Legal issues

Only IPR (Copyright) and Data Protection should affect the setting up of a simple Shibboleth connection.

Data Protection

Institutions setting up a Shibboleth Identity Provider server must be aware of the implications of Data Protection Law.

The law governing the way in which personal data should be used of processed is set out in the Data Protection Act 1998, which came into effect on 1 March 2000. Personal data can be collected from individuals and processed provided there is compliance with the eight data protection principles[18]. When institutions collect data from users (staff and students) they need to be clear, and unambiguous, about the ways in which that data will be used, including its passing to third parties involved in authentication or authorisation.

It is worth noting that in the case of a Shibboleth connection, no sensitive personal data which is covered by the act should be required to authenticate and authorise users.

Intellectual Property Rights

Users must stay within the law of copyright when using electronic journals.

E-journals are subject to copyright law in exactly the same way as printed material. E-journals also tend to have additional restrictions on use defined by their associated license agreements. The main prohibited activities include:

  • downloading entire volumes or issues of journals;

  • the commercial use of journal content.

It is unclear exactly how developments in the management of rights in the digital environment will alter the availability and use of digital works. The increasing enclosure of digital works by publishers, supported by changes in the legal environment that favour rights-holders over public access, has seen innovative responses from those who wish to maintain the free flow of information, in the form of creative copyright licensing (open source licensing, the Creative Commons model), new publication models (pre-print publishing e.g. SSRN, open access publishing) and greater co-operation and collaboration between interest groups, such as educational institutions.

For more detail on Digital Rights Management and legal issues surrounding Shibboleth Federations see An introduction to Shibboleth Federations at

[18] Additional guidance on the Data Protection Act and other legal issues surrounding the use of information is available from The Information Commissioners Office: