The REFEDS community informs us today that the new REFEDS data protection Code of Conduct has been published.
Federated identity management is about releasing attributes from an Identity Provider (IdP) to a Service Provider (SP). In the research and education sector, the attributes are seldom intrusive but consist of a user’s name, e-mail address and affiliation, i.e. whether they are a researcher or a student of a particular institution (dubbed their home organisation). Nevertheless, in the European Union, the attributes qualify as personal data under the General Data Protection Regulation (GDPR).
A major obstacle for federated identity management is home organisations’ hesitation to release their users’ attributes to the SPs. In certain scenarios (e.g. licensed content, cloud services), the home organisation and the SP have a contract which can also address the GDPR responsibilities. But in many research and collaboration scenarios there is no underlying contract, or it is too generic to cover attribute release. For these scenarios, a bilateral agreement on attribute release scales poorly. To be on the safe side of the GDPR, many home organisations don’t configure their IdPs to release attributes at all.