Related but more problematic scenarios occur where access crosses national jurisdictions. Again, we should identify separate cases that may require different treatment: (a) access within an HE institution that has international campuses; and (b) access between different institutions, whether this is a matter of long-term cooperation between institutions or shorter-term international research projects that require cross-border access to restricted material in distributed locations.
The UK Federation is focussed (naturally) on the UK, although technically this is not an absolute restriction; for example, if an international publisher were to become a member it would have the same rights as UK institutional members. Some countries, but not as yet all, have set up Shibboleth-based access management federations of their own. Future identity management and access management strategies must be able to work in such globalised, cross-federation environments.
International federated access gives rise to data protection issues in cases that require cross-border transfer of personal data (when it is possible to avoid exporting personal data, these issues can be avoided entirely). Data protection legislation is quite well aligned within Europe, but outside Europe the situation is more difficult, particularly where personally identifiable information is involved.
In case (a), there is a single institution, so users at international campuses may have identities provided by the home IdP; the University of London, for example, has used Shibboleth for exactly this purpose. Even here, however, there may be data protection restrictions in moving data between different national jurisdictions. The situation becomes even more complex if some operations and services are sub-contracted to local companies within the overseas jurisdiction, as these may not be under the institution’s control, and it may be difficult to apply sanctions in case of breaches. Depending on the nature of the data, it may be acceptable for there to be some “leakage” of restricted information, so long as there is a policy that is managed proactively, and violation is kept within reasonable limits (e.g. in cases of copyright infringement).
Some work has been done on inter-federation agreements, both between different US federations (state federations and the national InCommon federation), and between the UK and US federations. In Europe, there has been discussion within TERENA about federating European federations, and the Kalmar Union has been established as a cross-federation of the national academic identity federations for the Nordic countries. From a technical perspective, there should be little problem within the EU as the member states follow European law and data protection legislation is quite well aligned within Europe. The questions here concern risk and the fabric of trust – how far are SPs willing to go in accepting attributes from international IdPs, and thus will it be possible to obtain equivalent levels of assurance across the board? There is in addition the issue of consistency in publishing attributes across Europe; this has turned out to be hard enough even within the UK. Of course, work on inter-federation agreements does not help for those countries that do not have a federation.
JISC Legal has recently completed work on issues raised by moving data across borders: Feasibility of a cross-jurisdiction Common Access Management Federation Agreement. Also relevant here is ongoing work by the Article 29 Working Party, which is addressing the protection and processing of personal data across the EU, and work by Andrew Cormack from JANET.
These developments are of interest to JISC and should be monitored. JISC intends to look at inter-federation issues in a forthcoming programme, initially focussing on getting agreement for UK-US federations, then testing this process more widely.
It would be useful if JISC Legal could provide some guidance to HEIs on what they can and cannot do (Note: they are not allowed to give advice, only general information).