Please note this is a summary of the reasoning behind approaches taken to attribute release by federations. It does not constitute legal advice but does point to legal documentation that can be used to support the ideas in this process. All federations and organisations should take appropriate legal advice but are free to use this information to support arguments and processes.
RELEASING PERSONAL DATA:
Any organisation that processes personal data needs to have a legal justification for doing so. There are 6 use-cases in which you can share personal data within the EU:
SOURCE:
DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:01995L0046-20031120&rid=1 |
Reason | Short Name used by REFEDS | Issues |
The data subject has unambiguously given his consent. | CONSENT | Consent must be unambiguous – forcing people to tick boxes for access can be seen as forced consent. |
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. | CONTRACT | Limited cases where the data subject is legitimately required by contract to provide personal data. |
Processing is necessary for compliance with a legal obligation to which the data controller is subject. | LEGAL OBLIGATION | Unlikely to apply in REFEDS scenarios. |
Processing is necessary in order to protect the vital interests of the data subject. | VITAL INTEREST | Unlikely to apply in REFEDS scenarios. |
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed. | PUBLIC INTEREST | Unlikely to apply in REFEDS scenarios. |
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed. | LEGITIMATE INTEREST | Can be claimed that legitimate interest exists where users need to give certain pieces of data to use a tool for their study / work. |
Only three of these options would have bearing in the typical exchanges within a research and education identity federation: consent, contractual and legitimate interests. Work has been done on consent modules for access management workflows, but there are concerns that in many scenarios consent could be seen as forced as the subject has no choice but to pass the information if they want to use the resource.
LEGITMATE INTERESTS AND RESEARCH AND SCHOLARSHIP
The Research and Scholarship Entity Category relies on the legitimate interest approach. This is supported by the Article 29 WP Opinion on Legitimate Interests documentation.
SOURCE:
ARTICLE 29 DATA PROTECTION WORKING PARTY Opinion 06/2014 on the notion of legitimate interests of the data controller Under Article 7 of Directive 95/46/EC
|