The InCommon Community Trust and Assurance Board (CTAB) compiled the following guidance for both identity providers and service providers. CTAB is not providing content requirements, only some suggestions on things to consider. In general, the idea is to give end users an idea of how their data will be handled. If your organization already has such a policy for other purposes, that may well be adequate.
A: No, you can point to your organization's policy as long as it covers the entity you have in metadata.
Q: Are there any content requirements or recommendations so that users have a degree of common experience?
A: There are no content requirements at this time. Please consider content that will be helpful to users, such as detailing the information released to each service. Here are links from GÉANT (the pan-European network) and REFEDS (the international collaboration of federation operators) with some suggestions and guidelines.
The CTAB provides the following ideas for what you might include:
- Refer to privacy policies available through the EDUCAUSE Higher Education Information Security Council (HEISC):
  - HEISC Information Security Guide: https://spaces.internet2.edu/display/2014infosecurityguide/Privacy
- Develop a web page that links to established organizational policies related to privacy, and include that URL in your metadata. These policies can include data sharing, FERPA release, and acceptable use policy (AUP), among others.