Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: align with CoCo2 updates

...

  • Ensure that the Service Provider has committed to the Data Protection Code of Conduct for Service Providers

...

  • Release only Attributes that are adequate, relevant and not excessive for the Service ProviderIf the Service Provider requests only a particular Attribute value, release only that value and no other values
    • for instance, if the Service Provider requests only eduPersonAffiliation="member", do not release eduPersonAffiliation="faculty"
    • for instance, if the Service Provider requests only eduPersonEntitlement="http://xstor.com/contracts/HEd123", do not release eduPersonEntitlement="urn:mace:washington.edu:confocalMicroscope"
    • see SAML 2 Profile for the Code of Conduct for details on SAML metadata for requesting only particular values
  • Inform the end user on the Attribute release
    • by providing the following information to the user when s/he is accessing a new Service Provider for the first time
      • the identity of the Service Provider Organisation (mdui:DisplayName and mdui:Logo, if available, for better usability and look-and-feel)
      • the purpose of the service (mdui:Description)
      • a clickable link to the Service Provider's Privacy Notice document (mdui:PrivacyStatementURL)
      • for each Attribute, the Attribute name, description and value
      • an easily understood label can be displayed instead of displaying several closely related Attributes (eg the various name Attributes)
    • user can be provided a checkbox "don't show this information again". If they check it, the information above is not provided next time they log in to this Service Provider.
    • see How the Home organisation should inform the End user for details and GUI recommendations on how to inform the end user
  • use the data controller's legitimate interests as the legal grounds for attribute release
    • release only attributes that are flagged as NECESSARY (see SAML 2 Profile for the Code of Conduct 2.0 Entity Category for details on how this is done)
    • however, in certain jurisdiction (e.g. Switzerland) user consent may be needed for attribute release