The Data protection Code of Conduct (CoCo) enables safe attribute release between Identity and Service Providers within EU.
The following steps explain how to support the Code Of Conduct for a Service Provider.
- Read and understand the GEANT Data protection Code of Conduct for SPs:
- GÉANT Data Protection Code of Conduct for Service Providers
- For a more complete presentation of the Code of Conduct, please have a look at TNC2013 Code of Conduct Presentation or the memorandum prepared for Article 29 working party
- SP’s jurisdiction:
- Is the SP established in EU/EEA, or in a country/jurisdiction with adequate data protection (the EC white-list)?
- The GEANT Data protection Code of Conduct for SPs in EU/EEA is only applicable for those SPs
- Find out if the organization that is responsible for the SP feels comfortable to commit to the GEANT data protection Code of Conduct for SPs:
- As an SP administrator, you may need to ask someone above you in your organization
- Remember: In many cases there is nothing to worry about because in EU/EEA countries, many of the CoCo requirements are already mandated by the data protection laws
- Develop a list of attributes that are necessary for enabling access to the service:
- Provide a name and description for the service:
- There must be at least an English name and description
- Choose names that are meaningful for the end user who might not be familiar yet with the service
- Good example:
- Name: University of Tübingen's Weblicht tool for linguistics research
- Description: WebLicht is a chaining tool for linguistics research. It provides an execution environment for automatic annotation of text corpora.
- Bad example:
- Name: Finna
- Description: Public Interface Finna.
- Develop and publish a Privacy policy document:
- It must contain a link to the GÉANT Data Protection Code of Conduct: http://www.geant.net/uri/dataprotection-code-of-conduct/v1
- There must be at least an English version available:
- It is recommended to write the document using this template: Privacy Policy Guidelines for Service Providers
- Ensure that the Service Provider is registered in your federation/eduGAIN with the following SAML2 metadata elements:
- Entity Category attribute for the Code of Conduct
- mdui:PrivacyStatementURL
- list of md:RequestedAttributes
- mdui:Displayname (recommended)
- mdui:Description (recommended)
- For details of these elements, see SAML 2.0 profile for the Code of Conduct
- How these elements are registered depends on your local federation
- Find below an example of how the metadata looks like for a Service Provider that supports the GEANT Code Of Conduct.
<!-- This is the GEANT Code of Conduct Entity Attribute. Might be set by the federation operator only --> http://www.geant.net/uri/dataprotection-code-of-conduct/v1 <!-- This URL must contain a privacy statement that must include a link to the GEANT Code of Conduct (http://www.geant.net/uri/dataprotection-code-of-conduct/v1) --> https://wiki.edugain.org/eduGAIN:Privacy_policy <!-- At minimum an English display name and a description --> eduGAIN Wiki This wiki provides recommendations and instructions on how to enable web services for eduGAIN. eduGAIN Wiki Dieses Wiki enthält Empfehlungen und Anleitungen um Webdienste für eduGAIN anzupassen. eduGAIN Wiki Ce wiki met à disposition des recommandations et instructions expliquant comment intégrer des services web dans eduGAIN. [... More SAML metadata ...]