Federated Identity and Data Protection Law

Slides:



Advertisements
Similar presentations
PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR
Advertisements

NIGB Legal requirements for use of personal data in research OnCore UK / NRES Training workshop Ethical Principles relating to consent for use of samples.
NATIONAL INFORMATION GOVERNANCE BOARD
THE FOLLOWING SLIDES EXPLAIN THE REQUIRED ELEMENTS THAT MUST BE INCLUDED FOR A HIPAA AUTHORIZATION TO BE VALID HIPAA Authorizations.
Innovation through participation Attributes Release Working Group European data protection directive REFEDS meeting 22th Apr, 2012
Copyright JNT Association Federated Identity and Data Protection Law Andrew Cormack, Eva Kassenaar, Mikael Linden, Walter Martin Tveter.
DATA PROTECTION and Research University Research Ethics Committee – David Cauchi Office of the Data Protection Commissioner.
Data Protection & Freedom of Information The Practical Implications of Data Protection and Freedom of Information Caroline Dominey Data Protection Officer.
Cooperative Research IRB Brownbag, 3/4/08. ISU Policy Cooperative research projects are those projects which involve more than one institution. The official.
Data Protection Data Protection Acts 1988 & 2003 Directive 95/46/EC Privacy.
8 Criteria for IRB Approval of Research 45 CFR (a)
4/3/20011 Ethics in Special Education Assessment and Testing and Maintenance of Student Information.
 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.
The Legal Framework Can you work out which slide each bullet point should go on?!
Workshop on Health Examination Surveys (HES) Legal and ethical issues Susanna Conti, M. Kanieff, G. Rago Istituto Superiore di Sanità (ISS) (National Public.
Data protection supervision authority’s practice concerning exception provided in par. 2 of article 5 of Directive 2002/58/EC DIJANA ŠINKŪNIENĖ State Data.
The Data Protection Act 1998 The Eight Principles.
Privacy and Confidentiality. Definitions n Privacy - having control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally,
Data Protection Corporate training Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.
Processing personal health data: the regulator’s perspective Ken Macdonald Assistant Commissioner Information Commissioner’s Office.
What is personal data? Personal data is data about an individual which they consider to be private.
International Investigations: Issues to Consider When Conducting or Defending Against an FCPA Investigation Outside the United States Presented by: Sandee.
INTERNATIONAL E-DISCOVERY: WHEN CULTURES COLLIDE Alvin F. Lindsay Hogan & Hartson LLP.
10/25/2015 AEB/Yleisesittely Organising Federated Identity in Finnish Higher Education TNC2005 Mikael Linden June 8th, 2005.
Data Protection Act (1984, 1998). 2 Data Protection Act There are many organisations which hold personal information about individuals Examples: Loyalty.
Data Protection - Rights & Responsibilities Information Commissioner’s Office Orkney Practice Forum 4 th July 2007.
We are a group of national health and care organisations working together to provide a joined up and consistent approach to information governance. We.
Data Protection Act The Data Protection Act (DPA) is a balance between rights of the DATA SUBJECT and obligations of the DATA CONTROLLER DATA CONTROLLER.
Information Technology & Ethics. Impact The impact of IT on information and communication can be categorized into 4 groups: privacy, accuracy, property,
Data Protection Act (1998).
DATA PROTECTION ACT INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March It is more far reaching than its predecessor,
Networks ∙ Services ∙ People Nicole Harris UK federation meeting eduGAIN, REFEDS and the UK 23 June 2015 Project Development Officer GÉANT.
Sharing Personal Data ‘What you need to know’ Corporate Information Governance Team Strategic Intelligence.
Health and Safety Executive “Working in Great Britain from Overseas”. Nigel Chambers “Plymouth Public Health Exchange’s Training” – 18/06/2008.
Clark Holt Limited (Co. No ), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.
HIPAA Training Workshop #3 Individual Rights Kaye L. Rankin Rankin Healthcare Consultants, Inc.
The Data Protection Act 1998
COCE Institutional Review Board Academic Spotlight
Trevor Ellis Trainee Programmer (1981 – 28 years ago)
Protection of Human Subjects In Research
Data protection issues in regulatory investigations
Data Protection Act.
The Data Protection Act 1998
Information Governance and Data Privacy: A World of Risk
Data workshop WhOSE DATA IS IT ANYWAY? Alexia Christie
Data Protection Legislation
EU Directive 95/46/EC (Paragraph 2) “Whereas data-processing systems are designed to serve man; whereas they must Respect their fundamental rights.
GDPR - Individual’s Rights
Getting to grips with the Homelessness Reduction Act:
Safeguarding Update for Pharmacists
Limited Scope Representation
Data Protection principles
Data Protection What’s new about The General Data Protection Regulation (GDPR) May 2018? Call Kerry on Or .
Mathew Norman, Policy & Public Affairs Officer, RLA Wales
How we use Your Health Records
GDPR (Patrix interpretation)
General Data Protection Regulations 2018
CCG COMMISSIONS HIU COLLATING PROVIDER: A&E BI TEAM CSU
Recording Clinical Data
Improving Communication routes between Schools and GP Practices
Recording Clinical Data
IAPP TRUSTe SYMPOSIUM 9-11 JUNE 2004
Fingerprint Based Criminal History Records
What does that have to do with me?
“Seven-minute Staff Meeting”
Privacy & Interfederation
EU Data Protection Legislation
GEANT Data protection Code of Conduct 2.0 REFEDS meeting 16 June 2019
HIU Process Map The collating provider has primacy, and must have/had a direct relationship with the patient CCG COMMISSIONS HIU COLLATING PROVIDER: A&E.
Getting Ready For GDPR Simon Marks Director
Presentation transcript:

Federated Identity and Data Protection Law Andrew Cormack, Eva Kassenaar, Mikael Linden, Walter Martin Tveter

Which Law? Directive 95/46/EC NB National laws may vary this a bit Processing of personal data allowed when Required to perform contact with data subject, or Required to satisfy legal duty, or If data subject gives free, informed consent And does not withdraw it Different conditions apply to each of these NB National laws may vary this a bit

What does it mean for FAM? FAM can be a good thing IF it satisfies the relevant conditions Which look like good practice anyway… See next two slides Which use RFC-speak... And not too much law-speak…

Identity Providers Must identify which services are necessary for education/research Must consider whether personally identifiable information is necessary for those services, or whether anonymous identifiers or attributes are sufficient; Must inform users what information will be released to which service providers, for what purpose(s). May release that necessary personally identifiable information to those services; May seek users’ informed, free consent to release personal data to other services that are not necessary for education/research Must inform users what information will be released to which service providers, for what purpose(s); Must maintain records of individuals who have consented; Must allow consent to be withdrawn at any time; Must only release personal information where consent is currently in effect. Should have a data processor/data controller agreement with all service providers to whom personally identifiable data is released. Must ensure adequate protection of any data released to services outside the European Economic Area.

Service Providers Must consider whether personally identifiable information is necessary for their service, or whether anonymous identifiers or attributes can be used; Should obtain that information from home organisations; Should have a data processor/data controller agreement with all home organisations from whom personally identifiable data is obtained; If no such agreement is in place, must inform users what personal information will be obtained, by which service providers, for what purpose(s). May request personal information from users Must inform users what information will be released to which service providers, for what purpose(s); Must ensure that users who do not provide information are not unreasonably disadvantaged; Must maintain records of individuals who have consented; Must allow consent to be withdrawn at any time; Must cease processing data when consent is withdrawn

What next? Keep this, in case we’re challenged? Publish it for information (not advice)? Get it validated by authorities? Something else?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.