Recognising the importance of privacy and user control to stakeholders in scholarly communications, RA21is happy to announce the adoption and endorsement of the GEANT Data Protection Code of Conduct.
The GEANT Data Protection Code of Conduct provides specific guidance to service providers about how they should handle personal data in the context of federated authentication. Key points include:
Purpose limitation: to only process Attributes of the End User that are necessary for enabling access to the service provided by the Service Provider;
Data minimisation: to minimise the Attributes requested from a Home Organisation to those that are adequate, relevant and not excessive for enabling access to the service and, where a number of Attributes could be used to provide access to the service, to use the least intrusive Attributes possible;
Deviating purposes: not to process the Attributes for any other purpose (e.g. selling the Attributes or selling the personalisation such as search history, commercial communications, profiling) than enabling access, unless prior consent has been given to the Service Provider by the End User;
Data retention: to delete or anonymise all Attributes as soon as they are no longer necessary for the purposes of providing the service.
For additional details, see the RA21 announcement, dated February 28, 2019.