Last updated: 
2 months 3 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Low-risk identifiers in Access Management

Friday, February 14, 2014 - 14:07

The Information Commissioner’s analysis of the European Parliament’s amendments to the draft Data Protection Regulation discusses the wide range of information that falls within the definition of "personal data" and gives examples that seem particularly relevant to identity federations.

The Information Commissioner considers that identifiers pose a higher privacy risk if they are "interoperable". Since the examples given are names, addresses and telephone numbers I think this refers to the range of additional uses to which such an identifier, once collected or disclosed, can be put. For example an e-mail address may be collected as a login name, but it can also be used to send unsolicited e-mails. Using a hash function to derive a non-interoperable identifier is given as an example of how to reduce this risk. Risk is also higher for identifiers that can be used to match information about a single individual on different systems or different organisations.

The standard identifier recommended by the UK Access Management Federation, eduPersonTargetedID (ePTID) is low risk on both counts, since the normal way to generate it involves hashing both information about the user and the particular service they are accessing. It therefore prevents matching across either services or organisations, as well as having no "interoperable" uses.

The Information Commissioner doesn’t favour multiple categories of "personal data", "pseudonyms", etc., as proposed by the European Parliament to deal with this range of different risks. Instead he recommends a single category with the regulatory burden on organisations being be proportionate for those that use lower-risk identifiers. This should provide both an appropriate level of privacy protection and an incentive for organisations to adapt their systems and processes to use lower-risk identifiers where possible.

Interestingly the Commissioner notes that using low-risk identifiers makes it more difficult – even impossible – to obtain verifiable consent because the whole point of these identifiers is to prevent direct identification (or recording) of the consenting individual. It strikes me that consent management could even be seen as a form of "interoperable" additional use that creates a higher privacy risk than the processing itself requires! Instead the Information Commissioner suggests that legitimate interests will often be a more appropriate and reliable basis for processing of this type of data. Legitimate interests can provide a justification for processing so long as the processor's interests are not overridden by the fundamental rights of the individual which, when using identifiers that are low-risk by design, is unlikely to occur.  When relying on legitimate interests, users still need to be informed what their personal data will be used for but services don’t need to insert an extra interaction to seek consent. The design of the identifier and the legal requirement to protect fundamental rights (including privacy) should give sufficient protection.