Data Protection issues with Shibboleth
Some notes about data protection issues and requirements as they apply to the Shibboleth project.
Most of the static data (e.g. information about users, rather than e.g. logfiles) being used by the IdP is already held elsewhere by the CS (Jackdaw, lookup, etc.) so we can (presumably?) assume that most DP issues relating to it have already been resolved. Though might Shib be a new Purpose?
Life is much easier where we can avoid disclosing personal/bibliographic data. This is true even if it is in the user's interest for us to do so (i.e. it's better for us to require a user to supply his/her email address direct to each and every SP they use than it is for us to supply it for them). We should therefore resist releasing any non-anonymous attributes as strongly as we can, which in any case fits with UK Federation policy.
If users decline to allow us to disclose information they may be refused access to some resources. This could be unacceptable if access to these resources was in some way required and there is no alternative.
Neither user consent nor UK Federation rules can be guaranteed to protect us if personal data that we transfer outside the EEA is subsequently misused. This suggests that such transfers can only take place if covered (as the UK Federation suggests) by contracts that contain acceptable safeguards. This is going to be a problem where an SP is run by something ad hoc, like a research group. Note that it's not easy, or perhaps even possible, to work out whether an SP is inside the EEA or not. Documented procedures and records justifying release decisions would be advisable. However, manual approval of every SP is going to be time consuming.
It would be advisable to clearly distinguish between resources provided by the University, which users might choose to trust, and those provided by others. A typical Shib interaction switches between these in what may be a confusing manner.
In designing the system we should remember to make servicing subject access requests as easy as possible. Likely data not imported from elsewhere include attribute release decisions and logging information.
The Colleges are of course separate legal entities. This will have implications both for data use and disclosure. We should probably treat SPs in the colleges by default as we would any SP elsewhere in the EEA. We should check that data we collect from the colleges, or direct from college employees, may be used for purposes such as Shib.