[edugain-policy-comments] Comments on the eduGAIN eduGAIN Data Protection Profile draft


  • From: Thomas Lenggenhager <lenggenhager AT switch.ch>
  • To: edugain-policy-comments AT geant.net
  • Subject: [edugain-policy-comments] Comments on the eduGAIN eduGAIN Data Protection Profile draft
  • Date: Thu, 26 Aug 2010 16:21:03 +0200
  • List-archive: <http://mail.geant.net/edugain-policy-comments>
  • List-id: edugain policy comments <edugain-policy-comments.geant.net>
  • Organization: SWITCH

Here are my comments on the draft eduGAIN Data Protection Profile from 1
July 2010.

Regards,
Thomas

line 809: 1.1 Terms
now:
Home Organisation
The organisation which the end users are affiliated to and which is
responsible for authenticating end users and maintaining their
Attributes. Home Organisation is responsible of setting up and operating
an Identity Provider, either by itself or as an outsourced service. In
this document, a Home Organisation refers to an organisation whose
Identity Provider a Participant Federation has exposed to eduGAIN

new:
Home Organisation
The organisation to which an end user is affiliated and which is
responsible for authenticating the end user and keeping his/her
Attributes up-to-date. Home Organisation is responsible for setting up
and operating an Identity Provider, either by itself or as an outsourced
service. In this document, a Home Organisation refers to an organisation
whose Identity Provider gets exposed to eduGAIN by a Participant Federation

Oh, I just noticed that this definition should be aligned to the
constitution. I assume the pale blue background means that this term is
elsewhere defined. Make it explicit from where. BTW: the SP definition
should then also have a blue background.



line 813-818: Requirements and categories for Service Providers
The first sentence does not provide much information, but PII is not
explained.

now:
Service Providers have different characteristics with regards to the end
users accessing the Service Provider. Considering the data protection
directive's implications, Service Providers are divided into the
following two categories:
category PII: the Service Provider processes personal data
category non-PII: the Service Provider processes no personal data
The categories are further elaborated below and summarized as a table in
Appendix A.

new:
Considering the data protection directive's implications, Service
Providers are grouped into these two categories:
- category PII: the Service Provider processes personal data
- category non-PII: the Service Provider processes no personal data

PII stands for 'Personally Identifiable Information'.

The categories are further elaborated in section 2.3 and 2.4 and
summarized in a table in Appendix A.



line 828-829: Registering to a category
The responsibility referring to 'it' could be interpreted as the SP or
the Home Federation. The SP is meant, so be more specific.

now:
If a Service Provider is registered to the category non-PII, it takes
the responsibility of ensuring that

new:
If a Service Provider is registered to the category non-PII, the Service
Provider takes the responsibility of ensuring that



line 840:
jurisdictions not juristictions



line 846-849: Service Providers manifesting no category
The last sentence does not provide additional info. It is obvious since
the profile requires the choice of one of the two categories.

now:
If a Service Provider does not manifest any category, it is assumed that
the Home Organisations and Identity and Service Providers have fulfilled
the obligations set by the data protection directive using an
out-of-band mechanism. This is the default for Home Organisations and
Identity and Service Provides who have not adopted this profile.

new:
If a Service Provider does not manifest any category, it is assumed that
the Home Organisations, Identity Providers and the Service Provider will
fulfil the obligations set by the data protection directive using an
out-of-band mechanism.



line 851-852: Category PII: SP processes personal data
now:
In category PII, the Service Provider is processing personal data
because it receives Attributes which are considered personal data from
the Identity Provider.

new:
In category PII, the Service Provider is processing personal data
because it requests Attributes from the Identity Provider which are
considered personal data.



line 863-867:
now:
The Service Provider being a data processor or data controller may
depend on the Home Organisation. The Service Provider may have a data
processing agreement with some Home Organisations in eduGAIN, making the
Service Provider a data processor for those Home Organisations. For the
rest of the Home Organisations, the Service Provider may be a data
controller.

new:
Whether the Service Provider is a data processor or data controller may
vary per Home Organisation. With some Home Organisations in eduGAIN, the
Service Provider may have a data processing agreement and acts as a data
processor. For the other Home Organisations, the Service Provider acts
as a data controller.



line 871-872: Purpose of processing
now:
The data processing agreements signed by the data controllers and
processors may be more specific on what is the purpose of processing.

new:
A bilateral data processing agreement signed by a data controller and a
data processor is likely to be more specific on the purpose of processing.



line 878: Informing the data subject
now:
and expose it to the eduGAIN metadata.

new:
and expose this URL to the eduGAIN metadata.



line 887-889:
Since it is marked as an example we can drop the 'if necessary'.
now:
This can be done, for instance, when an end user consents, if necessary,
to Attribute release (see next section).

new:
For instance, the Identity Provider displays the URL, when an end user
consents to Attribute release (see next section 2.3.4).



line 890:
> What if the Attribute requirements or other issues above change?
> Anything about re-consent?

It could be included in the paragraph above, where it now just refers
to the first time.



line 892-894:
If the SP is a data processor, the Home Org has to be a data controller,
so we can drop that. It is anyhow obvious.
now:
The data controller is responsible for informing the end user on
processing his/her personal data. If the Service Provider is a data
processor and the Home Organisation is the data controller, the Service
Provider may refer to the Home Organisation in its privacy policy web page.

new:
The data controller is responsible for informing the end user on
processing his/her personal data. If the Service Provider is a data
processor, the Service Provider may refer to the Home Organisation in
its privacy policy web page.



line 911:
replace 'providers' with 'provides'



line 915:
now:
Provider's privacy policy (see the previous section).

new:
Provider's privacy policy (see the previous section 2.3.3).



line 945-947:
> Attributes revealing racial or ethnic origin, political opinions,
> religious or philosophical beliefs, trade-union membership, and
> the processing of data concerning health or sex life should not be
> released in eduGAIN.

Do we really need this? I do not understand what 'the processing of
data' has to do with 'released in eduGAIN'.

A simple cn may reveal or at least strongly hint at someone's religious
origin...



line 959-962: Registering a Home Organisation's conformance
The last sentence does not provide additional info. The profile requires
one or both of the two categories.

now:
If a Home Organisation does not manifest conformance to this profile, it
is assumed that the Home Organisation and the Service Providers have
fulfilled the obligations set by the data protection directive using an
out-of-band mechanism. This is the default for Home Organisations and
Identity and Service Provides who have not adopted this profile.

new:
If a Home Organisation does not manifest conformance to this profile, it
is assumed that the Home Organisation and the Service Providers will
fulfil the obligations set by the data protection directive using an
out-of-band mechanism.



line 964: Technical implementation
I would move chapter 4 to Annex A and rename the existing annexes to B
and C.



line 1040:
Include the xml:lang="en" in the example. Good examples generally help
for wide adoption later on.

<mdui:PrivacyStatementURL xml:lang="en">
http://www.example.org/privacypolicy.html
</mdui:PrivacyStatementURL>



line 1046 ff: 4.4. Criteria for making data processing legitimate
Here you should refer to 2.3.4 and the hints provided there for
necessity or consent.



line 1074: 4.5. Identity Provider behaviour
now:
ask him/her to consent, if necessary, to the Attribute release.

new:
ask him/her to consent to the Attribute release, if necessary.



line 1076-1078: 4.6. Service Provider behaviour
now:
A Service Provider relying on the data protection mechanisms provided in
this document and belonging to category PII must, before accepting any
Attributes, ensure that the Identity Provider manifests conformance to
category PII.

new:
If a Service Provider relies on the data protection mechanisms defined
in this document and belongs to category PII, the Service Provider must
ensure that the Identity Provider manifests conformance to category PII
before it accepts any Attributes.



line 79: 4.7. Service Providers which have "multiple faces"
new title: 4.7. "Multi-faced" Service Providers



line 1084:
now:
the Service Provider registers several entries (with separate entityIDs)
in the metadata, or

new:
the Service Provider registers multiple entities (with separate
entityIDs), or



The appendices A and B I haven't read yet...

--
SWITCH
Serving Swiss Universities
--------------------------
Thomas Lenggenhager
P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 1505 direct +41 44 268 1541
http://www.switch.ch
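The comment on line 1040 asks that the profile's metadata example carry xml:lang="en" on mdui:PrivacyStatementURL. As an added illustration (not part of the mailing-list post and not eduGAIN's own tooling), the following script parses a constructed SAML 2.0 metadata document and reports, per Service Provider entityID, whether a PrivacyStatementURL is present, whether it carries the xml:lang attribute, and whether it is an absolute http(s) URL. The entityIDs and the metadata itself are constructed sample data; the md and mdui namespace URIs are the standard SAML metadata and metadata-UI namespaces.

```python
"""Check mdui:PrivacyStatementURL elements in SAML 2.0 metadata.

Added example; the metadata below is constructed for illustration and the
entityIDs are placeholders, not real eduGAIN entities.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
# ElementTree reports the predefined xml: prefix under the XML namespace URI.
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed sample: sp1 is language-tagged (as the comment asks),
# sp2 lacks xml:lang, sp3 publishes no privacy statement at all.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo>
          <mdui:PrivacyStatementURL xml:lang="en">
            http://www.example.org/privacypolicy.html
          </mdui:PrivacyStatementURL>
        </mdui:UIInfo>
      </md:Extensions>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo>
          <mdui:PrivacyStatementURL>http://www.example.org/privacy.html</mdui:PrivacyStatementURL>
        </mdui:UIInfo>
      </md:Extensions>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp3.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _is_absolute_http_url(url):
    """True for an absolute http or https URL with a host part."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def check_privacy_statements(xml_text):
    """Return {entityID: {"urls": [(lang, url)], "problems": [...], "ok": bool}}
    for every entity that has an SPSSODescriptor."""
    root = ET.fromstring(xml_text)
    report = {}
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        sp = entity.find("md:SPSSODescriptor", NS)
        if sp is None:
            continue  # IdP-only entities are not in scope for an SP check
        entity_id = entity.get("entityID")
        urls, problems = [], []
        for el in sp.findall(".//mdui:PrivacyStatementURL", NS):
            lang = el.get(XML_LANG)
            url = (el.text or "").strip()
            urls.append((lang, url))
            if lang is None:
                problems.append("PrivacyStatementURL lacks xml:lang")
            if not _is_absolute_http_url(url):
                problems.append("PrivacyStatementURL is not an absolute http(s) URL")
        if not urls:
            problems.append("no mdui:PrivacyStatementURL")
        report[entity_id] = {"urls": urls, "problems": problems, "ok": not problems}
    return report


if __name__ == "__main__":
    for entity_id, info in check_privacy_statements(SAMPLE_METADATA).items():
        status = "OK" if info["ok"] else "; ".join(info["problems"])
        print("%s: %s" % (entity_id, status))
```

Run against a real aggregate, the report lists which SPs would leave the Identity Provider with no language-tagged privacy statement URL to display at consent time, which is the situation the comment is trying to avoid.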
