Use Internet2 SiteID

Already have an Internet2 SiteID?
Sign in here.

Internet2 SiteID


Baseline Expectations: Privacy Policy URL Guidance

May 25, 2018, by Dean Woodbeck
Tags: Trust & Identity

InCommon's Baseline Expectations for Trust in Federation includes a metadata requirement for a privacy policy URL. This has generated a fair number of questions and some uncertainty about what, exactly, the privacy policy should cover. 

The InCommon Community Trust and Assurance Board (CTAB) compiled the following guidance to both identity providers and service providers. CTAB is not providing content requirements, but some suggestions on things to consider. In general, the idea is to provide end users with an idea about how their data will be handled. If your organization already has such a policy for other purposes, that may well be adequate.

Q: Why does Baseline Expectations require a Privacy Policy URL be included in the metadata for both IdPs and SPs?

A: InCommon's Baseline Expectations requires each identity provider and service provider to include a privacy policy URL in the metadata for users to review. Requiring a URL establishes a uniform means for use by current and future processes to present privacy policies to users. 

Q: Do I need to include a different privacy policy for each of my IdP and SPs in metadata?

A: No, you can point to your organization policy as long as it covers the entity you have in metadata.

Q: Are there any content requirements or recommendations so that users have a degree of common experience?

A: There are no content requirements at this time. Please consider content that will be helpful to users, such as detailing the information released to each service. Here are links from GÉANT (the pan-European network) and REFEDS (the international collaboration of federation operators) with some suggestions and guidelines.

Q: My organization is reviewing its privacy policy. What can I use until we complete this process?

The CTAB provides the following ideas for what you might include: 

  • Link to whatever privacy policy you have in your Participant Operational Practices (POP) 
  • Refer to privacy policies available through the EDUCAUSE Higher Education Information Security Council (HEISC):
  • Develop a web page that links to established organizational policies related to privacy and include that URL in your metadata. These policies can include data sharing, FERPA release, acceptable use policy (AUP), among others.

For more information on the Baseline Expectations program, please visit the Baseline web page, as well as the Baseline wiki space.