- There is no access on a general basis to a database of users.
- The access only covers time-limited, minimised data of the single user who has chosen to authenticate that way and should already have been informed of the consequences.
- There are individual safeguards: we minimise, pseudonymise, encrypt and contractually limit the purpose for which the data can be used.
- Retaining data is actively counter-productive – the main benefit for the data importer is that they can get fresh data every time the individual logs in.
- There isn’t a “stable relationship between the exporter (IdP) and importer (SP)”: each has a relationship only with its own federation. Where there are such relationships (e.g. site licenses) then there’s already a contract to put the necessary safeguards in.