Versions Compared

Old Version 3

changes.mady.by.user Mikael Linden

Saved on

compared with

New Version Current

changes.mady.by.user Peter Brand

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: fix broken (most) links

...

This will likely result in a situation where all parties are facing some unmanaged risks and liabilities. This document describes what happens and who suffers if someone fails to fulfill their requirements. This document also suggests an approach (the Code of Conduct) that can be used by Home Organisations and Service Providers to minimize the risk that arises from depending on each other. Acting without an absolute assurance creates risk and potential liability; the suggested approach atempts to minimize that risk.

 

2. Goals

The goal is to facilitate easy sharing of appropriate end users’ Attributes by his/her Home Organization with remote Service Providers in a manner that is consistent with law and accepted practice, and minimizes the risk for all parties.

  1. Create an environment where campus users can expect to successfully login and enter destination Service Provider sites that use Attribute values asserted by their Home Organization
  2. Allow all parties to remain sufficiently compliant with regional and national laws and regulations guarding personal privacy in order for the risk of non-compliance to be acceptable to all the parties. Find an appropriate balance between risk and value for all parties.
  3. Provide suggestions to Federations, Home Organisations and Service Providers on Business Practices that are believed to be consistent with the EU data protection directive and its interpretations.
  4. Provide suggestions that would allow Attribute release to a Service Provider in EU/EEA.

...

3. Approach

This paper is most definitely NOT a legal opinion, and should not be relied on as such. A recommendation with no guarantee is the best we can ever have. 

3.1. The Highly Collaborative Research and Higher Education Environment

...

Operating with less than perfect compliance means that there will be non-zero risk. Responsibility for failure will fall wherever the legal system assigns it, which may not be the "obviously guilty" party. For example, the EU Data protection directive may assign responsibility to the Home Organisation if a Service Provider spills data due to poor practice. 

3.2. Using Contracts to Further Minimize Risk

The EU Data protection directive does not explicitly require a contract between a Home Organisation and Service Provider. However, a contract would always be the safest and most predictable way to achieve Minimum risk. According to the UK Information commissioner, "A decision to share personal data with another organisation does not take away your duty to treat individuals fairly. So before sharing personal data, you should consider carefully what the recipient will do with it, and what the effect on individuals is likely to be. It is good practice to obtain an assurance about this, for example in the form of a written contract."

...

However, it is not uncommon that even if there is a contract already in place that it completely ignores data protection issues. See, for instance, the JISC model licenses on digital contents for education and research.

 

3.3. EU Data Protection Law as the Starting Point

...

However, for a Service Provider in a jurisdiction outside EU/EEA, this Code of Conduct actually proposes new responsibilities which extend the requirements in local laws. Therefore, releasing Attributes from a Home Organisation in EU/EEA to a Service Provider outside EU/EEA (and outside countries with adequate data protection like Switzerland) is likely to require stronger guarantees (For instance, the model contracts of European Commission) than what the Code of Conduct currently offers. 

3.4. A Global Approach Needed

...

It is likely that there are other approaches to addressing these risks that would be judged to be acceptable. However, global inter-operation will succeed only by adopting a single approach. There is a need for broad consensus around a deployment profile that describes the technical mechanisms to address these requirements. Partial implementations of the agreed upon profile are unlikely to inter-operate (either technically or legally). Federations, Home Organisations, and Service Providers must work out their preferred balance of following the common recommendation as opposed to bilateral hacks.

 

4. When Does Risk Arise?

The Introduction to Data protection directive document, in Section 13, provides a summary of specific requirements from the Data protection directive for both Home Organisations and Service Providers. Clearly a party is at risk if it does not directly address the requirements associated with its Role.

...

In situations lacking a contract, each Home Organisation must determine its risk appetite. The regulations assume that each Home Organisation will assess the risk with each Service Provider. In the absence of any additional information, suggestions, or hints, it is reasonable to assume that a) very few Home Organisations would be able to assess every potential Service Provider, and b) the set of Home Organisations that do assessments will produce a variety of answers. From the Service Providers perspective this approach is not scaleable; it will result in too much uncertainty and variation. The problem for Service Providers in this environment is that they cannot know how many Home Organisations are going to be willing to release, so they will always have to cope with less than 100% coverage of its users.

 

4.1. Summary of Home Organisation and Service Provider Responsibilities

...

Clearly, both the Home Organisation and the Service Provider have specific responsibilities which they must meet. 

4.2. Description of the Risks

...

Alternatively, a Service Provider may be willing to process Attributes without any contract or signal, concluding that if the Home Organisation *does not* do its part then the Home Organisation will actually have committed a more serious breach of the law. Unfortunately the difference in national interpretations and enforcement means you cannot rely on both Home Organisation and Service Provider coming to the same risk assessment.

 

4.3. Legal Description of the Risk

...

Article 17. Security of processing. 1. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. 

5. Managing Risk with the Code of Conduct

...

The specific text of the generally approved Code of Conduct can be found in Code of Conduct for Service Providers. These are the statements that a Home Organisation would ask to be included in a contract, if there were a contract. Minimally, the Home Organisation must be assured that all the processing being done by the Service Provider is lawful and provides appropriate privacy safeguards.

...

In a slightly modified approach, the declaration had provisions both for the Home Organisations and Service Providers and both the Home Organisations and Service Providers could commit to it. As an outcome, each Home Organisation and Service Provider who has committed to the the declaration would have a direct contractual relationship, without a need to sign bilateral contracts. This approach would translate the unilateral declaration into a multilateral agreement, but adds some complexity by requiring commitment also from the Home Organisations. 

6. Other Possible Models to Manage Risk

...

Note that the term "deployment model" refers to each Home Organisation and Service Provider combination. A single Home Organisation could use different models with different Service Providers. 

6.1 Home Organisation and Service Provider have a bilateral contract

...

  • contains language similar to the Code of Conduct for Service Providers
  • the role(s) of the Home Organisation and Service Provider (data controller, data processor, shared role in some fashion)
  • which party assumes which aspects of liability,
  • identifying which user Attributes and values are shared, and what processing is performed on them,
  • require that the Home Organisation agree to perform user INFORM/CONSENT processing
  • require that the Home Organisation and Service Provider follow the Metadata recommendations.

...

This and the model presented in section 5 can be used in parallel. The unilateral declaration signed and published by a Service Provider can act as a baseline. Those Home Organisations which are not satisfied by the quarantees provided by the unilateral declaration can enter into a bilateral contract with the Service Provider.

 

6.2 Home Organisations and Service Providers sign a contract with the same third party

...

The assumption is that the third party is a Federation, and that the Home Organisation and Service Provider have both signed the Federation's Participation Agreement (PA). Language in the PA could impose specific responsibilities on both Home Organisations and Service Providers. This language could address risk situations. For example, it might require certain specific practices by Service Providers with respect to Attributes that it receives, and impose requirements on how Service Providers process and handle Attributes. (This language could be similar to the eduGAIN Code of Conduct for Service Providers.) The PA might also require Home Organisations to obtain user consent before releasing any Attributes described as optional in the Service Provider's metadata entry.

...

In a more centralised model, the third party does not provide just suggestions but actually negotiates the attribute release policy with the Service Provider on behalf of the Home Organisations and takes legal responsibility of the outcome.

 

7. Alternative approach: Service Provider categories

...

In addition, each category might have associated with it a list of suggested possible Attributes. These lists could help both Service Providers and Home Organisations in their thinking about which Attributes might be relevant and useful for a Service Provider. 

7.1 The Renater and InCommon model

Renater, the French Federation for higher education and research, has created a process to aid Home Organisations in making their Attribute release decisions. The federation has defined a set of categories (e.g. e-learning resource, groupware service, business application, etc). Each category has associated with it a set of "possible" Attributes for release. The Federation investigates each Service Provider and places them into an appropriate category. In addition, for each Service Provider, the Federation recommends a set of Attributes to be released (which can be narrower than the set associated with the category). The Home Organisation can then decide whether or not to accept the Federation's advice.

Also InCommon has started with one category (research and scholarship) but expects to extend the list. The federation inserts a particular EntityAttribute to the Service Provider's SAML 2.0 metadata to indicate it has been approved to the category.

 

7.2 Discussion

The approach does not cause the Home Organisations data protection liability to disappear, but may result in a Home Organisation being more comfortable releasing Attributes.

...

  1. The Federation is not assuming the Home Organisation's risk; it is merely providing advice.

...

8. Sources of Information

  1. The OECD privacy principles (from Part 2 of the Annex to the OECD Privacy Guidelines), which have been the basis for the EU data protection directive. The benefit is, that OECD is not limited just to the UK or Europe.
  2. The EU Data Protection Directive 95/46/EC (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data)
  3. Additional material is provided by the Article 29 Data Protection Working Party
    1. Opinion on the Concept of Personal Data pdf
    2. Opinion on the concepts of "controller" and "processor" pdf
    3. Opinion on Consent pdf
  4. In addition, while the legal principles are buried in the Directive, the UK law provides a different presentation, which may be more readable
  5. An opinion from the European Court that a member state cannot further limit the power to process data, by adding an additional qualification to their equivalent of Art 7f. There are comments that this is a reminder that the Directive is supposed to \*promote\* the flow of data at the same time as protecting the privacy of individuals.
    1. A related blog posting
  6. A memo from DLA Piper to the eduGAIN project
  7. The REFEDS paper on data protection in Federated Access Management pdf
  8. The eduGAIN Policy Framework Data Protection Good Practice Profile ver 1.0 pdf