As part of the comprehensive review of all GÉANT services for General Data Protection Regulation (GDPR) support, eduGAIN has published advice on the impact of GDPR on its current set-up.
eduGAIN is not involved in managing any personal data as part of the authorisation process from identity provider to service provider, because that flow does not pass through our central infrastructure. We have, however, identified several areas where personal data is managed by eduGAIN as both a data controller and a data processor, and have identified some areas for improvement to help both the organisation and the community better meet the principles of GDPR.
With approximately 27 million users currently having access to services via eduGAIN, we also thought it important to provide some general advice and guidance to federation operators, identity providers and service providers as to how they can manage their GDPR assessments. Our impact assessment is now available on the eduGAIN wiki.
Changes at eduGAIN
As part of changes we will introduce to better support GDPR, eduGAIN will:
- Conduct a review with the eduGAIN steering group (SG) and consider options on whether SG membership names and email addresses should remain public or not.
- Position the advice given below as Best Current Practice within the eduGAIN policy set.
- Give guidance on what people should share, and not share, with the edugain-support contact.
Advice from eduGAIN
eduGAIN makes the following recommendations to the community:
- Identity providers and service providers provide contact details in metadata to help manage technical support, administrative support and security management. eduGAIN strongly recommends that these contacts be a role-based name and email address, and NOT personal data, wherever practical. A Best Current Practice document will be issued by eduGAIN to all federation operators.
- eduGAIN recommends that identity providers and service providers use the GÉANT Code of Conduct, REFEDS Research and Scholarship and SIRTFI appropriately to help manage GDPR requirements both inside and outside the EU / EEA. These processes will be positioned as Best Current Practice within eduGAIN.
- Consent should ONLY be used where a user may say no without losing access to a service. Consent-style dialogues can instead be used to inform the user of the attributes being sent.
- Privacy notices should be developed at all levels of the federated infrastructure: by eduGAIN, by federation operators, by IdPs and by SPs. Example notices are available from the impact assessment.
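The first recommendation above (role-based rather than personal contacts in metadata) is something a federation operator can check mechanically before metadata is published. The following is an added example, not eduGAIN's own tooling: it parses a SAML 2.0 metadata aggregate, lists every ContactPerson per entity, and flags mailboxes that look like a named individual rather than a role. The metadata sample is constructed for the example, the ROLE_WORDS list and the "role-based" heuristic are the example's own assumptions, and the REFEDS security-contact extension (remd:contactType) is used to recognise security contacts declared with contactType="other".

```python
"""Audit SAML metadata contacts for role-based vs. personal addresses.

Added example, not eduGAIN's or GÉANT's code. Assumptions made here:
- standard SAML 2.0 metadata ContactPerson/EmailAddress elements;
- the REFEDS security-contact extension marks security contacts;
- ROLE_WORDS is a heuristic for what counts as a role mailbox.
"""
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
REMD_NS = "http://refeds.org/metadata"
REFEDS_SECURITY = "http://refeds.org/metadata/contactType/security"

# Heuristic (assumption of this example): a mailbox is "role-based" if any
# token of its local part is one of these words.
ROLE_WORDS = {
    "support", "helpdesk", "servicedesk", "admin", "administrator", "security",
    "csirt", "abuse", "noc", "idp", "sp", "federation", "metadata", "service",
    "team", "contact", "operations", "ops", "sso", "aai",
}

# Constructed sample aggregate: one IdP with a personal technical contact and a
# REFEDS security contact, one SP with a role-based support contact.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}" xmlns:remd="{REMD_NS}">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:ContactPerson contactType="technical">
      <md:GivenName>Jane</md:GivenName><md:SurName>Doe</md:SurName>
      <md:EmailAddress>mailto:jane.doe@example.edu</md:EmailAddress>
    </md:ContactPerson>
    <md:ContactPerson contactType="other" remd:contactType="{REFEDS_SECURITY}">
      <md:EmailAddress>mailto:security@example.edu</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:ContactPerson contactType="support">
      <md:GivenName>Service Desk</md:GivenName>
      <md:EmailAddress>mailto:sp-helpdesk@example.org</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def classify_contact(email: str) -> bool:
    """Return True if the mailbox looks role-based, False if it looks personal."""
    local = email.split("@", 1)[0].lower()
    tokens = set(re.split(r"[.\-_+]", local)) - {""}
    return bool(tokens & ROLE_WORDS)


def _contact_type(cp) -> str:
    """Map contactType, recognising the REFEDS security-contact extension."""
    ctype = cp.get("contactType") or "unknown"
    if ctype == "other" and cp.get(f"{{{REMD_NS}}}contactType") == REFEDS_SECURITY:
        return "security"
    return ctype


def audit_contacts(metadata_xml: str) -> list:
    """List every ContactPerson in the aggregate with a role-based verdict."""
    root = ET.fromstring(metadata_xml)
    findings = []
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        entity_id = ed.get("entityID")
        for cp in ed.findall(f"{{{MD_NS}}}ContactPerson"):
            email_el = cp.find(f"{{{MD_NS}}}EmailAddress")
            email = (email_el.text or "").strip() if email_el is not None else ""
            if email.lower().startswith("mailto:"):
                email = email[len("mailto:"):]
            findings.append({
                "entity_id": entity_id,
                "contact_type": _contact_type(cp),
                "email": email,
                # An empty address is treated as not role-based so it is flagged.
                "role_based": bool(email) and classify_contact(email),
            })
    return findings


def personal_contacts(metadata_xml: str) -> list:
    """Return (entityID, contactType, email) for contacts that should be reviewed."""
    return [(f["entity_id"], f["contact_type"], f["email"])
            for f in audit_contacts(metadata_xml) if not f["role_based"]]


if __name__ == "__main__":
    for entity_id, ctype, email in personal_contacts(SAMPLE_METADATA):
        print(f"review: {entity_id} {ctype} contact '{email}' looks personal")
```

Run against a real aggregate by passing the file contents to `personal_contacts()`; anything it returns is a candidate for replacement with a shared role mailbox before the entity is exported to eduGAIN. The heuristic is deliberately simple and will produce false positives for unusual role names, so treat its output as a review list, not an automatic rejection.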