Good practice for Home organisations
Home Organisations managing Identity Provider servers do not commit to the Code of Conduct for Service Providers. However, Home Organisations as data controllers of their End users may consider taking the following steps to manage the attribute release to the Service Providers and reduce their risks:
- Study the Code of Conduct for Service Providers and, based on the Home Organisation's local risk management procedures, decide if a Service Provider's unilateral commitment to the Code of Conduct provides the Home Organisation with sufficient guarantees for an Attribute release
  - For instance, a Home Organisation may reduce its risks by releasing only non-sensitive attributes.
- Ensure that the Service Provider has committed to the Data Protection Code of Conduct for Service Providers
- Ensure that the Service Provider's Purpose of Processing is consistent with the Home Organisation's Purpose of Processing (typically, "support Research and Instruction").
  - the Code of Conduct does not provide support to this directly
  - the Entity Category SAML Entity Metadata Attribute work may assist a Home Organisation with filtering out Service Providers with a conflicting purpose of processing
- Release only Attributes that are adequate, relevant and not excessive for the Service Provider
- Inform the end user on the Attribute release
  - by providing the following information to the user when s/he is accessing a new Service Provider for the first time
    - the identity of the Service Provider Organisation (mdui:DisplayName and mdui:Logo, if available, for better usability and look-and-feel)
    - the purpose of the service (mdui:Description)
    - a clickable link to the Service Provider's Privacy Notice document (mdui:PrivacyStatementURL)
    - for each Attribute, the Attribute name, description and value
      - an easily understood label can be displayed instead of displaying several closely related Attributes (e.g. the various name Attributes)
  - the user can be provided with a checkbox "don't show this information again". If they check it, the information above is not provided next time they log in to this Service Provider.
  - see How the Home organisation should inform the End user for details and GUI recommendations on how to inform the end user
- use the data controller's legitimate interests as the legal grounds for attribute release
  - release only attributes that are flagged as NECESSARY (see Code of Conduct 2.0 Entity Category for details on how this is done)
  - however, in certain jurisdictions (e.g. Switzerland) user consent may be needed for attribute release
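
As an added example (not part of the original page and not taken from any Identity Provider product), the Python below applies three of the steps above to a Service Provider's SAML metadata: it checks for the Code of Conduct entity category, keeps only the attributes requested with `isRequired="true"`, and collects the mdui fields for the first-login notice. Assumptions: the entity-category URI and the `http://macedir.org/entity-category` attribute name come from the published specifications rather than this page, treating `isRequired="true"` as the NECESSARY flag is likewise an assumption, the function name `release_decision` is hypothetical, and the metadata and user attributes are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
# Assumption: entity-category value for Code of Conduct 2.0; confirm against the specification.
COCO_V2 = "https://refeds.org/category/code-of-conduct/v2"

# Constructed sample metadata for a fictional Service Provider.
SAMPLE_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
 xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" entityID="https://sp.example.org/shibboleth">
 <md:Extensions><mdattr:EntityAttributes>
  <saml:Attribute Name="http://macedir.org/entity-category">
   <saml:AttributeValue>https://refeds.org/category/code-of-conduct/v2</saml:AttributeValue>
  </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:Extensions><mdui:UIInfo>
   <mdui:DisplayName xml:lang="en">Example Wiki</mdui:DisplayName>
   <mdui:Description xml:lang="en">Collaboration wiki for researchers</mdui:Description>
   <mdui:PrivacyStatementURL xml:lang="en">https://sp.example.org/privacy</mdui:PrivacyStatementURL>
  </mdui:UIInfo></md:Extensions>
  <md:AttributeConsumingService index="0">
   <md:ServiceName xml:lang="en">Example Wiki</md:ServiceName>
   <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
   <md:RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241"/>
  </md:AttributeConsumingService>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def release_decision(metadata_xml, user_attrs):
    """Return (release, notice): attributes to send and the first-login notice fields."""
    # Parse only metadata taken from a signature-verified federation feed.
    sp = ET.fromstring(metadata_xml)
    cats = {v.text.strip()
            for a in sp.iterfind("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
            if a.get("Name") == ENTITY_CATEGORY
            for v in a.iterfind("saml:AttributeValue", NS) if v.text}
    if COCO_V2 not in cats:
        return {}, None  # no Code of Conduct commitment: nothing is released under this policy
    necessary = {r.get("Name") for r in sp.iter(f"{{{NS['md']}}}RequestedAttribute")
                 if r.get("isRequired") in ("true", "1")}  # xs:boolean allows "true" or "1"
    release = {name: value for name, value in user_attrs.items() if name in necessary}
    def ui(tag):  # first language variant found; a real notice would match the user's locale
        return (sp.findtext(f".//mdui:{tag}", namespaces=NS) or "").strip() or None
    notice = {"sp": ui("DisplayName"), "purpose": ui("Description"),
              "privacy_url": ui("PrivacyStatementURL"), "attributes": release}
    return release, notice
```

The `notice` dictionary holds what the user would be shown before the first release; attributes requested without `isRequired="true"` are dropped even when the Home Organisation holds a value for them.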