...

With thanks to Andrew Cormack for allowing REFEDS to use his material for this advice piece.

...


Only three of these options would have a bearing on the typical exchanges within a research and education identity federation: consent, contractual and legitimate interests. One of the main problems with implementation under the 1995 Directive is that all of the processes are interpreted differently in different member states.

...

C.  Consent Justification

Work has been done on consent modules for access management workflows, and it is now easier to build this functionality into user screens. However, there are concerns that in many scenarios consent could be seen as forced, as the subject has no choice but to pass the information if they want to use the resource. The Article 29 Working Party warns that consent may be a "false good solution".

...

D.  Contractual Justification

The important text here is that release must be in line with the performance of a contract to which the data subject is a party.  It could be argued that for some staff members, accessing services using federated identities could be seen as a function that is required by their job role but this is difficult to assert for all scenarios.  The argument would be much more difficult for students and researchers. 

...

E.  Legitimate Interests Justification

The Research and Scholarship Entity Category relies on the legitimate interest approach.  This is supported by the Article 29 WP Opinion on Legitimate Interests documentation. 

...

Here are some of the topics discussed in the paper, what the WP says about them and how they are being addressed by one of the REFEDS tools: the Research and Scholarship Entity Category. There is a useful "balancing test" in Annex 1 of the WP paper that can be used by federations thinking of including a service under R&S. The Code of Conduct also has some useful information on good practice for home organisations.

| Issue | Discussion | Review of R&S |
| --- | --- | --- |
| Safeguards | Data minimisation (necessary), privacy enhancing technologies (for example pseudonyms), transparency and a right to opt-out. | R&S addresses all of these areas. The Code of Conduct also has information on necessary attributes. |
| Balance | Ensures the necessary flexibility for data controllers for situations where there is no undue impact on data subjects, while at the same time providing sufficient legal certainty and guarantees to data subjects that this open-ended provision will not be misused. The stronger the legitimate interest being pursued by the data controller and the less harm the processing does to the interests of the data subject, the greater the likelihood that the activity will be lawful. | R&S addresses this by limiting the types of services that are allowed to claim this category and focusing on low-risk services that have a clearly identifiable need for personal information such as wikis etc. |
| Impact Management | Impact on the individual will depend on the nature of the personal information, how it is processed and what the individual would reasonably expect. | Controlled in the R&S use case by minimal attribute sets and stress on the concept that an attribute must not be asked for if it is not needed. |
| What are "legitimate" reasons? | Norms in the community concerned fall into this definition, as does the idea of both parties wishing to provide and receive access. Those claiming legitimate interest should be able to explain their interest and how it satisfies this balancing test. | R&S provides this reason in its definition to support the process and to ensure that release is happening against an agreed set of criteria. |
| Transparency | Relying on legitimate interests still means users have to be informed about what their personal information is being used for. | Transparency is provided by keeping lists of SPs in this category and clear descriptions of what is being released. |
| Case-by-Case | Legitimacy must be ensured for each service. | Each SP is considered on a case-by-case basis by the federation in question and reviewed annually. |

F.  The "Balance" Test

STEP ONE: Assessing which legal ground may potentially apply under Article 7(a).
  • Review the six steps above to ensure that legitimate interests is the best model for moving forward.

STEP TWO: Qualifying an interest as 'legitimate' or 'illegitimate'.

  • Is it lawful (i.e. in accordance with EU and national law)?
  • Is it sufficiently clearly articulated to allow the balancing test to be carried out against the interests and fundamental rights of the data subject (i.e. sufficiently concrete)?
  • Does it represent a real and present interest (i.e. not be speculative)?

STEP THREE: Determining whether the processing is necessary to achieve the interest pursued.

  • Is there a less invasive means to reach the identified purpose of the processing and serve the legitimate interest of the data controller?

STEP FOUR: Establishing a provisional balance by assessing whether the data controller’s interest is overridden by the fundamental rights or interests of the data subjects.

  • Consider the nature of the interests.
  • Evaluate any possible prejudices.
  • Take into account the nature of the data requested (how sensitive?).
  • Take into account the nature of the data processing (how stored, profiled, where shared).
  • Consider the data subjects' reasonable expectations.
  • Evaluate the impact on the data subject.

STEP FIVE: Establishing a final balance by taking into account additional safeguards.

  • Identify possible safeguards that are in place (data minimisation, technical and organisational design, pseudonyms, transparency).

STEP SIX: Demonstrate compliance and ensure transparency.

  • Document the process (i.e. pages on your wiki about the R&S Entity Category and members).

STEP SEVEN: What if the data subject exercises his/her right to object?

  • Have a process to address opt-out.