interfed - [inc-interfed] NOTES, discussion of the Geant Code of Conduct
Subject: Interfederation
- From: Steven Carmody <>
- Subject: [inc-interfed] NOTES, discussion of the Geant Code of Conduct
- Date: Tue, 12 Mar 2013 13:05:38 -0400
what is the Directive
url http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:NOT
because it's a Directive, it is implemented via national law
multiple interpretations
enforced by each national data regulator
EU Article 29 Working Party offers non-binding "interpretations"
The new EU data protection regulation proposal (directly binding on the 27 EU countries) -- DRAFT, not yet adopted
Summary of the Directive
url, Mikael's doc https://refeds.terena.org/index.php/Introduction_to_Data_protection_directive
objective -- The objective of the directive is to protect a person’s fundamental rights while guaranteeing the free flow of personal data between member states.
data controllers, processors vs. home org, SP
"joint data controllers"
imposes requirements on both parties
seems to expect bilateral contracts
Problems with the Directive, from the HE viewpoint
bilateral contracts do not scale
crossing national boundaries -- different interpretations
org-org, not person to person
many possible approaches to compliance, but the two parties in any given transaction must use the same approach
How does the CoC approach this situation
url https://refeds.terena.org/index.php/Data_protection_coc
developed with advice from DLA Piper
only tackles part of the problem (declares optional attr/user consent out of scope)
defines AN approach for the two parties
if party A sees that party B is operating in compliance with the CoC, then party A can make some assumptions about how to proceed
the CoC does not do away with RISK, but aims to minimize it
Phase 1 avoids optional attributes; only refers to "Attributes that are necessary for the legitimate interests of the Service Provider to provide the service"
How does the CoC Actually Work
-- SP indicates that it has committed to the CoC (not a contract -- a declaration)
-- SP asks, via metadata, for required attributes
-- SP INFORMS the user (via its privacy policy) of its processing of attributes
-- IDP INFORMS the user when required attributes are released
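The IdP-side check implied by the four steps above, as an added example that is not part of these notes or of the GEANT CoC project's own code: it parses a constructed SP metadata fragment, verifies that the CoC commitment is declared as an entity category (using the real v1 category URI, which the notes do not quote), requires a published privacy statement (mdui:PrivacyStatementURL) so the user can be informed, and returns only the attributes the SP marks as required. The entityID, URLs and attribute OIDs in the sample are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute", "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"  # entity-category attribute name
COC_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"  # GEANT CoC v1 category value

# Constructed sample SP metadata for a hypothetical SP (not a real entity).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://sp.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="http://macedir.org/entity-category">
      <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><mdui:UIInfo>
      <mdui:PrivacyStatementURL xml:lang="en">https://sp.example.org/privacy</mdui:PrivacyStatementURL>
    </mdui:UIInfo></md:Extensions>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Service</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.42" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def coc_release_set(metadata_xml):
    """Attribute names an IdP may release under CoC phase 1; [] if the SP does not qualify."""
    root = ET.fromstring(metadata_xml)
    # Step 1: the SP must declare its CoC commitment as an entity category (a declaration, not a contract).
    categories = {v.text.strip() for v in root.findall(
        f"md:Extensions/mdattr:EntityAttributes/saml:Attribute[@Name='{ENTITY_CATEGORY}']/saml:AttributeValue", NS)}
    if COC_V1 not in categories:
        return []
    # Step 3: the SP must publish a privacy statement so the user can be informed of its processing.
    if root.find("md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:PrivacyStatementURL", NS) is None:
        return []
    # Step 2: release only attributes the SP marks isRequired="true"; optional ones are out of scope in phase 1.
    return [ra.get("Name") for ra in root.findall(
        "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute", NS)
        if ra.get("isRequired", "false").lower() == "true"]
```

The IdP still has to inform the user at release time (step 4); this function only decides which attributes are eligible.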
Extending Beyond the EU
"countries with comparable privacy protection"
US -- Safe Harbor, Commerce Dept, specifically excludes Higher Ed
CoC -- "combine the current CoC with the EC model contractual clauses and make both the home organization and service provider commit to them."