
APOSDLE - work, learn, collaborate

Legal and Ethical Issues Version 1

This document gives an overview of the activities the APOSDLE project consortium has undertaken in the privacy area during the first and second project years while rolling out the socio-technical solution APOSDLE into small or medium enterprises (SMEs) or departments of a global (European) company. In consultation with SAP’s Works Council, Corporate Legal and Data Protection & Privacy Office departments and with IHK security consultants, a privacy policy was specified to fulfil the seven principles of Notice, Purpose, Consent, Security, Disclosure, Access and Accountability, as stated in the OECD’s recommendations for protection of personal data and in Directive 95/46/EC on the protection of personal data. The experiences and the resulting privacy policy have been summarised in the paper “Privacy Issues when rolling out an E-Learning Solution”, accepted for ED-Media 2008 in Vienna.

In the first chapter, the purpose and scope of this document are specified. Chapter “Directive 95/46/EC on the protection of personal data” explains how Directive 95/46/EC addresses the protection of individuals with regard to the processing of personal data and the free movement of such data. Here, it must be noted that EU directives are addressed to the member states and are not, in principle, legally binding on citizens. The member states must transpose the directive into internal law. Directive 95/46/EC on the protection of personal data had to be transposed by the end of 1998. All member states have enacted their own data protection legislation.

Chapter 3 covers data protection principles at SAP. Rather than claiming to be complete, this chapter addresses the privacy basics, which might be slightly different in another use case depending on the boundary conditions of the company or country. In consultation with SAP’s Works Council, Corporate Legal and Data Protection & Privacy Office departments, a privacy policy was specified to fulfil the seven principles of Notice, Purpose, Consent, Security, Disclosure, Access and Accountability, as stated in the OECD’s recommendations for protection of personal data and in Directive 95/46/EC on the protection of personal data. This policy will have to be signed by APOSDLE users before logging on for the first time.

Chapter 4 describes security management within APOSDLE. Here, security and privacy requirements have to be implemented by the task observer, the security manager of the central server and the privacy enhancement services. The last paragraph briefly describes a potential approach to integrating Web Service Security as a standardized way to ensure SOAP message integrity and confidentiality.

The legal and technical actions described in this report make it possible to roll out APOSDLE into organisations. Ultimately, the success of the prototype, or later of an APOSDLE-like product, depends heavily on the user's trust in the system. This user behaviour will be studied in more detail during the evaluation of the second APOSDLE prototype.