Versions Compared

Comment: Fixed two URLs on old Jisc blog

...

General Advice

...

The Research and Scholarship Entity Category relies on the legitimate interest approach. This is supported by the Article 29 WP Opinion on Legitimate Interests documentation. There has been some concern expressed that Legitimate Interests cannot be used for Public Authorities, as in some countries universities and colleges are deemed Public Authorities, but this limitation applies only to activities that directly relate to the "public" aspects of the work undertaken by that organisation. A student accessing a scholarly article or the typical day-to-day work of a researcher would not fall under the "public" aspects of the organisation. There is a useful article detailing how this has been addressed in the UK.

Use of Legitimate Interests under 1995 Directive

...

Issue: Put in Place Safeguards
Discussion: Data minimisation (necessary), privacy enhancing technologies (for example pseudonyms), transparency and a right to opt-out.
Review of R&S: R&S addresses all of these areas. The Code of Conduct also has information on necessary attributes. We'd also recommend reviewing the Privacy Notice of an SP and encouraging them to populate the privacy statement URL in metadata.

Issue: Balance the Rights of Data Subjects and the Rights of Data Controllers
Discussion: Ensures the necessary flexibility for data controllers for situations where there is no undue impact on data subjects, while at the same time providing sufficient legal certainty and guarantees to data subjects that this open-ended provision will not be misused. The stronger the legitimate interest being pursued by the data controller and the less harm the processing does to the interests of the data subject, the greater the likelihood that the activity will be lawful.
Review of R&S: R&S addresses this by limiting the types of services that are allowed to claim this category and focusing on low-risk services that have a clearly identifiable need for personal information such as wikis etc.

Issue: Impact Management
Discussion: Impact on the individual will depend on the nature of the personal information, how it is processed and what the individual would reasonably expect.
Review of R&S: Controlled in the R&S use case by minimal attribute sets and stress on the concept that an attribute must not be asked for if it is not needed.

Issue: Define the "legitimate" reasons?
Discussion: Norms in the community concerned fall into this definition, as does the idea of both parties wishing to provide and receive access. Those claiming legitimate interest should be able to explain their interest and how it satisfies this balancing test.
Review of R&S: R&S provides this reason in its definition to support the process and to ensure that release is happening against an agreed set of criteria.

Issue: Ensure Transparency
Discussion: Relying on legitimate interests still means users have to be informed about what their personal information is being used for. Privacy notices should still be put in place by IdPs and SPs.
Review of R&S: Transparency is provided by keeping lists of SPs in this category and clear descriptions of what is being released.

Issue: Case-by-Case
Discussion: Legitimacy must be ensured for each service.
Review of R&S: Each SP is considered on a case-by-case basis by the federation in question and reviewed annually.

...

Countries and processes covered by an adequacy decision are clearly defined and documented. At the time of writing these countries are: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework). Transfers to these countries can be made using the same criteria as any EU country. Since July 2020, the US Privacy Shield has been determined invalid for international transfers.

Safeguards

Article 46 sets out a series of safeguards that can be used to permit transfer to a third country or international organisation.  These are:

  • A legally binding and enforceable instrument between public bodies.
  • Binding Corporate Rules.
  • Standard data protection clauses adopted by the Commission.  The wording for these contracts can be found here.
  • An approved Code of Conduct.
  • An approved Certification mechanism. 

Of these, only the Code of Conduct approach is used significantly at this point in time in our community. Guidelines are being developed for the use of Binding Corporate Rules and Certification, but it may be some time before they can be practically used by organisations.

GÉANT is exploring a Code of Conduct that can be used at international scale. This could be used in conjunction with R&S to support data transfer to third countries and international organisations. As things currently stand, the Dutch Data Protection Authority has declared that it will not be possible to have a Code of Conduct for GÉANT that covers both EU transfers and non-EU transfers.

REFEDS is actively following guidelines on Certification to see if R&S can be considered a certification approach in the future. This is likely to be a lengthy process.

Derogation

At the time of writing, the Article 29 Working Party have an open consultation on their guidelines for the use of derogation under Article 49. The Article lists a series of potential derogations that could be used for transfer, but many of these will not prove adequate for federated access management.

...

  • There is no access on a general basis to a database of users.
  • The access only covers minimised data of the single user who has chosen to authenticate that way and should already have been informed of the consequences.
  • There are individual safeguards: we minimise, pseudonymise, encrypt and contractually limit the purpose for which the data can be used.
  • Retaining data is actively counter-productive – the main benefit for the data importer is that they can get fresh data every time the individual logs in.
  • There isn’t a “stable relationship between the exporter (IdP) and importer (SP)”: each has a relationship only with its own federation. Where there are such relationships (e.g. site licenses) then there’s already a contract to put the necessary safeguards in.

...