Why do I need to write a Privacy Policy for my Service Provider?
End Users intending to access your service might be interested to know how you treat the personal data the service needs. Therefore, the privacy policy document needs to be publicly accessible, without access restrictions.
The Privacy Policy should be available in English and optionally in other languages.
The privacy policy document should provide answers to questions like:
- For what purpose do you need the personal data?
- Who is responsible for the proper data handling at this site?
- What does the service do with the personal data?
- Does the service pass parts of the data further on in order to be able to provide its service?
- When will the personal data be deleted?
- Does the Service Provider support the GÉANT Data Protection Code of Conduct (update link)?
Where to start in writing a Privacy Policy?
Use this Privacy Policy Template to draft the Privacy Policy for your Service Provider. You should consult your organizational Privacy Policy, if available.
Checkout some privacy policies from SPs already accessible via eduGAIN:
- wiki.edugain.org (update link) (English)
- Funet FileSender (English/Finnish)
- Haka Attribute Test Service (English/Finnish)
- LAT - Language Archive Tools (English)
More examples of privacy policies can be found on the page that lists all sevices that support the GÉANT Data Protection Code of Conduct.
Where to publish the link to the Privacy Policy?
The URL pointing to the Privacy Policy must be published in the Metadata of the Service Provider, like in this example:
<md:EntityDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="https://wiki.edugain.org/shibboleth" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"> [ ... ] <SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol"> <Extensions> <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"> <mdui:PrivacyStatementURL xml:lang="en">https://wiki.edugain.org/eduGAIN:Privacy_policy</mdui:PrivacyStatementURL> [ ... ] </mdui:UIInfo> </Extensions> [... More SAML metadata ...]
In addition, end users should easily find the link also on the web interface of the service itself, not just in the Metadata.