Privacy Policy: A document drawn up to fulfill the data controller's information obligation under data protection legislation. The notice informs data subjects (i.e. individuals) how their personal data is processed. The data protection notice is one of the documents on the basis of which the compliance of online services that process personal data with data protection legislation can be assessed.
Background
- Data Protection Directive, article 4: personal data means any information relating to an identified or identifiable natural person
- Data Protection Directive, articles 6 & 7: user consent is the basis for legitimate processing of personal data (https://tietosuoja.fi/en/when-is-the-processing-of-personal-data-permitted). Personal data may be processed if one of the bases mentioned in the law can be found (user consent is one of these)
- Data Protection Directive, articles 14 & 15: the user must be informed when an Identity Provider is going to disclose their personal data to a third party (i.e. Service Provider), and when a Service Provider is going to obtain their personal data from a party other than the data subject (i.e. Identity Provider)
A Service Provider (SP) is required to report the URL of its privacy policy document in the Haka metadata. Currently the URL is reported in the Haka Resource Registry under UI Extensions, where it is given in all three languages: fi, sv, en. It is recommended to support all three languages, either in the same document or with different URLs pointing to the different language versions.
Shibboleth IdP has a property to show the link to the privacy policy on the sign-in page. The language setting in the user's browser determines which language version will be shown.
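A check for the metadata requirement above, as an added example that is not part of the Haka documentation. It assumes the privacy policy URL is carried in the standard SAML `mdui:PrivacyStatementURL` element inside `mdui:UIInfo`; the sample metadata, entity IDs and the function name `check_privacy_urls` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDUI = "urn:oasis:names:tc:SAML:metadata:ui"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
REQUIRED_LANGS = ("fi", "sv", "en")  # the three languages named above

# Constructed sample metadata; entity IDs and URLs are placeholders.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:mdui="{MDUI}">
 <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:Extensions><mdui:UIInfo>
    <mdui:PrivacyStatementURL xml:lang="fi">https://sp1.example.org/tietosuoja</mdui:PrivacyStatementURL>
    <mdui:PrivacyStatementURL xml:lang="sv">https://sp1.example.org/dataskydd</mdui:PrivacyStatementURL>
    <mdui:PrivacyStatementURL xml:lang="en">https://sp1.example.org/privacy</mdui:PrivacyStatementURL>
   </mdui:UIInfo></md:Extensions>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:Extensions><mdui:UIInfo>
    <mdui:PrivacyStatementURL xml:lang="sv">privacy.html</mdui:PrivacyStatementURL>
    <mdui:PrivacyStatementURL xml:lang="en">https://sp2.example.org/privacy</mdui:PrivacyStatementURL>
   </mdui:UIInfo></md:Extensions>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def check_privacy_urls(metadata_xml):
    """Return {entityID: [findings]} for every SP found in the metadata."""
    report = {}
    root = ET.fromstring(metadata_xml)
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        for sp in entity.findall(f"{{{MD}}}SPSSODescriptor"):
            # Map language tag -> URL text for this SP's UI extensions.
            urls = {el.get(XML_LANG, ""): (el.text or "").strip()
                    for el in sp.iter(f"{{{MDUI}}}PrivacyStatementURL")}
            findings = [f"missing language: {lang}"
                        for lang in REQUIRED_LANGS if not urls.get(lang)]
            for lang, url in urls.items():
                parts = urlparse(url)
                # A relative or schemeless value cannot be linked from an IdP page.
                if url and not (parts.scheme in ("http", "https") and parts.netloc):
                    findings.append(f"not an absolute URL ({lang}): {url}")
            report[entity.get("entityID")] = findings
    return report

if __name__ == "__main__":
    for entity_id, findings in check_privacy_urls(SAMPLE).items():
        print(entity_id, findings or "OK")
```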
Related policy issues in Haka federation's Service Agreement
- (appendix 3, 2.4.3) If the Service Provider processes attributes which are considered as personal data, the Service Provider informs the Operator about the URL in which the End Users are able to read the Privacy policy before they start to use the service. If the purpose of processing of personal data in the Service is changed, the Service is considered as a new service in the AAI.
- (appendix 3, 1.2) The Operator operates a register of meta-data describing the Federation, including a list of attributes necessary for the Service in the AAI, and the Privacy policy address of the Service if personal data is processed in the Service.
- (appendix 3, 2.3.7) Home organizations maintain attribute release policies (ARP), which define what are the user attributes released to each of the Services.
- (appendix 3, 2.3.8) The starting point is that each End User shall give his/her consent for attribute release for each Service separately (see Appendix 7). The End User shall have a chance to read the privacy policy of the Service before giving his/her consent.
More information on the website of the Office of the Data Protection Commissioner: https://tietosuoja.fi/en/home