Categories
Articles

Building Trust in a Digital Identity

A panel on “Building Trust in a Digital Identity” at the UK IGF may have raised more questions than answers, but at least highlighted why doing so is taking so long. Since terminology can be confusing, what was being discussed was how to prove facts about your real-world self to an online service: for example […]

Categories
Articles

Identity without identifying

In the week that would have been their annual conference, EEMA have been hosting a series of fascinating online discussions among experts in the identity world. Today’s featured Steve Purser, Dave Birch and Kim Cameron in a deep discussion about whether we might have been looking at the wrong kind of “identity” all along… The […]

Categories
Publications

IDPro Body of Knowledge

I was delighted to be invited to contribute an article to IDPro’s Body of Knowledge for professionals working in the field of digital identity. Mine is (of course) on how the GDPR applies to identity management. But as well as standards and regulation the collection is steadily expanding to cover things like privacy for consumers, […]

Categories
Articles

Federated Authentication and the GDPR Principles

The General Data Protection Regulation’s Article 4(1) establishes six principles for any processing of personal data. It’s interesting to compare how federated authentication – where a student authenticates to their university/college, which then provides relevant assurances to the website they want to access – performs against those principles when compared with traditional direct logins to […]

Categories
Articles

GDPR Exports and Federated Authentication

Although the Article 29 Working Party seem to have had applications such as incident response in mind when drafting their guidance on exports, that guidance could also be helpful in the field of federated authentication. This technology allows an “identity provider” such as a university or college to assure a “service provider” such as a […]

Categories
Articles

Federated Access Management and the GDPR

[this article is based on the draft text published by the European Council on 28th January 2016. Recital and article numbers, at least, will change before the final text] When individuals register to access a website or other on-line service, it’s common to have to provide a significant amount of personal data. Some of this […]

Categories
Publications

Accounting and e-Infrastructures

While some e-infrastructures included accounting in their design and operations from the start, others are now being asked or required to add accounting support to their existing systems. Typically accounting forms part of a relationship between the infrastructure and some other organisation – perhaps a funder, host or customer – rather than the infrastructure’s relationship […]

Categories
Articles

GDPR – the final text?

The European Council of Ministers have now published a proposed text for the General Data Protection Regulation. This still needs to be edited by the Commission’s “lawyer-linguists” to check for inconsistencies, sort out the numbering of recitals and articles etc. But the working parties of both the Parliament and the Council have recommended that the […]

Categories
Articles

Information Commissioner on Alternatives to Consent

A helpful comment on page 3 of the Information Commissioner’s discussion of the latest (Council) draft of the General Data Protection Regulation: We reiterate our view that there must be realistic alternatives to consent – for example ‘legitimate interests’ where the data processing is necessary to provide the goods or services that an individual has […]

Categories
Articles

A Question of Trust?

A question that comes up from time to time when discussing federated access management is “how can I rely on another organisation to manage accounts for me?”. Federation saves services the trouble of managing user accounts by instead delegating the job to an external identity provider, but it’s entirely reasonable to think carefully about that. […]