
Fédération Éducation-Recherche - Data protection good practices

This page aims to answer the questions facing organizations running an identity provider or federated online resources about their responsibilities in implementing the French law on the protection of personally identifiable information (PII). It also shows how the management procedures undertaken by the Fédération Éducation-Recherche (FER) operators ease the work of addressing these issues.

References:

The French “informatique et liberté” law [I&LL] describes and governs data protection in online exchanges.

The I&L guide referenced above explains how the federation works, the PII protection issues that follow from it, and the requirements Home Organizations must meet.

The roles of the different participants are distinguished as regards the I&LL:

  • The identity provider processes PII to allow its users to access online services. The home organization running that identity provider is responsible for that processing under the I&LL: it defines the purpose and the means of the processing
  • The organization running a service provider is also responsible if PII is processed. PII can be direct, or indirect when cross-referencing is performed to reveal a user's identity
  • Finally, the Fédération Éducation-Recherche operator does not process any PII and thus has no constraints under the “informatique et liberté” law. It acts as a mediator, providing information and performing checks on service providers to ease the task at the identity provider's level.

It is strongly recommended to collect personal data only when it is necessary for providing the service.

As a reminder, personally identifiable information (personal data) means any information relating to a person who is identified or identifiable, directly or indirectly, in particular by cross-referencing.

For instance, it is not necessary to collect personal data to confirm that a user is a member of a federation home organization: the use of an opaque attribute such as eduPersonTargetedID can be sufficient.

If no personal data is collected, the service provider is not bound to fulfill the obligations set by the I&LL.

The service provider must be particularly watchful about the following:

  • The collected data must be relevant regarding the usage
  • The data retention duration must be limited and proportional regarding the usage

The service provider must inform the user about how their data is processed, as explained in section 2 of the “informatique et liberté” guide mentioned above.

This information must be given before the user accesses the service. It can be provided as a web page.

The formalities are described in section 10 of the “informatique et liberté” guide. If the service provider has a legal department dealing with data protection, it has to complete the formalities with its country's equivalent of the French data protection authority, the CNIL.

Starting from the information provided by the French federation operating team, the identity provider manager must gauge the relevance of the resource before promoting it to its own users:

  • Is it a valuable resource to give access to, given the missions of the identity provider's organization?
  • Are the requested attributes relevant?

The identity provider can ultimately decide not to release some of the optional attributes requested.
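As an added example (not part of the FER page or its tooling), the following Python script shows how an identity provider manager could review the attributes a service provider requests in its SAML metadata and derive a minimal release decision: the opaque eduPersonTargetedID goes out, optional attributes that are personal data are withheld, and required personal data is flagged for a look at the stated purpose. The metadata fragment, the entityID and the opaque/personal classification are constructed for illustration.

```python
# Added example, not from the FER page: review a service provider's SAML metadata
# the way an IdP manager would before deciding which requested attributes to release.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed SP metadata (illustrative entityID and attribute set).
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example e-documentation service</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" FriendlyName="eduPersonTargetedID" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="false"/>
      <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Assumed classification for this example (not a federation rule): opaque
# identifiers reveal no identity on their own; the others name or contact a person.
OPAQUE = {"eduPersonTargetedID", "pairwise-id"}
PERSONAL = {"mail", "displayName", "givenName", "sn", "cn"}


def requested_attributes(xml_text):
    """Return [(friendly_name, is_required)] from the SP's AttributeConsumingService."""
    root = ET.fromstring(xml_text)
    out = []
    for ra in root.iter(f"{{{MD}}}RequestedAttribute"):
        name = ra.get("FriendlyName") or ra.get("Name")
        out.append((name, ra.get("isRequired", "false").lower() == "true"))
    return out


def release_decision(xml_text):
    """Propose a minimal release policy: opaque attributes go out, optional
    personal data is withheld, required personal data is flagged for review."""
    decision = {}
    for name, required in requested_attributes(xml_text):
        if name in OPAQUE:
            decision[name] = "release"      # no personal data involved
        elif name in PERSONAL:
            decision[name] = "review" if required else "withhold"
        else:
            decision[name] = "release" if required else "withhold"
    return decision
```

The "review" verdict is where the manager checks the purpose stated in the registration notice; nothing here replaces that judgment.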

The identity provider is solely responsible for the personal data provided to service providers under the I&LL.

As described in section 2 of the I&L guide, the user must be informed about the processing of their data at the identity provider level.

This information can be given by several means; for instance, for access to an e-documentation resource, students can be informed when they register with their home organization. In any case, the user must be informed before their personal data is processed.

A service provider's registration with the Fédération Éducation-Recherche is subject to approval by the operational team. The validation process consists in checking the personal data protection measures at the service provider level:

  • Does the purpose of processing correspond to one of the federation's resource categories (e-documentation, e-learning, groupware, Wi-Fi access…)?
  • Are the requested attributes necessary for that purpose?
  • Is the processing done in a country where personal data protection is judged adequate by the European Commission (French only)?

All the countries of the European Union, and some others as well, are suitable for international (outside France) personal data exchanges. This is based on the European Union directive on personal data protection levels, as shown on this interactive map.

For other countries:

  • The service provider must guarantee a sufficient level of personal data protection, e.g. by conforming to the European Union directive on personal data protection. The identity provider must then request prior authorization from the CNIL
  • If the service provider is a Safe Harbor company, the personal data transfer is allowed: http://www.export.gov/safeharbor/

All these cases are explained on the CNIL web site.

If a service provider is registered with the federation, its technical information is automatically included in the federation's metadata.

All identity provider managers are notified when a service provider is registered. The notification:

  • Describes the service provided
  • Shows the service provider's category
  • Gives the country where the data is processed; if it is outside the EU, other explanations are provided, such as Safe Harbor membership or data protection agreements…
  • Lists the attributes requested, mentioning optional ones and their purpose of processing

Last modified: 2021/02/02 18:13