Hi,
it seems like in the moment Elsevier is safe to go for Pseudonymous Authorisation entity category - https://refeds.org/category/pseudonymous in the SP metadata at eduID.at, RENATER, SWITCHaai, Edugate, LIAF. And for Anonymous Authorisation entity category - https://refeds.org/category/anonymous in the SP metadata at DFN-AAI, InCommon.
In eduID.cz we rely on metadata in eduGAIN for service providers with residency outside Czech Republic as recommended in "How to Join eduGAIN as Service Provider" [1]. In Czech Republic universities, libraries are fine with releasing pairwise-id/ePTID for services with personalisation capabilities. So for automated attributes release for Elsevier we'd need Pseudonymous Authorisation entity category support in Elsevier SP metadata in eduGAIN.
Freiburg University may go for CAR implementation at the university IdP to provide university users with optional release of pairwise-id/ePTID according to users consent :-)
Sunny regards from Prague
Jiri
1. https://wiki.geant.org/display/eduGAIN/How+to+Join+eduGAIN+as+Service+Provid...
On Mon, Mar 15, 2021 at 8:58 PM Bernd Oberknapp bo@ub.uni-freiburg.de wrote:
Hi Peter,
On 15.03.21 20:07, Peter Schober wrote:
- Bernd Oberknapp bo@ub.uni-freiburg.de [2021-03-15 19:53]:
The point is that we cannot force users to consent to releasing PII (like a pairwise-id/eduPersonTargetedID) that isn't necessary (if the user doesn't want to use the personalization) and deny access to resources necessary for their studies or research if the users don't give their consent - that again wouldn't be free and informed consent.
Maybe my issues with the paragraph above are due to merely phrasing things in an unfortunate way (I'm not discounting the possibilty that we all agree on these issues), but not knowing that for sure all I have to go on is what's written above. To which I'll say this:
You can't ever "force users to consent", obviously. (You can certainly ask them to consent, though. Unless consent is not the legal basis for processing, see below.) And asking for consent in cases where the processing "isn't necessary" is exactly the right case to be asking for consent, IMO. Vice versa, asking for consent to processing that's necessary (e.g. GDPR Art. 6 1 b) is wrong anyway, then the legal bases is not consent and you shouldn't give the impression it is by asking for it.
the wording was indeed unfortunate. What I was trying to say is that if consent is used as a legal basis, the user must have a choice to not release the attribute and still get access to the resource (or have an comparable alternative to the institutional login), and that using a different legal basis might be difficult.
Best regards, Bernd
-- Bernd Oberknapp Gesamtleitung ReDI
Albert-Ludwigs-Universität Freiburg Universitätsbibliothek Platz der Universität 2 | Postfach 1629 D-79098 Freiburg | D-79016 Freiburg
Telefon: +49 761 203-3852 Telefax: +49 761 203-3987 E-Mail: bo@ub.uni-freiburg.de Internet: www.ub.uni-freiburg.de
FIM4L mailing list FIM4L@lists.daasi.de http://lists.daasi.de/listinfo/fim4l