You can have data which is in a nice “open” format (eg. RDF/XML rather than HTML) but is not public.
Mild example; a FOAF profile for a member of staff should not be made public on the web without their permission, but could reasonably be made available to all members of the university.
Extreme example; exam transcripts should be made available in an electronic & machine readable form if a student (or tutor) wants them, but should be locked down.
You never want your students & staff giving their username/password to 3rd party apps willy nilly… although I bet they type it into SSH/Firefox/VPN on cybercafes so that ship pretty much sailed, the only difference is a smart phone app can be more targeted.
Here’s what I’m thinking a first draft of private linked data policy should be:
There is a web-page on the Intranet, requiring authentication which allows members to generate pass keys for their data, these keys will have a text description for what they are used for and a mandatory expiry date. They can then add “privs” to that key, like “profile data”, “timtable” or “assignments” (with carefully worded warnings about implications). They then cut and paste that key into the app they want to have access to the data.
The key consists of a username & password for the app to pass to the RDF server to get results. For example cjg-key2/8347e084309bc20 (where the username is a combo of my username and the key ID)
28, 14 and 0 days before the key expires the person gets an email telling them it’s expiring/has expired with a URL to click to add 12 months to the key. Maybe less time if it’s got very sensitive access.
RDF documents created with the username & password would contain a triple
<> generatedFor <...etc.../account/cjg#access-key2> .
And maybe and rdfs:comment with a deliberate long code in which the org can scan Google to catch if data is leaking.
Unexpected emergent behaviour
I can see one really interesting potential issue with this… If it became standard I can imagine high-pressure parents or even the government of the country an overseas student came from to keep a check on their grades! This is an interesting privacy issue, where a student can’t be *forced* to tell the truth to 3rd parties about their grades until their final graduation (or lack thereof).
Linked data makes this easier, but the problem exists already. You could just as easily insist the student gave over their normal username/password for parental or government monitoring.
Personal data vs Data I can view
Toby, one of our student coursework helpdesk guys, made a good point to me; there’s an important distinction between data I can view and data about me. A good policy may be to allow people to freely generate keys to any information about themselves (with some advice on the screen), but a key which can access raw data about other people, such as your tutees marks, or the internal university phonebook (with all those DPA-restricted names & numbers in) should require some more formal process, even if it’s data you can view via a portal in HTML.
That more formal process could be a signature, training or just a bigger EULA style page for you to fail to read.
So I assume you are starting to role out RDF as your internal infrastructure?