Innovation through participation Data Protection Code of Conduct (DP CoC) TNC2013 conference, 4 June 2013 Mikael Linden, CSC – IT Center for Science

Slides:



Advertisements
Similar presentations
Innovation through participation Data Protection Code of Conduct (DP CoC) REFEDS Helsinki Mikael Linden, CSC – IT Center for Science
Advertisements

CLARIN AAI, Web Services Security Requirements
Innovation through participation GÉANT Data Protection Code of Conduct (DP CoC) FIM for research collaboration workshop Mikael Linden,
User Attributes; who, where, how many? Daan Broeder TLA – MPI for Psycholinguistics.
Innovation through participation Attributes Release Working Group European data protection directive REFEDS meeting 22th Apr, 2012
CLARIN and the DSA Paul Trilsbeek The Language Archive Max Planck Institute for Psycholinguistics.
Kalmar Union Mikael Linden CSC, the Finnish IT Center for Science.
Innovation through participation eduGAIN federation operator training eduGAIN policy eduGAIN training in Vienna Oct 2011
REFEDS RESEARCH AND EDUCATION (R&S) ENTITY CATEGORY NICOLE HARRIS.
Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
CASE: Haka federation EuroCAMP, 3-5 April, 2006 CSC, the Finnish IT Center for Science
Innovation through participation Interfederation through eduGAIN - steps and challenges eduGAIN interfederation service Federated Identity Systems.
The ReFEDS/GÉANT Code of Conduct (CoC) An Approach to Compliance with the EU Data Protection Directive Steve Carmody April 23, 2012.
Identity Federation Policy Marina Vermezović, AMRES Federated Identity Technology Workshop Sofia, Bulgaria, 20. Jun 2014.
Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.
FIM, , Nijmegen CLARIN: status of FIM Dieter Van Uytvanck 1.
Authentication and Authorization Overview Kimmo Koskenniemi, Antti Arppe, Mikael Lindén University of Helsinki, CSC – IT Centre for Science Consortium.
Kalmar Union, a Conferedation of Nordic Identity Federations TNC2009 Mikael Linden, CSC Andreas Solberg, UNINETT.
European Life Sciences Infrastructure for Biological Information Life science community update for the 7 th Federated Identity Management.
Towards Interconnecting the Nordic Identity Federations TNC2007 Walter M Tveter, UiO Mikael Linden, CSC/HAKA Ingrid Melve, Uninett/Feide.
10/25/2015 AEB/Yleisesittely Organising Federated Identity in Finnish Higher Education TNC2005 Mikael Linden June 8th, 2005.
The Framework for Privacy Policies in the UK: Is telling people what information is gathered about them part of the framework? Does it need to be? Emma.
Campus Identity Management Requirements (=IAP) REFEDs meeting Mikael Linden,
7 th Pan-Data & CRISP Harmonisation Meeting Zürich Airport TERENA Code of Conduct B.Abt PSI 1 Björn Abt.
Kalmar Union lessons: Findings in federation harmonisation REFEDS Mikael Linden, CSC.
Federated Identity Management IG FIM4R CLARIN pilot – progress report Menzo Windhouwer (CLARIN ERIC, Meertens Institute)
Federations round table Haka federation of Finland EuroCAMP Mikael Linden CSC, the Finnish IT Center for Science.
Innovation through participation eduGAIN interfederation service for research and education Cern FedID workshop in RAL, UK 2-3 Nov 2011 Mikael Linden,
Authentication and Authorisation for Research and Collaboration David Kelsey AARC AHM Milan And mechanisms NA3 Task 4 – Scalable.
Innovation through participation eduGAIN policy: A worm report TF-EMC2 Vienna Mikael Linden, CSC The worm farmer.
Federations, the Data Protection Directive and WP29 TF-EMC2 Mikael Linden, CSC, the Finnish IT Center for Science.
Authentication and Authorisation for Research and Collaboration Mikael Linden AARC all hands Milan Authentication and Authorisation.
Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.
Clain update TF-EMC Mikael Linden, CSC.
Innovation through participation EduGAIN policy (working draft) Status update REFEDs 30th May 2010
Networks ∙ Services ∙ People Thomas Bärecke Journée Fédération, Paris Collaboration européenne GÉANT SA5 03/07/2015 SA5 T5 team
Networks ∙ Services ∙ People Nicole Harris UK federation meeting eduGAIN, REFEDS and the UK 23 June 2015 Project Development Officer GÉANT.
The EU General Data Protection Regulation Frank Rankin.
AAI needs of the Distributed Computing Infrastructures - CLARIN Dieter Van Uytvanck Max Planck Institute for Psycholinguistics
Connect communicate collaborate Case Studies in Federated Identity Management for Research Communities Ann Harding, SWITCH/GN3plus Peter Gietz, DAASI International.
Designing Identity Federation Policy, the right way Marina Vermezović, Academic Network of Serbia TNC2013 conference 4 May 2013.
How eduGAIN can help education: a real life story Sabita Behari Product Manager TNC14.
Networks ∙ Services ∙ People TNC 2016, Prague Alice Through the Looking Glass Science DMZ goes above the network 13 June
Networks ∙ Services ∙ People Ann Harding Networkshop 44, Manchester Thinking globally, acting locally Trust and Identity in the GÉANT project.
Authentication and Authorisation for Research and Collaboration Taipei - Taiwan Mechanisms of Interfederation 13th March 2016 Alessandra.
Cross-sector and user-centric AAI
Overall Roadmap and Timeline
GÉANT Data Protection Code of Conduct (CoCo)
Athina Antoniou and Lilian Mitrou
TF-EMC2 - eduGAIN update
AAI Alignment Nicolas Liampotis (based on the work of Mikael Linden)
GÉANT 4-2 JRA3 T1 Something with Federations and Campus VC
General Data Protection Regulation
GÉANT International Networking and Collaboration
GEANT Code of Conduct and REFEDS Research and Scholarship compared
Minimal Level of Assurance (LoA)
InAcademia Simple Validation Service Niels van Dijk
GÉANT 4-2 JRA3 T1 and T2 Federations and Campus (CaFe) e-Infrastructures and Service Providers (RASP) Daniela Pöhn JRA3 T1 LRZ/DFN-AAI Technology Exchange.
EU Directive 95/46/EC (Paragraph 2) “Whereas data-processing systems are designed to serve man; whereas they must Respect their fundamental rights.
Policy and Best Practice … in practice
General Data Protection Regulation
Common Authentication and Authorisation Service for Life Science Research Mikael Linden, ELIXIR Finland.
The activity of Art. 29. Working Party György Halmos
New Data Innovation Projects: Data Privacy and Data Protection
GÉANT 4-2 JRA3 Daniela Pöhn JRA3 T1 LRZ/DFN-AAI
Resource Entitlement Management System
Resource Entitlement Management System
Baseline Expectations for Trust in Federation
GEANT Data protection Code of Conduct 2.0 REFEDS meeting 16 June 2019
Presentation transcript:

Innovation through participation Data Protection Code of Conduct (DP CoC) TNC2013 conference, 4 June 2013 Mikael Linden, CSC – IT Center for Science

Innovation through participation The data protection risk In EU, a Home organisation takes a risk when it releases attributes to an Service Provider Home organisation may become partly liable if the SP is hacked and personal data is spilled to the Internet => Home Organisations hesitate to release attributes Home organisation (IdP) Service Provider (SP) Attributes = personal data (unique ID, name, mail, eduPersonAffiliation…)

Innovation through participation Requirements to attribute release from the EU data protection directive Security of processing Purpose of processing Minimal Disclosure Informing the end user Specify legal grounds for attribute release Necessary attributes based on legitimate interests legal grounds Optional extra attributes on user consent (deferred to phase 2) Attribute release out of EU/EEA and countries with adequate data protection requires EC model contracts Initially the Code of Conduct covers just SPs in EU/EEA and similar

Innovation through participation Requirements from the R&E community Scalability (thousands of Entities) Balance risks with easiness of collaboration Tolerate and recover from misbehaving entities Minimise home organisation’s liability Suggest good practices to Home Organisations Minimise federation’s role A global approach needed

Innovation through participation Data Protection Code of Conduct approach Voluntary to SPs (but SPs have an interest to commit to receive attributes) Voluntary to Home Orgs to rely on (but may increase Home Org’s scientific output and reduce the IdP admin’s work) It’s simple! SP Commit to SP Commit to SP Commit to HO Learn SP’s commitment GEANT Data protection Code of Conduct

Innovation through participation Code of Conduct: Service Providers commits to Directly from the DP law Data minimisation Data rentention Information security Informing the end user Data release out of EU/EEA requires EC model contracts Further specifies the DP law Legal grounds: ”attributes that are necessary…” Purpose: ”enabling access” Deviating purpose: on user consent only Release to 3rd party: on user consent or 3rd party committed to CoC Report security breaches Read the full Code of Conduct text in:

Innovation through participation SAML 2.0 metadata profile supporting the Code of Conduct Standard SAML 2.0 metadata elements used to convey SP’s relevant properties to a Home Organisation: Indication of SP’s commitment to the CoC (Entity Category element) List of attributes the SP requires ( md:requestedAttributes ) Link to the SP’s Privacy policy document ( mdui:privacyStatementURL ) SP’s name ( mdui:displayName ) SP’s description ( mdui:Description )

Innovation through participation Informing the end user on release of his/her personal data WebLicht is a service for language research. It provides an execution environment for automatic annotation of text corpora. Weblicht Service name Description Your following information will be released Unique NameMikael Linden Privacy policy OK

Innovation through participation The Code of Conduct timeline 1st public call for comments 6-8/2012 2nd public call for comments 11-12/2012 Pilot with the CLARIN community 6/2012-4/2013 Submitted to the eduGAIN Technical Steering Group for approval on the 31st of May Use your vote! Submission to Article 29 Working Party Q2/2013 the EU body contributing to the uniform application of the Data protection directive

Innovation through participation Code of Conduct pilot with CLARIN Identity Federations: DFN-AAI (Germany). Haka (Finland), SWAMID (Sweden) Home Organisations: DFN (connected to DFN-AAI), Institut für Deutsche Sprache (DFN-AAI), CSC (Haka), Uppsala university (SWAMID) Service Providers LAT – Language Archive Tools (CSC, connected to Haka) IDS – CLARIN services (IDS, DFN-AAI) IDS – repository (IDS, DFN-AAI) CLARIN Catalog (MPI for Psycholingusitics, DFN-AAI) MPI second SP (MPI for Psycholingusitics, DFN-AAI) Weblicht – annotation tool (Tübingen university, DFN-AAI) Filesender (CSC, Haka)

Innovation through participation Findings in the pilot Pilot Service Providers happy to commit to the Code of Conduct Pilot Home Organisations happy to release attributes to committed SPs More documentation, templates and training needed How to write a Privacy Policy document What attributes are necessary for a service Some sanity checks seem necessary by a third party (federation operator) Privacy policy document and SAML 2.0 metadata are consistent Service name and description understandable and useful for common users – “Lux17 Service Provider” – “Max Planck Institute for Psycholinguistics second Service Provider” Final report:

Innovation through participation Questions? Read the TNC2013 full paper in:

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.