Background

  • Data Protection Directive, article 2a: personal data means any information relating to an identified or identifiable natural person
  • Data Protection Directive, article 7: user consent is the basis for legitimate processing of personal data
  • Data Protection Directive, article 11: the user must be informed when an Identity Provider is going to disclose his personal data to a third party (i.e. a Service Provider), and when a Service Provider is going to obtain his personal data from a party other than the data subject itself (i.e. an Identity Provider)

A Service Provider (SP) is required to report the URL of its privacy policy document in the Haka metadata. Currently the URL is reported in two separate sections of the Haka Resource Registry: SP Basic information and UI Extensions. In UI Extensions the URL is given in all three languages: fi, sv, en. It is recommended to support all three languages, either in the same document or with different URLs pointing to different language versions.

Shibboleth IdP has a property to show the link to the privacy policy on the sign-in page. The language setting in the user's browser determines which language version will be shown.
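A home organization or federation operator can check which SPs would leave the IdP sign-in page without a privacy policy link in some language. The following is an added example, not Haka's or Shibboleth's own code: it assumes the UI Extensions are published as `mdui:PrivacyStatementURL` elements inside `mdui:UIInfo`, the function names and sample entities are constructed, and the absolute http(s) URL check is an extra sanity check rather than a Haka rule.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
REQUIRED_LANGS = ("fi", "sv", "en")  # the three languages named on this page

# Constructed sample metadata (not real Haka entities).
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://sp-ok.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:Extensions><mdui:UIInfo>
      <mdui:PrivacyStatementURL xml:lang="fi">https://sp-ok.example.org/privacy/fi</mdui:PrivacyStatementURL>
      <mdui:PrivacyStatementURL xml:lang="sv">https://sp-ok.example.org/privacy/sv</mdui:PrivacyStatementURL>
      <mdui:PrivacyStatementURL xml:lang="en">https://sp-ok.example.org/privacy/en</mdui:PrivacyStatementURL>
    </mdui:UIInfo></md:Extensions></md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-gap.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:Extensions><mdui:UIInfo>
      <mdui:PrivacyStatementURL xml:lang="fi">https://sp-gap.example.org/tietosuoja</mdui:PrivacyStatementURL>
      <mdui:PrivacyStatementURL xml:lang="en">sp-gap.example.org/privacy</mdui:PrivacyStatementURL>
    </mdui:UIInfo></md:Extensions></md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def privacy_urls(entity):
    """Return {lang: url} from the SP role's mdui:PrivacyStatementURL elements."""
    path = "md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:PrivacyStatementURL"
    return {(el.get(XML_LANG) or "").lower(): (el.text or "").strip()
            for el in entity.iterfind(path, NS)}

def usable(url):
    """True for an absolute http(s) URL that a sign-in page can link to."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def audit(metadata_xml):
    """Map SP entityID -> findings; SPs with all three usable URLs are omitted."""
    root = ET.fromstring(metadata_xml)
    report = {}
    for entity in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if entity.find("md:SPSSODescriptor", NS) is None:
            continue  # entities without an SP role are out of scope
        urls = privacy_urls(entity)
        findings = [f"missing:{lang}" for lang in REQUIRED_LANGS if lang not in urls]
        findings += [f"unusable:{lang}" for lang, url in urls.items() if not usable(url)]
        if findings:
            report[entity.get("entityID")] = findings
    return report
```

Calling `audit()` on a metadata aggregate returns only the SPs that need follow-up, with one finding per missing or unusable language version.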

Related policy issues in Haka federation's Service Agreement

  • (appendix 3, 2.4.3) If the Service Provider processes attributes which are considered as personal data, the Service Provider informs the Operator about the URL in which the End Users are able to read the Privacy policy before they start to use the service. If the purpose of processing of personal data in the Service is changed, the Service is considered as a new service in the AAI.
  • (appendix 3, 1.2) The Operator operates a register of meta-data describing the Federation, including a list of attributes necessary for the Service in the AAI, and the Privacy policy address of the Service if personal data is processed in the Service.
  • (appendix 3, 2.3.7) Home organizations maintain attribute release policies (ARP), which define what are the user attributes released to each of the Services.
  • (appendix 3, 2.3.8) The starting point is that each End User shall give his/her consent for attribute release for each Service separately (see Appendix 7). The End User shall have a chance to read the privacy policy of the Service before giving his/her consent.
  • Privacy Policy document template