The new REFEDS data protection Code of Conduct has been published.

Background

Federated identity management is about releasing attributes from an Identity Provider (IdP) to a Service Provider (SP). In the research and education sector, the attributes are seldom intrusive but consist of a user’s name, e-mail address and affiliation, i.e. whether they are a researcher or a student of a particular institution (dubbed their home organisation). Nevertheless, in the European Union, the attributes qualify as personal data under the General Data Protection Regulation (GDPR).

A major obstacle for federated identity management is home organisations’ hesitation to release their users’ attributes to the SPs. In certain scenarios (e.g. licensed content, cloud services) the home organisation and the SP have a contract which can also address the GDPR responsibilities. But in many research and collaboration scenarios there is no underlying contract or it is too generic to cover attribute release. For these scenarios, a bilateral agreement on attribute release scales poorly. To be on the safe side of GDPR, many home organisations don’t configure their IdPs to release attributes.

The attribute release challenge

To address the attribute release challenge, REFEDS has developed, and identity federations have deployed, Entity Categories (EC) that organisations can use to signal their IdPs’ and SPs’ behaviour in federations and eduGAIN. An SP can use the Research and Scholarship EC to indicate that it processes the attributes to support research and scholarship activities, and the recent Personalized EC to signal that it processes the attributes to provide the service as described in its privacy notice. Both ECs come with a default set of attributes the IdPs are expected to release.

The REFEDS Data Protection Code of Conduct provides an alternative EC for home organisations who have wider concerns about GDPR compliance. The REFEDS Code of Conduct is a best practice designed to address the requirements of GDPR. When an SP commits to the Code of Conduct, the commitment is recorded by the SP’s registrar (home federation) and signalled to the home organisations using the EC. Unlike other ECs, it has no fixed attribute bundle, which further minimises attribute release.
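The difference between a bundle-style EC and the Code of Conduct EC, seen from an IdP's release decision, as an added example that is not code from REFEDS or any IdP product. The entity category URIs, the abbreviated Research and Scholarship bundle, the metadata and the policy of releasing only attributes the SP marks `isRequired` are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Entity category URIs are assumptions of this example; the page does not quote them.
RS = "http://refeds.org/category/research-and-scholarship"
COCO = "https://refeds.org/category/code-of-conduct/v2"
# Illustrative, abbreviated fixed bundle for a bundle-style category (assumption).
RS_BUNDLE = {"eduPersonPrincipalName", "mail", "displayName", "eduPersonScopedAffiliation"}

def sp_metadata(entity_id, category, requested):
    """Build constructed SP metadata; `requested` maps FriendlyName -> isRequired."""
    ras = "".join(f'<md:RequestedAttribute FriendlyName="{n}" Name="urn:example:{n}" '
                  f'isRequired="{str(r).lower()}"/>' for n, r in requested.items())
    return ET.fromstring(
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:mdattr="{NS["mdattr"]}" '
        f'xmlns:saml="{NS["saml"]}" entityID="{entity_id}"><md:Extensions>'
        f'<mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category">'
        f'<saml:AttributeValue>{category}</saml:AttributeValue></saml:Attribute>'
        f'</mdattr:EntityAttributes></md:Extensions><md:SPSSODescriptor '
        f'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f'<md:AttributeConsumingService index="0">{ras}</md:AttributeConsumingService>'
        f'</md:SPSSODescriptor></md:EntityDescriptor>')

def entity_categories(entity):
    values = set()
    for attr in entity.iterfind("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == "http://macedir.org/entity-category":
            values |= {v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text}
    return values

def required_attributes(entity):
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    return {ra.get("FriendlyName") for ra in entity.iterfind(path, NS)
            if ra.get("isRequired") == "true"}

def release(entity, user):
    cats = entity_categories(entity)
    allowed = set()            # no recognised category: release nothing
    if COCO in cats:           # no fixed bundle: only what the SP declares as required
        allowed = required_attributes(entity)
    elif RS in cats:           # bundle-style category: the default set
        allowed = RS_BUNDLE
    return {k: v for k, v in user.items() if k in allowed}

# Constructed user record and SPs.
USER = {"eduPersonPrincipalName": "jdoe@example.org", "mail": "jdoe@example.org",
        "displayName": "J. Doe", "eduPersonScopedAffiliation": "member@example.org"}
COCO_SP = sp_metadata("https://sp1.example.org", COCO,
                      {"eduPersonScopedAffiliation": True, "mail": False})
RS_SP = sp_metadata("https://sp2.example.org", RS, {})
```

With the same user, `release(COCO_SP, USER)` yields only the affiliation, while `release(RS_SP, USER)` yields the whole bundle regardless of what the service needs.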

Code of Conduct with 17 clauses

The Code of Conduct Best Practice consists of 17 clauses that cover different aspects of GDPR. The clauses have explanatory text to help SP administrators interpret them. Together they set the “code”, i.e. the best practice for interpreting GDPR in the context of attribute release in research and education federations.

The Code of Conduct minimises the attribute release to what is necessary for enabling access to the service. It suggests how attributes can be released for user identification, authorisation, accounting, billing and information security management. The Code of Conduct requires the SP to provide GDPR-compatible information to end users and home organisations on personal data processing and security breaches. For information security measures, the Code of Conduct refers to Sirtfi.

In research and other communities, a popular approach for access management is to have an SP proxy that receives the attributes from the IdPs and relays them to other SPs in the community. The Code of Conduct describes how an SP proxy can maintain compliance while relaying the attributes to third parties, including those outside the EU/EEA. While the Code of Conduct is primarily focused on SPs in the EU/EEA, SPs elsewhere can also commit to the Code of Conduct if they can demonstrate an adequate level of data protection or appropriate safeguards, as defined in GDPR.

GDPR addresses the liabilities of the organisations processing personal data. The Code of Conduct adds a clause that shields the home organisation from damage caused by an SP violating the Code of Conduct. This is important for home organisations who don’t want to become liable for releasing attributes to an SP that later turns out to be misbehaving.

Over a decade long process of development

The work towards the Code of Conduct started as a result of a data protection analysis of eduGAIN, carried out by professional IT law experts in 2011. The analysis triggered an attempt to approach data protection in an identity federation in a formal and legally compliant way. Funded by the GEANT project, the GEANT Data protection Code of Conduct ver 1.0 was published in June 2013.

The Code of Conduct ver 1.0 was governed by the Data Protection Directive that, like GDPR, had the concept of a code of conduct approved by the data protection authorities. In 2014, the GEANT project presented the Code of Conduct to the Article 29 Data Protection Working Party, which rejected the code because it was not deemed to add enough value. Instead of just rephrasing the directive, the code of conduct was expected to fill the gap between the abstract directive and the practice in identity federations. As a result, the GEANT project started to develop a more descriptive Code of Conduct version 2.0, making the Code of Conduct grow from four pages to the current 26 pages where each clause has an explanation.

The approval of GDPR in 2016 made the GEANT project refocus the work to align with the new regulation. GDPR provided more powers to codes of conduct approved by the authorities. In particular, an approved code of conduct was introduced as an appropriate safeguard for release of personal data to a third country, which has over time turned out to be even more problematic (Schrems, Schrems II).

In 2019, the European Data Protection Board (EDPB) published its guidelines for codes of conduct and, in 2020, the GEANT project had a meeting with the Dutch data protection authorities regarding the submission of the Code of Conduct 2.0 for approval. In the discussion it turned out that, while the EDPB guidelines for international transfers were still missing, it was not possible to submit a code of conduct that would be applied as an appropriate safeguard for a third-country release. As a consequence, the GEANT project decided to reduce its ambition level and refrain from the EDPB approval. As a result, the Code of Conduct was moved to REFEDS and published as a REFEDS best practice, with no approval from the authorities.

The REFEDS Code of Conduct 2.0 leaves the door open for later amending the Code of Conduct for enabling the release of attributes to third countries. Related EDPB guidelines were published in February 2022.