What are SWITCH's answers to the questions about data protection in connection with the Swiss edu-ID?
Student ID card, library ID, Unilogin plus much more, but without a physical card – the Swiss edu-ID is meant to be all of these things. But from a legal perspective, the Swiss edu-ID mainly relates to the data, also known as attributes. Attributes are information about the user that is obtained from various sources or attribute authorities, stored, and usually forwarded to service providers.
Admittedly, this was already the case with SWITCHaai. However, the following is new in relation to the Swiss edu-ID:
In addition, the two purposes of the Swiss edu-ID have to be kept separate. In this respect, it is important to know that in the area of data protection, the applicable law is that of the person who decides on the intended purpose of the data, or, in the words of the Swiss Federal Act on Data Protection, on their processing purpose:
As shown above, in terms of simplifying administrative processes, universities are subject to the cantonal rules for data processing. These rules may vary considerably. In order to meet the requirements of the various cantonal rules when designing the Swiss edu-ID, SWITCH has contacted various data protection authorities and requested their assessment. Meetings were held with the Federal Data Protection and Information Commissioner (FDPIC) and the cantonal authorities in Zurich, Fribourg and Lucerne. Their feedback is gradually being integrated into future work.
The meetings have already yielded the following insights:
However, the following should remain unchanged from SWITCHaai: it is the user who decides, by giving consent, whether their attributes are released to the service providers.