Europe vs Facebook

I’ve posted a few comments on Facebook’s poor behaviour in the past (as have many others), so I’m not surprised they are in the news again.

Kim Cameron’s take on the data abuse controversy unfolding in Europe is pretty good — and the videos are even better!  I like this (translated) quote:

“No KGB or CIA has had 1200 pages about an average citizen…”

Indeed.  So what is in your 1200 pages?


Legal obligations and identity

Let’s start by stating the obvious: identity management systems must abide by provincial/state and national laws.  An IAM assessment needs to identify the laws and legislation that govern the organization to ensure identity-related systems are appropriately structured and legally compliant.

(Disclaimer: I’m not a lawyer, not even close… I don’t even watch Law and Order anymore! Please consider this article general information only.  For some actual legal opinion, check out the Canadian Privacy Law Blog.)

When implementing an IAM system, a review of the legal aspects of identity is important.  Issues can arise when identity management systems do not consider the legal requirements.  For example, privacy legislation may put limits on what type of information an organization may collect and store (e.g. sensitive personal information).  Or there may be legal limits on how information is shared, or how a user is notified about identity information sharing.

On the flip side, misunderstandings about what legislation allows and disallows can lead to poor user experiences or systems with reduced functions.  In one case, I was developing an identity strategy for a client who is subject to some fairly specific privacy legislation.  We wanted to share identity information between business applications and with other partners.

Several senior people in the sessions insisted that the act disallowed this type of information sharing.  I knew there were restrictions so I sifted through the actual privacy legislation to be sure.  I was surprised to find that the restriction was not as severe as the group thought.  The act stated that the intended use of personal information needed to be clearly stated, and that the individual needed to consent to this use.  This clarification allowed the group to create a framework for collecting identity information for a specific use, collecting consent from their users, and then sharing the identity information within the stated use.

By including a legal review in an IAM assessment or solution project, clients can have confidence that their systems are compliant with their obligations.


Fed ID and legal considerations

I recently came across this article from E-Commerce Times (via a Paul Madsen tweet) that is worth a read.  It provides a good high-level summary of legal considerations for federated identity implementations.  A quote:

“Many of the legal issues arise when things go wrong, such as incorrect identification, faulty authentication, or misuse of personal data…”

While it is US-based, it highlights many of the issues that we will face with Canadian implementations.