[Fim4l] Fwd: RA21 Adopts GEANT Data Protection Code of Conduct

Jiri Pavlik jiri.pavlik at mzk.cz
Fri Mar 15 10:37:16 CET 2019


FYI

---------- Forwarded message ---------
From: Julia Wallace <julia at ra21.org>
Date: Fri, Mar 15, 2019 at 10:05 AM
Subject: RA21 Adopts GEANT Data Protection Code of Conduct

Privacy Matters!

The RA21 project is pleased to announce its endorsement of the GEANT
Data Protection Code of Conduct.

Earlier this year (2019), the RA21 Security & Privacy group endorsed
the GEANT Data Protection Code of Conduct as guidance that RA21 should
follow: data minimization, purpose limitation, data retention, and
more.

What does data minimization mean in an RA21 context, where users are
trying to access scholarly information resources, particularly in an
academic setting?

It means that unless the Service Provider (such as a publisher or
other content vendor) has a specific agreement with an Identity
Provider (IdP - usually an individual’s institution) to receive
additional data, the IdP should only send anonymous and pseudonymous
identifiers to the Service Provider. Specifically, the service
provider should only ask for eduPersonEntitlement and, optionally, a
pseudonymous pairwise user identifier (e.g., eduPersonTargetedID). In
the case that the IdP sends more attributes than those one or two
requested by the Service Provider, the Service Provider must not
collect or store that data under any circumstance.

The endorsement of the GEANT Data Protection Code of Conduct and the
specifics around what attributes may be requested feeds directly into
the upcoming NISO Recommended Practices for Improved Access to
Institutional Information Resources, expected to go out for public
comment in the next few weeks. Expect another announcement from us as
soon as that comment period opens.
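
One way a Service Provider could enforce the attribute rule described in the announcement, as an added example that is not part of the original message or of any RA21 or GEANT code. It assumes the SAML assertion has already been validated and parsed into a name-to-values mapping; the function names, the friendly-name aliases and the sample values are hypothetical.

```python
# Added example: SP-side allowlist so extra attributes are never collected or stored.
ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"   # eduPersonEntitlement
TARGETED_ID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID
# Assumption: the SP's SAML stack may expose friendly names instead of OIDs.
ALIASES = {"edupersonentitlement": ENTITLEMENT, "edupersontargetedid": TARGETED_ID}
ALLOWED = {ENTITLEMENT, TARGETED_ID}


def minimize(released):
    """Split released attributes into (kept values, names of dropped attributes)."""
    kept, dropped = {}, []
    for name, values in released.items():
        canonical = ALIASES.get(name.lower(), name)
        if canonical in ALLOWED:
            bucket = kept.setdefault(canonical, [])
            for value in values:
                if value not in bucket:
                    bucket.append(value)
        else:
            # Record only the attribute name; its values are discarded here
            # and never reach the session store or the logs.
            dropped.append(name)
    return kept, sorted(dropped)


def build_session(released):
    """Build the only record the SP persists for this login."""
    kept, dropped = minimize(released)
    pairwise = kept.get(TARGETED_ID, [])
    return {
        "entitlements": kept.get(ENTITLEMENT, []),
        "pairwise_id": pairwise[0] if pairwise else None,  # optional per the announcement
        "audit": {"dropped_attribute_names": dropped},
    }


# Constructed sample: an IdP that releases more than the SP asked for.
SAMPLE_RELEASED = {
    ENTITLEMENT: ["urn:mace:dir:entitlement:common-lib-terms"],
    "eduPersonTargetedID": ["https://idp.example.edu!https://sp.example.org!c0nstructed"],
    "urn:oid:0.9.2342.19200300.100.1.3": ["alice@example.edu"],  # mail
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": ["alice@example.edu"],   # eduPersonPrincipalName
    "displayName": ["Alice Example"],
}

if __name__ == "__main__":
    print(build_session(SAMPLE_RELEASED))
```

The dropped-name list gives the SP operator a way to notice an over-releasing IdP without retaining any of the personal data it sent.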