THIS IS DRAFT !
Assessment of the GDPR implications on eduGAIN constituency was conducted and the results are presented in the Assessment of DP legislation implications document.
Based on this assessment, following action points can be attributed to eduGAIN central operations, REFEDS, Identity Federation Operators, Service Providers and Identity Providers.
| Action Topic | Who | Description | How | Status |
|---|---|---|---|---|
| Publishing contacts in metadata | eduGAIN | Operational contact information for individual administrators IdPs, SPs, AAs and Identity Federations is collected in the metadata published by Identity Federation Operators. The information is held and published in the eduGAIN database and in the eduGAIN metadata. | Published contacts in metadata should not be personal but rather to functions. Advise identity federation operators. If personal information is unavoidable, Article 15 on the Rights of Access by the data subject applies. | |
| Identity Federations | Operational contact information for individual administrators of IdPs, SPs and AAs is collected in their metadata. | Published contacts in metadata should not be personal but rather to functions Recommend their IdPs, SPs and AAs to use non-personal contact information in the metadata. If personal information is unavoidable, Article 15 on the Rights of Access by the data subject applies. | ||
| SG members contacts | eduGAIN | Contact information for the eduGAIN Steering Group delegate and deputy of all member federations are collected and published on the technical website. | Inform member federations that information about their SG delegate and deputy is published on the technical website. Processes in eduGAIN should ensure that the individuals mentioned have the appropriate ability to ensure this information is accurate and to understand how it is used (as described in Article 15 Rights of access by the data subject). | |
| Data Processor Agreements - DPA | IdPs, SPs | GDPR regulates the release of personal information from an IdP/AA to SP. Scalable minimal Attribute Assertions should be addressed with use of entity categories. However, where scalable models do not apply, the contracting parties cam make bilateral DPA agreements. | Can make bilateral DPAs where scalable models do not apply. | |
| Identity Federations | Support the IdPs and SPs, and help them identify where scalable models dont apply. | |||
| eduGAIN /REFEDS | Consider to develop a sample bilateral Data Processor Agreement in the BCP package, with the caveat that implementation must be at the risk of the contracting parties | |||
| GÉANT Data Protection Code of Conduct - CoCo | eduGAIN | The current version of the CoCo describes an approach to meet the requirements of the EU DPD. It defines behavioural rules for SPs that want to receive attributes from IdPs/AAs about the user that logs in to the service. | Update GÉANT CoCo to reflect the changes between the new GDPR and the old DPD. After completion, new CoCo v2.0 must be submitted to the EU GDPR competent supervisory authority of approved codes of conduct as described in GDPR Article 40. After the submission of CoCo v2.0. GÉANT shall work together with the competent supervisory authority to get CoCo v2.0 approved as an official GDPR Code of Conduct, effective after 25 May 2018. In parallel with the approval process, adoption and use of CoCo v2.0 within eduGAIN will be formalised as Best Practice for both SPs and IdPs. | The work on a new version of CoCo commenced by a small team of identity federation specialists with support from DLA Piper. The draft version has been substantially completed and has been sent out to consultation within the international identity federation community.The interim working draft was published in June 2017 and an explanatory memorandum is being prepared in parallel. |
| Identity Federations | Prepare the tooling and processes to enable adoption of GÉANT CoCo v2 by IdPs and SPs | |||
| REFEDS Research and Scholarship Entity Category -REFEDS R&S | REFEDS | REFEDS R&S is designed to allow data to flow to research and scholarship interaction SPs, that have a legitimate interest in the data.The attributes supported in REFEDS R&S are chosen to represent a privacy baseline such that further minimisation achieves no particular benefit. The impact of the GDPR is low due to the fact that REFEDS R&S is based on necessary use of the service and utilises the minimal Attribute Assertion (shared user identifier, person name, email address and the optional organisational affiliation). | Should perform an assessment of the GDPR on REFEDS R&S: use of consent, use outside EU/EEA and the applicability as certification mechanism. Explore the potential of certifying the REFEDS R&S as Certification bodies emerge. | |
| eduGAIN | Incorporate REFEDS R&S as BCP | |||
| Identity Federations | Implement a lightweight audit for before applying the REFEDS R&S tag to ensure that the data in the attribute bundle is legitimately required by SP. This is supported by a risk management toolkit to help organisations make effective decisions when supporting REFEDS R&S. | |||
| IdPs | As REFEDS R&S is based on necessary use by legitimate interest, the IdPs can remove the consent question. Transparent privacy notice in which the IdP explains to the end user which attributes are released and why can be used instead. | |||
| Security Incident Response Trust Framework for Federated Identity – SIRTFI | eduGAIN | SIRTFI aims to enable the coordination of incident response across federated organisations. This assurance framework comprises a list of assertions which an organisation can attest in order to be declared SIRTFI compliant. In GDPR Chapter IV Section 2 the security practices for data breach of personal data are defined. Security incidents involving breach of personal data are in scope for SIRTFI. | The recommended way to meet the requirement of the GDPR with regard to handling communications around data breaches within the federated environment is to use the SIRTFI framework. SIRTFI Best Practice will therefore be positioned formally within eduGAIN as recommended practice, and supported by the central function for data breaches. SIRTFI has also been included in the GÉANT CoCo v2.0 specification to address GDPR requirements on incident response. SIRTFI states that the use of the Traffic Light Protocol (TLP) must be used to facilitate such information sharing. | The SIRTFI framework was finalised in late 2016, and adoption of SIRTFI throughout the eduGAIN membership is underway. |
13. eduGAIN: To address requirements regarding data breaches place SIRTFI as recommended practice and support data breaches by central function.
16. IdFed, IdPs: Further investigate usage of consent when the Attribute Assertion is not necessary, including seeking of specific legal opinion when preparing Best Common Practice (BCP).
17. IdPs: can and maybe should inform the users what personal data is released to the service using “OK” to support transparent privacy notice rather than consent.
18. SPs: should enable end user to look up what personal data is available at the SP about the user. Interoperability with Jurisdictions outside the EU and EEA
19. eduGAIN, IdFed, SPs, IdPs: create a privacy policy that describes what and how personal data is used in the service to fulfil the right to information on data processing is to. One notable effect of the right to erasure is that personal information, such as personal data within logs, should not be saved longer than needed. The privacy policy shall contain information on how long personal data is kept. The upcoming version 2 of GÉANT Code of Conduct will contain information on how to uphold the rights of the End User that can be adapted to provide a framework for such privacy policies.