---------- Forwarded message ---------
From: Julia Wallace julia@ra21.org
Date: Fri, Mar 15, 2019 at 10:05 AM
Subject: RA21 Adopts GEANT Data Protection Code of Conduct
Privacy Matters!
The RA21 project is pleased to announce its endorsement of the GEANT Data Protection Code of Conduct.
Earlier this year (2019), the RA21 Security & Privacy group endorsed the GEANT Data Protection Code of Conduct as guidance that RA21 should follow: data minimization, purpose limitation, data retention, and more.
What does data minimization mean in an RA21 context, where users are trying to access scholarly information resources, particularly in an academic setting?
It means that unless the Service Provider (such as a publisher or other content vendor) has a specific agreement with an Identity Provider (IdP - usually an individual’s institution) to receive additional data, the IdP should only send anonymous and pseudonymous identifiers to the Service Provider. Specifically, the Service Provider should only ask for eduPersonEntitlement and, optionally, a pseudonymous pairwise user identifier (e.g., eduPersonTargetedID). In the case that the IdP sends more attributes than those one or two requested by the Service Provider, the Service Provider must not collect or store that data under any circumstance.
The endorsement of the GEANT Data Protection Code of Conduct and the specifics around what attributes may be requested feed directly into the upcoming NISO Recommended Practices for Improved Access to Institutional Information Resources, expected to go out for public comment in the next few weeks. Expect another announcement from us as soon as that comment period opens.
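
Added example, not part of the RA21 announcement or any RA21 code: one way a Service Provider could enforce the data minimization rule described above, by keeping only eduPersonEntitlement and eduPersonTargetedID from an already-validated SAML 2.0 AttributeStatement and discarding everything else before it reaches storage. The function name `minimize` and the sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Allow-list keyed on the attribute's Name (its OID). FriendlyName is only a
# display hint set by the sender, so it is never used for the decision.
ALLOWED = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
}

# Constructed sample: the IdP over-releases mail and displayName, and the
# displayName attribute carries a misleading FriendlyName.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement">
    <saml:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" FriendlyName="eduPersonTargetedID">
    <saml:AttributeValue><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">constructed-opaque-id</saml:NameID></saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
    <saml:AttributeValue>user@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="eduPersonEntitlement">
    <saml:AttributeValue>Example User</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def minimize(attribute_statement_xml):
    """Return (kept, dropped): kept maps allowed attribute -> values,
    dropped lists only the Names of discarded attributes (never their values)."""
    root = ET.fromstring(attribute_statement_xml)
    kept, dropped = {}, []
    for attr in root.findall("saml:Attribute", NS):
        name = attr.get("Name", "")
        canonical = ALLOWED.get(name)
        if canonical is None:
            dropped.append(name)  # value is intentionally not read
            continue
        # itertext() also covers eduPersonTargetedID's nested <NameID> value
        values = ["".join(v.itertext()).strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        kept.setdefault(canonical, []).extend(values)
    return kept, dropped

if __name__ == "__main__":
    kept, dropped = minimize(SAMPLE)
    print("kept:", kept)
    print("dropped (names only):", dropped)
```

Signature and condition checks on the assertion are assumed to have been done by the SAML stack before this filter runs; the dropped list is suitable for audit logging because it holds attribute names only.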