think about data protection - switch · • legal developments in ch and eu observed (2014 -… )...
TRANSCRIPT
![Page 1: Think about Data Protection - SWITCH · • Legal developments in CH and EU observed (2014 -… ) • Participation in E-ID consultation (May 2017) ... 11 1. Lawfulness, fairness](https://reader034.vdocument.in/reader034/viewer/2022050413/5f8982fe5b988448cb49a3f0/html5/thumbnails/1.jpg)
© 2018 SWITCH | 1
Petra [email protected]
Trust & Identity WG Meeting14. March 2018, Bern
Think about Data Protection
![Page 2: Think about Data Protection - SWITCH · • Legal developments in CH and EU observed (2014 -… ) • Participation in E-ID consultation (May 2017) ... 11 1. Lawfulness, fairness](https://reader034.vdocument.in/reader034/viewer/2022050413/5f8982fe5b988448cb49a3f0/html5/thumbnails/2.jpg)
© 2018 SWITCH | 2
GoalWe are compliant with the different applicable data protection laws
![Page 3: Think about Data Protection - SWITCH · • Legal developments in CH and EU observed (2014 -… ) • Participation in E-ID consultation (May 2017) ... 11 1. Lawfulness, fairness](https://reader034.vdocument.in/reader034/viewer/2022050413/5f8982fe5b988448cb49a3f0/html5/thumbnails/3.jpg)
© 2018 SWITCH | 3
But …
Data Protection Law compliant
X
![Page 4: Think about Data Protection - SWITCH · • Legal developments in CH and EU observed (2014 -… ) • Participation in E-ID consultation (May 2017) ... 11 1. Lawfulness, fairness](https://reader034.vdocument.in/reader034/viewer/2022050413/5f8982fe5b988448cb49a3f0/html5/thumbnails/4.jpg)
© 2018 SWITCH | 4
3 Actors
Cantonal Universities
SWITCHFederal Institutes ofTechnology
CantonalData ProtectionLaws
FederalData ProtectionLaw
![Page 5: Think about Data Protection - SWITCH · • Legal developments in CH and EU observed (2014 -… ) • Participation in E-ID consultation (May 2017) ... 11 1. Lawfulness, fairness](https://reader034.vdocument.in/reader034/viewer/2022050413/5f8982fe5b988448cb49a3f0/html5/thumbnails/5.jpg)
© 2018 SWITCH | 5
2 Purposes
UniversityAdministration
User Purposes
![Page 6: Think about Data Protection - SWITCH · • Legal developments in CH and EU observed (2014 -… ) • Participation in E-ID consultation (May 2017) ... 11 1. Lawfulness, fairness](https://reader034.vdocument.in/reader034/viewer/2022050413/5f8982fe5b988448cb49a3f0/html5/thumbnails/6.jpg)
© 2018 SWITCH | 6
• Legal questions collected (regulations WG, 2014)
• Questions sent to different Data Protection Officers (2015)
• Several queries on federal data protection officer because of expected written answer (2015 - … )
• Legal developments in CH and EU observed (2014 - … )
• Participation in E-ID consultation (May 2017)
• Situation about social security number AHVN13 analysed with FHNW (2017)
• SWITCH edu-ID database declared (2017)
• Service Description elaborated (federation policies adopted; 2018)
How to get & deliver answers …
![Page 7: Think about Data Protection - SWITCH · • Legal developments in CH and EU observed (2014 -… ) • Participation in E-ID consultation (May 2017) ... 11 1. Lawfulness, fairness](https://reader034.vdocument.in/reader034/viewer/2022050413/5f8982fe5b988448cb49a3f0/html5/thumbnails/7.jpg)
© 2018 SWITCH | 7
• Positive: „Lifelong use“ of SWITCH edu-ID
• Negative: Storing data after leaving Higher Education Institution
Statements by Data Protection Officers
Allow to delete account (if no active affiliation)
à solution found
Former affiliation & user consent
![Page 8: Think about Data Protection - SWITCH · • Legal developments in CH and EU observed (2014 -… ) • Participation in E-ID consultation (May 2017) ... 11 1. Lawfulness, fairness](https://reader034.vdocument.in/reader034/viewer/2022050413/5f8982fe5b988448cb49a3f0/html5/thumbnails/8.jpg)
© 2018 SWITCH | 8
• Use of AHVN13 as attribute within SWITCH edu-ID?
• Legal assessment by SWITCH
AHVN13
• Legal advise: • Use of AHVN13 deemed as too delicate• Observe political development about usage of AHVN13
• Legislative project for wider applicability
Risk analysis (in German): https://projects.switch.ch/eduid/documents/
![Page 9: Think about Data Protection - SWITCH · • Legal developments in CH and EU observed (2014 -… ) • Participation in E-ID consultation (May 2017) ... 11 1. Lawfulness, fairness](https://reader034.vdocument.in/reader034/viewer/2022050413/5f8982fe5b988448cb49a3f0/html5/thumbnails/9.jpg)
© 2018 SWITCH | 9
• Data protection provisions (chapter 6.3)
• Provisions regarding
warranty, liability, applicable law, place of jurisdiction etc.
https://www.switch.ch/edu-id/terms/
Legal aspects of the Service Description
![Page 10: Think about Data Protection - SWITCH · • Legal developments in CH and EU observed (2014 -… ) • Participation in E-ID consultation (May 2017) ... 11 1. Lawfulness, fairness](https://reader034.vdocument.in/reader034/viewer/2022050413/5f8982fe5b988448cb49a3f0/html5/thumbnails/10.jpg)
© 2018 SWITCH | 10
1. Lawfulness, fairness and transparency
2. Purpose limitations
3. Data minimisation
4. Accuracy
5. Storage limitations
6. Integrity and confidentiality
7. Accountability
7 Privacy Principles Use of datadescribed
Data economy in federation
Purposes described
Updates
Deletion of accounts
Data security
Demonstrate compliance with principles
![Page 11: Think about Data Protection - SWITCH · • Legal developments in CH and EU observed (2014 -… ) • Participation in E-ID consultation (May 2017) ... 11 1. Lawfulness, fairness](https://reader034.vdocument.in/reader034/viewer/2022050413/5f8982fe5b988448cb49a3f0/html5/thumbnails/11.jpg)
© 2018 SWITCH | 11
1. Lawfulness, fairness and transparency
2. Purpose limitations
3. Data minimisation
4. Accuracy
5. Storage limitations
6. Integrity and confidentiality
7. Accountability
7 Privacy Principles Use of datadescribed
Data economy in federation
Purposes described
Updates
Deletion of accounts
Data security
Demonstrate compliance with principles
Privacy by
• Design: technical integration• Default: data protection friendly settings
![Page 12: Think about Data Protection - SWITCH · • Legal developments in CH and EU observed (2014 -… ) • Participation in E-ID consultation (May 2017) ... 11 1. Lawfulness, fairness](https://reader034.vdocument.in/reader034/viewer/2022050413/5f8982fe5b988448cb49a3f0/html5/thumbnails/12.jpg)
© 2018 SWITCH | 12
1. Apply law(s) and principles for processes & servicesE.g., store & release only data necessary for the declared and current purpose
2. Consult (local) Data Protection Officer(knows local regulations as well as law)
3. Apply specific policies• Resource Registry à Data Release Policy (fill role of administrator)• Local (university) policies
4. Inform & instruct staff and end users• Clear user guides, Help, ToU, courses for IT and other staff• User awareness campaigns (security, data protection)
How to protect data in general
![Page 13: Think about Data Protection - SWITCH · • Legal developments in CH and EU observed (2014 -… ) • Participation in E-ID consultation (May 2017) ... 11 1. Lawfulness, fairness](https://reader034.vdocument.in/reader034/viewer/2022050413/5f8982fe5b988448cb49a3f0/html5/thumbnails/13.jpg)
© 2018 SWITCH | 13
How to protect data in SWITCH edu-ID?
Secure storage of data ISMS ISMS/other credentials
Availability of data SLA SLA (updates)
Confidentiality access/policy access/policy credentials
Transparency user consent, ToU, SLA
local ToU My account
Accuracy (correctness of data)
verified email, mobile number, postal address
all transmitted attributes
(verification)
ToU, updates
Data Economy(minimisation)
define minimal requirements
apply minimal requirements
user consent
Audits ISMS (right reserved) inspection
Attribute Release Policy (ARP) in RR
approval process
approval by RRA admin
user consent
Federation trust layer governance community rules
membership
![Page 14: Think about Data Protection - SWITCH · • Legal developments in CH and EU observed (2014 -… ) • Participation in E-ID consultation (May 2017) ... 11 1. Lawfulness, fairness](https://reader034.vdocument.in/reader034/viewer/2022050413/5f8982fe5b988448cb49a3f0/html5/thumbnails/14.jpg)
© 2018 SWITCH | 14
EU General Data Protection Regulation (GDPR)(Datenschutzgrundverordnung DSGVO):
- enforcement 25.5.2018
- important also for Switzerland
à no immediate adaptations necessary (for SWITCH)
Revision of CH Federal Data Protection Act (Bundesgesetz über den Datenschutz DSG):
- includes adaptations for EU law
- delayed, expected earliest for end of 2018
- “compatibility” with GDPR
à SWITCH will avoid double adjustments and apply CH law
New E-ID law- simultaneously with data protection act or later
- impact possible if used as basic identity (but not directly on edu-ID)
Current Law Situation
https://www.eugdpr.org/
https://www.bj.admin.ch/bj/de/home/staat/gesetzgebung.html
![Page 15: Think about Data Protection - SWITCH · • Legal developments in CH and EU observed (2014 -… ) • Participation in E-ID consultation (May 2017) ... 11 1. Lawfulness, fairness](https://reader034.vdocument.in/reader034/viewer/2022050413/5f8982fe5b988448cb49a3f0/html5/thumbnails/15.jpg)
© 2018 SWITCH | 15
• Fill seat for legal representative in Advisory Board (mandate by SWITCH; hints welcome!)
• Analyse & compare legal statements ofData Protection Officers
• Analyse draft and final version of FDPA;prepare changes (if necessary)
• More detailed description of data processing
• Prepare process for inspection of record by users
• Prepare paper with reasoning for universities
Tasks for the future
![Page 16: Think about Data Protection - SWITCH · • Legal developments in CH and EU observed (2014 -… ) • Participation in E-ID consultation (May 2017) ... 11 1. Lawfulness, fairness](https://reader034.vdocument.in/reader034/viewer/2022050413/5f8982fe5b988448cb49a3f0/html5/thumbnails/16.jpg)
© 2018 SWITCH | 16
Result:We are compliant with the different applicable data protection laws