Federated Identity enables institutions to electronically release information about their constituents to service providers, both to ease access management and to increase security. Current campus processes entail deciding, for each external application, which attributes (pieces of information) can be released. With the growth in web-based student services and the blurring of what is hosted locally versus by a third party, this institutional process of visiting each service one by one will not scale; it should be addressed through new policy that supports this new environment and is implemented in the technology. At the same time, an institution must remain compliant with FERPA and other privacy and data protection legislation.

With Federated Identity, however, an organization can release attributes about a person to a service provider without revealing the individual's actual name (DisplayName in attribute-speak). The question then arises as to which specific attributes are personally identifiable information or FERPA-controlled. Examples include:

  • login name (EPPN or eduPersonPrincipalName)
  • email address
  • DisplayName
  • unique but opaque identifiers (EPTID or eduPersonTargetedID)
  • classes, clubs or activities, majors, etc.

(Note: For the details on the standard attributes to which Ken is referring in this paragraph, see the eduPerson Object Class Specification used by the InCommon Federation.)

For the purposes of beginning this discussion, we offer the following questions:

  1. How are campuses approaching the balance between the opportunities created by sharing student info (e.g. course memberships) in the brave new world of online everything, and the requirements of FERPA and privacy rules in general?
  2. Would the possibility of getting student consent to release their information in real time change this approach? How does one (or can one) withdraw consent?
  3. Does a set of attribute release recommendations need to be developed that
    1. align with an institution's directory information as defined by FERPA and that
    2. clarify what can be released without consent of the individual and the organization's FERPA officer?

Ken K. offered the following translation of EC policy as an example of how consent-based release might be supported.

Organizations:

  • Must identify which services are necessary for education/research
    - Must consider whether personally identifiable information is necessary for those services, or whether anonymous identifiers or attributes are sufficient;
    - Must inform users what information will be released to which service providers, for what purpose(s);
    - May release that necessary personally identifiable information to those services.
  • May seek users' informed, free consent to release personal data to other services that are not necessary for education/research
    - Must inform users what information will be released to which service providers, for what purpose(s);
    - Must maintain records of individuals who have consented;
    - Must allow consent to be withdrawn at any time;
    - Must only release personal information where consent is currently in effect.
  • Should have a data processor/data controller agreement with all service providers to whom personally identifiable data is released.
  • Must ensure adequate protection of any data released to services outside the European Economic Area.
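The policy above, together with the attribute examples earlier on this page, describes a release decision an identity provider's attribute filter has to make: prefer an opaque per-service identifier (EPTID) over real identity where that is sufficient, release PII to necessary services only when they really need it, and release PII to optional services only while consent is on record and not withdrawn. The following is an added example of such a filter, written for this page and not code from Ken K.'s policy text or from any federation software. The class and function names (Service, ConsentStore, release_attributes, release_notice), the set of attributes treated as PII, the entityIDs and the HMAC salt are all constructed for the illustration; the opaque identifier is computed as an HMAC over the user id and the service's entityID, which is one common way to derive a targeted identifier, but the exact construction is an assumption here.

```python
"""Consent-gated attribute release with per-service opaque identifiers.

Added example for illustration; not the page's or any project's own code.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Attributes treated as personally identifiable for this illustration (assumption).
PII_ATTRIBUTES = {"eduPersonPrincipalName", "displayName", "mail", "courseMemberships"}


@dataclass(frozen=True)
class Service:
    entity_id: str              # SAML entityID of the service provider (constructed)
    necessary: bool             # necessary for education/research?
    requested: frozenset        # attributes the service asks for
    purpose: str                # stated purpose, shown to the user in the notice
    needs_real_identity: bool = False  # False: an opaque identifier is sufficient


@dataclass
class ConsentStore:
    """Records consent per (user, service). Withdrawal is recorded, not deleted,
    so the institution keeps a record of who consented and when it was withdrawn."""
    records: dict = field(default_factory=dict)

    def grant(self, user, entity_id, when=None):
        when = when or datetime.now(timezone.utc)
        self.records[(user, entity_id)] = {"granted": when, "withdrawn": None}

    def withdraw(self, user, entity_id, when=None):
        rec = self.records.get((user, entity_id))
        if rec is not None:
            rec["withdrawn"] = when or datetime.now(timezone.utc)

    def in_effect(self, user, entity_id):
        rec = self.records.get((user, entity_id))
        return rec is not None and rec["withdrawn"] is None


def targeted_id(user, entity_id, salt):
    """Opaque, persistent identifier that differs per service, so two services
    cannot correlate the same user by comparing the values they receive."""
    mac = hmac.new(salt, f"{user}!{entity_id}".encode(), hashlib.sha256)
    return mac.hexdigest()


def release_attributes(user, user_attrs, service, consent, salt):
    """Decide which attributes to release. Returns (attributes, reason)."""
    released = {"eduPersonTargetedID": targeted_id(user, service.entity_id, salt)}
    wanted = set(service.requested) & set(user_attrs)
    pii = wanted & PII_ATTRIBUTES
    # Non-PII attributes (e.g. an affiliation value) are released as requested.
    for name in wanted - PII_ATTRIBUTES:
        released[name] = user_attrs[name]
    if not pii:
        return released, "no PII requested"
    if service.necessary:
        if service.needs_real_identity:
            for name in pii:
                released[name] = user_attrs[name]
            return released, "necessary service; PII required"
        return released, "necessary service; opaque identifier sufficient"
    # Optional service: personal data only while consent is currently in effect.
    if consent.in_effect(user, service.entity_id):
        for name in pii:
            released[name] = user_attrs[name]
        return released, "optional service; consent in effect"
    return released, "optional service; no current consent, PII withheld"


def release_notice(service, released):
    """Text shown to the user: what is released, to whom, and for what purpose."""
    names = ", ".join(sorted(released))
    return f"Releasing {names} to {service.entity_id} for: {service.purpose}"
```

The consent store keeps withdrawn records rather than deleting them, so the record of who consented survives, and in_effect() is the only thing the release path consults, which is what makes "only release where consent is currently in effect" a single check rather than something every caller has to remember.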
