Cliquez ici pour la version française
eduGAIN Data Protection Code of Conduct
1. Problem statement
One of the major obstacles to the proper functioning of identity federations at the national and international level is the configuration of the release of user attributes from the side of identity providers. The constraints related to the protection of user personal data are one of the main challenge for identity provider administrators.
The Data Protection Code of Conduct, defined by GEANT as part of eduGAIN, provides a framework for the release of user attributes to international service providers.
- eduGAIN federation, RENATER
- Code of Conduct, GEANT
2. Code of Conduct principle
The Code of Conduct defines a set of good practices that service providers undertake to respect:
- 1. Publication of a privacy policy (at least in english) mentioning :
- the legal entity,
- the purpose of the processing operations,
- the category of user attributes,
- the recipient of data,
- the procedures for access/rectification of data.
- 2. Minimum user attributes request for the proper functioning of the service,
- 3. No use of data for other processing,
- 4. No secondary data processing,
- 5. Data securing process.
Only service providers established in Europe (or in a country with adequate data protection) can subscribe to the Code of Conduct GEANT. Another version of the Code of Conduct is being prepared for service providers outside of Europe.
3. Code of Conduct subscription and use
Service providers declare their compliance with the Code of Conduct through their own federation's registry by indicating the URL of their Privacy Policy. This information is then propagated in eduGAIN metadata in a form that can be used by IdP administrators to manage the automated release of user attributes to these service providers (and taking into account the guarantees they provide in the management of personal data)
An extract from the eduGAIN metadata describing a service provider that complies with the Code of Conduct:
<md:EntityDescriptor entityID="https://clarin.ids-mannheim.de/shibboleth"> <md:Extensions> ... <mdattr:EntityAttributes> <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue> </saml:Attribute> </mdattr:EntityAttributes> </md:Extensions> <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol"> <md:Extensions> <mdui:UIInfo> ... <mdui:PrivacyStatementURL xml:lang="en">https://clarin.ids-mannheim.de/privacy.html</mdui:PrivacyStatementURL> </mdui:UIInfo> </md:Extensions> ...