...
The following requirements are proposed as a minimal expectation for a Federation Operator to be asserting R&S for Service Providers within their federation. It is important when using Legitimate Interests as a reason for processing data that organisations are able to demonstrate that that conducted an assessment, documented this assessment and given transparency and visibility to that assessment (see guidance from Article 29 WP).
Requirement | Implementation | |
---|---|---|
1. | The Federation Operator actively declares support for R&S | Declare support by email to contact@refeds.org. This will be re-verified as part of the REFEDS annual audit. |
2. | Maintain a detailed description of the federation's administrative process for tagging a Service Provider with R&S | Host a wiki or web page with information for SPs. |
3. | Have a clear assessment process for Service Providers | Consider using the following checks:
|
4. | Have a Process for reviewing use of R&S | Have measures in place to review R&S where you are the Registration Authority. This may be in line with the annual REFEDS review of R&S. |
5. | Have a Process for removing R&S from a Service Provider | Have a simple process that allows for the removal of R&S if an entity no longer meets the requirements, cannot demonstrate compliance or no longer wishes to support R&S. |