JISC Access Management Team

moving towards federated access management

Archive for October 2nd, 2008

Knowing Me, Knowing You

Posted by nicole on 2nd October 2008

Now that much of the work of setting up Shibboleth IdPs at institutions has been completed, many people are thinking about the ways in which the technology can be put to use away from the commercial third-party supplier model. The most common uses are for blogs, wikis, repositories and Virtual Learning Environments.

A point that keeps on coming up is: ‘but the UK federation doesn’t allow the transfer of personal data’. This is simply not the case.

The UK federation provides recommendations for the use of personal data that follow the guidelines of the Data Protection Act - to which all UK institutions are already bound. To quote from this recommendation document (note, not policy!):

The basis for the Federation is that a user’s primary relationship is with their organisation and that personal data should normally be kept within this relationship. Many Service Providers will only need to know that an individual is a recognised user, having a particular status, at a member organisation. This involves no personal data being disclosed. Where Service Providers need to obtain additional personal data about individual users they may either request it from the appropriate User Organisation (this will usually need to be covered by a legal agreement), or ask the individual user to provide it, seeking free and informed consent by informing the user what the data will be used for and what benefit the user will receive. Service Providers should endeavour to provide service, possibly at a reduced level, to users for whom personal data is not available.

So yes, personal data can be exchanged - as long as the exchange is deemed necessary! Please don’t let this misconception put you off broadening federated access.

Many of the international federations are looking at user consent modules for use with Shibboleth, such as the FEIDE SimpleSAMLphp module and the SWITCH ARPViewer. Others are taking the approach of using student registration to get permission, or simply taking the stance that user consent is not required as long as sharing personal data meets the goal of educating the student.

JISC is looking at some of the ways in which federated access can be used across its project portfolio including a study on federated access and personalisation, and a look at federated access and repositories building on the FAR Project.

It is also worth remembering that not all federated exchanges need to go through the UK federation. In the case of Virtual Learning Environments and Repositories, you may often be dealing with an in-house IdP and SP. The personal data issues become a lot more manageable in this environment.
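The recommendation quoted above and the in-house IdP/SP case both come down to one thing on the IdP side: which attributes are released to which Service Provider. The following attribute-filter policy is an added illustration, not configuration from this post, the UK federation or the Shibboleth project; it assumes the Shibboleth IdP v3/v4 `attribute-filter.xml` syntax (`urn:mace:shibboleth:2.0:afp`), and the VLE entity ID `https://vle.example.ac.uk/shibboleth` is a placeholder. Every SP gets only `eduPersonScopedAffiliation` (recognised user with a particular status, no personal data); name and e-mail go only to the institution's own VLE, where the data stays inside the user's relationship with their organisation.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example attribute release policy (not from the original post).
     Assumes Shibboleth IdP v3/v4 filter syntax; entity IDs are placeholders. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Default for every SP in the federation: "this is a recognised user with
         status X at our organisation". No name, no e-mail, no identifier that
         could be tied to a person, so no personal data leaves the institution. -->
    <AttributeFilterPolicy id="releaseAffiliationToAnySP">
        <PolicyRequirementRule xsi:type="ANY"/>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- The in-house VLE is run by the same organisation as the IdP, so the
         user's personal data stays within the user/organisation relationship.
         Release is keyed on the SP's entity ID (placeholder value), so no other
         requester matches this policy. -->
    <AttributeFilterPolicy id="releasePersonalDataToInHouseVLE">
        <PolicyRequirementRule xsi:type="Requester" value="https://vle.example.ac.uk/shibboleth"/>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="displayName">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- Deliberately absent: a policy releasing displayName/mail to a third-party
         SP. Per the recommendation, that release needs either a legal agreement
         with the SP or the user's informed consent, and is added per SP, not by
         default. -->
</AttributeFilterPolicyGroup>
```

The useful check is the converse of what is written here: any attribute not named in a matching `AttributeRule` is withheld, so a third-party SP that asks for `mail` without an agreement in place simply does not receive it, and the SP should, as the recommendation says, still provide (possibly reduced) service.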

Posted in Authentication | No Comments »

It’s not a blog if……

Posted by markwilliams on 2nd October 2008

you don’t accept comments. Have wasted effort on writing replies on a couple of blogs this week only to find that after a suitable period for much needed moderation (after all IT forums are hardly the place to endorse male vitality products) the sites are clearly not putting any replies / comments up. If an opinion piece doesn’t have scope for comments then that’s what it is - a magazine style opinion piece, not a blog. It’s what puts the “2.0” into the web.
Don’t bother replying as I may just decide to be lazy and auto bin all comments…

In other news, Federation membership has now moved from 599 (a figure I don’t really like as it sounds like the price of a post credit crunch cut price sofa) to the much more regal 601. That figure really should function as an indicator to publishers who have not yet joined of the need to get such activity into their business plan.

Posted in Uncategorized | 1 Comment »