Processing of users' personal data in connection with the guest use of the eduroam network using a user account managed by the Nicolaus Copernicus University in Toruń

Z Uniwersyteckie Centrum Informatyczne

Terminology

  1. User - a natural person authorized to use eduroam.
  2. Home institution - the institution responsible for issuing the certificate confirming the user's authorization to use eduroam.
  3. Institution providing network - an institution providing its own network to eduroam users - Nicolaus Copernicus University in Toruń.
  4. Intermediate institution - an institution maintaining the eduroam proxy server, these are institutions maintaining the global, national or regional eduroam nodes in all countries included in the eduroam structure.

Personal data administrator

The administrator of personal data processed in connection with the use of eduroam on the premises of the Nicolaus Copernicus University is the Nicolaus Copernicus University, ul. Gagarina 11, 87-100 Toruń.

Legality and purpose of data processing

The data is processed in order to guarantee a legitimate interest resulting from providing users with internet connectivity. The purpose of the eduroam service is to enable authorized users to use the Internet in a simple and secure manner on the premises of all cooperating institutions in the world. In the process of logging into the network, it is necessary to process personal data for the following purposes:

  1. confirming the user's entitlement to use eduroam;
  2. providing technical means of using encrypted wireless transmission;
  3. providing the potential possibility of linking the user to the assigned IP number in case of violation of law by this User and NCU receiving an appropriate request from the authorities;
  4. providing the possibility of contacting the user in the event that it is necessary to pay attention to the incorrectness of actions;
  5. providing the possibility of emergency blocking of access to the network in case the user's actions are inconsistent with the local network regulations;
  6. providing the ability to create and report statistics on the use of the eduroam network for the needs of co-financing entities.

Documents constituting the basis for data processing in eduroam

  1. Rules of eduroam services in Poland [eduroam-pl]
  2. Rules of the European eduroam confederation [eduroam-org]
  3. Rules of regional cooperation of eduroam confederations [eduroam-complience]
  4. Declaration of Poland's accession to the European confederation eduroam [declaration-en]
  5. Declarations of Polish institutions using eduroam [declaration]
  6. Rules of foreign eduroam federations

The scope of personal data processing

  1. Category of data subjects - User.
  2. Data categories:
    1. network interface address (MAC) - this value is provided by the user's device;
    2. connection identifier, and when using individual certificates, also the entire certificate - usually anonymous or pseudonymous data - the value of this identifier is provided by the user's device;
    3. pseudonymous CUI identifier - this value can be provided by the user's home institution;
    4. connection establishment time - information generated by the UMK server;
    5. assigned internet address - information generated by the UMK servers;
    6. identifier of the institution providing the network (i.e. the umk.pl value attached by the UMK servers to the authentication packages);
    7. user's location on the network (identifier of the wireless point serving the user) - information generated by the UMK servers.

Data retention period

The data is stored for a period of 12 months. After this period, data is reduced and anonymized. Anonymized data can be processed and stored without restrictions.

Data recipients

Administrators of the network and service infrastructure required to provide eduroam services at the Nicolaus Copernicus University.

External data sharing

In the authentication process, messages are exchanged between the institution providing the network and the user's home institution. Data transmission takes place via proxy servers appropriate for the user's location and his home institution. The selection of these servers is mostly beyond the control of the Nicolaus Copernicus University. If the institution providing the network in which the user is located is outside the European Economic Area, then the user's data is transferred to this institution, and therefore outside the European Economic Area. The following is shared:

  1. user's network interface address (MAC);
  2. connection identifier, and if individual certificates are used, also the entire certificate;
  3. institution identifier.

For the purposes of statistics, the following data are shared:

  1. user device network interface address pseudonymized;
  2. domain address of the user's home institution;
  3. identifier of the country visited (Poland);
  4. visor of the visited institution (1umk.pl).

These data are stored locally and transferred to a nationwide server run by the Nicolaus Copernicus University in Toruń - eduroam coordinator in Poland and through it to a European server run by the global eduroam operator - GÉANT Association.

Description of technical and organizational security measures

Access to servers and network infrastructure required to provide the eduroam service that processes eduroam data on the premises of the Nicolaus Copernicus University is protected as follows:

  1. Systems are in a separate network protected by a firewall;
  2. Access is restricted only to authorized persons (administrators);
  3. Access is only possible from authorized network resources;
  4. Security Policy of the Nicolaus Copernicus University computer network was introduced.

Communication between the user's device and the authentication server is TLS encrypted.

Sources