Please note this is a summary of the reasoning behind approaches taken to attribute release by federations, with particular reference to the REFEDS Research and Scholarship Entity Category. It does not constitute legal advice but does point to legal documentation that can be used to support the ideas in this process. All federations and organisations should take appropriate legal advice but are free to use this information to support arguments and processes. For more information see: https://refeds.org/research-and-scholarship
A. Useful Information Sources
- DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
- ARTICLE 29 DATA PROTECTION WORKING PARTY Opinion 06/2014 on the notion of legitimate interests of the data controller Under Article 7 of Directive 95/46/EC.
- ARTICLE 29 DATA PROTECTION WORKING PARTY Opinion 15/2011 on the definition of consent.
From 25th May 2018
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- "Consent, the Last Resort?" Blog post by Andrew Cormack.
- "Legitimate Interests and Federated Access Management." Blog post by Andrew Cormack.
- Data Protection Code of Conduct for Service Providers: Guidelines on "necessary" attributes.
With thanks to Andrew Cormack for allowing REFEDS to use his material for this advice piece.
B. Justification for Processing Data in Europe
Any organisation that processes personal data needs a legal justification (a "lawful basis") for doing so. Personal data is defined in GDPR as "information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." In a federation context this definition covers the attributes typically released by an identity provider, including persistent pseudonymous identifiers, since these are online identifiers that allow a person to be singled out.
Article 6(1) of the GDPR sets out six lawful bases: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest and legitimate interests. Only three of these would have a bearing on the typical exchanges within a research and education identity federation: consent, contractual and legitimate interests.
C. Consent Justification
Work has been done on consent modules for access management workflows and it is now easier to build this functionality into user screens, but there are concerns that in many scenarios consent could be seen as forced, as the subject has no choice but to pass the information if they want to use the resource. The Article 29 Working Party warns that consent may be a "false good solution". This is strengthened in the text of the GDPR, which is clear that consent must be freely given (Article 7) and that it can be withdrawn at any time, which an identity provider would then have to honour for subsequent releases.
"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement." (Recital 32).
D. Contractual Justification
The important text here is that release must be necessary for the performance of a contract to which the data subject is a party (Article 6(1)(b)). It could be argued that for some staff members, accessing services using federated identities is a function required by their job role, but this is difficult to assert for all scenarios. The argument is much more difficult for students and researchers, who typically have no contract with the service provider and whose relationship with the home organisation rarely requires use of a particular external service.
E. Legitimate Interests Justification
Use of Legitimate Interests under 1995 Directive
The Article 29 WP recognises that:
"...an appropriate assessment of the balance under Article 7(f), often with an opportunity to opt-out of the processing, may in other cases be a valid alternative to inappropriate use of, for instance, the ground of 'consent' or 'necessity for the performance of a contract'. Considered in this way, Article 7(f) presents complementary safeguards - which require appropriate measures - compared to the other pre-determined grounds. (p10)".
Use of Legitimate Interests under GDPR
The text of the GDPR makes a stronger case for the use of Legitimate Interests. This is described in Recitals 47 - 49.
F. Research and Scholarship Entity Category and Legitimate Interests
The Article 29 WP Opinion 06/2014 and the GDPR set out the following considerations for relying on Legitimate Interests. The table maps each of them on to the R&S Entity Category:

| Issue | Discussion | Review of R&S |
|---|---|---|
| Put in place safeguards | Data minimisation (only necessary attributes), privacy enhancing technologies (for example pseudonyms), transparency and a right to opt-out. | R&S addresses all of these areas. The Code of Conduct also has guidance on necessary attributes. |
| Balance the rights of data subjects and the rights of data controllers | Ensures the necessary flexibility for data controllers in situations where there is no undue impact on data subjects, while at the same time providing sufficient legal certainty and guarantees to data subjects that this open-ended provision will not be misused. The stronger the legitimate interest pursued by the data controller and the less harm the processing does to the interests of the data subject, the greater the likelihood that the activity will be lawful. | R&S addresses this by limiting the types of services that are allowed to claim the category and focusing on low-risk services that have a clearly identifiable need for personal information, such as wikis, collaboration tools and research services. |
| Impact management | Impact on the individual will depend on the nature of the personal information, how it is processed and what the individual would reasonably expect. | Controlled in the R&S use case by minimal attribute sets and the rule that an attribute must not be requested if it is not needed. |
| Define the "legitimate" reasons | Norms in the community concerned fall within this definition, as does the wish of both parties to provide and receive access. Those claiming legitimate interest should be able to explain their interest and how it satisfies the balancing test. | R&S provides this reason in its definition, so that release happens against an agreed set of criteria. |
| Ensure transparency | Relying on legitimate interests still means users have to be informed about what their personal information is being used for. Privacy notices should still be put in place by IdPs and SPs. | Transparency is provided by publishing lists of SPs in this category and clear descriptions of what is released. |
| Case-by-case | Legitimacy must be ensured for each service. | Each SP is considered on a case-by-case basis by the federation in question and reviewed annually. |
The "Balance" Test
In order to meet the requirements of Legitimate Interests, the Article 29 WP (Opinion 06/2014) suggests a balance test weighing the controller's interest against the impact on the data subject. The onus is on each home organisation / identity provider to carry out the balance test, but using R&S effectively helps organisations "pre-fill" it. Whilst legitimacy must be ensured for each service, we suggest that organisations only need to carry out the balance test once for all R&S services, as the services are vetted both at federation level and in an annual audit by REFEDS. The identity provider should record the outcome of that test so that it can be produced if challenged.
What if the data subject exercises his/her right to object?
Identity Providers need to be able to demonstrate a mechanism for users to opt out of data release, for example a per-service choice at the point of release or a request to the IdP operator. This can include scenarios where users lose access to the service because the attributes it requires are no longer released.
H. Use of R&S Outside of Europe
The GDPR states that it applies to "controllers and processors in the Union" (Recital 22) and to controllers and processors outside the Union "processing the data of data subjects who are in the Union" (Recital 23), although it is not clear how organisations outside of the EU will be made to comply with the requirements. This means the requirements of the GDPR impact nearly all participants in identity federation, as most will have some users in the EU or will serve EU-based users. Where transfers are happening outside of the EU, the GDPR allows for this to happen under one of three possible headings:
- On the basis of an adequacy decision (Article 45).
- Subject to appropriate safeguards (Article 46).
- Subject to a derogation (Article 49).
Countries and processes covered by an adequacy decision are clearly defined and documented. At the time of writing these countries are: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework; note that the Privacy Shield adequacy decision was later invalidated by the Court of Justice of the EU in July 2020, so the list should be checked against the current Commission decisions). Transfers to these countries can be made using the same criteria as any EU country.
Article 46 sets out a series of safeguards that can be used to permit transfer to a third country or international organisation. These include binding corporate rules, standard data protection clauses adopted by the Commission or a supervisory authority, an approved code of conduct and an approved certification mechanism, in each case combined with enforceable data subject rights.
REFEDS is actively following the guidelines on certification to see if R&S can be considered a certification approach in the future. This is likely to be a lengthy process.
At the time of writing, the Article 29 Working Party has an open consultation on its advice for Article 49. The Article lists a series of potential derogations that could be used for transfer (for example explicit consent of the data subject, or transfers necessary for the performance of a contract), but many of these will not prove adequate for federated access management, for the same reasons given for consent and contract above.