribute release to 3rd countries

According to the EU data protection directive article 26, an IDP may release personal data to an SP in the 3rd country without adequate level of data protection, if the SP adduces adequate safeguards with respect to the protection of the privacy of the end user

*how does the federation handle attribute release to 3rd countries (e.g. to the US)?

--Mikael.Linden@csc.fi 14:07, 13 June 2012 (UTC)

Federation SIR (.es)

Purpose of processing personal data The purpose of processing personal data is to support research activities. Only SPs compatible with this purpose are accepted in the federation
Relevance of attributes During registration new SPs have to declare the relevant attributes. Based on this initial request and the appropriate rationale for it the operator grants the SP access to the claimed information
User consent Users have knowledge about the SPs and the attributes they are using. Specific actions can be requested from the operators.
Informed consent Users have knowledge about the SPs and the attributes they are using. Specific actions can be requested from the operators.
Attribute release to 3rd countries Federation partners outside of EU/EEA must adhere to the stipulations of the currently valid EU Directive on Data Protection regarding processing of personal data

--Drlopez 08:29, 27 June 2008 (CEST)

Federation Haka (.fi)

Purpose of processing personal data Purpose of processing personal data in Haka is to support higher education and research institutions. Only SPs compatible with this purpose are accepted to the federation
Relevance of attributes When a new SP is registered to the federation, the SP administrator claims for attributes s/he thinks are relevant for the Sp. Based on that, the operator constructs the Shibboleth site-ARP (Attribute release policy) and provides it to the IdPs as part of the federation metadata
User consent If the attributes identify an indivitual, IdPs must ask user consent for attribute release
Informed consent The operator gathers links to the SPs' privacy policies. To make sure the end user is informed what s/he consents to, the end user is provided with the Privacy policy of the SP when giving his/her consent.
Attribute release to 3rd countries For Federation Partners outside of EU and EEA, the federation agreement has an obligation that the partner shall adhere to the stipulations of the currently valid EU Directive on Data Protection regarding processing of personal data.
--Mlinden@csc.fi 15:33, 21 March 2008 (CET)

Fédération Éducation Recherche (.fr)

Purpose of processing personal data
  • Purpose of processing data is to provide services to the French higher education community
  • How do you make sure that the SPs don't process personal data in an incompatible way: it is commitment of their agreement
Relevance of attributes
  • When a new SP is registered to the federation, the SP administrator claims for attributes he thinks are relevant for the SP. IdP may then construct their filters based on this information.
User consent
  • Currently nothing is done to ensured the user consent right, we plan to promote the uApprove tool.
Informed consent
  • Currently nothing is done to ensured the user consent right, we plan to promote the uApprove tool.
Attribute release to 3rd countries
  • SP located in the 3rd countries must comply with French data & privacy laws.
--Mlinden@csc.fi 18:10, 24 March 2008 (CET)

Federation GRNET (.gr)

Purpose of processing personal data According to the EU data protection directive article 6, personal data may be collected only for specified, explicit and legitime purposes and not further processed in a way incompatible with those purposes.
  • no processing of personal data at the federation level
  • SPs declare to the federation their required attributes and those are announced

to the end-users through the WAYF. The user proceeds to enter an SP at his own informed risk

Relevance of attributes According to the EU data protection directive article 6, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected
  • at the federation level, each new SP negotiates its required attributes with

the Federation Operators, who make sure they understand the reason for the requirements

User consent Accordin to the EU data protection directive article 7, end user's consent is the basis for attribute release from an IDP to an SP
  • SPs declare to the federation their required attributes and those are announced

to the end-users through the WAYF. At the IdP level, policies are not enforced by the federation.

Informed consent According to the EU data protection directive article 11, when an IDP releases personal data to an SP, the end user must be informed at least with following information: identity of the SP and its representative; purpose of processing personal data in the SP; categories of attributes provided; recipients of attributes; right of access and rectify etc
  • SPs declare to the federation their required attributes and those are announced

to the end-users through the WAYF. At the IdP level, policies are not enforced by the federation.

Attribute release to 3rd countries

According to the EU data protection directive article 26, an IDP may release personal data to an SP in the 3rd country without adequate level of data protection, if the SP adduces adequate safeguards with respect to the protection of the privacy of the end user

N/A

Federation AAI@EduHr (.hr)

Purpose of processing personal data purpose of processing data is to provide services to the the higher education and research community in Croatia
Relevance of attributes during registration new SP has to claim the relevant attributes (explanation is needed). Based on the initial request operator grants the access to the claimed information to the SP.
User consent users have info about the SPs and the attributes they are using; user can ask for "being unlisted"
Informed consent users have info about the SPs and the attributes they are using; user can ask for "being unlisted"
Attribute release to 3rd countries upon specific request; for eduroam & eduGAIN following the respective policy
--Miro@srce.hr 19 September 2010

Federation NIIF AAI (.hu)

Purpose of processing personal data According to the EU data protection directive article 6, personal data may be collected only for specified, explicit and legitime purposes and not further processed in a way incompatible with those purposes.
*what is the purpose of processing personal data in the IDPs of federation?
*how do you make sure that the SPs don't process personal data in an incompatible way?
Relevance of attributes According to the EU data protection directive article 6, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected
*how do you make sure, that the attributes released by the IDPs are adequate, relevant and not excessive in relation to the SP in question?
User consent Accordin to the EU data protection directive article 7, end user's consent is the basis for attribute release from an IDP to an SP
*how do you cover user consent?
Informed consent According to the EU data protection directive article 11, when an IDP releases personal data to an SP, the end user must be informed at least with following information: identity of the SP and its representative; purpose of processing personal data in the SP; categories of attributes provided; recipients of attributes; right of access and rectify etc
*how do you make sure that this information is provided to the end user no later than the time when the attributes are first disclosed to the SP?
Attribute release to 3rd countries

According to the EU data protection directive article 26, an IDP may release personal data to an SP in the 3rd country without adequate level of data protection, if the SP adduces adequate safeguards with respect to the protection of the privacy of the end user

*how does the federation handle attribute release to 3rd countries (e.g. to the US)?

--Linden.mikael@rediris.es 20:40, 12 October 2009 (UTC)

Federation Edugate (.ie)

Purpose of processing personal data

None defined.

Relevance of attributes SP's must justify their attribute needs to the federation operator, these are evaluated by each individual institutuion.
User consent it is at the IdP's discreation to use a consent module, no federation policy.
Informed consent it is at the IdP's discreation to use a consent module, no federation policy.
Attribute release to 3rd countries

No SP's from third countries are members of the federation, a policy will be derived as the need arises

Federation IsraGrid Federation (.il)

Template:FederationIsraelPrivacy

Federation INFLIBNET Access Management Federation (.in)

Purpose of processing personal data According to the EU data protection directive article 6, personal data may be collected only for specified, explicit and legitime purposes and not further processed in a way incompatible with those purposes.
*what is the purpose of processing personal data in the IDPs of federation?
*how do you make sure that the SPs don't process personal data in an incompatible way?
Relevance of attributes According to the EU data protection directive article 6, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected
*how do you make sure, that the attributes released by the IDPs are adequate, relevant and not excessive in relation to the SP in question?
User consent Accordin to the EU data protection directive article 7, end user's consent is the basis for attribute release from an IDP to an SP
*how do you cover user consent?
Informed consent According to the EU data protection directive article 11, when an IDP releases personal data to an SP, the end user must be informed at least with following information: identity of the SP and its representative; purpose of processing personal data in the SP; categories of attributes provided; recipients of attributes; right of access and rectify etc
*how do you make sure that this information is provided to the end user no later than the time when the attributes are first disclosed to the SP?
Attribute release to 3rd countries

According to the EU data protection directive article 26, an IDP may release personal data to an SP in the 3rd country without adequate level of data protection, if the SP adduces adequate safeguards with respect to the protection of the privacy of the end user

*how does the federation handle attribute release to 3rd countries (e.g. to the US)?

--Mikael.Linden@csc.fi 07:22, 15 June 2012 (UTC)

Federation IDEM (.it)

Purpose of processing personal data

The pourpose for personal data processing is, of course, to provide useful services to the GARR community.
The Federation requires the personal data exchange is reduced to the minimum necessary.
SP's sign a document in which they explicitly declare to use users' attributes only for the service for which they were provided

Relevance of attributes

The Federation verifies that IdP and SP comply to the requirements of EU data protection directive article 6.

User consent

We require that SP and IdP obtain informed consent from users before releasing personal attributes
We provide uApprove as a method to implement this.

Informed consent

We provide uApprove

Attribute release to 3rd countries

SP's must declare to follow the current European data protection directive.

--Marialaura.mantovani@garr.it 15:07, 27 June 2013 (UTC)

Federation GakuNin (.jp)

Purpose of processing personal data According to the Act concerning Protection of Personal Information and other related legislation, all participants of GakuNin must specify the purpose of use of personal information as much as possible.
Relevance of attributes According to the Act concerning Protection of Personal Information and other related legislation, all participants of GakuNin must endeavor to maintain personal data accurate and up to date within the scope necessary for the achievement of the Purpose of Use.
User consent According to the Act concerning Protection of Personal Information and other related legislation, all IdPs of GakuNin must not, except in the cases stipulated in the Act and other legislation, provide personal data to SPs without obtaining the prior consent of the person.
Informed consent In order to obtain user concent, Gakunin provides uApprove as a method to implement it.
Attribute release to 3rd countries
*how does the federation handle attribute release to 3rd countries (e.g. to the US)?

--Linden.mikael@rediris.es 20:45, 12 October 2009 (UTC)

Federation LAIFE (.lv)

Purpose of processing personal data
According to the EU data protection directive article 6, personal data may be collected only for specified, explicit and legitime purposes and not further processed in a way incompatible with those purposes.
*what is the purpose of processing personal data in the IDPs of federation?
*how do you make sure that the SPs don't process personal data in an incompatible way?
Relevance of attributes
According to the EU data protection directive article 6, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected
*how do you make sure, that the attributes released by the IDPs are adequate, relevant and not excessive in relation to the SP in question?
User consent
Accordin to the EU data protection directive article 7, end user's consent is the basis for attribute release from an IDP to an SP
*how do you cover user consent?
Informed consent
According to the EU data protection directive article 11, when an IDP releases personal data to an SP, the end user must be informed at least with following information: identity of the SP and its representative; purpose of processing personal data in the SP; categories of attributes provided; recipients of attributes; right of access and rectify etc
*how do you make sure that this information is provided to the end user no later than the time when the attributes are first disclosed to the SP?
Attribute release to 3rd countries
According to the EU data protection directive article 26, an IDP may release personal data to an SP in the 3rd country without adequate level of data protection, if the SP adduces adequate safeguards with respect to the protection of the privacy of the end user
*how does the federation handle attribute release to 3rd countries (e.g. to the US)?
--Mikael.Linden@csc.fi 19:04, 8 April 2010 (UTC)

Federation SIFULAN (.my)

Template:FederationSIFULANPrivacy

Federation SURFnet (.nl)

Purpose of processing personal data

According to the EU data protection directive article 6, personal data may be collected only for specified, explicit and legitime purposes and not further processed in a way incompatible with those purposes.

*what is the purpose of processing personal data in the IDPs of federation?
*how do you make sure that the SPs don't process personal data in an incompatible way?
Relevance of attributes According to the EU data protection directive article 6, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected
*how do you make sure, that the attributes released by the IDPs are adequate, relevant and not excessive in relation to the SP in question?
User consent

Accordin to the EU data protection directive article 7, end user's consent is the basis for attribute release from an IDP to an SP

*how do you cover user consent?
Informed consent

According to the EU data protection directive article 11, when an IDP releases personal data to an SP, the end user must be informed at least with following information: identity of the SP and its representative; purpose of processing personal data in the SP; categories of attributes provided; recipients of attributes; right of access and rectify etc

*how do you make sure that this information is provided to the end user no later than the time when the attributes are first disclosed to the SP?
Attribute release to 3rd countries According to the EU data protection directive article 26, an IDP may release personal data to an SP in the 3rd country without adequate level of data protection, if the SP adduces adequate safeguards with respect to the protection of the privacy of the end user
*how does the federation handle attribute release to 3rd countries (e.g. to the US)?

--Mlinden@csc.fi 22:03, 24 March 2008 (CET)

Federation FEIDE (.no)

Purpose of processing personal data
  • Campus IdM: education and research, including support services for such
  • Login service: Authentication and attribute release
  • Service Providers: authentication
  • Service Providers: attribute release purpose varies, depending on the nature of the application.

All Service Providers must comply with privacy regulation on purposes of processing personal data

Relevance of attributes Must be evaluated by both institutions and service providers
User consent First login provides information at the login page about the service and what attributes may be released by the IdP to services

http://identitynetworks.wordpress.com/2009/03/09/ready-able-and-willing-federated-consent/

Informed consent Yes, full transparency on what attributes are requested by each service.

There is a user page with release policy and user friendly information (Min Feide-side)

Attribute release to 3rd countries See Kalmar2 Memorandum of Understanding http://www.kalmar2.org/kalmar2web/members_attchmt/kalmar_-_memorandum_of_understanding.pdf

--

--Ingrid.Melve@uninett.no 09:15, 8 July 2010 (UTC)

Federation Tuakiri New Zealand Access Federation (.nz)

Purpose of processing personal data To increase communication and collaboration across the research and higher education sectors in New Zealand.
Relevance of attributes
According to the EU data protection directive article 6, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected
*how do you make sure, that the attributes released by the IDPs are adequate, relevant and not excessive in relation to the SP in question?
User consent NA
Informed consent NA
Attribute release to 3rd countries NA
--Dm.dunn@auckland.ac.nz 23:49, 30 July 2013 (UTC)

Federation Polish Identity Federation PIONIER.Id (.pl)

Purpose of processing personal data According to the EU data protection directive article 6, personal data may be collected only for specified, explicit and legitime purposes and not further processed in a way incompatible with those purposes.
*what is the purpose of processing personal data in the IDPs of federation?
*how do you make sure that the SPs don't process personal data in an incompatible way?
Relevance of attributes According to the EU data protection directive article 6, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected
*how do you make sure, that the attributes released by the IDPs are adequate, relevant and not excessive in relation to the SP in question?
User consent Accordin to the EU data protection directive article 7, end user's consent is the basis for attribute release from an IDP to an SP
*how do you cover user consent?
Informed consent According to the EU data protection directive article 11, when an IDP releases personal data to an SP, the end user must be informed at least with following information: identity of the SP and its representative; purpose of processing personal data in the SP; categories of attributes provided; recipients of attributes; right of access and rectify etc
*how do you make sure that this information is provided to the end user no later than the time when the attributes are first disclosed to the SP?
Attribute release to 3rd countries

According to the EU data protection directive article 26, an IDP may release personal data to an SP in the 3rd country without adequate level of data protection, if the SP adduces adequate safeguards with respect to the protection of the privacy of the end user

*how does the federation handle attribute release to 3rd countries (e.g. to the US)?

--Mikael.Linden@csc.fi 13:51, 15 November 2013 (UTC)

Federation RCTSaai (.pt)

Purpose of processing personal data According to the EU data protection directive article 6, personal data may be collected only for specified, explicit and legitime purposes and not further processed in a way incompatible with those purposes.
*what is the purpose of processing personal data in the IDPs of federation?
*how do you make sure that the SPs don't process personal data in an incompatible way?
Relevance of attributes According to the EU data protection directive article 6, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected
*how do you make sure, that the attributes released by the IDPs are adequate, relevant and not excessive in relation to the SP in question?
User consent Accordin to the EU data protection directive article 7, end user's consent is the basis for attribute release from an IDP to an SP
*how do you cover user consent?
Informed consent According to the EU data protection directive article 11, when an IDP releases personal data to an SP, the end user must be informed at least with following information: identity of the SP and its representative; purpose of processing personal data in the SP; categories of attributes provided; recipients of attributes; right of access and rectify etc
*how do you make sure that this information is provided to the end user no later than the time when the attributes are first disclosed to the SP?
Attribute release to 3rd countries

According to the EU data protection directive article 26, an IDP may release personal data to an SP in the 3rd country without adequate level of data protection, if the SP adduces adequate safeguards with respect to the protection of the privacy of the end user

*how does the federation handle attribute release to 3rd countries (e.g. to the US)?

-- --Linden.mikael@rediris.es 10:13, 4 June 2009 (UTC)

FederationSwamid (.se)

Purpose of processing personal data According to the EU data protection directive article 6, personal data may be collected only for specified, explicit and legitime purposes and not further processed in a way incompatible with those purposes.
* each federation member and each SP is bound by policy and metadata terms of use to comply with all applicable law including PUL (Swedish personal data protection law).
Relevance of attributes According to the EU data protection directive article 6, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected
* Not stipulated by the federation.
User consent According to the EU data protection directive article 7, end user's consent is the basis for attribute release from an IDP to an SP
* Not stipulated by the federation, cf point 1 above.
Informed consent According to the EU data protection directive article 11, when an IDP releases personal data to an SP, the end user must be informed at least with following information: identity of the SP and its representative; purpose of processing personal data in the SP; categories of attributes provided; recipients of attributes; right of access and rectify etc
* Not stipulated by the federation, cf point 1 above.
Attribute release to 3rd countries

According to the EU data protection directive article 26, an IDP may release personal data to an SP in the 3rd country without adequate level of data protection, if the SP adduces adequate safeguards with respect to the protection of the privacy of the end user

* Not stipulated by the federation, cf point 1 above.

FederationArnesAAI (.si)

Purpose of processing personal data

Purpose of processing data is to provide services to the the higher education and research community in Slovenia.

Relevance of attributes

During registration new SP has to claim the relevant attributes (explanation is needed). Based on the initial request operator grants the access to the claimed information to the SP.

User consent

Before *any* data is sent to *any* SP in the federation, each individual user must consent to the attribute release. As part of the process of collecting the users' consent, the purpose of the service is presented to the user.

Informed consent

Yes, full transparency on what attributes are requested by each service. There is a web page with list of services and their release polices: http://aai.arnes.si/seznam.html

Attribute release to 3rd countries

According to the EU data protection directive article 26, an IDP may release personal data to an SP in the 3rd country without adequate level of data protection, if the SP adduces adequate safeguards with respect to the protection of the privacy of the end user

--alexm@arnes.si 12:13, 12. July 2012 (UTC)

Federation ULAKAAI (.tr)

Purpose of processing personal data
According to the EU data protection directive article 6, personal data may be collected only for specified, explicit and legitime purposes and not further processed in a way incompatible with those purposes.
*what is the purpose of processing personal data in the IDPs of federation?
*how do you make sure that the SPs don't process personal data in an incompatible way?
Relevance of attributes
According to the EU data protection directive article 6, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected
*how do you make sure, that the attributes released by the IDPs are adequate, relevant and not excessive in relation to the SP in question?
User consent
Accordin to the EU data protection directive article 7, end user's consent is the basis for attribute release from an IDP to an SP
*how do you cover user consent?
Informed consent
According to the EU data protection directive article 11, when an IDP releases personal data to an SP, the end user must be informed at least with following information: identity of the SP and its representative; purpose of processing personal data in the SP; categories of attributes provided; recipients of attributes; right of access and rectify etc
*how do you make sure that this information is provided to the end user no later than the time when the attributes are first disclosed to the SP?
Attribute release to 3rd countries
According to the EU data protection directive article 26, an IDP may release personal data to an SP in the 3rd country without adequate level of data protection, if the SP adduces adequate safeguards with respect to the protection of the privacy of the end user
*how does the federation handle attribute release to 3rd countries (e.g. to the US)?

--Mikael.Linden@csc.fi 09:22, 5 February 2011 (UTC)

FederationUkfed (.uk)

Purpose of processing personal data

According to the EU data protection directive article 6, personal data may be collected only for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.

  • what is the purpose of processing personal data in the IDPs of federation?

Provision of education. The Federation's Recommendations for the use of Personal Data encourage IDPs and SPs to provide services in a way that minimises the need for personal data to be exchanged. http://www.ukfederation.org.uk/library/uploads/Documents/recommendations-for-use-of-personal-data.pdf

  • how do you make sure that the SPs don't process personal data in an incompatible way?

All Members are required to comply with the UK's Data Protection Act. In particular Paragraph 4 prohibits SPs using attributes other than to deliver the service for which they were provided. http://www.ukfederation.org.uk/library/uploads/Documents/rules-of-membership.pdf

Relevance of attributes

According to the EU data protection directive article 6, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected

  • how do you make sure, that the attributes released by the IDPs are adequate, relevant and not excessive in relation to the SP in question?

IDPs are encouraged to use appropriate Attribute Release Policies to ensure that only necessary attributes are released to each SP. SPs are encouraged to publish their attribute requirements in their metadata

User consent

According to the EU data protection directive article 7, end user's consent is the basis for attribute release from an IDP to an SP

  • how do you cover user consent?

The Guidelines for Use of Personal Data inform SPs and IDPs of the need to ensure that any processing of personally identifiable information is authorised either by necessity (as part of the contract between the user and the IDP), or by obtaining informed consent from users before releasing these attributes.

Informed consent

According to the EU data protection directive article 11, when an IDP releases personal data to an SP, the end user must be informed at least with following information: identity of the SP and its representative; purpose of processing personal data in the SP; categories of attributes provided; recipients of attributes; right of access and rectify etc

  • how do you make sure that this information is provided to the end user no later than the time when the attributes are first disclosed to the SP?

The Guidelines for Use of Personal Data inform SPs and IDPs of the need to inform users of these details before releasing attributes that may comprise personally identifiable information.

Attribute release to 3rd countries

According to the EU data protection directive article 26, an IDP may release personal data to an SP in the 3rd country without adequate level of data protection, if the SP adduces adequate safeguards with respect to the protection of the privacy of the end user

  • how does the federation handle attribute release to 3rd countries (e.g. to the US)?

The Guidelines for the Use of Personal Data recommend that attributes that may comprise personally identifiable information should only be released to SPs outside the European Economic Area where a contract is in place between the SP and the IDP to ensure that an equivalent standard of protection is provided for the personal data.

Federation InCommon (.us)

Purpose of processing personal data Not currently a central federation matter
Relevance of attributes Dependent on each collaboration
User consent non required
Informed consent non required
Attribute release to 3rd countries not yet


Federation IGTF (.int)

Purpose of processing personal data
  • Personal data used for issuing a certificate
  • SPs collect other data required for authorization directly from a user
Relevance of attributes
  • only personal name, home organization name (and, if required email) are included in a certificate
User consent Users provide their consent by applying for the certificate
Informed consent A user is informed that a SP will have access to the data in his certificate when applying for the certificate as part of authentication process
Attribute release to 3rd countries A user presents its certificate (=personal data) to an SP himself

Federation GrIDP (.int)

Purpose of processing personal data
 None defined.
Relevance of attributes
 SP's must declare their attribute needs to the federation operator, these are evaluated by each IdP.
User consent
 It is at the IdP's discretion to use a consent module, no federation policy.
Informed consent
 It is at the IdP's discretion to use a consent module, no federation policy.
Attribute release to 3rd countries
 No restriction at federation policy level.

--Marco Fargetta 16:27, 07 February 2014 (UTC)

Personal tools