Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy & Interfederation

Published byTommasa Valente Modified over 5 years ago

Similar presentations

Presentation on theme: "Privacy & Interfederation"— Presentation transcript:

1 Privacy & Interfederation
A challenge to soup

2 Some topics to discuss IDENTITY vs identity
Privacy and a federation’s role The JA.NET analysis of EU rules So what constitutes PII anyway? Can interfederation work? Others ?

3 IDENTITY vs identity Is it a pointer to your protoplasm?
Is it some subset of data about you? It’s all of the above, BUT… Fundamental to the notion of privacy You decide what to reveal in any context Revealing too little may have consequences

4 Privacy and a federation’s role
Federation sets rules for its members Protection of identity data Part of an Identity Assurance Profile? Current focus is on IdP SP/RPs are also critical Commercial interests don’t want constraints What liability might a federation incur if it tried to ‘enforce’ privacy rules?

5 JA.NET analysis of EU rules
Places requirements on both IdP & SP Provides for predefined default release Subjects must know what that is and why Anything additional requires consent Federations aren’t enforcers “It’s the law!”

6 Identity Providers Must identify which services are necessary for [each recognized SP/RP] Must consider whether personally identifiable information is necessary for those services, or whether anonymous identifiers or attributes are sufficient; Must inform users what information will be released to which service providers, for what purpose(s). May release that necessary personally identifiable information to those services; May seek users’ informed, free consent to release personal data to other services that are not necessary for [a given SP/RP] Must inform users what information will be released to which service providers, for what purpose(s); Must maintain records of individuals who have consented; Must allow consent to be withdrawn at any time; Must only release personal information where consent is currently in effect. Should have a data processor/data controller agreement with all service providers to whom personally identifiable data is released. Must ensure adequate protection of any data released to services outside the European Economic Area.

7 Service Providers Must consider whether personally identifiable information is necessary for their service, or whether anonymous identifiers or attributes can be used; Should obtain that information from home organisations; Should have a data processor/data controller agreement with all home organisations from whom personally identifiable data is obtained; If no such agreement is in place, must inform users what personal information will be obtained, by which service providers, for what purpose(s). May request personal information from users Must inform users what information will be released to which service providers, for what purpose(s); Must ensure that users who do not provide information are not unreasonably disadvantaged; Must maintain records of individuals who have consented; Must allow consent to be withdrawn at any time; Must cease processing data when consent is withdrawn

8 What constitutes PII? There may be an EU analysis … Does FERPA help?
Does HIPAA help? If rules or laws(!) differ what applies? Jurisdiction of the Subject? What about a Stanford student studying in Paris? Do we use the union of both rules? Do we use the common subset?

9 Can interfederation work?
It must! (My words) It will take discussion, cooperation, work Interfederation Agreements must address this issue Can individual federations require this of their members? Depends on member agreements… Who is the enforcer? (Judge Dredd !)

10 Discussion …

Download ppt "Privacy & Interfederation"

Similar presentations

Why do we need Government?

Why do we need Government?
PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR

PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR
Innovation through participation Attributes Release Working Group European data protection directive REFEDS meeting 22th Apr, 2012

Innovation through participation Attributes Release Working Group European data protection directive REFEDS meeting 22th Apr, 2012
Copyright JNT Association 20071 Federated Identity and Data Protection Law Andrew Cormack, Eva Kassenaar, Mikael Linden, Walter Martin Tveter.

Copyright JNT Association Federated Identity and Data Protection Law Andrew Cormack, Eva Kassenaar, Mikael Linden, Walter Martin Tveter.
1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,

1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,
FERPA: Family Educational Rights and Privacy Act.

FERPA: Family Educational Rights and Privacy Act.
1 Who Gets to Know? Child Welfare & Confidentiality John L. Saxon Institute of Government The University of North Carolina at Chapel Hill February, 2004.

1 Who Gets to Know? Child Welfare & Confidentiality John L. Saxon Institute of Government The University of North Carolina at Chapel Hill February, 2004.
What if my organization conducts business across borders ? Your footnote Privacy and “Personal Information” have different meanings in different countries;

What if my organization conducts business across borders ? Your footnote Privacy and “Personal Information” have different meanings in different countries;
4/3/20011 Ethics in Special Education Assessment and Testing and Maintenance of Student Information.

4/3/20011 Ethics in Special Education Assessment and Testing and Maintenance of Student Information.
Class 13 Internet Privacy Law European Privacy.

Class 13 Internet Privacy Law European Privacy.
Data Protection Overview

Data Protection Overview
 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.

 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.
Copyright 2006 Archistry Limited. All Rights Reserved. SOA Federated Identity Management How much do you really need? Andrew S. Townley Founder and Managing.

Copyright 2006 Archistry Limited. All Rights Reserved. SOA Federated Identity Management How much do you really need? Andrew S. Townley Founder and Managing.
© 2007 The MITRE Corporation. MITRE Privacy Practice W3C Government Linked Data Working Group Michael Aisenberg, Esq. 29 June 2011 Predicate for Privacy.

© 2007 The MITRE Corporation. MITRE Privacy Practice W3C Government Linked Data Working Group Michael Aisenberg, Esq. 29 June 2011 Predicate for Privacy.
EHRs and the European Union – current legislation and future directions. Dr Richard Fitton.

EHRs and the European Union – current legislation and future directions. Dr Richard Fitton.
The Cal Lutheran Family and FERPA New Student Orientation 2008.

The Cal Lutheran Family and FERPA New Student Orientation 2008.
Student Confidentiality: The FERPA/HIPAA Facts AISD Policy 09.14 Student Records AISD Procedure 09.14 AP. 11.

Student Confidentiality: The FERPA/HIPAA Facts AISD Policy Student Records AISD Procedure AP. 11.
FERPA: What you Need to Know The Family Educational Rights and Privacy Act & SEI.

FERPA: What you Need to Know The Family Educational Rights and Privacy Act & SEI.
IBT - Electronic Commerce Privacy Concerns Victor H. Bouganim WCL, American University.

IBT - Electronic Commerce Privacy Concerns Victor H. Bouganim WCL, American University.
INTERNATIONAL E-DISCOVERY: WHEN CULTURES COLLIDE Alvin F. Lindsay Hogan & Hartson LLP.

INTERNATIONAL E-DISCOVERY: WHEN CULTURES COLLIDE Alvin F. Lindsay Hogan & Hartson LLP.

Similar presentations

Ads by Google