Child pages
  • Guidance on justification for attribute release for RandS

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  • There is no access on a general basis to a database of users:.
  • The access only covers time-limited, minimised data of the single user who has chosen to authenticate that way and should already have been informed of the consequences.
  • There are individual safeguards: we minimise, pseudonymise, encrypt and contractually limit the purpose for which the data can be used.
  • Retaining data is actively counter-productive – the main benefit for the data importer is that they can get fresh data every time the individual logs in.
  • There isn’t a “stable relationship between the exporter (IdP) and importer (SP)”: each has a relationship only with its own federation. Where there are such relationships (e.g. site licenses) then there’s already a contract to put the necessary safeguards in.