...
However, the Data protection regulators and the groups developing and enforcing these regulations recognize that there is a balance between full disclosure to meet the requirements and usability. A poor design of the user interaction screens can actually reduce the likelihood that users will understand what is happening.
1.1 Requirements from the Directive
For the requirements on informing the end user, see Introduction to Data protection directive, section 8.
For the requirements on user consent, see Introduction to Data protection directive, section 9.
Note: Introduction to Code of Conduct proposes to defer release of optional extra Attributes based on user consent until Phase 2.
1.2 General Principles for informing the user
...
There are other attributes where the values are intentionally opaque (e.g. ePE="urn:mace:rediris.es:entitlement:wiki:tfemc2"). It is NOT reasonable to expect the end user to understand what this value means and to pick up a particular value to be released. Instead, natural language descriptions of the vallues should be provided.
A good way to explain to a user why there is a transfer of information is "your email, name and affiliation will be transfered, as we do for international projects like Zyzzy, VO2 and Tjollabong". Explaining by analogy is human, albeit not necessarily academic in all disciplines.
1.3 Recommendations
See SAML 2 Profile for the Data Protection Code of Conduct for details on the related SAML2 metadata elements.
...
- The user MUST be informed on the attribute release separately for each SP.
- The user MUST be presented with the mdui:DisplayName value for the SP, if it is available.
- The user MUST be presented with the mdui:Description value for the SP, if it is available.
- The user SHOULD be presented with the mdui:Logo image for the SP, if it is available.
- The user MUST be provided with access (e.g. a clickable link) to the document referenced by the mdui:PrivacyStatementURL.
- The IDP MUST present a list of the RequestedAttributes defined as NECESSARY. No user consent is required before release. (However, given how web browsers work, the user may have to click a CONTINUE button in order to continue in the sequence.)
- The IDP MAY list the NECESSARY attributes on the same screen as the username/password entry boxes, making clear that *if* you login then this is what will happen. It MUST be clear to the user that the consequence of their next action will be to release the attributes. NOTE -- the attribute values for the specific user are not available when the login screen is presented, since the user's identity is not yet known.
- The display software SHOULD provide the ability to configure and display localised descriptions of the attributes (e.g. what PersistentID means) and their values (e.g. what eduPersonEntitlement="urn:mace:rediris.es:entitlement:wiki:tfemc2" means)
- The display software MAY inform the user of the release of an "attribute group" (eg attributes expressing the user's "name"), and then release all requested attributes in the group (e.g. various forms of the user's name such as cn, sn, givenName and displayName).
- The display software MAY give the user the option to remember that they have been INFORMed of the release of the necessary attributes.
- If any of the following has changed since the user accessed this SP for the last time, the user MUST be prompted again for the INFORM interaction
- the list of attributes the SP requests
- the DisplayName of the SP
- the Description of the SP
...