Definition

The REFEDS Data Protection Code of Conduct (CoCo v2) defines an approach at a European level to meet the requirements of the European Union General Data Protection Regulation (GDPR) for releasing mostly harmless personal attributes to a Service Provider (SP) from an Identity Provider (IdP). For more information please see REFEDS Data Protection Code of Conduct.

The earlier GÉANT Data Protection Code of Conduct (CoCo v1) defines an approach at a European level to meet the requirements of the European Union Data Protection Directive. The Data Protection Directive has been superseded by GDPR, and therefore the requirements of GDPR must be fulfilled under CoCo v1 as well. For more information please see GEANT Data Protection Code of Conduct.

CoCo v1 will exist in parallel with CoCo v2 for an extended time, and therefore we recommend that all services that use CoCo v2 also declare CoCo v1, and vice versa.

CoCo is used both within SWAMID and in the eduGAIN interfederation to make services available to users of higher education institutions in Sweden and around Europe. CoCo makes it possible to automatically release mostly harmless attributes to Service Providers that fulfil the EU data protection legislation. The expected Identity Provider behaviour is to release the attributes the Service Provider requires, if the IdP is able to. Required attributes are the attributes the service must have to be able to work for the user. It is, however, possible to require more than one attribute of a specific type, e.g. several name or identifier attributes, to increase the likelihood of obtaining a usable set of attributes. The required attributes for a specific service are defined in the service metadata and must be described in the mandatory Service Provider Privacy Policy. There is furthermore an Identity Provider entity support category that should be registered for all Identity Providers that support the CoCo entity category; it can be used for filtering purposes in a discovery service.

...

  • Well-functioning SAML2 metadata for the service with an entityID in URL form.
  • Display name for the Service in English and preferably also in Swedish, for use in Identity Providers' login pages and Discovery Services.
  • Short description of the Service in English and preferably also in Swedish, for use in Identity Providers' login pages and Discovery Services.
  • Required attributes of the Service
  • Mail address to the technical and/or support contact for the service.
  • Organisation name of the organisation delivering the service
  • URL to the organisation delivering the service.
  • URL to an informational web page that describes the service in English and preferably also in Swedish.
  • URL to a publicly accessible web page (not a PDF document) with the service privacy policy in English and preferably also in Swedish; a privacy policy example template: SWAMID Service Provider Privacy Policy Template. The privacy policy must at least contain:
    • the name, address and jurisdiction of the Service Provider;
    • the purpose or purposes of the processing of the Attributes;
    • a description of the Attributes being processed;
    • the third party recipients or categories of third party recipient to whom the Attributes might be disclosed, and proposed transfers of Attributes to countries outside of the European Economic Area;
    • the existence of the rights to access, rectify and delete the Attributes held about the End User;
    • the retention period of the Attributes; and
    • a reference to this Code of Conduct including the formal reference URL http://www.geant.net/uri/dataprotection-code-of-conduct/v1.

The request is highly recommended to also have the following information for metadata publication:

  • URL beginning with https to the service logotype for use in Identity Providers' login pages and Discovery Services.

It is also highly recommended that the service adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).
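As an added illustration (constructed for this page, not SWAMID's or any real service's metadata), the following SP EntityDescriptor carries the items listed above in their usual SAML metadata locations: the entity categories as an mdattr:EntityAttributes extension, the display name, description, information URL, privacy policy URL and https logo as mdui:UIInfo, the required attributes as RequestedAttribute elements with isRequired="true", plus organisation and technical contact. The entityID, URLs, names and mail address are placeholders, the specific requested attributes (eduPersonPrincipalName, mail) are only examples, and the CoCo v2 URI, the Sirtfi URI and the macedir entity-category attribute name are taken from the REFEDS and MACE-Dir specifications rather than from this page.

```xml
<!-- Constructed example: entityID, URLs, names and addresses are placeholders -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" entityID="https://service.example.org/sp">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <!-- Declare both CoCo v1 and CoCo v2, as recommended above -->
      <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        <saml:AttributeValue>https://refeds.org/category/code-of-conduct/v2</saml:AttributeValue>
      </saml:Attribute>
      <!-- Sirtfi self-assertion (recommended) -->
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example Service</mdui:DisplayName>
        <mdui:DisplayName xml:lang="sv">Exempeltjänsten</mdui:DisplayName>
        <mdui:Description xml:lang="en">Short description of the service.</mdui:Description>
        <mdui:Description xml:lang="sv">Kort beskrivning av tjänsten.</mdui:Description>
        <mdui:InformationURL xml:lang="en">https://service.example.org/about</mdui:InformationURL>
        <mdui:PrivacyStatementURL xml:lang="en">https://service.example.org/privacy</mdui:PrivacyStatementURL>
        <mdui:Logo height="60" width="80">https://service.example.org/logo.png</mdui:Logo>
      </mdui:UIInfo>
    </md:Extensions>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://service.example.org/saml/acs" index="0"/>
    <!-- Required attributes: only what the service needs to work for the user; IdPs release these if they can -->
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example Service</md:ServiceName>
      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">Example Organisation</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Example Organisation</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://www.example.org/</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>mailto:saml-admin@example.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
```

Every attribute marked isRequired="true" here must also be described in the privacy policy published at the PrivacyStatementURL, since the two must agree for the CoCo release to be justified.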

...