Refeds


Subject RE: (fwd) New version of eduPerson now entering last call
From Andrew Cormack <Andrew.Cormack@xxxxxx>
Date Thu, 13 Jun 2013 14:48:10 +0000

UK law (and enforcement) distinguishes directly identifying and indirectly identifying information. So here ePUID will only be regarded as personal data when held by someone who can link it to the flesh and blood individual. The originating IdP usually can do that, of course, as can any SP that asks for directly identifying information as well. Hence our law actually gives an incentive to SPs to use pseudonyms. 

The Directive isn't clear whether that's the intention or not. Other EC countries don't make the distinction, which makes it harder to sell identifiers such as ePTID/ePUID, unfortunately.

Andrew

--
Andrew Cormack
Chief Regulatory Adviser, Janet
t: +44 1235 822302
b: https://community.ja.net/blogs/regulatory-developments

________________________________________
From: Mikael Linden [Mikael.Linden@xxxxxx]
Sent: 13 June 2013 14:20
To: Jones, Mark B; Leif Johansson; Cantor, Scott
Cc: Hildegunn Vada; refeds@xxxxxxxxxx
Subject: RE: [refeds] (fwd) New version of eduPerson now entering last call

>Does email address qualify as personal data in Europe?  IMO ePUID should be
>treated similarly with regard to sharing.

The definition is:
'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

Email address, ePPN, ePUID or even ePTID is there to identify an end user. It suggests that they all qualify as personal data.

mikael

-----Original Message-----
From: Mikael Linden [mailto:Mikael.Linden@xxxxxx]
Sent: Thursday, June 13, 2013 4:29 AM
To: Leif Johansson; Cantor, Scott
Cc: Hildegunn Vada; refeds@xxxxxxxxxx
Subject: RE: [refeds] (fwd) New version of eduPerson now entering last call

>I don't know (or have any opinion about) whether this means that
>eduPersonUniqueID shouldn't be used for national id numbers.

The current draft says eduPersonUniqueId "is meant to be freely sharable, is
public, opaque, and..."
In many (European) countries a National Identification Number counts as
sensitive personal data. In those countries it doesn't seem a good idea to
use NIN as ePUID.

Although defined as "freely sharable, public and opaque", there is still the
possibility that ePUID qualifies as personal data in Europe and the data
protection laws will apply to it, as Andrew mentioned. It means that the
organization (IdP) "sharing it freely" may take some legal risks. The risks
are probably smaller for an identifier that is opaque, though.

mikael