Primary means of addressing Right of Access is mandatory identification of the authority from where the data originated. TAS3 attribute authorities MUST identify themselves in the data set. One of the following approaches are acceptable:
If data is conveyed in SAML assertion and the origin of the data is the same as the assertion's Issuer, then the assertion's Issuer field is taken as sufficient identification of the authority.
If data is conveyed in X509 attribute certificate and the origin of the data is the same as the certificate's Issuer, then the certificate's Issuer field is taken as sufficient identification of the authority.
Include in the data set attribute named urn:tas3:issuer whose value is the Entity ID of the issuer.
The Right of Access, Rectification, and Deletion ultimately needs to be satisfied at the origin of the data. To facilitate this process, the Service Providers that are consumers or users of the data MUST display the identity of the origin of any given data item or data set. Another way for the user to find out the origin of the data used in transactions is to see it in the Dashboard.
Either way, the user is then expected to direct his Right of Access, Rectification, or Deletion requests directly to the origin. User MAY request deletion of the local copy from the SP using the data, but the using SP is not responsible for correcting the data at the origin. Instead the user really needs to contact the origin.