This story is from the category Services and the dossier Identity Management

Right to be forgotten and lifetime data retention

What are SWITCH's answers to the questions about data protection in connection with the Swiss edu-ID?

Text: Esther Zysset, published on 01.10.2015

Student ID card, library ID, Unilogin plus much more, but without a physical card – the Swiss edu-ID is meant to be all of these things. But from a legal perspective, the Swiss edu-ID mainly relates to the data, also known as attributes. Attributes are information about the user that is obtained from various sources or attribute authorities, stored, and usually forwarded to service providers.

Admittedly, this was already the case with SWITCHaai. However, the following is new in relation to the Swiss edu-ID:

  • SWITCH as creator: The Swiss edu-ID account is no longer created by the university but by SWITCH, but still at the user's initiative. So now there is a central creator, referred to in the technical jargon as an identity provider. An advantage of this solution is that it costs less to universities and avoids duplicates. One risk, however, is that the data are concentrated in one place. Security and availability are all the more crucial for this reason. With SWITCH, this raises the question as to how to handle data protection.
  • Lifetime availability: The Swiss edu-ID is designed to be available to the user for his entire life. Thus, the right to be forgotten is now an issue. For SWITCH, this raises the question as to how the identity can actually be used on a lifelong basis without a pile of unused personal data being stored for years or even decades without any reason whatsoever.

In addition, the two purposes of the Swiss edu-ID have to be kept separate. In this respect, it is important to know that in the area of data protection, the applicable right is that of the person who decides on the intended purpose of the data, or, in the words of the Swiss Federal Act on Data Protection Act, on their processing purpose:

 

 

  • First purpose: Simplification of administrative processes for the university administration; in this case, the university decides on the processing purpose. SWITCH, however, holds the role of order data processor for the university. As such, it is subject to the same data protection rules as the university is – usually cantonal rules.
  • Second purpose: Use of the Swiss edu-ID for the private purposes of the identity holder; e.g., buying a product that is discounted for students. In this case, it is the user alone who decides who receives which information about him. Here, SWITCH, as the user’s contractual partner, is only obligated to him and subject to the Swiss Federal Data Protection Act.

As shown above, in terms of simplifying administrative processes, universities are subject to the cantonal rules for data processing. These rules may vary considerably. In order to meet the requirements of the various cantonal rules when designing the Swiss edu-ID, SWITCH has contacted various data protection authorities and requested their assessment. Meetings were held with the Federal Data Protection and Information Commissioner (FDPIC) and the cantonal authorities in Zurich, Fribourg and Lucerne. Their feedback is gradually being integrated into future work.

The following insights from the meetings have already been received:

  • Retention of attributes by SWITCH: Once the user has left the university, the university has to retain his attributes if he wishes to continue using his Swiss edu-ID. The university normally requires a legal basis for doing this, but such legal basis does not exist at present. Accordingly, when the user leaves the university, his attributes should be transferred to SWITCH for purposes of continued use, because SWITCH is not subject to that requirement.
  • Handling the lifetime retention of data: On the one hand, the Swiss edu-ID must be available on a lifetime basis or capable of being reactivated as needed, as the case may be. On the other hand, for purposes of personal privacy, the attributes of a Swiss edu-ID that is no longer in use should not be retained forever. In order to reconcile these two contradictory interests, the holder of an unused Swiss edu-ID must be asked at regular intervals – for instance, every five years – whether his data should continue to be retained or whether they should be deleted.

However, the following should remain unchanged as regards SWITCHaai: It is the user who decides, by way of a user consent, whether his attributes should be released to the service providers.

This article appeared in the SWITCH Journal October 2015.
Further articles on legal issues concerning the Swiss edu-ID:

 

About the author
Esther   Zysset

Esther Zysset

Esther Zysset has been General Counsel at SWITCH since 2012. Prior to that, she was a lawyer at a firm specialising in corporate law.

E-mail

Swiss edu-ID

SWITCH is currently working with Swiss universities to create a lifelong digital identity that will allow the holder to access all university services with one login instead of needing different logins for different services. The Swiss edu-ID is an evolution of SWITCHaai, which has been in operation for ten years and is used by over 400,000 people. The Swiss edu-ID goes a step further in a number of key areas. SWITCHaai was designed for using web-based resources and presupposes membership of an institution. The Swiss edu-ID, on the other hand, is geared towards lifelong use of a wide range of applications.

http://projects.switch.ch/eduid/
Other articles