Description of the eduGAIN Service

The eduGAIN interfederation service connects identity federations around the world, simplifying access to content, services and resources for the global research and education community. The eduGAIN consortium is comprised of many legal entities.

GÉANT is the body which is responsible for the international coordination and interoperability of the eduGAIN, and operates a number of services for the eduGAIN consortium globally. These central services are maintained by eduGAIN Operations Team (OT). This privacy policy concerns part of the eduGAIN consortium that is operated and maintained by GÉANT including, but not limited to, the following services: eduGAIN metadata distribution service, supporting tools available at the eduGAIN Technical site, secretarial services and support for eduGAIN users.

We are fans of privacy, and we are proud to say that the eduGAIN service is designed for minimal disclosure of end users personal data. eduGAIN DOES NOT process or have access to any transaction between an Identity Provider and Service Provider or any end user personal data as part of the authorisation process. eduGAIN provides advice and guidance to Identity Providers and Service Providers on how to meet GDPR requirements as part of its Best Current Practice documentation.

To view the general Privacy Notice for GÉANT, please visit the GÉANT website.

Why We Process Personal Data

eduGAIN processes personal data to support running the eduGAIN Steering Group and the administration of the eduGAIN service.

eduGAIN processes a small amount of end user personal data to monitor use of its website and authentication traffic in eduGAIN federation members for security and statistical purposes.

eduGAIN processes personal data that is made available in metadata aggregates provided by identity federations that participate in eduGAIN. This data is publicly available, but eduGAIN has specific permission to use this metadata via the signed eduGAIN Declaration with each member federation.

What Personal Data We Process

eduGAIN processes the following information:

  • Statistical information and logs for the edugain.org and technical.edugain.org website. We collect the usual web server logs, i.e. timestamp of access, IP address which requested the page, the page being requested, the HTML result code, etc.  GÉANT has a legitimate interest in this data processing.
  • Contact name, surname, email and affiliation of eduGAIN Steering Group and eduGAIN Federation Operator staff contacts. eduGAIN asks for the consent of individuals in the Steering Group and Federations before publishing and using this data.
  • Personal data made available by identity federations participating in eduGAIN in publicly available metadata streams is processed as part of the eduGAIN Technical Database and the creation of the eduGAIN metadata aggregate. This data may include name, surname, email, phone number and affiliation to the entity. eduGAIN strongly advises identity federations to use function contacts rather than the personal ones.  GÉANT has a legitimate interest in this data processing.
  • Statistical information about authentication traffic in eduGAIN federation members, available at f-ticks.edugain.org. When you use services available in eduGAIN, we may receive and log the following data of event when you logged in to institution Identity Provider: institution, service accessed, hashed SAML session-id, pseudonymised identifier and time stamp of authentication event. GÉANT has a legitimate interest in processing this information.

Who Do We Share Data With?

Personal data gathered for website statistics is only shared within the GÉANT Association and with the eduGAIN Operational Team for management and communication purposes.

eduGAIN Steering Group delegate personal data is shared with other members of the eduGAIN Steering Group and the eduGAIN Operations Team. This data may also be made publicly available on the eduGAIN Technical website with the consent of the SG member in question.

Personal data in federation metadata is made publicly available by the identity federations in question. To view this data, please see the eduGAIN Technical Database.

Statistical information about authentication traffic in eduGAIN federation members at f-ticks.edugain.org is only accessible by eduGAIN Operational Team. Additionally, Federation Operators are able to see data from their own federation members. Statistics without any personal information are available publicly at f-ticks.edugain.org website

Personal Data Retention

Analytical data for website statistics is currently retained permanently.

Data relating to eduGAIN Steering Group members is retained for the period of membership of the Steering Group.

Statistical information about authentication traffic in eduGAIN federation members at f-ticks.edugain.org is retained for 12 months, after which only aggregated data without personal information is kept.

Security

We support the following processes to ensure the security of your data:

  • Minimisation of personal data we collect;
  • Managing, limiting and controlling access to personal data;
  • Resilience of processing systems and services;
  • Regular testing of the effectiveness of measures implemented.

Your Rights

You have the right to ensure:

  • We process your data fairly and lawfully;
  • Your data is accurate (to rectify data released by your home organisation, please contact directly);
  • The data we collect is not excessive but only the data we require to provide the service;
  • Your data is secure;
  • Your personal data is securely destroyed when no longer required

You also have the right to ask what personal data we hold about you, and to complain to the Supervisory Authority (Autoriteit Persoonsgegevens at https://autoriteitpersoonsgegevens.nl) about our data processing activities if you feel your data is not being managed as described here.

Contact Information

Data Controller and Contact Data Protection Officer

GÉANT Association
Hoekenrode 3
1102 BR
Amsterdam – Zuidoost
Netherlands
Telephone number: +31 20 530 4488
email: gdpr@geant.org

Jurisdiction Netherlands

Dutch Data Protection Authority
Autoriteit Persoonsgegevens
Postbus 93374 2509 AJ DEN HAAG.
Telephone number: (+31) – (0)70 – 888 85 00.