Last updated: 
3 months 2 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Federated Authentication and the GDPR Principles

Friday, March 23, 2018 - 13:24

The General Data Protection Regulation's Article 4(1) establishes six principles for any processing of personal data. It's interesting to compare how federated authentication – where a student authenticates to their university/college, which then provides relevant assurances to the website they want to access – performs against those principles when compared with traditional direct logins to websites.

Lawfulness, fairness and transparency (processed lawfully, fairly and in a transparent manner)

Personal data required to maintain an account on a website will normally be processed on the grounds that it is necessary for a contract between the site and the user. For federated authentication, where there is rarely a direct contract between the site and the user, it is generally considered that a more appropriate legal basis is the legitimate interests of home organisation and service provider in providing the service requested. Both situations therefore permit only "necessary" data to be exchanged, but federated authentication additionally requires both home organisation and service provider to consider the fundamental rights and freedoms of the individual.

Purpose limitation (collected for specific, explicit and legitimate purposes and not processed incompatibly)

With direct login, the purpose(s) of processing are set in the contract the website offers to the user. Federated authentication agreements between home organisations and service providers typically require that the information provided may only be used for access and service personalisation decisions. Federated authentication technology also provides a practical limit on incompatible processing, since the pseudonymised information provided will often be of little use for other purposes in any case. For example federated authentication requires much less information for the website to protect itself against misuse, since federation agreements normally require the home organisation to enforce any breaches of policy by its users.

Data minimisation (adequate, relevant and limited)

Where a user registers themselves for access to a website, that website is likely to obtain significant amounts of (self-declared) information about who the user is. For websites attempting to implement particular authorisation policies (for example, that the user is a member of an organisation holding a licence) this may well be both excessive and inadequate. By contrast, federated authentication can provide exactly the membership information the website needs, without any unnecessary personal information. Federated thus achieves better adequacy, relevance and limitation.

Accuracy (accurate and kept up to date)

As noted under minimisation, traditional login relies on information provided by the individual user. The website has no way to determine whether it is accurate, either at the time it is provided, or later. Each time a user logs in using federated authentication, the site is provided with current information from the home organisation's own records.

Storage limitation (kept in a form that permits identification no longer than necessary)

Direct login requires the website to maintain all its account details, essentially indefinitely, since it has no way to determine when the user is no longer interested in the service. Federated authentication can be done without the website retaining any personal data, since the necessary assurances are provided by the home organisation each time the user accesses the site. Where a site wishes to let users retain information between sessions (saved searches, progress, etc.) this can be done using a pseudonymous identifier, unique to that site, provided by the home organisation. Again, there is no need for the website to retain any other information about the user.

Integrity and confidentiality (appropriate security, using technical or organisational measures)

With direct login, integrity and confidentiality are a matter for the service provider. With federated authentication, personal data are held by the home organisation, which has a strong incentive to keep it secure to protect its own systems and the individuals (students and staff) with whom it needs a strong, long-term trust relationship. Furthermore the authentication process only reveals to the home organisation which websites the individual has authenticated to, not which content on those sites they accessed.

Federated login therefore appears clearly better for five of the six GDPR principles, and at least equal to direct login on the other.