Identity, Access, and Privacy: Lessons from the Vanguard in Europe

Legal frameworks, regulations, and requirements such as CCPA, GDPR, and the NIH adoption of REFEDS are having a profound influence on how organizations manage personal information and govern access. So far, the impact to US higher education has been minimal. In contrast, peer institutions in Europe are at the forefront of deploying strategic, tactical and technical responses to privacy and access governance issues. In 2020–21, Moran Technology Consulting participated in the first phase of a multi-year program to provide a nationwide identity and governance administration (IGA) solution to the Norwegian higher education sector. Working with Uninett (a state-owned company responsible for the National Research and Education Network) and Identity Automation, a first-generation shared IGA service was deployed and piloted at the University of Bergen. Uninett’s objectives include providing a central, nationwide IGA to manage personal and organizational data that: meets national audit requirements; delivers flexible, distributed, and granular access governance to institutions; and meets privacy requirements for users' right to know and be forgotten. We will present news and lessons from the front. How do expanding privacy regulations change our approach to and priorities for IAM? How do these and future regulations impact our business processes, data management tools, and the capabilities we need from our IGA solutions? What can we be doing now to prepare for the future?