Différences

Ci-dessous, les différences entre deux révisions de la page.

Lien vers cette vue comparative

federation:en:documentation:engagement-conformite:cnil-et-federation [2019/07/08 10:36]
127.0.0.1 modification externe
federation:en:documentation:engagement-conformite:cnil-et-federation [2019/07/11 18:07] (Version actuelle)
herve.bourgault@renater.fr
Ligne 3: Ligne 3:
 ====== Fédération Éducation-Recherche - Data protection good practices ====== ====== Fédération Éducation-Recherche - Data protection good practices ======
  
-===== Introduction =====+===== 1. Introduction =====
 This page aims to answer the questions related to the organizations running an identity provider or federated on line resources as regards to their responsibilities on implementing the French law on the Personally Identifiable Information (PII) protection. Moreover, it shows how the management procedures undertaken by the Fédération Éducation-Recherche (FER) operators eases the work to solve this issues. This page aims to answer the questions related to the organizations running an identity provider or federated on line resources as regards to their responsibilities on implementing the French law on the Personally Identifiable Information (PII) protection. Moreover, it shows how the management procedures undertaken by the Fédération Éducation-Recherche (FER) operators eases the work to solve this issues.
  
Ligne 22: Ligne 22:
   * Eventually, The Fédération Education-Recherche operator do not process any PII and thus, he have no constraints regarding the "​informatique et liberté"​ law. He acts as a mediator, providing informations and performing some checking on service providers to ease the task at identity provider'​s level.   * Eventually, The Fédération Education-Recherche operator do not process any PII and thus, he have no constraints regarding the "​informatique et liberté"​ law. He acts as a mediator, providing informations and performing some checking on service providers to ease the task at identity provider'​s level.
  
-===== Service providers responsibilities ===== +===== 2. Service providers responsibilities ===== 
-==== Minimal disclosure ====+ 
 +==== 2.1 Minimal disclosure ====
  
 It is strongly recommended to do not collect personal data only if it is necessary for providing the service. It is strongly recommended to do not collect personal data only if it is necessary for providing the service.
Ligne 33: Ligne 34:
 If no personal data is collected, the service provider is not bound to fulfill the obligations set by the I&​LL. ​ If no personal data is collected, the service provider is not bound to fulfill the obligations set by the I&​LL. ​
  
-==== Criteria for legitimate use of personal data ====+==== 2.2 Criteria for legitimate use of personal data ====
  
 The service provider must be particularly watchful on: The service provider must be particularly watchful on:
Ligne 39: Ligne 40:
   * The data retention duration must be limited and proportional regarding the usage   * The data retention duration must be limited and proportional regarding the usage
  
-==== User's information ====+==== 2.3 User's information ====
 The service provider must inform the user about the usage of its processed data as explained in the section 2 of the "​informatique et liberté"​ guide mentioned above. The service provider must inform the user about the usage of its processed data as explained in the section 2 of the "​informatique et liberté"​ guide mentioned above.
  
 This information must be performed before the user accesses the service. It can be available as a web page. This information must be performed before the user accesses the service. It can be available as a web page.
  
-==== Fulfilling the formalities ====+==== 2.4 Fulfilling the formalities ====
  
 The formalities are described in the section 10 of the "​informatique et liberté"​ guide. If the service provider have a legal department dealing with data protection, it have to fulfill the requirements with its country'​s equivalent to data protection organization [[http://​www.cnil.fr|CNIL (France)]]. The formalities are described in the section 10 of the "​informatique et liberté"​ guide. If the service provider have a legal department dealing with data protection, it have to fulfill the requirements with its country'​s equivalent to data protection organization [[http://​www.cnil.fr|CNIL (France)]].
  
-===== Identity providers responsibilities =====+===== 3. Identity providers responsibilities =====
  
-==== Evaluate the relevance of the service provider data processing ====+==== 3.1 Evaluate the relevance of the service provider data processing ====
  
 Starting from the informations provided by the French federation operating team, the identity provider manager must gauge the relevance of the resource before promoting it to its own users: Starting from the informations provided by the French federation operating team, the identity provider manager must gauge the relevance of the resource before promoting it to its own users:
Ligne 60: Ligne 61:
 The identity provider is the **unique responsible** of the personal data provided to service providers in accordance with the I&LL. The identity provider is the **unique responsible** of the personal data provided to service providers in accordance with the I&LL.
  
-==== User's information ====+==== 3.2 User's information ====
  
 As described in the 2nd section of the I&L guide, the user must be informed about its data processing at the identity provider level. As described in the 2nd section of the I&L guide, the user must be informed about its data processing at the identity provider level.
Ligne 67: Ligne 68:
  
  
-===== Federation operational team role =====+===== 4. Federation operational team role =====
  
-==== Service provider registration checking ====+==== 4.1 Service provider registration checking ====
  
 A service provider registration to the federation Education-Recherche is subject to operational team approval. The validation process consist in checking personal data protection measures at the service provider level: A service provider registration to the federation Education-Recherche is subject to operational team approval. The validation process consist in checking personal data protection measures at the service provider level:
Ligne 76: Ligne 77:
   * Is the processing done in a country where the personal data protection is [[http://​www.cnil.fr/​vos-responsabilites/​le-transfert-de-donnees-a-letranger/​|judged adequate by the European commission (French only)]]?   * Is the processing done in a country where the personal data protection is [[http://​www.cnil.fr/​vos-responsabilites/​le-transfert-de-donnees-a-letranger/​|judged adequate by the European commission (French only)]]?
  
-==== International personal data exchanges ====+==== 4.2 International personal data exchanges ====
 All the countries of the European Union and some others as well are suitable for international (out of France) personal data exchanges. This is based on the European Union directive about personal data protection levels as it can be seen [[http://​www.cnil.fr/​pied-de-page/​liens/​les-autorites-de-controle-dans-le-monde/​|on this interactive map]]. All the countries of the European Union and some others as well are suitable for international (out of France) personal data exchanges. This is based on the European Union directive about personal data protection levels as it can be seen [[http://​www.cnil.fr/​pied-de-page/​liens/​les-autorites-de-controle-dans-le-monde/​|on this interactive map]].
  
Ligne 86: Ligne 87:
  
  
-==== Service provider registering steps ====+==== 4.3 Service provider registering steps ====
  
 If a service provider is registered with the federation, its technical information are automatically included in the federation'​s metadata. If a service provider is registered with the federation, its technical information are automatically included in the federation'​s metadata.