THIS IS DRAFT !
Assessment of the GDPR implications on eduGAIN constituency was conducted and the results are presented in the Assessment of DP legislation implications document.
Based on this assessment, following action points can be attributed to eduGAIN central operations, REFEDS, Identity Federation Operators, Service Providers and Identity Providers.
AP | Who | Description | How | Status |
---|---|---|---|---|
Publishing contacts in metadata | eduGAIN | Published contacts in metadata should not be personal but rather to functions | ||
Identity Federations |
Published contacts in metadata should not be personal but rather to functions | Recommend their IdPs, SPs and AAs to use non-personal contact information in the metadata. If personal information is unavoidable, Article 15 on the Rights of Access by the data subject applies. | |||
DPA aggreements | IdPs, SPs | Identify where scalable models (entity categories) don't apply so that the contacting parties can make bilateral Data Processor Agreements | ||
Identity Federations | Support the IdPs and SPs | |||
eduGAIN |
Consider to develop a sample bilateral Data Processor Agreement in the BCP package, with the caveat that implementation must be at the risk of the contracting parties | ||||
GÉANT Data Protection Code of Conduct - CoCo | eduGAIN | Update GÉANT CoCo to reflect the changes between the new GDPR and the old DPD | The work on a new version of GÉANT CoCo commenced in the GN4-2 project and is being carried out by a small team of identity federation specialists with support from data protection legal specialists at the global law firm DLA Piper. The draft GDPR version has been substantially completed and has been sent out to consultation within the international identity federation community. The new version of GÉANT CoCo is more detailed than version 1 as the new legislation is more prescriptive and takes into consideration the areas of Increased Territorial Scope, Penalties, Consent, Breach Notification, Right to Access, Right to be Forgotten, Data Portability, Privacy by Design and Data Protection Officers. The interim working draft was published in June 2017 on the REFEDS Wiki [GÉANT CoCo-v2]. An explanatory memorandum is being prepared in parallel. The small working group shall complete the work on the new GDPR version of the GÉANT Data Protection Code of Conduct, including aspects such as jurisdiction and arbitration clauses for international organisations. After completion, the new version must be submitted to the EU GDPR competent supervisory authority of approved codes of conduct as described in GDPR Article 40. After the submission of GÉANT CoCo v2.0. GÉANT shall work together with the competent supervisory authority to get GÉANT CoCo v2.0 approved as an official GDPR Code of Conduct, effective after 25 May 2018. In parallel with the approval process, adoption and use of GÉANT CoCo v2.0 within eduGAIN will be formalised as Best Practice for both Service Providers and Identity Providers. Federations should therefore prepare their tools and processes to enable adoption and use by Identity Providers and Service Providers. They can be supported in this by GÉANT, with training and best practice documentation. | |
eduGAIN | Formalise adoption of and use of the GÉANT CoCo v2 within eduGAIN as Best Practice for both SPs and IdPs and support IdFeds with trainings | |||
Identity Federations | Prepare the tooling and processes to enable adoption of GÉANT CoCo v2 by Identity Providers and Service Providers | |||
REFEDS R&S | REFEDS | Should |
perform an |
assessment of the GDPR on REFEDS R&S: use of consent, use outside EU/EEA and the applicability as certification mechanism | |||
eduGAIN | Incorporate REFEDS R&S as BCP | ||
Identity Federations |
Implement a lightweight audit for before applying the REFEDS R&S tag to ensure that the data in the attribute bundle is legitimately required by SP. This is supported by a risk management toolkit to help organisations make effective decisions when supporting REFEDS R&S. | ||||
eduGAIN SG members data | eduGAIN | Inform eduGAIN members that information about their SG delegate and deputy are published on technical web site. Ensure that the individuals mentioned have the appropriate ability to ensure this information is accurate and to understand how it is used. | ||
- IdFeds, eduGAIN, REFEDS: need to review their best practices regarding Attribute Assertions
...
5. general approach: create and implement standardised classifications for attribute assertion i.e. Entity Categories
7.
10. REFEDS: .
11. eduGAIN: Incorporate REFEDS R&S as BCP
12. IdFeds: i
13. eduGAIN: To address requirements regarding data breaches place SIRTFI as recommended practice and support data breaches by central function.
14. IdFed: recommend their IdPs, SPs and AAs to use non-personal contact information in the metadata. If personal information is unavoidable, Article 15 on the Rights of Access by the data subject applies.
15. eduGAIN: inform eduGAIN members that information about their SG delegate and deputy are published on technical web site. Ensure that the individuals mentioned have the appropriate ability to ensure this information is accurate and to understand how it is used.
16. IdFed, IdPs: Further investigate usage of consent when the Attribute Assertion is not necessary, including seeking of specific legal opinion when preparing Best Common Practice (BCP).
...