Changes to our Federation Rules
On August 31 2020, the AAF Board voted on changes to the Federation Rules
| Previous Rule | Change – (agreed in 2020) | Reason |
|---|---|---|
| DEFINITIONS | Conditional Attributes A set of Attributes selected by the Federation that all Identity Providers are required to support where they have implemented systems to support the Conditional Core Attributes. | New definition added |
| DEFINITIONS | Data encryption Laws The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) and any other applicable laws or codes governing data encryption. | New definition added |
| DEFINITIONS | Insolvency Event A liquidation or winding up, the appointment of a controller, administrator, receiver, manager or similar insolvency administrator to a Subscriber or any substantial part of its assets or the occurrence of any event that has a substantially similar effect to any of the above events. | New definition added |
| DEFINITIONS | Personal Information Information or an opinion about an identified individual, or an individual who is reasonably identifiable. | New definition added |
| DEFINITIONS | Privacy Laws The Privacy Act 1988 (Cth), the Australian Privacy Principles in the Privacy Act 1988 (Cth) and any other applicable laws or codes governing data protection, privacy and Personal Information. | New definition added |
| 6.2.8 When acting in its capacity as a Subscriber of the Australian Access Federation, it will comply with all applicable laws. | New rule | |
| 8.4 Identity Providers must collect or generate the Conditional Attributes as defined by the Federation (refer Appendix 2) where they have implemented systems to support the Conditional Core Attributes. | New rule | |
| 10.1 A Subscriber must, when acting in its capacity as a Subscriber of the Australian Access Federation, comply with any applicable legislation regarding data protection and privacy, including without limitation, the Australian Privacy Act 1988 (Cth). | 10.1 A Subscriber must, when acting in its capacity as a Subscriber of the Australian Access Federation, comply with: (a) any applicable legislation regarding data protection and privacy, including without limitation, Privacy Laws and Data Encryption Laws; (b) all directions and instructions of AAF in relation to actual or potential: (i) security or data breaches relating to the System; or (ii) configurations of the System that may lead to a security or data breach; and (c) all existing policies of AAF regarding data protection and privacy and all reasonable directions of AAF in relation to data protection and privacy. | Additional/ new rule |
| 10.2 Each Subscriber acknowledges and agrees that, should it fail to comply with any direction or instruction of AAF in accordance with section 10.1(b) within seven (7) days, AAF may, without further notice to the Subscriber, take all necessary action on behalf of the Subscriber to comply with such direction or instruction, which may include sending communications on the Subscriber’s behalf, notifying relevant authorities and suspending the Subscriber’s use of the Federation. | New rule | |
| 10.4 Each Subscriber acknowledges and agrees that AAF may use, disclose or otherwise deal with any Data or Personal Information collected or obtained in connection with the Federation as required or authorised by or under law (including any Privacy Laws or Data Encryption Laws) or any court or tribunal order. | New rule | |
| 10.5 If a Subscriber becomes aware or suspects that it has gained unauthorised access to any Data or Personal Information of another Subscriber, it must: (a) immediately notify AAF of the unauthorised access and provide all relevant information and copies of the Data or Personal Information; (b) promptly take all necessary steps to destroy all copies of such Data or Personal Information; (c) promptly do all things within its power to remedy any consequences associated with the unauthorised access; and (d) comply with all reasonable directions of AAF in relation to the unauthorised access. | New rule | |
| 13.1 A Subscriber may voluntarily withdraw from the Australian Access Federation upon 20 Working Days’ notice to AAF Ltd. | 13.1 A Subscriber may voluntarily withdraw from the Australian Access Federation upon 20 Working Days’ notice to AAF Ltd. The Subscriber acknowledges and agrees that if it voluntary withdraws from the Australian Access Federation in accordance with this clause 13.1, it will not be entitled to any refund of subscription fees paid to AAF. | Amended rule |
| 13.3.1 Has a receiver, administrative receiver, administrator or other similar officer appointed over it or over any part of its undertaking or assets; or | 13.3.1 is subject to an Insolvency Event; | Amended rule |
| 13.3.2 Passes a resolution for winding up (other than for the purpose of a bona fide scheme of solvent amalgamation or reconstruction) or a court of competent jurisdiction makes an order to that effect; or | 13.3.2 Commits a material breach of these Rules which is not capable of remedy; or | Amended rule |
| 13.3.3 Becomes subject to an administration order or enters into any voluntary arrangement with its creditors or ceases or threatens to cease to carry on business; or | 13.3.3 Commits a material breach of these Rules, which is capable of remedy and does not remedy the breach within fourteen (14) days after being notified by AAF that it requires the breach to be remedied. | Amended rule |
| 13.3.4 Is unable to pay its debts or is deemed by an appropriate court to be unable to pay its debts; or | 13.3.4 Fails to comply with any direction or instruction of AAF in accordance with section10.1(b) and 10.1(c) within seven (7) days, and does not remedy this failure and inform AAF the failure has been remedied within fourteen (14) days after being notified by AAF that it is treating the failure as a breach of the Rules and that it requires the breach to be remedied. | Amended rule |
| 13.3.5 Undergoes or is subject to any analogous acts or proceedings under any foreign law, including, but not limited to, bankruptcy proceedings. | 13.3.5 Fails to pay any subscription fees within [90 days] of the due date. | Amended rule |
| 18.2 A significant proportion of the material in this document has been adopted or modified from the UK Access Management Federation and is used with the permission of the copyright owner. The authors are grateful for the support of their UK colleagues in this endeavour. The core documents of the UK federation are available at: http://www.ukfederation.org.uk/content/Documents/Documentation. | Removed | |
| APPENDIX 2 CONDITIONAL ATTRIBUTES Attribute eduPersonOrcid Example values https://orcid.org/0000-0002-1825-0097 Conditional Attributes A set of Attributes selected by the Federation that all Identity Providers are required to support where they have implemented systems to support the Conditional Attributes. | New Conditional attribute |