Previous Rule (2023)
|
Change (2024)
|
Reason
|
2 Authority of this document
|
2 Authority of this document
|
|
2.1 The electronic exchange of authentication information between End Users, Identity Providers and Service Providers and the provision of support services for Subscribers may be managed by one or more Operators on behalf of the Federation. |
This document forms a part of the AAF Subscription and becomes a legally binding document upon execution of the AAF Subscription Form. |
Amended rule |
3 Definitions
|
3 Definitions
|
|
AAA
Authentication, Authorisation and Accounting, a term used for describing a technical and legal environment for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. |
|
Removed definition |
Attribute
Metadata describing either the End User or services provided under the AAF framework. Attributes are used by Service Providers for service provision, including Authentication, Authorisation and Accounting operations. Service Attributes can also be used by End User systems to assist in selecting appropriate Services. |
Attribute
means Data and Metadata describing organisations, Identity Providers, Service Providers, End Users and Services within the Federation, and includes the Core Attributes and the Conditional Attributes. Attributes are used by Service Providers for service provision, including Authentication, Authorisation and Accounting operations. Service Attributes can also be used by End User systems to assist in selecting appropriate Services. |
Amended definition |
Attribute release
The release of Attributes for transfer from an Identity Provider to a Service Provider. |
|
Removed definition |
Australian Access Federation Limited |
Australian Access Federation Limited (AAF Ltd) |
Amended definition |
Core Attributes
A set of Attributes selected by the Federation that all Identity Providers are required to support. |
Core Attributes
means a set of Attributes selected by the Federation Operator that all Identity Providers are required to support, detailed at Appendix 1. |
Amended definition |
Conditional Attributes
A set of Attributes selected by the Federation that all Identity Providers are required to support where they have implemented systems to support the Conditional Attributes. |
Conditional Attributes
means a set of Attributes selected by the Federation Operator, detailed at Appendix 2. |
Amended definition |
|
Connected Systems
means hardware, software, platforms, infrastructure and other technologies, products, services, systems, processes, applications and any form of communications used to access, collect, process, maintain, use and share Data used by any Authentication Service or Authorisation Service connected to the Federation. |
New definition |
|
Cyber Security Incident
has the meaning given in section 12M of the Security of Critical Infrastructure Act 2018 (Cth). |
New definition |
Data Encryption Laws
The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) and any other applicable laws or codes governing data encryption. |
|
Removed definition |
End User
Any natural person who is a user of resources or services made available under the Australian Access Federation. An End User must have an association with an Identity Provider registered by the Federation, such that the Identity Provider is authorised by the End User to hold and pass attributes to a Service Provider in order that the End User may gain access to services. |
End User
means a natural person who has an association with an Identity Provider and is a user of the Federation. |
Amended definition |
Federation
The Australian Access Federation or AAF. |
Federation
means the Australian Access Federation (AAF), a service combining policy and technology that enables authentication, access and identity verification for the Australian education and research community. |
Amended definition |
Good Practice
Good practice as generally accepted within the IT industry and determined by the Board from time to time in the context of the AAF’s required standard covering practices for identity management, authentication and authorisation of users of on-line resources and services. |
Good Practice
means the exercise of skill, diligence, prudence, foresight and judgement which would reasonably be expected by a qualified industry professional. |
Amended definition |
|
Incident
means an unplanned interruption that may impact End Users’ ability to access the Federation, or Services connected to the Federation. |
New Definition |
Identity Provider
Any organisation or institution which has been registered by the Federation and has a legal relationship with an End User to provide an authentication service for that End User. |
Identity Provider
means any organisation or institution which has been registered by the Federation Operator and has a legal relationship with an End User to provide an Authentication Service for that End User to access the Federation. |
Amended definition |
|
Notifiable Data Breach
has the meaning given by section 26WE of the Privacy Act 1988 (Cth). |
New definition |
|
Operational issue
means any actual or potential issue, concern, problem, compromise, Incident, Cyber Security Incident or a Notifiable Data Breach in any information technology or business systems. |
New definition |
Privacy Laws
The Privacy Act 1988 (Cth), the Australian Privacy Principles in the Privacy Act 1988 (Cth) and any other applicable laws or codes governing data protection, privacy and Personal Information. |
Privacy Laws
means the law, principles, industry codes and policies relating to the collection, use, disclosure, storage or granting of access rights to Personal Information and includes:
a) the Privacy Act 1988 (Cth) (and the Australian Privacy Principles established under the Privacy Act 1988 (Cth));
b) the SPAM Act 2003 (Cth);
c) the Do Not Call Register Act 2006 (Cth);
d) any guidelines, public interest determinations or other advices relating to Personal Information issued by the Office of the Australian Information Commissioner or the Federal Privacy Commissioner in Australia;
e) any other requirement under Australian law, industry code or policy relating to the handling of Personal Information; and
f) any other applicable law or binding regulation in relation to data protection, data privacy, personal data or personal information. |
Amended definition |
Rules
The document updated from time to time which defines the Rules for AAF Subscribers. |
Rules
means all the rules set out in this document, including the Appendices. |
Amended definition |
|
Services
means the Service Provider’s resources and information made available to the Federation. |
New definition |
Service Provider
Any organisation or institution that is registered by the Federation and provides access to End Users to services and resources based on a set of Attributes that satisfy their particular authorisation requirements. |
Service Provider
means any organisation or institution that is a Subscriber and registered by the Federation Operator, that provides End Users’ access to Services based on a set of Attributes that satisfy their particular authorisation requirements. |
Amended definition |
|
Subscription
means the subscription details set out in the AAF Subscription Form, which can be obtained by emailing [email protected]. |
New definition |
|
Unique Identifier
means a numeric or alphanumeric string that is associated with a single entity within a given system. |
New definition |
|
Where appropriate we have added Federation Operator and removed “AAF” |
Minor amendment |
6 Subscriber responsibilities
|
6 Subscriber responsibilities
|
|
|
6.1.3 it will promptly respond to any Operational Issue that may impact the Federation, any Subscriber or End User, Connected Systems or Data, and must notify the Federation Operator of the Operational Issue in writing within two [2] Business Days of first becoming aware of the Operational Issue, and provide regular updates in its management of the Operational Issue; |
New rule |
|
6.1.4 it will promptly respond to any Incident that may impact the Federation, any Subscriber, End User, Connected Systems or Data, and it must notify the Federation Operator within two [2] Business Days of first becoming aware of the Incident, and provide regular updates in its management and rectification of the Incident; |
New rule |
7 AAF Limited Responsibilities
|
7 AAF Limited Responsibilities
|
|
|
7.1.1 Publish contact information for the Federation. |
New rule |
|
7.1.2 Promptly respond to Operational Issues and Incidents. |
New rule |
|
7.1.3 Exercise Good Practice in maintaining the security of the Federation and the Connected Systems. |
New rule |
8 Additional rules for Identity Providers
|
8 Additional rules for Identity Providers
|
|
|
8.5 The Identity Provider must ensure that it complies with all Privacy Laws and clause 12 of these Rules. |
New rule |
8.7.2 Where unique persistent Attributes are associated with an End User, the Identity Provider must ensure that these Attribute values are not re-issued to another End User for at least 24 months after the last possible use by the previous End User; |
8.8.2 Where Unique Identifiers are associated with an End User, the Identity Provider must ensure that these Attribute values are not re-issued to another End User; |
Amended rule |
9 Additional rules for Service Providers
|
9 Additional rules for Service Providers
|
|
|
9.4 The Service Provider must make available on its website, and to any Subscriber, End User or any other body that uses its Services, any requirements and/or policies applicable when accessing its Services. |
New rule |
|
9.5 The Service Provider must ensure that it complies with all Privacy Laws and clause 12 of these Rules. |
New rule |
|
10. Modern Slavery
|
New rule |
|
10. Modern Slavery
In this clause 10:
Modern Slavery Laws means the Modern Slavery Act 2018 (Cth) and the Modern Slavery Act 2018 (NSW) and any relevant regulations or ancillary legislation published in respect of the above or any similar modern slavery legislation in another jurisdiction of which AAF Ltd is required to comply.
Modern Slavery Offence means:
a) any conduct which would constitute ‘modern slavery’ under the Modern Slavery Act 2018 (Cth); and
b) any other conduct or practices which amount to an offence under any of the Modern Slavery Laws.
10.1 At the date of entering into the Subscription and these Rules, the Subscriber represents and warrants that it:
10.1.1 has no knowledge of any Modern Slavery Offence currently occurring within its organisation or supply chain; and
10.1.2 takes and will continue to take reasonable steps to identify the risk of, and prevent the occurrence of, Modern Slavery Offences within its organisation or supply chains.
10.1.3 Without limiting clause 10.1 above, the Subscriber represents and warrants to AAF Ltd that in relation to any services procured from, or subcontracted or outsourced to, third parties for the provision of the services (including, for the avoidance of doubt, in the capacity of an Identity Provider and Service Provider) under these Rules, the Subscriber has taken, or will, prior to procuring, sub-contracting or outsourcing any such services from or to a third party, take, and will continue through the Subscription to take all reasonable steps to confirm that such third party is not engaging in Modern Slavery Offences.
10.1.4 The Subscriber will notify AAF Ltd in writing as soon as practicable and no later than ten [10] Business Days upon becoming aware of any Modern Slavery Offence (or of any charges laid or orders made in relation to a Modern Slavery Offence) within its organisation or supply chain.
10.1.5 If requested by AAF Ltd, the Subscriber will, subject to any existing confidentiality requirements and any relevant law, take all reasonable steps to provide AAF Ltd with any information, reports or documents in relation to any Modern Slavery Offence or any risk of a Modern Slavery Offence within the Subscriber’s organisation or supply chain, including if required the completion of a self-assessment questionnaire. |
New rule |
|
11. Anti-corruption
|
New rule |
|
11. Anti-corruption
In this clause 11:
Anti-bribery Laws means all laws, statutes, regulations and directives from a Government Authority in relation to anti-bribery and anti-corruption.
Government Authority means any governmental, semi-governmental, municipal, statutory, judicial or quasi-judicial authority, department, agency, body, entity, organisation, commission or tribunal.
11.1 Compliance with Anti-bribery Laws
The Subscriber must and must ensure that its personnel (including, for the avoidance of doubt, its directors, officers and employees):
11.1.1 comply with all applicable Anti-bribery Laws;
11.1.2 comply with any AAF Ltd policy regarding Anti-bribery as provided to the Subscriber from time to time;
11.1.3 do not directly or indirectly make any offer, transfer of consideration (in the form of money or otherwise), or granting authorisation of any offer or consideration, to any AAF Ltd personnel or any public official (whether Australian or other foreign), that will enable it an unfair or improper advantage under the Subscription and these Rules; and
11.1.4 immediately report to AAF Ltd any request or demand that may consist of a material financial or other advantage which may be unlawful in connection with the Subscription and these Rules.
11.2 Representations and notification
The Subscriber:
11.2.1 warrants that it has not been convicted of any anti-bribery offence under any applicable Anti-bribery Laws;
11.2.2 will immediately notify AAF Ltd if it has publicly announced it is subject to an investigation by a Government Authority for a suspected or actual breach of any Anti-Bribery Laws; and
11.2.3 agrees that if:
(i) the warranty in clause 11.2.1 is or becomes false; or
(ii) the Subscriber is convicted of an offence under any Anti-Bribery Laws, then AAF Ltd may immediately terminate this agreement upon written notice to the Subscriber. |
New rule |
10 Data Protection and Privacy
|
12 Data Protection and Privacy
|
Amended rule |
|
12.1 (b) its obligations under the Privacy Laws in relation to its provision of the Connected Systems, and storage of Personal Information and Data;
12.1 (c) (iii) unauthorised access to Personal Information and/or Data; or
12.1 (c) (iv) Operational Issues; and |
New rule |
10.5 (a) immediately notify AAF of the unauthorised access and provide all relevant information and copies of the Data or Personal Information; |
12.5 (a) immediately notify the Federation Operator of the unauthorised access and provide all relevant information; |
Amended rule |
10.5 (b) promptly take all necessary steps to destroy all copies of such Data and/or Personal Information; |
12.5 (b) promptly take all necessary steps to destroy or de-identify all copies of such Data and/or Personal Information; |
Amended rule |
|
12.6 Each Subscriber will take reasonable steps to ensure the security and safety of the Personal Information and Data held by the Subscriber, including by implementing and maintaining reasonable and current data protection and cyber security procedures and technologies.
12.7 The Subscriber hereby consents to the AAF Ltd publishing or otherwise making available information in relation to the Subscriber as may be required, in the case of a Notifiable Data Breach or Cyber Security Incident, by the Office of the Australian Information Commissioner and/or the Australian Cyber Security Centre as required to comply with the Privacy Laws and/or the Security of Critical Infrastructure Act 2018 (Cth). |
New rule |
12 Audit and Compliance
|
14 Audit and Compliance
|
Amended rule |
12.2 Whether pursuant to an audit or otherwise, if AAF Ltd has reasonable grounds for believing that the Subscriber is not complying with these Rules, then AAF Ltd may notify the Subscriber of such non-compliance in sufficient detail to allow the Subscriber to take appropriate remedial action. Following receipt of such notice, the Subscriber must promptly and in any event within 30 days of such notice, remedy the non-compliance. If the Subscriber has not remedied the non- compliance to AAF Ltd’s reasonable satisfaction within 30 days of the notice, then AAF Ltd may terminate the Subscriber’s participation in the Australian Access Federation. |
14.2 Whether pursuant to an audit or otherwise, if AAF Ltd has reasonable grounds for believing that the Subscriber is not complying with these Rules, then AAF Ltd may notify the Subscriber of such non-compliance in sufficient detail to allow the Subscriber to take appropriate remedial action. Following receipt of such notice, the Subscriber must promptly and in any event within 45 days of such notice, remedy the non-compliance. If the Subscriber has not remedied the non- compliance to AAF Ltd’s reasonable satisfaction within 45 days of the notice, then AAF Ltd may terminate the Subscriber’s participation in the Australian Access Federation. |
Amended rule |
16. Dispute Resolution
|
18. Dispute Resolution
|
Amended rule |
16.1 If any dispute arises between the parties arising from or relating to these Rules, AAF Ltd or the Subscriber will refer the dispute to their respective representatives, whereupon the AAF Ltd representative and the Subscriber representative will promptly discuss the dispute with a view to its resolution.
16.2 If any dispute cannot be resolved in accordance with Section 16.1 within 10 Working Days, the Subscriber or AAF Ltd may require that the matter be referred for consultation between the Chief Executive/Vice Chancellor or equivalent of the Subscriber, or their authorised representative, and the Chief Executive Officer of AAF Ltd. In this event, both the Subscriber and AAF Ltd will be represented by one or more delegates in consultations which will be held within 15 Working Days of the requirement.
16.3 If a dispute cannot be resolved under Sections 16.1 and 16.2, then the dispute may be referred by either party to the Board. The Board may seek expert advice if relevant. The decision of the Board will be final and binding upon the parties. |
18.1 If any dispute arises between the parties arising from or relating to these Rules (Dispute), AAF Ltd or the Subscriber will refer the Dispute to their respective authorised representatives, whereupon the AAF Ltd representative and the Subscriber representative will promptly discuss the dispute with a view to its resolution. Except where the party seeks urgent interim or interlocutory relief, a party may not commence any court, tribunal or other similar proceedings relating to the Dispute unless it has complied with this clause.
18.2 If a party believes that a Dispute has arisen it must provide a written notice to the other party or parties setting out full details of the Dispute (Dispute Notice).
18.3 There will be a period of thirty [30] days from the service of a Dispute Notice during which the authorised representatives of the parties must participate in good faith negotiations to attempt to reach a written agreement regarding the Dispute detailed in the Dispute Notice.
18.4 If, following the expiry of the period described in clause 18.3 no written agreement has been reached regarding the matters set out in the Dispute Notice, either party may, by written notice to the other party submit the dispute for mediation pursuant to clause 18.5.
18.5 Any Dispute submitted for mediation under this clause 18 will be conducted in accordance with the mediation rules of the Resolution Institute (ACN 008 651 232).
18.6 The parties may agree on the identity of the mediator appointed to mediate a Dispute, provided that where the parties are unable to agree on the identity of the mediator within fifteen [15] days of the Dispute being submitted for mediation, either party may request that a mediator be appointed by the Resolution Institute (ACN 008 651 232).
18.7 If a Dispute referred to mediation under clauses 18.4 or 18.5 is not resolved within twenty [20] days after the mediator was appointed or any further time period agreed by the parties in writing, the dispute resolution process under this clause 18 will be terminated and either party may commence legal proceedings in respect of the Dispute.
18.8 The cost of any mediator will be shared equally between each party. Each disputing party will bear their own costs of participating in any such mediation. |
Amended rule |
17. General
|
19. General
|
Amended rule |
17.1 These Rules are governed by laws of Queensland, Australia which will have exclusive jurisdiction to deal with any dispute which may arise out of or in connection with these Rules.
17.2 If any provision of these Rules is held to be unenforceable by any court of competent jurisdiction, all other provisions will nevertheless continue in full force and effect.
17.3 All notices which are required to be given under these Rules must be in writing and sent, in respect of AAF Ltd, Australian Access Federation, Level 21, 179 Turbot Street, Brisbane QLD 4000 and, in respect of the Subscriber, to the address of its principal office, or in either case, to any other address in which the recipient may designate by notice given in accordance with the provisions of this Section.
17.4 Except where otherwise stipulated in these Rules, any notice may be delivered by Priority Post or by email. Notice will be deemed to have been served:
17.4.1 If by Priority Post, 48 hours after posting; or
17.4.2 If by email, when delivered.
17.5 These Rules and all the documents referred to in them supersede all other agreements, arrangements and understandings between the parties in respect of their subject matter and constitute the entire agreement between them relating to their subject matter.
17.6 The Subscriber may not assign or otherwise transfer its subscription of the Australian Access Federation without the prior written consent of AAF Ltd. |
19.1 These Rules are governed by the law in force in the state of Queensland, Australia and the Commonwealth of Australia. The parties submit to the non-exclusive jurisdiction of courts of the State of Queensland and the Commonwealth of Australia including the Federal Court and any courts that may hear appeals from those courts about any proceedings in connection with these Rules.
19.2 If any provision of these Rules is held to be unenforceable by any court of competent jurisdiction, all other provisions will nevertheless continue in full force and effect.
19.3 A notice, consent, approval, waiver or other communication (notice) in connection with these Rules must be in writing and signed by the sender or a person authorised by the sender. A notice may be given by hand delivery, prepaid post or by electronic message to the recipient’s current address for service for notices (located at https://aaf.edu.au/about/contact-us/) or as amended by notice from time to time. Notice will be deemed to be received:
19.4.1 if hand delivered, at the time of delivery;
19.4.1 If by pre-paid post, three [3] Business Days after the date of posting or seven [7] Business Days after the date of posting if posted to or from a place outside Australia; or
19.4.2 If by email, when the sender receives an automated message confirming delivery or eight [8] hours after the message has been sent (as recorded on the device from which the sender sent the message) unless the sender receives an automated message that the electronic message was not delivered or the sender knows or reasonably should know that there is a network failure and accordingly knows or suspects that the electronic message was not delivered, unless a notice is received after 5.00 pm on a Business Day in the place of receipt or at any time on a non-Business Day, in which case, that notice is deemed to have been received at 9.00 am on the next Business Day.
19.6 The Subscriber may not assign or otherwise transfer its Subscription of the Federation without the prior written consent of AAF Ltd. |
Amended rule |
Appendix 1 Core Attributes
|
Appendix 1 Core Attributes
|
|
eduPersonAssurance
urn:mace:aaf.edu.au:iap:id:1; urn:mace:aaf.edu.au:iap:authn:1 |
eduPersonAssurance
https://refeds.org/assurance/ID/unique; https://refeds.org/assurance/IAP/local-enterprise; https://refeds.org/assurance/IAP/low; https://refeds.org/assurance/IAP/medium; https://refeds.org/assurance/ATP/ePA-1m |
Amended attribute |
|
SAMLSubjectID
[email protected] |
New attribute |
|
SAMLPairwiseID
[email protected] |
New attribute |