user consent, which SPs should trigger these screens ?

Curry, Warren whcurry at ufl.edu
Wed Dec 2 21:29:57 EST 2015


Nicely written set of thoughts. We are looking at this. I have been meaning to get with Susan Blair in UF privacy. We have some current policy and practice to cover this area of risk. In our case I want to be sure turning on consent does not weaken or cause a risk not intended by the tactical changes in the consent page. The policy, practice and tool must complement each other for a solution that manages risks well and defensibly.

I will pursue this soon and see what IAM and privacy legal can come up with.

+1 on this topic.

Warren

On Dec 2, 2015 3:05 PM, Steven Carmody <steven_carmody at brown.edu> wrote:
Hi,

I see that sites (including mine) are starting to experiment with User
Consent to Attribute release -- I'd be interested in hearing what people
are thinking about how to approach the question of when to present the
browser user with the Consent screens... some thoughts and examples  ..

-- always present the Consent screen to every student who has opted out
under FERPA. This rule overrides all of the others.

-- we have contracts with a number of commercial SPs (e.g. Canvas, the LMS
people; Workday; etc). We want to suppress consent in these cases. Do we
add each one to a blacklist ? Or does it make better sense to TAG them
in some way, and use the TAG value to suppress ?

-- R&S. Always release the standard R&S bundle to R&S SPs ? Or always
present the Consent screens, and let individuals decide what to release?

-- should we TAG ALL (or most) of the local SPs, and release all the
required attributes, and bypass Consent ? "we trust ourselves".

-- are there other well known and easily identifiable Categories of
sites that we should try to implement ?

-- should we provide users with an out-of-band management console where
they could specify some "global rules" to control how Consent works for
them ? (e.g. Always/Never ask for my Consent, and presumably some
in-between possibilities.) Presumably this would also include a
mechanism to revoke Consent.

Thanks for your thoughts !

