Subject RE: (fwd) New version of eduPerson now entering last call
From "Jones, Mark B" <Mark.B.Jones@xxxxxxxxxxx>
Date Thu, 13 Jun 2013 08:05:48 -0500

Does email address qualify as personal data in Europe?  IMO ePUID should be
treated similarly with regard to sharing.

-----Original Message-----
From: Mikael Linden [mailto:Mikael.Linden@xxxxxx] 
Sent: Thursday, June 13, 2013 4:29 AM
To: Leif Johansson; Cantor, Scott
Cc: Hildegunn Vada; refeds@xxxxxxxxxx
Subject: RE: [refeds] (fwd) New version of eduPerson now entering last call

>I don't know (or have any opinion about) weather this means that 
>eduPersonUniqueID shouldn't be used for national id numbers.

The current draft says eduPersonUniqueId "is meant to be freely sharable, is
public, opaque, and..."
In many (European) countries a National Identification Number counts as
sensitive personal data. In those countries it doesn't seem a good idea to
use NIN as ePUID.

Although defined as "freely sharable, public and opaque", there is still the
possibility that ePUID qualifies as personal data in Europe and the data
protection laws will apply to it, as Andrew mentioned. It means that the
organization (IdP) "sharing it freely" may take some legal risks. The risks
are probably smaller for an identifier that is opaque, though. 


Attachment: smime.p7s
Description: S/MIME cryptographic signature