Subject: Re: [security-services] SAML deployments that use consent step?
Paul,

On 11 Nov 2009, at 22:12, Paul Madsen wrote:

> Thanks Josh, do you have a link for that?

Here's the response from my colleague:

> I've recently re-discovered the UK Information Commissioner's original
> statement that I have been paraphrasing as "consent is hard and should
> be the last resort".
>
> Section 3.1.5 of
> http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/data_protection_act_legal_guidance.pdf says:
>
> "The Commissioner's view is that consent is not particularly easy to
> achieve and data controllers should consider other conditions in
> Schedule 2 (and Schedule 3 if processing sensitive personal data) before
> looking at consent. No condition carries greater weight than any other.
> All the conditions provide an equally valid basis for processing. Merely
> because consent is the first condition to appear in both Schedules 2 and
> 3, does not mean that data controllers should consider consent first."
>
> I've just updated my privacy course to have the reduced version:
> "consent is not particularly easy to achieve and data controllers should
> consider other conditions ... before looking at consent."
>
> And the European Data Protection Supervisor (Peter Hustinx) said very
> much the same thing in a presentation to the ENISA summer school in
> Crete in September (and agreed with my observation that it was
> unfortunate that consent came first: "I didn't draft the Directive...").
>
> There are also some explicit statements about not giving people the
> impression they are consenting when they aren't in the Good Practice
> Guide on Privacy Notices (page 8 in particular):
> http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/privacy_notices_cop_final.pdf