Your collaboration may deal with personal data of two types, both of which deserve your protection:
1. personal data of the users using the infrastructure themselves, and/or
2. personal data contained in the research objects processed within that infrastructure, or in the data exposed in the infrastructure.
All collaborations will have to manage the first type, the access personal data. This is the personal data, also known as personally identifiable information (PII), that comes from the authentication sources, is contained in the collaboration membership management service, and that is collected as part of access control to services, accounting, and security logging. In most cases it will contain (semi-)public information like the name of the user, the institutional email address, and the internet addresses from which the user originates. In a federated AAI, long-term credentials like passwords are usually only present in the authentication sources (the home organisation, or the user's wallet), but more ephemeral credentials like ID tokens and structured JWTs may also carry information about the user. This PDK article, and the REFEDS Data Protection Code of Conduct ('DPCoCo'), deal only with this type of personal data.
When you are based in, collaborate with, or process data of living people in the European Union and the EEA, as well as in jurisdictions with similar statutes, you are required to protect this data. You must follow 'privacy by design, privacy by default', protect this data at rest and in transit, and have an identified reason for handling the personal data in the first place. The General Data Protection Regulation (GDPR) and any national implementation legislation describe what you should do, and what you cannot do. Even if you are not subject to GDPR, organisational policy may be in place (as it is for quite some intergovernmental organisations), or your collaboration may want to collaborate with users in a 'GDPR country' ... and you will be affected by GDPR anyway.
The 'REFEDS Data Protection Code of Conduct' helps you align with GDPR requirements, and the example privacy notices help communicate how you meet these to both users (data subjects) and reviewers.
Some collaborations also deal with personal data as part of the data they operate on. Think of the data of real people in medical and health studies, social science surveys, and social geography. If your collaboration uses that type of data, and it is not fully anonymised (which is quite hard!), then you should take extra care when engaging service providers and infrastructures. Agreements and contracts should be in place before working with that data, and the safeguards should be firm enough to satisfy your organisation's risk appetite. This PDK article does not address the protection needed for research data: that is specific to the type of research data, and not an AAI issue. Of course, you can use the AAI to implement appropriate safeguards and technical and organisational measures to protect this sensitive data!
Templates of privacy notices
REFEDS DPCoCo v2 example
The REFEDS DPCoCo provides a tabular template for service providers to present their privacy notice. This 12-point notice ticks all the requirements of the GDPR in a way that is consistent and can (almost) be parsed by machines, although it is not very readable by people. The advantage is that all service providers that use the REFEDS DPCoCo template can be compared, and it makes it 'easier' to create combined notices (e.g. along the lines of AARC-G083):