Requirements for Federations Operators Assessing R&S

This is currently a proposed draft and is not in use with Federation Operators at this time. 

The following requirements are proposed as a minimal expectation for a Federation Operator to be asserting R&S for Service Providers within their federation. It is important when using Legitimate Interests as a reason for processing data that organisations are able to demonstrate that they have conducted an assessment, documented this assessment and given transparency and visibility to that assessment (see guidance from Article 29 WP).

1. The Federation Operator actively declares support for R&S.
   Declare support by email to  This will be re-verified as part of the REFEDS annual audit.
2. Maintain a detailed description of the federation's administrative process for tagging a Service Provider with R&S.
   Host a wiki or web page with information for SPs.
3. Have a clear assessment process for Service Providers.

Consider using the following checks:

  • Can the SP demonstrate a reasonable need to use the full R&S bundle?
  • Is there a relevant and appropriate relationship between the data subject and the Service Provider?
  • Would there be a reasonable expectation on the part of the data subject that personal data will be released?
  • Does the Service Provider demonstrate appropriate safeguards / effective behaviour regarding data protection (e.g. do they have a privacy notice? Do they use a code of conduct, etc.?)
4. Have a process for reviewing use of R&S.
   Have measures in place to review R&S where you are the Registration Authority. This may be in line with the annual REFEDS review of R&S.