
 Please note this is a summary of the reasoning behind approaches taken to attribute release by federations.  It does not constitute legal advice but does point to legal documentation that can be used to support the ideas in this process.  All federations and organisations should take appropriate legal advice but are free to use this information to support arguments and processes.

A. Useful Information Sources

With thanks to Andrew Cormack for allowing REFEDS to use his material for this advice piece.

B. Justification for Processing Data

Any organisation that processes personal data needs to have a legal justification for doing so.   There are 6 use-cases in which you can share personal data within the EU. 

| Reason | Short Name used by REFEDS | Issues |
| --- | --- | --- |
| The data subject has unambiguously given his consent. | CONSENT | Consent must be unambiguous – forcing people to tick boxes for access can be seen as forced consent. |
| Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. | CONTRACTUAL | Limited cases where the data subject is legitimately required by contract to provide personal data. |
| Processing is necessary for compliance with a legal obligation to which the data controller is subject. | LEGAL OBLIGATION | Unlikely to apply in REFEDS scenarios. |
| Processing is necessary in order to protect the vital interests of the data subject. | VITAL INTEREST | Unlikely to apply in REFEDS scenarios. |
| Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed. | PUBLIC INTEREST | Unlikely to apply in REFEDS scenarios. |
| Processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed. | LEGITIMATE INTEREST | Can be claimed that legitimate interest exists where users need to give certain pieces of data to use a tool for their study / work. |


Only three of these options would have bearing in the typical exchanges within a research and education identity federation: consent, contractual and legitimate interests.  One of the main problems with implementation under the 1995 Directive is that all of the processes are interpreted differently in different member states. 

D.  Consent Justification

Work has been done on consent modules for access management workflows and it is now easier to build this functionality into user screens, but there are concerns that in many scenarios consent could be seen as forced, as the subject has no choice but to pass the information if they want to use the resource. The Article 29 Working Party warn that consent may be a "false good solution".

E.  Contractual Justification

The important text here is that release must be in line with the performance of a contract to which the data subject is a party.  It could be argued that for some staff members, accessing services using federated identities could be seen as a function that is required by their job role but this is difficult to assert for all scenarios.  The argument would be much more difficult for students and researchers. 

C.  Legitimate Interests Justification

The Research and Scholarship Entity Category relies on the legitimate interest approach.  This is supported by the Article 29 WP Opinion on Legitimate Interests documentation. 

The Article 29 WP recognises that:

"The current text of Article 7(f) of the Directive is open ended. This flexible wording leaves much room for interpretation and has sometimes as experience has shown led to lack of predictability and lack of legal certainty. However, if used in the right context, and with the application of the right criteria, as set out in this Opinion, Article 7(f) has an essential role to play as a legal ground for legitimate data processing."

The Article 29 WP states that:

"...an appropriate assessment of the balance under Article 7(f), often with an opportunity to opt-out of the processing, may in other cases be a valid alternative to inappropriate use of, for instance, the ground of 'consent' or 'necessity for the performance of a contract'. Considered in this way, Article 7(f) presents complementary safeguards - which require appropriate measures - compared to the other pre-determined grounds. (p10)".

Here are some of the topics discussed in the paper, what the WP says about them and how they are being addressed by one of the REFEDS tools: the Research and Scholarship Entity Category. There is a useful "balancing test" in Annex 1 of the WP paper that can be used by federations thinking of including a service under R&S.

| Issue | Discussion | Review of R&S |
| --- | --- | --- |
| Safeguards | Data minimisation, privacy enhancing technologies (for example pseudonyms), transparency and a right to opt-out. | R&S addresses all of these areas. |
| Balance | Ensures the necessary flexibility for data controllers for situations where there is no undue impact on data subjects, while at the same time providing sufficient legal certainty and guarantees to data subjects that this open-ended provision will not be misused. The stronger the legitimate interest being pursued by the data controller and the less harm the processing does to the interests of the data subject, the greater the likelihood that the activity will be lawful. | R&S addresses this by limiting the types of services that are allowed to claim this category and focusing on low-risk services that have a clearly identifiable need for personal information such as wikis etc. |
| Impact Management | Impact on the individual will depend on the nature of the personal information, how it is processed and what the individual would reasonably expect. | Controlled in the R&S use case by minimal attribute sets and stress on the concept that an attribute must not be asked for if it is not needed. |
| What are "legitimate" reasons? | Norms in the community concerned fall into this definition, as does the idea of both parties wishing to provide and receive access. Those claiming legitimate interest should be able to explain their interest and how it satisfies this balancing test. | R&S provides this reason in its definition to support the process and to ensure that release is happening against an agreed set of criteria. |
| Transparency | Relying on legitimate interests still means users have to be informed about what their personal information is being used for. | Transparency is provided by keeping lists of SPs in this category and clear descriptions of what is being released. |
| Case-by-Case | Legitimacy must be ensured for each service. | Each SP is considered on a case-by-case basis by the federation in question and reviewed annually. |

 

 

 
