Hi Peter,
Thanks for your detailed response and sorry for not responding sooner.
We're not currently enabling the consent function on our IdPs but it is
now on our pipeline. We initially disabled it to simplify/streamline the
user experience- we run our Shibboleth IdP behind another Single Sign-on
system so Shibboleth is/was seen as something that's only visible if it
goes wrong :-).
It's a good point you make that any assertion could be considered
personal information under GDPR. In practice we (and no doubt others)
are classifying the risk based on whether the data is directly
identifiable or not.
I think I've now got enough to take to our meeting with the Data
Protection team. In practice I think we'll need to implement consent
before proceeding with applying R&S unilaterally. In the meantime we can
keep the status quo of releasing these attributes on request on a
per-service basis.
Kind regards,
Mark
On 28/02/2019 20:30, Peter Schober wrote:
> * Mark Cairney <[log in to unmask]> [2019-02-28 18:17]:
>> For those institutions who have signed up to it, what assurances did you
>> have to give your internal data providers in terms of data use and
>> retention? Were there any unexpected implications as a result of signing
>> up to it?
>
> FWIW, there's some Guidance from REFEDS wrt releasing data under
> REFEDS R&S:
>
> https://wiki.refeds.org/display/ENT/Guidance+on+justification+for+attribute+release+for+RandS
>
> Transfers to "third countries" are the weak spot here (if you're
> looking for one) due to relying on an interpreation of Art 49
> (derogations) favorable to federation participants.
>
> Though at the latest TIIME Workshop in Vienna some privacy researcher
> (and law PhD) shared an idea I haven't heard before, commenting that
> such release could be seen to be covered by a contract between the
> indidvidual and the institution (e.g. employment).
>
> If all else fails you could ask for consent (a Shibboleth IDPv3 would
> even do so by default) and come up with a plan to deal with the case
> where consent cannot be freely given by the subject because someone
> needed an R&S service for their research/work.
> (Asking for consent -- i.e., allowing someone to access a service at
> their own risk -- clearly is still preferable to not providing the
> service at all, of course.)
>
> But since we also have information duties to fulfill, which will in
> practice look very much like consent screens, doing this all right
> (not limited to the legal sense) requires quite a bit of effort.
> My own attempts at suggesting Shibboleth configuration to deal with
> the "information" vs. "consent" case based on the SP having the REFEDS
> R&S or GÉANT CoCo entity category labels or not are still not
> finalised...
>
>> At the moment we've been pretty cautious about releasing personal
>> data via Shibboleth to third parties and I suspect we're not alone
>> in this respect.
>
> Note that sending anything via SAML to any SP, even an "empty"
> authentication assertion (even without a NameID or a transient one)
> will likely be seen as giving out personal data under GDPR.
> (E.g. an Assertion ID will be there and will allow the IDP and SP to
> establish the identity of the person.)
>
> So if your IDP is part of a federation or interfederation you'd needed
> to terminate any transaction with an error message at the IDP if
> you're not prepared to risk sending any PII.
>
> Best regards,
> -peter
>
> ########################################################################
>
> To unsubscribe from the JISC-SHIBBOLETH list, click the following link:
> https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=JISC-SHIBBOLETH&A=1
>
--
/****************************
Mark Cairney
ITI Enterprise Services
Information Services
University of Edinburgh
Tel: 0131 650 6565
Email: [log in to unmask]
PGP: 0x435A9621
*******************************/
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
########################################################################
To unsubscribe from the JISC-SHIBBOLETH list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=JISC-SHIBBOLETH&A=1
|