RA21 Adopts GEANT Data Protection Code of Conduct

Recognising the importance of privacy and user control to stakeholders in scholarly communications, RA21 is happy to announce the adoption and endorsement of the GEANT Data Protection Code of Conduct.

The GEANT Data Protection Code of Conduct provides specific guidance to service providers about how they should handle personal data in the context of federated authentication. Key points include:

  • Purpose limitation: to only process Attributes of the End User that are necessary for enabling access to the service provided by the Service Provider;
  • Data minimisation: to minimise the Attributes requested from a Home Organisation to those that are adequate, relevant and not excessive for enabling access to the service and, where a number of Attributes could be used to provide access to the service, to use the least intrusive Attributes possible;
  • Deviating purposes: not to process the Attributes for any other purpose (e.g. selling the Attributes or selling the personalisation such as search history, commercial communications, profiling) than enabling access, unless prior consent has been given to the Service Provider by the End User;
  • Data retention: to delete or anonymise all Attributes as soon as they are no longer necessary for the purposes of providing the service.

On 31 January 2019, the RA21 Security and Privacy Work Group voted to endorse the GEANT Data Protection Code of Conduct v1 (the current approved version) and further stated that this should apply globally, regardless of the location of the user, their identity provider or the service provider they are accessing. The working group also requested that the RA21 Recommended Practice (RP) document under development should include more detailed guidance on what “minimal data” actually means in the library-to-information provider contexts. The resulting guidance in the draft RP specifies that, in the use case of accessing scholarly information resources, unless the SP has a specific, contractual agreement with an IdP, the IdP should only send anonymous and pseudonymous identifiers to the SP. While the v1 of the Data Protection Code of Conduct refers to regulations prior to EU GDPR, the spirit of the guidance — data minimisation, purpose limitations, etc. — is still appropriate today. Future governance bodies for successors of RA21 are encouraged to review and endorse v2 when that guidance is formally approved. 

RA21 is committed to supporting user privacy. All will be welcome to comment on the Recommended Practice document as it works its way through the NISO public review process. Please sign up for the RA21 news & events emails to be alerted when the call for public comment is open.

February 28, 2019