Scenario 8: International access

Related but more problematic scenarios occur where access crosses national jurisdictions. Again, we should identify separate cases that may require different treatment: (a) access within an HE institution that has international campuses; (b) access between different institutions, whether this is a matter of long-term cooperation between institutions, or shorter-term international research projects that require cross-border access to restricted material in distributed locations.

The UK Federation is focussed (naturally) on the UK, although technically this is not an absolute restriction; for example, if an international publisher were to become a member it would have the same rights as UK institutional members. Some countries, but not as yet all, have set up Shibboleth-based access management federations of their own. Future identity management and access management strategies must be able to work in such globalised, cross-federation environments.

International federated access gives rise to data protection issues in cases that require cross-border transfer of personal data (when it is possible to avoid exporting personal data, these issues can be avoided entirely). Data protection legislation is quite well aligned within Europe, but outside it is more difficult, particularly where personally identifiable information is involved.

In case (a), there is a single institution, so users at international campuses may have identities provided by the home IdP; the University of London, for example, has used Shibboleth for exactly this purpose. Even here, however, there may be data protection restrictions in moving data between different national jurisdictions. The situation becomes even more complex if some operations and services are sub-contracted to local companies within the overseas jurisdiction, as these may not be under the institution’s control, and it may be difficult to apply sanctions in case of breaches. Depending on the nature of the data, it may be acceptable for there to be some “leakage” of restricted information, so long as there is a policy that is managed proactively, and violation is kept within reasonable limits (e.g. in cases of copyright infringement).

Some work has been done on inter-federation agreements, both between different US federations (state federations and the national InCommon federation), and between the UK and US federations. In Europe, there has been discussion within TERENA about federating European federations, and the Kalmar Union has been established as a cross-federation of the national academic identity federations for the Nordic countries. From a technical perspective, there should be little problem within the EU as the member states follow European law and data protection legislation is quite well aligned within Europe. The questions here concern risk and the fabric of trust: how far are SPs willing to go in accepting attributes from international IdPs, and thus will it be possible to obtain equivalent levels of assurance across the board? There is in addition the issue of consistency in publishing attributes across Europe; this has turned out to be hard enough even within the UK. Of course, work on inter-federation agreements does not help for those countries that do not have a federation.

JISC Legal has recently completed work on issues raised by moving data across borders: Feasibility of a cross-jurisdiction Common Access Management Federation Agreement. Also relevant here is ongoing work by the Article 29 Working Party, which is addressing the protection and processing of personal data across the EU, and work by Andrew Cormack from JANET.

Proposed actions:

These developments are of interest to JISC and should be monitored. JISC intends to look at inter-federation issues in a forthcoming programme, initially focussing on getting agreement for UK-US federations, then testing this process more widely.

It would be useful if JISC Legal could provide some guidance to HEIs on what they can and cannot do (Note: they are not allowed to give advice, only general information).


Stage: Active

Feedback Score

2 votes

  1. Comment

    Again, this is not primarily repository related, and these developments should be supported at the level of the SP software and not require intervention in the repository itself. That said, the work JISC does on the legal and policy side of international access could affect policy decisions about access made when a repository is set up or suggest changes to policies which describe access to existing repositories. (This is probably true of any FAM-protected resource which may have international access, particularly if personal information is required.)

    As well as the JISC repositories team keeping an eye on the process, it seems to me that it is important for repository management in HEI to think about their access and privacy policies, formulating them and making them publicly available - not just for international access but for all kinds of access. This is perhaps an area where JISC are well placed to offer help and support, and maybe guidance in terms of some draft policy examples for common access scenarios would be welcomed by repository managers.

  2. Comment
    Unsubscribed User

    Agreed with Simon that where repositories come into this specifically is around how the legal and policy aspect applies because that is based on content and not just what happens in SP software. Once you get outside Europe I think this problem really escalates and it's a major one to resolve for research if data is going to cross borders and be shared. The alternative is that it sits outside the repository, which brings quite a few negatives.
