28 April 2014
REFEDS Entity Category helps organisations release data securely

REFEDS is pleased to announce that its first Entity Category has been formally approved by the REFEDS Steering Committee and is available for use by research and education federations. The Research and Scholarship Entity Category helps identity providers to securely release a set of attributes, including personal data, to a service provider that has proved it needs the information to provide an effective service to users.

Identity federations were set up to help organisations protect user data, allowing users to connect with services whilst limiting the amount of data, or attributes, they release, including the ability to remain anonymous. However, concerns about data release have led educational institutions to be very cautious about passing any information about users to services, even when this would be helpful.

REFEDS Entity Categories help address this issue by providing tools to allow institutions and service providers to flag their compliance with data protection laws and explain the purposes for which they will use the user data. Entity Categories are used by federations to assign a service to a specific group based on its use of personal data. Institutions can then trust that provider and release sets of user data, known as attributes, without significant amounts of work by either party.

Research and Scholarship Entity Category

The Research and Scholarship Entity Category is aimed at service providers that provide collaborative, interactive or management tools to researchers and other educational users where some personal data is required to make the service work properly. This might include wikis, blogs, and project or grant management tools. Service providers can apply to their federation to be added to the Research and Scholarship Entity Category. Once they have satisfied the federation operator that the attribute is necessary for the service in question, they are given a tag in federation metadata. Identity providers seeing this tag can then immediately trust and permit attribute release for this service.

More information:

REFEDS Entity Categories are based on the draft SAML Entity Category specification. The Entity Categories provide a risk-assessed way of ensuring that the release is "necessary" for the use of the service and therefore permitted under Data Protection processing. The Information Commissioner's Office in the UK has a useful guide on conditions of processing.

An FAQ on Entity Categories is available on the REFEDS wiki. Identity providers and service providers interested in using these categories should contact their local federation or the REFEDS coordinators.