Page History

• Introductions to all parties involved.

• We need a simple solution to the exchange of a very limited set of personal data as attributes for the research and education community.
• The only other option is signed contracts that won't scale to the thousands of relationships that are concerned here.

 Work is needed to put parameters on the scope of CoCo usage.  If we cannot monitor it, we cannot include it. 

• Should the scope be limited to only eduGAIN entities?   This would seem sensible as this is currently the limit of what we can monitor.  Monitor is at: https://monitor.edugain.org/coco/. 
• Consider a name change - GÉANT is very broad and this is limited to conduct in identity federations.
• How many organisations could be using CoCo?  5445 currently in eduGAIN. 

What would the monitoring body do?  Mikael highlighted three main functions:

• Monitoring.  We have the monitoring tool but work will need to be done to put in place OLAs and reactive intervention when entities are red.  Nicole can liaise with eduGAIN team on this as we get clarity on requirements.  
• Auditing. At the moment this is scoped as self-assessment.  Will this be acceptable? 
• Way to lodge a complaint.  Would make sense for this to be via the normal GÉANT GDPR channels. 

Only current advice is from EDPB to DPAs, we are waiting for DPA - potential bodies: edpb-20190219_guidelines_coc_public_consultation_version_en.pdf

Responsibility: would need to be a liaison between GÉANT GDPR team, GÉANT T&I Ops team and eduGAIN Support team.

• Self Assessment: is self-assessment an acceptable approach.
• Independence: does GÉANT have enough independence.

It was agreed that Ana and Magda would approach the Dutch DPA to see if they have a view on these issues. 

• Clarity on budget for DLA Piper
• Clarity on budget for general support for CoCo
• Proposal for a budget for monitoring body moving forward (training, production etc.).

Nicole will discuss these issues with Licia and Marina