Draft Notes- please inform Dave Kelsey of any corrections needed.

Meeting of EGI Security Policy Group  - Zoom – 9 Jun 2021

Present: Linda Cornwall (STFC), David Crooks (STFC), Sven Gabriel ( Nikhef), Baptiste Grenier (EGI), David Groep (Nikhef), David Kelsey (Chair, STFC), Vicky Konstantinopoulou (GRNET), Ian Neilson (STFC), Uros Stevanovic (KIT).

Apologies: Ian Collier (STFC), Jean-Francois Guezou (RENATER), Stefan Lueders (CERN), Stefan Paetow (Jisc), Alan Sill (TTU)

Agenda: https://indico.egi.eu/event/5623/

(notes by Dave Kelsey - 18 Jun 2021)

Welcome, Introductions and Aims

DavidK welcomed all to the meeting. VickyK had been invited to attend by Baptiste. She is the Deputy Data Protection Officer for GRNET and had earlier raised concerns about the EGI OLA referring to the existing EGI Data Protection policy – still based on the EU 1995 Directive - and not GDPR. DavidK welcomed her and looked forward to SPG benefiting from her expertise in this area.

The aim of today’s meeting is to explore issues related to updating the current EGI Policy on the Processing of Personal Data.  https://documents.egi.eu/document/2732

The scope of the policy is Personal Data contained within the "operations" data (logs, accounting data, audit files) stored and processed at each Resource Centre. This policy does not address Privacy, Data Protection, GDPR etc related to personal data stored by and within the Research Data for any Research Community.

Consider these questions: Do we maintain the same overall approach? Or do we aim for a completely new approach? Which entities are Data Controllers? Do we have any Data Processors?

Some History

DavidK showed some slides (available on the agenda) describing the history of the current policy (adopted 2017).

• Existing EGI policy on Data Protection (2015 to 2017) – prepared jointly with AARC and WLCG https://documents.egi.eu/document/2732

• Based on EU Directive 95/46/EC (not GDPR)
• Lots of consultation with GEANT, REFEDS, R&E federation, legal experts during development
• AARC addressed this in deliverable DNA3.5 – we followed the guidance
• The topic only concerns Personal Data collected as a result of Infrastructure Operations
  • Not sensitive - just R&S attributes (name, professional email, institute)
• All sites are Data Controllers
• Full mesh of bi-lateral contracts not possible - too many sites and no central controller – does not scale!
• Risks to end users are very small
• User Consent does not work – must be freely given – not possible for professional work
• Legal Basis - Legitimate Interest
• “Lightweight” Binding Corporate Rules “(BCR)-like” approach
  • All participants are “bound” by MoUs, OLAs and policies
  • But no monitoring and limited control of legal/financial responsibility
    • If a participant misbehaves – they can be removed from the Infrastructure
• AARC Deliverable DNA3.5: Recommendations and Template Policies for the Processing of Personal Data.
  https://aarc-project.eu/wp-content/uploads/2018/03/AARC-DNA3.5_Recommendations-for-Processing-Personal-Data_2016_11_07_v4_DG.pdf
• AARC Data Protection Impact Assessment - an initial guide for communities
  https://aarc-project.eu/wp-content/uploads/2018/05/AARC-G042-Data-Protection-Impact-Assessment-initial-guidance-for-communities.pdf
• AARC Preliminary Policy Recommendations for the LS AAI (application to R&S and CoCo)
  https://aarc-project.eu/wp-content/uploads/2018/03/AARC-G040-Preliminary-Policy-Recommendations-for-the-LSAAI-RandS-and-DPCoCo.pdf

Now consider the recent history (2018 onwards in GDPR era)

• Code of Conduct is now a supported part of the regulation
• GEANT working on new (V2) DPCoCo - this could help lots with international transfers of operational data (accounting etc)
  • The old pre-GDPR GEANT Code of Conduct V1 was only for transfers within EU
• While waiting for the new GEANT CoCo, we decided to concentrate on producing Privacy Notices (note that the current 2017 EGI policy still presents good practice under GDPR)
  • Did this mainly for WLCG
    • https://wlcg-docs.web.cern.ch/?dir=policy/security
  • As the EGI Foundation was taking care of its own privacy notice
    • And was exploring possibility of Controller-Processor DP agreements everywhere
    • This approach of many DPAs was not followed (except for sub-contracted core services)
• Decided to continue to wait for GEANT CoCo V2.

GEANT gave up on the CoCo V2 (Dutch Authority said could only be inside Europe – for now and imposed too many difficult to implement conditions). For more details on GEANT and the work on version 2 of the Code of Conduct see https://connect.geant.org/2021/04/09/next-steps-for-geant-code-of-conduct

• EGI SPG presented and WLCG MB approved a Privacy Notice for WLCG (July 2019)
  • And use of WISE Baseline AUP v1 for the WLCG AUP.
• We started work on an updated version of the 2017EGI  DP Policy
• Only a few changes needed for GDPR era (as far as we could tell)
  • In section 5 vii - Requirement for a PN
    • No longer require a named DPO
    • Policy must state that the PN must specify the legal basis for processing
• Then lots of WLCG discussion in Grid Deployment Board
  • Data retention - maximum 18 months – several sites said they needed to keep longer
  • To where does User report issues? Especially for those outside EU. WLCG did not want to take on this role.
  • To where do we report breaches? Same issue.

And lots of concern about the other old wording (but this had not been questioned back in 2015-17)

Again we decided to wait – concentrate on full deployment of Privacy Notices for WLCG services and for CERN to complete its internal work on PN for services.

So – now to consider the current situation (June 2021)…

• EGI needs an updated policy for DP
  • Or a completely different approach
• WLCG needs an updated policy too
• Cannot continue to wait for GEANT CoCo – that will now not happen
  • And even a Best Practices document will take some time (due later this year)

Discussion – what can we do?  what should we do?

DaveK presented a proposal

• Start again with the updating the old DP policy for GDPR changes
• Are there any requirements from the CoCov2 work that we should include?

BUT FIRST - lets discuss the overall approach as introduced by Baptiste in a recent mail thread.

Many issues were discussed

• Can the EGI Foundation be the Data Controller and all Resource Centres become Data Processors?  With a Data Processing Agreement signed by all sites
  • As before when this had been discussed by EGI EB/Council – too many sites, too many lawyers, much of the personal data is not “owned” by EGI, sites are really “Data Controllers”
  • Vicky reported that many sites are actually keen to sign a data processing agreement so that it is clear to them what their responsibilities are
  • It was suggested that perhaps a general Controller to Controller agreement could be produced and signed.
• The conclusion was that all of this is way too complicated for a non-legal body like EGI SPG. We cannot give advice on what should happen

Next steps

Aim for today - agree the approach and next steps.

Having agreed that the use of Data Processing agreements (or not) is not an issue for EGI SPG, that the most useful approach we could take is

• To update the existing policy framework with any changes needed for the GDPR era
• If this is found to be useful, it could be used as a “Code of Conduct” BCR-like approach which together with Privacy Notices, EGI services could use to constrain their behaviour to follow “best practice” and minimise the data protection risks to end users
• If participants agree and sign bi-lateral data processing agreements they will of course take precedence
• This policy would be for cases where no such contract or DPA exists

DaveK will create a shared document for SPG members to start work on updating the old policy wording.  Work can continue offline and by email and then some meetings will be called to agree the final words