Published by Derrick May. Modified over 9 years ago.

https://aarc-project.eu
Authentication and Authorisation for Research and Collaboration
Accounting and logging data protection
Uros Stevanovic, KIT, SCC
AARC F2F, Milano, 2-4 Nov 2015

Accounting and processing of user data
Goals and purpose of the work package:
- Survey, collect and process:
  - Requirements
  - Template policies
  - Recommendations that can be applied across the infrastructure
  - Legal policies and requirements
- Google doc, also for comments: https://goo.gl/XrYoF2
Timeline: DNA3.5 – M18, MN3.2 – M7

Accounting and processing of user data
What is in the scope of the task:
- Processing of user data:
  - Collecting
  - Transfer
  - Access to the user data
  - Publishing the user data
- Use cases (not an exhaustive list):
  - Accounting
  - Monitoring
  - Logging
What is NOT in the scope:
- Attribute release

Collected inputs
- Requirements from the communities, with use cases
- Information on types of data:
  - Personal-identifiable/personal-pseudoanonymized
  - Personal-anonymized
  - Personal-group based
  - Non-personal
  - Technical data
- Site policies
- Legal policies

Legal terms
The framework for national policies is set by Directive 95/46/EC.
Important terms:
- Personal data – any information that can be used to discern a physical, mental, economic, social (etc.) identity (e.g. name, email, race, gender…)
- Processing of personal data – any operation on personal data, e.g. collection, recording, storage, dissemination, etc.
- Data controller – entity/person/… which determines the purpose and means of processing of personal data
- Data processor – entity/person/… which processes the data on behalf of the controller
Important principles:
- Identification of personal data – Member states shall determine how the personal data will be processed
- Information presented to the data subject – what is presented to the user when collecting and processing their data
- Right of access – high level of transparency between controller and subject, i.e. confirmation of data processing, all recipients of data, ability to rectify/erase the data, what kind of processing is involved…
- Confidentiality
- Security of processing
New EU regulation should be adopted by the end of the year.

Use cases
- Security incidents
- Registration of users
- Data retention
- Accounting
- Monitoring/logging

Existing policies: EGI accounting user data policy
Accounting data resulting from executing jobs on the grid.
Purpose:
- Monitoring, planning and controlling the use of resources
- Discerning how the resources are used and by whom
- Reporting to funding bodies
- Operation and scientific analysis
- Troubleshooting, debugging
- Handling security incidents

Existing policies: EGI accounting user data policy (contd.)
- Accounting data storage
  - Regular collection of accounting records of each job execution
  - Aggregating data in Accounting Data Centre (ADC)
- Informing the user
  - Users must accept the conditions of the Acceptable Use Policy (AUP)
- Control and access to the information
  - Local control of the accounting record by the site where the job is executed
  - Copies are stored in ADC, controlled by the Grid
  - In ADC, only authorized persons have access
  - Aggregated data of a user is anonymized, restricted access
- Period of retention
- Protection of the information
- Transfer of the data (also internationally)
- Access by the user to their own information

German legal policies
- Federal Data Protection Act (BDSG)
- Telemedia Act (TMG)
BDSG important aspects:
- Personal data – in short, anything concerning the personal/material circumstances of a person
- Special categories of personal data – anything regarding racial/ethnic/political opinion/etc.; more protected
- Data collection – only allowed if stipulated by law, or user has explicitly consented
  - Controller identity needs to be known, as does the purpose of collection, and who has access
  - Consent needs to be in writing (there are exceptions for scientific research)
- Data processing – storage, modification, transfer, erasure, blocking
  - Automatic processing needs to be registered with the supervisory authorities, unless there is a data protection official
- Transfer of personal data – in EU, EEA, bodies of the EC is permissible, outside is not, unless the level of data protection is not adequate (Safe Harbor)
- Right of access – subject has access to its own data: correction, erasure, blocking
  - Personal data are to be erased if not needed anymore (blocked if too difficult)
- Compensation

German legal policy
TMG:
- Scope: all electronic information and communication services, unless it is involved in transmission of signals in the telecommunication networks
- Monitoring is not required for the information transmitted or stored, or to search for illegal activity (also third party transfer)
- User must be informed (electronically is permissible):
  - Consent must be given consciously and unambiguously
  - the record of it must be kept
  - user can access it and revoke it at any time
- Monetary fines

Dutch legal policies
- Obligatory information on personal data
- Right to review and correction of personal data
  - written request by a user
  - organization needs to respond in 4 weeks
  - correction of inconsistencies
- Right to motivation
- Privacy data for marketing purposes – user can object to usage of personal information
- Personal data processing by the government
  - policies need to exist for protection of data
  - individual can object to the government sharing the data with other organizations
- Dispute resolution
  - CBP or judge

Danish legal policies
- Act on Processing of Personal Data
- Executive Order on Security
- Data Protection Agency (Datatilsynet) is responsible for all processing operations
- Security of processing data
  - Appropriate technical measures for protection (destruction, loss, unauthorized disclosure)
  - Comprehensive risk assessment
  - Processor must comply with both Danish security requirements and those of the processor's home country
- Transmission of data to third countries – adequate security measures, or user's consent
- Notification of data processing – Datatilsynet must be informed
- Deletion of personal data
  - Destroying the disk or using special programs (overwriting)
  - Data cannot be kept for longer than necessary
- Control of rejected attempts to access data
  - all rejected attempts need to be registered, and acted upon
  - comprehensive security mechanism
- Logging – use of personal data must be logged

Recommendations (so far)
- Designated personal protection official
- Collect as little personal data as possible
- Policies for any kind of personal data processing need to exist (and be accessible to the user)
  - storage, for how long
  - to whom it will be transferred (exception is law enforcement)
  - what kind of processing is conducted
Potential difficulties:
- User's consent
  - preferably in writing (electronically is ok)
  - free will for consent
  - revocation of consent
- International bodies/sites
  - E.g. Danish law requires compliance with both Danish law and designated country law
- How to handle deletion of personal data across sites
- Is a unified recommendation possible?

Thank you
Any Questions?
https://aarc-project.eu
uros.stevanovic@kit.edu
© GÉANT on behalf of the AARC project. The work leading to these results has received funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement No. 653965 (AARC).