Processing of users' personal data in connection with the use of the eduroam network using a user account managed by the Nicolaus Copernicus University in Toruń

Z Uniwersyteckie Centrum Informatyczne

Terminology

  1. NCU - Nicolaus Copernicus University in Toruń
  2. User - a natural person authorized to use eduroam.
  3. Home institution - institution responsible for issuing the certificate confirming the user's right to use eduroam - Nicolaus Copernicus University in Toruń.
  4. Institution providing the network - an institution that provides its own network to eduroam users.
  5. Intermediate institution - an institution maintaining the eduroam proxy server, they are institutions maintaining the global, national or regional eduroam nodes in all countries included in the eduroam structure.

Personal data administrator

The administrator of personal data processed in connection with the use of eduroam at the Nicolaus Copernicus University and data processed in the process of authenticating users using eduroam outside the Nicolaus Copernicus University is the Nicolaus Copernicus University, ul. Gagarina 11, 87-100 Toruń. If the user uses eduroam outside the Nicolaus Copernicus University, the administrator of personal data is the Institution providing the network. In addition, the data administrator may also be Institutions intermediating in the User's authentication process.


Legality and purpose of data processing

The data is processed in order to guarantee a legitimate interest resulting from providing users with internet connectivity. The purpose of the eduroam service is to enable authorized users to use the Internet in a simple and secure manner on the premises of all cooperating institutions in the world. In the process of logging into the network, it is necessary to process personal data for the following purposes:

  1. confirming the user's entitlement to use eduroam;
  2. providing technical means of using encrypted wireless transmission;
  3. providing the potential possibility of linking the user to the assigned IP number in case of violation of law by this User and NCU receiving an appropriate request from the authorities;
  4. providing the possibility of contacting the user in the event that it is necessary to pay attention to the incorrectness of actions;
  5. providing the possibility of emergency blocking of access to the network in case the user's actions are inconsistent with the local network regulations;
  6. providing the ability to create and report statistics on the use of the eduroam network for the needs of co-financing entities.

Documents constituting the basis for data processing in eduroam

  1. Rules of eduroam services in Poland [eduroam-pl]
  2. Rules of the European eduroam confederation [eduroam-org]
  3. Rules of regional cooperation of eduroam confederations [eduroam-complience]
  4. Declaration of Poland's accession to the European confederation eduroam [declaration-en]
  5. Declarations of Polish institutions using eduroam [declaration]
  6. Rules of foreign eduroam federations

The scope of personal data processing

  1. Category of data subjects - User.
  2. Data categories:
    1. First name, surname, certificate's CN assigned to a given person, email address;
    2. network interface address (MAC) - this value is provided by the user's device;
    3. user ID that uniquely associates it with a natural person;
    4. connection identifier, and when using individual certificates, also the entire certificate - usually anonymous or pseudonymous data - the value of this identifier is provided by the user's device;
    5. pseudonymous CUI identifier - this value is generated by the Nicolaus Copernicus University as long as the institution providing the network sets the appropriate tag.
    6. connection establishment time;
    7. assigned internet address - only in cases when the user uses the network on the premises of the Nicolaus Copernicus University;
    8. identifier of the institution providing the network, if the institution providing the network transmits it;
    9. user's location on the network (identifier of the wireless point serving the user) - only in cases when the user uses the network within the UMK.

Data retention period

The data is stored for a period of 12 months. After this period, data is reduced and anonymized. Anonymized data can be processed and stored without restrictions.

Data recipients

If the user uses an account maintained by the Nicolaus Copernicus University and:

  1. use of eduroam in the Nicolaus Copernicus University, the data is processed only by the Nicolaus Copernicus University and the recipients of his data are Administrators of the network and service infrastructure required to provide the eduroam service in the Nicolaus Copernicus University;
  2. uses eduroam outside the Nicolaus Copernicus University, the data is processed by the Nicolaus Copernicus University in the scope described in this document, and additionally by the institution in which he uses eduroam and by intermediaries in the user authentication process. The recipients of the data are Administrators of the network and service infrastructure required to provide the eduroam service at the Nicolaus Copernicus University, Administrators of the network and service infrastructure required to provide the eduroam service in the institution providing the network on which the User uses eduroam, and Administrators of the network and service infrastructure required to provide the eduroam service in institutions mediating the User's authentication process.

External data sharing

In the authentication process, messages are exchanged between the institution providing the network and the user's home institution. Data transmission takes place via proxy servers appropriate for the user's location and his home institution. The selection of these servers is mostly beyond the control of the Nicolaus Copernicus University. If the institution providing the network in which the user is located is outside the European Economic Area, then the user's data is transferred to this institution, and therefore outside the European Economic Area. The following is shared:

  1. confirmation of user entitlement to use eduroam;
  2. CUI pseudonymous identifier - this value is generated by the Nicolaus Copernicus University as long as the institution providing the network sets the appropriate tag.

Description of technical and organizational security measures

Access to servers and network infrastructure required to provide the eduroam service that processes eduroam data on the premises of the Nicolaus Copernicus University is protected as follows:

  1. Systems are in a separate network protected by a firewall;
  2. Access is restricted only to authorized persons (administrators);
  3. Access is only possible from authorized network resources;
  4. Security Policy of the Nicolaus Copernicus University computer network was introduced.

Communication between the user's device and the authentication server is TLS encrypted.

All sharing institutions that have their headquarters in the European Economic Area are required to implement a policy for the protection of personal data in accordance with the GDPR.

All sharing institutions that have their headquarters outside the European Economic Area are obliged to comply with the principles of operation of the European eduroam confederation [eduroam-org].

Sources