user consent, which SPs should trigger these screens ?
whcurry at ufl.edu
Wed Dec 2 21:29:57 EST 2015
Nicely written set of thoughts. We are looking at this. I have been meaning to get with Susan Blair in UF privacy. We have some current policy and practice to cover this area of risk. In our case I want to be sure turning on consent does not weaken or cause a risk not intended by the tactical changes in the consent page. The policy, practice and tool must complement each other for a solution that manages risks well and defensibly.
I will pursue this soon and see what IAM and privacy legal can come up with.
+1 on this topic.
Sent from my Verizon Wireless 4G LTE DROID
On Dec 2, 2015 3:05 PM, Steven Carmody <steven_carmody at brown.edu> wrote:
I see that sites (including mine) are starting to experiment with User
Consent to Attribute release -- I'd be interested in hearing what people
are thinking about how to approach the question of when to present the
browser user with the Consent screens... some thoughts and examples ..
-- always present the Consent screen to every student who has opt'ed out
under FERPA. This rule overrides all of the others.
-- we have contracts with a number of commercial SPs (eg Canvas, the LMS
people; Workday; etc). We want to suppress consent in these cases. Do we
add each one to a blacklist ? Or does it make better sense to TAG them
in some way, and use the TAG value to suppress ?
-- R&S. Always release the standard R&S bundle to R&S SPs ? Or always
present the Consent screens, and let individuals decide what to release?
-- should we TAG ALL (or most) of the local SPs, and release all the
required attributes, and bypass Consent ? "we trust ourselves".
-- are there other well known and easily identifiable Categories of
sites that we should try to implement ?
-- should we provide users with an out-of-band management console where
they could specify some "global rules" to control how Consent works for
them ? (eg Always/Never ask for my Consent, and presumably some
in-between possibilities.) Presumably this would also include a
mechanism to revoke Consent.
Thanks for your thoughts !
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the users