Legal Issues

Legal understanding for federations includes the establishment of rules for local authentication, which define shared attributes, use of received attributes, security, privacy and data integrity concerns. Other issues to be considered include trust across federations and rules for subsets of federations.

Data Protection

A UK Shibboleth Federation will be composed of organisations which need to handle personal data about individuals in order to carry out their work and fulfil their obligations to members of staff and students. The law governing the way in which such data should be used or processed is set out in the Data Protection Act 1998, which came into effect on 1 March 2000.

Personal data can be collected from individuals and processed provided there is compliance with the eight data protection principles. The first principle states that personal data must be processed fairly and lawfully. In order to fulfil this principle, the Act sets out that lawful processing will be achieved when either consent is received or one of the other condition of schedule 2 of the Act are fulfilled; these include where it is in the legitimate interest of a data controller (identity provider) to fulfil a contractual requirement such as that between a university and its staff and students. Therefore, although written consent is not necessary to comply with the Act, it is the easiest way. It is best to get it at the point of data collection, and can be obtained through acceptance of a privacy statement of some kind. In the absence of consent the University will need to ensure that it can fulfil one of the other conditions.

The other data protection principles[2] are that personal data must be:

  • collected for a specified and lawful purpose and process in accordance with that purpose;

  • adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;

  • accurate and, where necessary, kept up to date;

  • kept for no longer than necessary;

  • processed in accordance with the rights of the data subject;

  • have appropriate technical and organisational measures taken to protect it against unauthorised or unlawful processing and accidental loss, destruction of, or damage; and

  • only transferred outside the European Economic Area in restricted circumstances, and if the country or territory guarantees an adequate level of protection for the rights and freedoms of data subjects.

In the case of a Shibboleth Federation, the data controller specified in the act will normally be the Identity Provider. Processing covers anything that can be done with personal data.

An Identity Provider will collect a wide range of personal data relating to staff and students for its own purposes, and to meet external obligations. This information may eventually be transferred to third parties such as a Service Provider. All transfers of personal data which are made must comply with the Data Protection Principles given above. Express consent for transfer of personal data to a third party is only needed for sensitive personal data. Otherwise it must be made clear and unambiguous when the data is collected how it will be used, including that data transfer to third parties involved in provision of services may occur.

It is worth noting that, in the case of a Shibboleth connection, no sensitive personal data which is covered by the Act should be passed to a third party. Shibboleth also gives the user privacy control on release of personal attributes. An Identity Provider would contract with the Federation that it will release data as necessary for authentication and authorisation processes; Service Providers will be contracted to only request necessary data about individuals. In many cases all data will be relatively anonymous, e.g. in the case of an institutional subscription, the only data needed to authenticate individuals is "affiliation to university x".

The JISC Data Protection Code of Practice for the HE and FE Sectors provides guidance on best practice concerning the retention of records containing personal data (version 2 is available at:

Intellectual Property Rights

Ownership of intellectual property (IP) usually rests with the employing institution. In common with existing library and institutional use policies, end users at institutions must respect the copyright on any content accessed, including that accessed through participation in the Federation. End-users and institutions also have to abide by the terms of any copyrights applicable to the use of software, documentation or other materials developed by the Federation or other federation participants.

All works are automatically copyrighted, which can in fact prevent use when the authors and other rights holders would prefer the reuse was possible[3]. To overcome this organisations such as Creative Commons[4]

have created a small set of standardised licenses that can be associated with content. Licenses are a mechanism for copyright holders to grant rights to others under specific conditions without relinquishing control. For example, the license associated with this paper allows anyone to copy and distribute it provided that proper attribution is given.

The JISC have also commissioned work in this area. Casey (2004) presents an overview[5].

It is unclear exactly how developments in the management of rights in the digital environment will alter the availability and use of digital works. The increasing enclosure of digital works by publishers, supported by changes in the legal environment that favour rights-holders over public access, has seen innovative responses from those who wish to maintain the free flow of information, in the form of creative copyright licensing (open source licensing, the Creative Commons[6] model), new publication models (pre-print publishing e.g. SSRN[7], open access publishing) and greater co-operation and collaboration between interest groups, such as educational institutions, which is part of the approach taken by existing federations.

Digital Rights Management

Digital Rights Management (DRM) is necessary to support digital library collections, code and software development , distance education, and networked collaboration. Intellectual Property (IP) needs to be protected from misuse, and open publishing requires DRM strategies that emphasise multiple subscription models, fair use[8] and include paid and unpaid access. It is desirable to support local and inter-institutional sharing of resources in a discretionary, secure and private manner, but a balance between the rights of the owner and the rights of the user needs to be maintained. According to Dalziel and Vullings (2004)[9] , digital rights management has two meanings:

  • management of intellectual property creation and related rights

  • enforcement of rights to use digital intellectual property

Digital rights expression languages (XrML or ODRL) are commonly used to encode rights. The key to fulfilling requirements in this area may not be to do with expressing all rights via a rights expression language but instead in automating access control - i.e. how, what, who. In most cases trusted access control via the web or desktop encryption would be sufficient.

In a given context, authorisation should therefore be granted on the basis of an agreement on common attributes and common policies, and an expression of both in generic languages so that other combinations are possible in future as the community/ federation and its understanding grows.

In a presentation at a recent European conference, Andrew Charlesworth[10], from the University of Bristol Centre for IT and Law, states, "Educational institutions in the UK (and indeed elsewhere) are now faced with a digital environment where ownership of rights in works, the ability to exert ownership control over those works, and the ability to secure access to works at a reasonable cost are of key importance. It is thus an environment where effective rights management is becoming increasingly important, and rightsholders are becoming ever more efficient at identifying and pursuing infringements, supported by changes in the law which provide rightsholders with far greater rights and powers than were previously available to them".

DRM in Federations

Acquisition and distribution of learning resources are likely to increasingly take place between federations of repositories that share metadata and provide their uses with access to each other’s content. These federations (such as the NSDL[11] or coalitions of academic institutions) will have or will develop membership criteria and policies and allow users to simultaneously search and acquire content from all members of a federation.

[2] Additional guidance on the Data Protection Act and other legal issues surrounding the use of information is available from The Information Commissioners Office:

[3] Collier, C., Muramatsu, B., Robson, R. (2004). The Reusable Learning Project. Site). Retrieved from

[4] Creative Commons. (2004). The Creative Commons. Retrieved

[5] Casey, J, 2004, Intellectual Property Rights in Networked e-Learning: A Beginner’s Guide for Content Developers,

[8] In the USA, "fair use" is a commonly used legal exception enabling users to make "reasonable" use of copyrighted work without requesting permission based on factors outlined in section 107 of the Copyright Act 1976, including: the character of use (commercial vs educational/ non-profit); the nature of the copyrighted work; the amount of work used; and the effect of the use on the market for the work.

[9] Dalziel, J. and Vullings, E. (2004). Federations in Action. Presentation

[10] Charlesworth, A. (2005) Copyright Strategies in the Networked Environment.TERENA Networking Conference 2005 - Networking within the Law - Extended Abstract, 6-9 June 2005

[11] NSDL (2004). National Science Digital Library. Retrieved from