An Acceptable use policy (AUP) and terms and conditions are necessary instruments in the regulation of infrastructure access. They bind the user to the ‘purpose’ for which the services and resources they use have been provided. Also the SCI Trust Framework in section 6 already stated that "Each infrastructure has the following: ... An Acceptable Use Policy (AUP) addressing at least the following areas: defined acceptable and non-acceptable use, user registration, protection and use of authentication and authorisation credentials, data protection and privacy, disclaimers, liability and sanctions".
Yet, as with privacy notices, the reader is rather inclined to click through and proceed with the actual task at hand. Thus, to reduce the burden on the user and increase the likelihood that they will read the AUP, the number of times a user is presented with such notices must be kept to a minimum, preferably just a single time. Yet the notice should cover as much of the user’s potential use of the infrastructure as possible: the more services and resources deem an AUP as sufficient for their policy purposes, the better it will be. This will allow users to use resources from multiple service and resource providers without the need to confirm acceptance of additional AUPs.
The aim of the Baseline AUP is to
- provide a common baseline set of criteria for acceptable use and terms and conditions for the professional use of IT infrastructures for research globally – and thereby ease the trust of users across infrastructures: services within an infrastructure have a common framework describing the behaviour of users coming from multiple communities;
- facilitate a presentation format that allows necessary privacy notices (in Europe for GDPR compliance) to be presented at the same time and remain easily available thereafter;
- support services with varying levels of support and quality guarantees;
- provide for augmentation of the baseline AUP with community and infrastructure-specific terms and conditions
be applicable to both community-first and user-first AAI membership management services.
WISE Baseline AUP - latest version
- full text (status: definitive text, pending changes to presentation)
Development process
Given the many possible AUPs in use which might form a basis for a common baseline, a study was conducted in the AARC project comparing 11 existing community and infrastructure AUP texts, looking for commonalities and discrepancies to inform the project. From an initial reading, it was apparent that a majority of the texts already shared a common heritage. Adopting the result of the AUP Study - and given that the so-called ‘JSPG' AUP clauses reflected the common heritage and could be used as a baseline template - an initial Baseline AUP was created and subsequently evolved. In March 2019 the WISE community adopted the AUP clauses and form (it is currently under final editing in the Steering Committee for formatting and presentation updates only).
Implementation guidance
Supplementing the basic instructions on usage of the AUP template included within the text itself, an Implementer’s Guide to the WISE Baseline Acceptable Use Policy [AARC-I044] was written with detailed advice for implementers wishing to adopt the Baseline AUP. It distinguishes two possible implementation models. The first, more straightforward, route to adoption, is a so-called “community-first” use-case. Here, a community (or other body) has its own ‘AAI entry point’ and can easily adapt the AUP template for its own purposes for presentation to its members. A second model, so-called “user-first” use-case, is used where the community, in which the user has yet to become registered, makes use of a (multi-tenant) membership management service. The reader is referred to the Implementers Guide for full details.