Processing personal data federation: Differences between revisions

From Uniwersyteckie Centrum Informatyczne

(Description of technical and organizational security measures)
Linia 14: Linia 14:
  
 
=== Legality and purpose of data processing ===
 
=== Legality and purpose of data processing ===
#The data processing is aimed at providing the user with access to a specific external service, as well as confirming the rights to such access in case of any doubts raised by the Service Provider at a later date.
+
#The data processing is aimed at providing the User with access to a specific external service, as well as confirming the rights to such access in case of any doubts raised by the Service Provider at a later date.
#The NCU Central Login Point is a technical tool that provides confirmation of the user's relationship with the Nicolaus Copernicus University, and if the service requires it, providing additional information about this user, while confirming the compliance of this information with the state recorded in the NCU user databases.
+
#The NCU Central Login Point is a technical tool that provides confirmation of the User's relationship with the Nicolaus Copernicus University, and if the service requires it, providing additional information about this user, while confirming the compliance of this information with the state recorded in the NCU user databases.
 
#Storing the value of the pseudonymous ID is necessary to ensure the same value each time the user accesses the Service.
 
#Storing the value of the pseudonymous ID is necessary to ensure the same value each time the user accesses the Service.
 
#The purpose for which data is processed at the Service Provider depends on the specific Service and is not considered here.
 
#The purpose for which data is processed at the Service Provider depends on the specific Service and is not considered here.
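Review bot: The switch to the defined term "User" is incomplete in this hunk: the revised item 2 still ends "additional information about this user", and the unchanged item 3 keeps "each time the user accesses the Service". Suggest capitalising both so the term from the Terminology section is used consistently. Item 2 would also read more clearly with parallel verbs, for example "confirms the User's relationship with the Nicolaus Copernicus University and, if the Service requires it, provides additional information about this User".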
Linia 23: Linia 23:
 
#Data categories
 
#Data categories
 
#*first name and last name
 
#*first name and last name
#* user account ID and password
+
#* User account ID and password
#* user's email address
+
#* User's email address
 
#* user type - employee, student
 
#* user type - employee, student
 
#* permanent, pseudonymous identifier created separately for each user and each service
 
#* permanent, pseudonymous identifier created separately for each user and each service
#* identifier of the service the user is using
+
#* identifier of the service the User is using
 
#* the time of each login to the service
 
#* the time of each login to the service
 
#* permanent consent to share attributes and the time they are granted
 
#* permanent consent to share attributes and the time they are granted
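Review bot: In the data categories list, "created separately for each user and each service" stays lowercase while the neighbouring items are changed to "User", so the defined term is applied unevenly. The last item, "permanent consent to share attributes and the time they are granted", also has a number mismatch ("consent ... they"). Since the list includes "User account ID and password", it would help to state which of these categories are released to the Service and which are processed only at the Central Login Point; the visible text does not distinguish them.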
Linia 41: Linia 41:
  
 
=== External data sharing ===
 
=== External data sharing ===
#Data are made available to the Service each time the user logs in.
+
#Data are made available to the Service each time the User logs in.
#First sharing of data for a specific Service is preceded by displaying to the user an information screen with:
+
#First sharing of data for a specific Service is preceded by displaying to the User an information screen with:
 
#* list of data to be shared,
 
#* list of data to be shared,
 
#* link to the privacy policy of the Service (if it is published by the service),
 
#* link to the privacy policy of the Service (if it is published by the service),
 
#* question about confirmation of willingness to use the service and simultaneous transfer of data.
 
#* question about confirmation of willingness to use the service and simultaneous transfer of data.
# Not expressing consent to transfer data to the Service means for the user no access to this Service. When agreeing to the transfer of data to the Service, the user indicates the mode of operation chooses for the future. By default, the consent has a permanent charterer, i.e. on subsequent accesses the data will be transferred automatically, without displaying the information screen again. Permanent consent is recorded in the NCU Central Login Point database.
+
# Not expressing consent to transfer data to the Service means for the User no access to this Service. When agreeing to the transfer of data to the Service, the User indicates the mode of operation chooses for the future. By default, the consent has a permanent charterer, i.e. on subsequent accesses the data will be transferred automatically, without displaying the information screen again. Permanent consent is recorded in the NCU Central Login Point database.
 
# Users can view the list of permanent consents granted and withdraw them, for this purpose they can use the internal service [https://skrypty2.uci.umk.pl/zgoda/?lang=en https://skrypty2.uci.umk.pl/zgoda/?lang=en].
 
# Users can view the list of permanent consents granted and withdraw them, for this purpose they can use the internal service [https://skrypty2.uci.umk.pl/zgoda/?lang=en https://skrypty2.uci.umk.pl/zgoda/?lang=en].
#NCU acts as a trusted intermediary when passing user data to the Service Provider and is not responsible for the processing of personal data in the Service. In particular:
+
#NCU acts as a trusted intermediary when passing User data to the Service Provider and is not responsible for the processing of personal data in the Service. In particular:
 
#* withdrawal of permanent consent to data transfer via the Central Login Point does not automatically delete previously transferred data in the Service;
 
#* withdrawal of permanent consent to data transfer via the Central Login Point does not automatically delete previously transferred data in the Service;
#* any queries about the processing process, requests to be forgotten etc. the user should direct to the Service Provider;
+
#* any queries about the processing process, requests to be forgotten etc. the User should direct to the Service Provider;
#* NCU cannot confirm whether the Service Provider is based in the European Economic Area and whether data is processed in the service in accordance with the GDPR. Such information should be available in the privacy policy of the service. In case of doubt, users should assume that their data may be processed outside the European Economic Area.
+
#* NCU cannot confirm whether the Service Provider is based in the European Economic Area and whether data is processed in the service in accordance with the GDPR. Such information should be available in the privacy policy of the service. In case of doubt, Users should assume that their data may be processed outside the European Economic Area.
  
 
=== Description of technical and organizational security measures ===
 
=== Description of technical and organizational security measures ===
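Review bot: The revised consent paragraph in External data sharing is edited only for capitalisation and still carries two wording errors: "the User indicates the mode of operation chooses for the future" should read "chosen", and "the consent has a permanent charterer" should read "character". In the same hunk, "any queries about the processing process, requests to be forgotten etc. the User should direct to the Service Provider" would be clearer with the subject first ("the User should direct any queries ... to the Service Provider"), and the comma splice in the item about viewing and withdrawing consents should be split into two sentences.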

Revision as of 10:24, 19 May 2020

Terminology

  1. NCU - Nicolaus Copernicus University in Toruń
  2. Service - external authorized service - a service based on the so-called federated login
  3. Central Login Point of the Nicolaus Copernicus University - single sign-on service to the WWW application using the user accounts of the Nicolaus Copernicus University Computer Network
  4. User - a natural person using external services via the NCU Central Login Point
  5. Service Provider - an institution conducting an external authorized service

Personal data administrator

  1. The administrator of personal data processed in connection with providing access to external authorized services is the Nicolaus Copernicus University, ul. Gagarina 11, 87-100 Toruń.
  2. The administrator of the data provided to the external service is the Service Provider, in accordance with the privacy policy of the service.

Legality and purpose of data processing

  1. The data processing is aimed at providing the User with access to a specific external service, as well as confirming the rights to such access in case of any doubts raised by the Service Provider at a later date.
  2. The NCU Central Login Point is a technical tool that confirms the User's relationship with the Nicolaus Copernicus University and, if the Service requires it, provides additional information about this User, while confirming that this information matches the state recorded in the NCU user databases.
  3. Storing the value of the pseudonymous ID is necessary to ensure the same value each time the User accesses the Service.
  4. The purpose for which data is processed at the Service Provider depends on the specific Service and is not considered here.

The scope of personal data processing

  1. Category of data subjects - User.
  2. Data categories
    • first name and last name
    • User account ID and password
    • User's email address
    • user type - employee, student
    • permanent, pseudonymous identifier created separately for each User and each Service
    • identifier of the service the User is using
    • the time of each login to the service
    • permanent consent to share attributes and the time it is granted

Data retention period

  1. Data for logging into services are stored for a period of 12 months.
  2. Data on permanent consents are stored for the duration of the consent.
  3. The period of storage of backups is determined in accordance with the principles of the NCU Computer Network Security Policy.

Data recipients

  1. Administrators of the NCU Central Login Point
  2. Administrators of the Service

External data sharing

  1. Data are made available to the Service each time the User logs in.
  2. First sharing of data for a specific Service is preceded by displaying to the User an information screen with:
    • list of data to be shared,
    • link to the privacy policy of the Service (if it is published by the service),
    • question about confirmation of willingness to use the service and simultaneous transfer of data.
  3. If the User does not consent to the transfer of data to the Service, the User has no access to this Service. When agreeing to the transfer of data to the Service, the User indicates the mode of operation chosen for the future. By default, the consent has a permanent character, i.e. on subsequent accesses the data will be transferred automatically, without displaying the information screen again. Permanent consent is recorded in the NCU Central Login Point database.
  4. Users can view the list of permanent consents granted and withdraw them. For this purpose they can use the internal service https://skrypty2.uci.umk.pl/zgoda/?lang=en.
  5. NCU acts as a trusted intermediary when passing User data to the Service Provider and is not responsible for the processing of personal data in the Service. In particular:
    • withdrawal of permanent consent to data transfer via the Central Login Point does not automatically delete previously transferred data in the Service;
    • the User should direct any queries about the processing, requests to be forgotten, etc. to the Service Provider;
    • NCU cannot confirm whether the Service Provider is based in the European Economic Area and whether data is processed in the service in accordance with the GDPR. Such information should be available in the privacy policy of the service. In case of doubt, Users should assume that their data may be processed outside the European Economic Area.

Description of technical and organizational security measures

  1. Access to servers and the network infrastructure of the NCU Central Login Point is protected as follows:
  2. The identity of the Service Provider is confirmed by a certificate, in accordance with the list published by the cooperating national identity management federations.
  3. All Service Providers based in the European Economic Area are required to implement a policy for the protection of personal data in accordance with the GDPR.