
THIS IS A DRAFT!

An assessment of the GDPR implications for the eduGAIN constituency was conducted; the results are presented in the Assessment of DP legislation implications document.

Based on this assessment, the following action points can be attributed to eduGAIN central operations, REFEDS, Identity Federation Operators, Service Providers and Identity Providers.


| AP | Who | Description | How | Status |
|---|---|---|---|---|
| Publishing contacts in metadata | Identity Federations, eduGAIN | Contacts published in metadata should be functional (role) addresses rather than personal ones | | |
| DPA agreements | IdPs, SPs | Identify where scalable models do not apply, so that the contracting parties can make bilateral Data Processor Agreements | | |
| | Identity Federations | Support the IdPs and SPs | | |
| | eduGAIN | Consider developing a sample bilateral Data Processor Agreement in the BCP package, with the caveat that implementation is at the risk of the contracting parties | | |
| GÉANT Data Protection Code of Conduct (CoCo) | eduGAIN | Update the GÉANT CoCo | | |
| | eduGAIN | Formalise adoption and use of GÉANT CoCo v2 within eduGAIN as Best Practice for both SPs and IdPs, and support IdFeds with training | | |
| | Identity Federations | Prepare the tooling and processes to enable adoption of GÉANT CoCo v2 by Identity Providers and Service Providers | | |
| REFEDS R&S | REFEDS | Assess the impact of the GDPR on REFEDS R&S: use of consent, use outside the EU/EEA, and applicability as a certification mechanism | | |
| | eduGAIN | Incorporate REFEDS R&S as BCP | | |
| | Identity Federations | Implement a lightweight audit before applying the REFEDS R&S tag, to ensure that the data in the attribute bundle is legitimately required by the SP. This is supported by a risk management toolkit to help organisations make effective decisions when supporting REFEDS R&S | | |

1. IdFeds, eduGAIN, REFEDS: need to review their best practices regarding Attribute Assertions.

2. IdFeds: should continue to work on scalable minimal Attribute Assertions and adapt them to the GDPR.

5. General approach: create and implement standardised classifications for attribute assertions, i.e. Entity Categories.

7.

10. REFEDS: assess the GDPR implications for REFEDS R&S (use of consent, use outside the EU/EEA, and applicability as a certification mechanism), as listed in the table above.

11. eduGAIN: incorporate REFEDS R&S as BCP.

12. IdFeds: implement a lightweight audit before applying the REFEDS R&S tag, as listed in the table above.

13. eduGAIN: to address requirements regarding data breaches, adopt SIRTFI as recommended practice and support data breach handling through a central function.

14. IdFed: recommend that their IdPs, SPs and AAs use non-personal contact information in the metadata. If personal information is unavoidable, Article 15 (Right of Access by the data subject) applies.

15. eduGAIN: inform eduGAIN members that information about their SG delegate and deputy is published on the technical web site. Ensure that the individuals concerned are able to keep this information accurate and understand how it is used.

16. IdFed, IdPs: further investigate the use of consent when the Attribute Assertion is not necessary, including seeking a specific legal opinion when preparing the Best Common Practice (BCP).

17. IdPs: can, and perhaps should, inform users what personal data is released to the service, using an "OK" acknowledgement to support a transparent privacy notice rather than consent.

18. SPs: should enable the end user to look up what personal data the SP holds about them.

Interoperability with Jurisdictions outside the EU and EEA

19. eduGAIN, IdFed, SPs, IdPs: create a privacy policy that describes what personal data is used in the service and how, in order to fulfil the right to information on data processing. One notable effect of the right to erasure is that personal data, including personal data within logs, should not be kept longer than needed; the privacy policy shall state how long personal data is retained. The upcoming version 2 of the GÉANT Code of Conduct will contain information on how to uphold the rights of the End User, which can be adapted to provide a framework for such privacy policies.
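Two of the action points above (functional rather than personal contacts in metadata, and SIRTFI as recommended practice) can be checked mechanically against the SAML metadata a federation publishes. The following is an added example, not code from this page, from eduGAIN or from any federation's tooling. It parses a small metadata file that is constructed for this example (the entity IDs are hypothetical) and flags ContactPerson entries that carry a person's name or a personal-looking mailbox, and entities that assert the Sirtfi entity attribute without publishing a REFEDS security contact. The set of local parts treated as "functional" addresses is an assumption of the example and would be adjusted per federation.

```python
"""Lightweight GDPR-related checks on SAML metadata (added example; constructed input)."""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "remd": "http://refeds.org/metadata",
}
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SIRTFI = "https://refeds.org/sirtfi"
SECURITY_CONTACT = "http://refeds.org/metadata/contactType/security"

# Assumption for this example: mailbox local parts regarded as functional (role) addresses.
ROLE_LOCALPARTS = {"idp-admin", "sp-admin", "security", "abuse", "helpdesk", "csirt", "noc"}

# Constructed sample: first entity is non-compliant, second is compliant.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:remd="http://refeds.org/metadata">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
        <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:ContactPerson contactType="technical">
      <md:GivenName>Jane</md:GivenName><md:SurName>Doe</md:SurName>
      <md:EmailAddress>mailto:jane.doe@example.edu</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
        <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:ContactPerson contactType="technical">
      <md:EmailAddress>mailto:sp-admin@example.org</md:EmailAddress>
    </md:ContactPerson>
    <md:ContactPerson contactType="other"
        remd:contactType="http://refeds.org/metadata/contactType/security">
      <md:EmailAddress>mailto:security@example.org</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _emails(contact):
    """EmailAddress values of a ContactPerson, with any mailto: prefix stripped."""
    out = []
    for e in contact.findall("md:EmailAddress", NS):
        addr = (e.text or "").strip()
        out.append(addr[len("mailto:"):] if addr.lower().startswith("mailto:") else addr)
    return out


def _is_role_address(addr):
    """True if the local part looks like a functional mailbox rather than a person."""
    local = addr.split("@", 1)[0].lower()
    if re.fullmatch(r"[a-z]+\.[a-z]+", local):  # firstname.lastname style is personal
        return False
    return local in ROLE_LOCALPARTS


def asserts_sirtfi(ed):
    """True if the EntityDescriptor carries the Sirtfi assurance-certification value."""
    for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ASSURANCE_ATTR:
            if any((v.text or "").strip() == SIRTFI for v in attr.findall("saml:AttributeValue", NS)):
                return True
    return False


def has_security_contact(ed):
    """True if a ContactPerson is typed as a REFEDS security contact."""
    return any(c.get("contactType") == "other"
               and c.get("{%s}contactType" % NS["remd"]) == SECURITY_CONTACT
               for c in ed.findall("md:ContactPerson", NS))


def check_metadata(xml_text):
    """Return {entityID: [finding, ...]} for entities with findings only."""
    root = ET.fromstring(xml_text)
    eds = [root] if root.tag == "{%s}EntityDescriptor" % NS["md"] else root.findall(".//md:EntityDescriptor", NS)
    findings = {}
    for ed in eds:
        probs = []
        for c in ed.findall("md:ContactPerson", NS):
            ctype = c.get("contactType")
            if c.find("md:GivenName", NS) is not None or c.find("md:SurName", NS) is not None:
                probs.append("%s contact carries a person's name" % ctype)
            for addr in _emails(c):
                if not _is_role_address(addr):
                    probs.append("%s contact uses non-functional address %s" % (ctype, addr))
        if asserts_sirtfi(ed) and not has_security_contact(ed):
            probs.append("asserts Sirtfi but publishes no REFEDS security contact")
        if probs:
            findings[ed.get("entityID")] = probs
    return findings


if __name__ == "__main__":
    for entity_id, probs in check_metadata(SAMPLE_METADATA).items():
        print(entity_id)
        for p in probs:
            print("  -", p)
```

Run against the constructed sample, only the first entity is reported: its technical contact names a person and uses a personal mailbox, and it asserts Sirtfi without the security contact that Sirtfi requires. The mailbox heuristic is deliberately simple; a federation would replace ROLE_LOCALPARTS with its own policy.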
