SPG:Drafts:Data Privacy EGI CheckIn
To enable the Infrastructure to be safe and reliable for your use, and to preserve your rights as a user, we adhere to “The Policy on the Processing of Personal Data” (“The Policy”), available in the Appendix below.
What Personal Data do We collect and process?
We collect and process the following Personal Data to identify you thereby enabling us to grant you access to the Infrastructure and to the services and resources provided by the Infrastructure:
- Data for User authentication
  - Identifiers unique to you as released by your authentication service
- Data for registration with the EGI CheckIn service and for collaboration management
  - Your name
  - Your Institute
  - Your e-mail address
- Data which may be used to grant you access to the services
  - Home Institute, Infrastructure and User Community specific information relating to your affiliations and rights
Purposes?
We process your personal data solely to grant and manage your access to services provided by the Infrastructure or by User Communities that are bound to the Infrastructure policies.
Besides this processing, We will store your personal data in log files and audit archives. These logs and other records are used solely for administrative, operational, monitoring, security and dispute resolution purposes. These may be shared for security incident response purposes with other authorised participants in the academic and research distributed digital infrastructures via secured mechanisms, only for the same purposes and only as far as necessary to provide the incident response capability.
Accessed by whom?
Retained for how long?
Your Personal Data will be shared, but only where:
1. The recipient has agreed to abide by The Policy
2. Doing so is likely to assist in the investigation of suspected misuse of Infrastructure resources.
Your usage of the Infrastructure will be monitored. Records of this use, containing your Personal Data, may be shared as described above for operational, security and accounting purposes only. These records will be purged or anonymised after, at latest, 18 months.

You can contact our Data Protection Officer ([insert contact details here]) to obtain a copy of your Personal Data, to request that it be corrected in case of factual error, or if you suspect that it has been misused. You can also request that we stop using your Personal Data, but this will affect your access to the Infrastructure.

This Policy should be read with reference to the Policy on the Processing of Personal Data and other Infrastructure policies available at [insert link to Infrastructure Policies here].

[Insert Name and Contact Details of Infrastructure Participant]
Appendix: The Policy on the Processing of Personal Data
This policy ensures that data collected as a result of the use of the Infrastructure is processed fairly and lawfully by Infrastructure participants. Some of this data, for example that relating to user registration, monitoring and accounting, contains “personal data” as defined by the European Union (EU) [R 1]. The collection and processing of personal data is subject to restrictions aimed at protecting the privacy of individuals.
- Infrastructure: The bounded collection of universities, laboratories, institutions or similar entities, which adhere to a common set of policies [R 2] and together offer data processing and data storage services to End Users.
- Participant: Any entity providing, managing, operating, supporting or coordinating one or more Infrastructure service(s).
- Personal Data: Any information relating to an identified or identifiable natural person [R 1].
- Processing (Processed): Any operation or set of operations, including collection and storage, which is performed upon Personal Data [R 1].
- End User: An individual who by virtue of their membership of a recognised research community is authorized to use Infrastructure services.
This policy covers Personal Data that is Processed as a prerequisite for or as a result of an End User’s use of Infrastructure services. Examples of such Personal Data include registration information, credential identifiers and usage, accounting, security and monitoring records. This policy does not cover Personal Data relating to third parties included in datasets provided by the End User or the research community to which they belong as part of their research activity. Examples of such data are medical datasets which may contain Personal Data.
By their activity in the Infrastructure, Participants:
a) Declare that they have read, understood and will abide by the Principles of Personal Data Processing as set out below.
b) Declare their acknowledgment that failure to abide by these Principles may result in exclusion from the Infrastructure, and that if such failure is thought to be the result of an unlawful act or results in unlawful information disclosure, they may be reported to the relevant legal authorities.
PRINCIPLES OF PERSONAL DATA PROCESSING
[R 1] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (DPD). http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:31995L0046
[R 2] Approved EGI Security Policies. https://wiki.egi.eu/wiki/SPG:Documents