This will likely result in a situation where all parties are facing some unmanaged risks and liabilities. This document describes what happens and who suffers if someone fails to fulfill their requirements. This document also suggests an approach (the Code of Conduct) that can be used by Home Organisations and Service Providers to minimize the risk that arises from depending on each other. Acting without an absolute assurance creates risk and potential liability; the suggested approach atempts to minimize that risk.
The goal is to facilitate easy sharing of appropriate end users’ Attributes by his/her Home Organization with remote Service Providers in a manner that is consistent with law and accepted practice, and minimizes the risk for all parties.
- Create an environment where campus users can expect to successfully login and enter destination Service Provider sites that use Attribute values asserted by their Home Organization
- Allow all parties to remain sufficiently compliant with regional and national laws and regulations guarding personal privacy in order for the risk of non-compliance to be acceptable to all the parties. Find an appropriate balance between risk and value for all parties.
- Provide suggestions to Federations, Home Organisations and Service Providers on Business Practices that are believed to be consistent with the EU data protection directive and its interpretations.
- Provide suggestions that would allow Attribute release to a Service Provider in EU/EEA.
This paper is most definitely NOT a legal opinion, and should not be relied on as such. A recommendation with no guarantee is the best we can ever have.
3.1. The Highly Collaborative Research and Higher Education Environment
Operating with less than perfect compliance means that there will be non-zero risk. Responsibility for failure will fall wherever the legal system assigns it, which may not be the "obviously guilty" party. For example, the EU Data protection directive may assign responsibility to the Home Organisation if a Service Provider spills data due to poor practice.
3.2. Using Contracts to Further Minimize Risk
However, it is not uncommon that even if there is a contract already in place that it completely ignores data protection issues. See, for instance, the JISC model licenses on digital contents for education and research.
3.3. EU Data Protection Law as the Starting Point
However, for a Service Provider in a jurisdiction outside EU/EEA, this Code of Conduct actually proposes new responsibilities which extend the requirements in local laws. Therefore, releasing Attributes from a Home Organisation in EU/EEA to a Service Provider outside EU/EEA (and outside countries with adequate data protection like Switzerland) is likely to require stronger guarantees (For instance, the model contracts of European Commission) than what the Code of Conduct currently offers.
3.4. A Global Approach Needed
It is likely that there are other approaches to addressing these risks that would be judged to be acceptable. However, global inter-operation will succeed only by adopting a single approach. There is a need for broad consensus around a deployment profile that describes the technical mechanisms to address these requirements. Partial implementations of the agreed upon profile are unlikely to inter-operate (either technically or legally). Federations, Home Organisations, and Service Providers must work out their preferred balance of following the common recommendation as opposed to bilateral hacks.
4. When Does Risk Arise?
The Introduction to Data protection directive document, in Section 13, provides a summary of specific requirements from the Data protection directive for both Home Organisations and Service Providers. Clearly a party is at risk if it does not directly address the requirements associated with its Role.
In situations lacking a contract, each Home Organisation must determine its risk appetite. The regulations assume that each Home Organisation will assess the risk with each Service Provider. In the absence of any additional information, suggestions, or hints, it is reasonable to assume that a) very few Home Organisations would be able to assess every potential Service Provider, and b) the set of Home Organisations that do assessments will produce a variety of answers. From the Service Providers perspective this approach is not scaleable; it will result in too much uncertainty and variation. The problem for Service Providers in this environment is that they cannot know how many Home Organisations are going to be willing to release, so they will always have to cope with less than 100% coverage of its users.
4.1. Summary of Home Organisation and Service Provider Responsibilities
Both the Home Organisation and the Service Provider have specific responsibilities.
Introduction to Data protection directive, section 13, Provided a complete list of concrete design requirements for Attribute Release. The responsibilities of the Home Organisation include but are not limited to:
Clearly, both the Home Organisation and the Service Provider have specific responsibilities which they must meet.
4.2. Description of the Risks
Alternatively, a Service Provider may be willing to process Attributes without any contract or signal, concluding that if the Home Organisation *does not* do its part then the Home Organisation will actually have committed a more serious breach of the law. Unfortunately the difference in national interpretations and enforcement means you cannot rely on both Home Organisation and Service Provider coming to the same risk assessment.
4.3. Legal Description of the Risk
Article 17. Security of processing. 1. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
5. Managing Risk with the Code of Conduct
The specific text of the generally approved Code of Conduct can be found in Code of Conduct for Service Providers. These are the statements that a Home Organisation would ask to be included in a contract, if there were a contract. Minimally, the Home Organisation must be assured that all the processing being done by the Service Provider is lawful and provides appropriate privacy safeguards.
Without a contract, it is difficult to impose penalties on misbehaving parties. The Handling non-compliance document that is a part of the CoC recommends several approaches when a party suspects that another party is not operating in compliance with the CoC.
In a slightly modified approach, the declaration had provisions both for the Home Organisations and Service Providers and both the Home Organisations and Service Providers could commit to it. As an outcome, each Home Organisation and Service Provider who has committed to the the declaration would have a direct contractual relationship, without a need to sign bilateral contracts. This approach would translate the unilateral declaration into a multilateral agreement, but adds some complexity by requiring commitment also from the Home Organisations.
6. Other Possible Models to Manage Risk
Note that the term "deployment model" refers to each Home Organisation and Service Provider combination. A single Home Organisation could use different models with different Service Providers.
6.1 Home Organisation and Service Provider have a bilateral contract
- contains language similar to the Code of Conduct for Service Providers
- the role(s) of the Home Organisation and Service Provider (data controller, data processor, shared role in some fashion)
- which party assumes which aspects of liability,
- identifying which user Attributes and values are shared, and what processing is performed on them,
- require that the Home Organisation agree to perform user INFORM/CONSENT processing
- require that the Home Organisation and Service Provider follow the Metadata recommendations.
This and the model presented in section 5 can be used in parallel. The unilateral declaration signed and published by a Service Provider can act as a baseline. Those Home Organisations which are not satisfied by the quarantees provided by the unilateral declaration can enter into a bilateral contract with the Service Provider.
6.2 Home Organisations and Service Providers sign a contract with the same third party
The assumption is that the third party is a Federation, and that the Home Organisation and Service Provider have both signed the Federation's Participation Agreement (PA). Language in the PA could impose specific responsibilities on both Home Organisations and Service Providers. This language could address risk situations. For example, it might require certain specific practices by Service Providers with respect to Attributes that it receives, and impose requirements on how Service Providers process and handle Attributes. (This language could be similar to the eduGAIN Code of Conduct for Service Providers.) The PA might also require Home Organisations to obtain user consent before releasing any Attributes described as optional in the Service Provider's metadata entry.
In a more centralised model, the third party does not provide just suggestions but actually negotiates the attribute release policy with the Service Provider on behalf of the Home Organisations and takes legal responsibility of the outcome.
7. Alternative approach: Service Provider categories
In addition, each category might have associated with it a list of suggested possible Attributes. These lists could help both Service Providers and Home Organisations in their thinking about which Attributes might be relevant and useful for a Service Provider.
7.1 The Renater and InCommon model
Also InCommon has started with one category (research and scholarship) but expects to extend the list. The federation inserts a particular EntityAttribute to the Service Provider's SAML 2.0 metadata to indicate it has been approved to the category.
The approach does not cause the Home Organisations data protection liability to disappear, but may result in a Home Organisation being more comfortable releasing Attributes.
According to the EU Data protection directive, Home Organisations have an obligation to ensure that the purpose of processing personal data in the Service Provider does not conflict with the purpose of processing in the Home Organisation. Service Provider categories would enable the Home Organisations to filter out those Service Providers whose purpose is conflicting with that of the Home Organisation.
- The Federation is not assuming the Home Organisation's risk; it is merely providing advice.
8. Sources of Information
- The OECD privacy principles, which have been the basis for the EU data protection directive. The benefit is, that OECD is not limited just to the UK or Europe.
- The EU Data Protection Directive 95/46/EC (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data)
- Additional material is provided by the Article 29 Data Protection Working Party
- In addition, while the legal principles are buried in the Directive, the UK law provides a different presentation, which may be more readable
- A recent An opinion from the European Court that a member state cannot further limit the power to process data, by adding an additional qualification to their equivalent of Art 7f. There are comments that this is a reminder that the Directive is supposed to \*promote\* the flow of data at the same time as protecting the privacy of individuals.
- A related blog posting
- A memo from DLA Piper to the eduGAIN project
- The REFEDS paper on data protection in Federated Access Management pdf
- The eduGAIN Policy Framework Data Protection Good Practice Profile ver 1.0 pdf