Privacy Statement (Draft)

This document is intended to work in conjunction with the SAFIRE Privacy statement found at https://safire.ac.za/safire/policy/privacy/, and has been used as a reference point where relevant.

Published: 2016-12-12

Introduction

The University of Cape Town (hereafter referred to as 'UCT') has joined the South African federation of identities for Research and Education Federation (hereafter referred to as 'SAFIRE').

A federation is an agreement to a certain level of trust with other members of the federation. The federation provides a basic level of trust that can then be augmented by other criteria.

This document explains what personal information is collected about a user (hereafter referred to as data-subject) by UCT's Identity Provider, and what will be shared with SAFIRE and other members of the federation.

Metadata

The UCT Identity Provider's metadata has been shared with SAFIRE's federation hub, and adheres to best practices outlined by the federation. Such metadata typically contains the canonical legal name of the organisation operating the entity, the contact details of various responsible parties, as well as technical information pertaining to its operation.

More information on Metadata and SAFIRE can be found here: https://safire.ac.za/technical/metadata/

Cookies

Various web sites used by the Federation set and store cookies within a data-subject's web browser. These cookies are used to track sessions and facilitate the technical operations of the Federation (for instance, ensuring a particular browser is consistently redirected to the same backend server).

Whilst these cookies may contain a unique identifier for a particular browser, they SHALL NOT contain any personally identifying information about the data-subject (who may or may not be logging in). The underlying sessions MAY contain personal information, either with consent or as otherwise detailed in this document.

Attributes

Based on the minimum requirements set forth by SAFIRE, the UCT Identity Provider has the ability to release Attributes about a person to Service Providers via the SAFIRE Federation hub.

At this time, the UCT Identity Provider may provide the following user attributes to other members of the SAFIRE federation after a successful authentication:

More information on the Attribute requirements of SAFIRE can be found here: https://safire.ac.za/technical/attributes/

Consent

When a data-subject logs in to their Identity Provider via the Federation Hub (SAFIRE), the Federation acts as an operator (data processor) on behalf of its participants who are the responsible party (data controller). As part of this, it collects information about the data subject's consent to release personal information from their home organization to another (usually third-party) service provider.

The records required to facilitate this SHALL be stored using a one-way cryptographic hash (SHA256) of the attributes rather than the original attributes. In this way, the hub need store no personal information about the data-subject.

The Federation Operator provides a mechanism for the data-subject to withdraw such consent at https://consentadmin.safire.ac.za/.

Logs

All Identity Provider activities result in the generation of log files. These logs may contain a username or similar non-opaque unique identifier assigned by a data subject's home institution as well as the IP address of the Internet connection they are using. They further keep a record of which service provider(s) a given data-subject logged into and at what time(s).

All logs generated by UCT's Identity Provider are copied to a central logging server for auditing purposes, and are subsequently deleted from the Identity Provider server 90 days after generation.