Privacy Statement v20161221

Changes to the Privacy Statement are approved by the SAFIRE Steering Committee. This version reached rough consensus on 21 December 2016 and still needs to be ratified. As a revision to version v20160622, it includes a new section about website analytics.


This document explains what personal information is collected by the South African Identity Federation (SAFIRE) and how it is used.

This document SHALL1 be published on the Federation website at

Types of data collected or processed


The Federation collects metadata from various entities to facilitate the operation of the federation. Such metadata typically contains the canonical legal name of the organisation operating the entity, the contact details of various responsible parties, as well as technical information pertaining to its operation.

This information is considered public, and is freely available at


Various web sites used by the Federation set and store cookies within an end-user’s web browser. These cookies are used to track sessions and facilitate the technical operations of the Federation (for instance, ensuring a particular browser is consistently redirected to the same backend server).

Whilst these cookies may contain a unique identifier for a particular browser, they SHALL NOT contain any personally identifying information about the end user (who may or may not be logging in). The underlying sessions MAY contain personal information, either with consent or as otherwise detailed in this document.

Website analytics

The Federation MAY make use of a third-party analytics service (Google Analytics) to provide insight on how users interact with various websites, including the Federation hub. This information is used to improve the user interfaces for these sites.

The analytics service MAY set cookies within an end user’s web browser, and these cookies MAY contain an opaque identifier to uniquely identify the browser. In addition, the analytics service MAY collect anonymous information about an end user’s browser (such as display size, version, capabilities, etc). Google Analytics has comprehensive privacy information available and end users may opt out.


When facilitating a user log in, for operational efficiency the Federation Hub MAY cache the attributes returned by the user’s home organisation. These attributes MAY be stored either in memory or on disk, but SHALL NOT be retained for longer than eight hours.

When an end-user2 (data subject) logs in via the Federation Hub, the Federation acts as an operator2 (data processor) on behalf of its participants who are the responsible party2 (data controller). As part of this, it collects information about the data subject’s consent to release personal information from their home organisation to another (usually third-party) service provider.

The records required to facilitate this SHALL be stored using a one-way cryptographic hash (SHA256) of the attributes rather than the original attributes. In this way, no personal information about the data subject need be stored by the hub.

The Federation Operator provides a mechanism for the data subject to withdraw such consent at


All Federation activities result in the generation of log files. These logs may contain a username or similar non-opaque unique identifier assigned by an end-user’s home institution as well as the IP address of the Internet connection they are using. They further keep a record of which service provider(s) a given end-user logged into and at what time(s).

Logs SHALL be retained for 184 days after which they SHALL be deleted.

When used for longer term statistical purposes, any personal information (such as unique identifier and/or IP address) SHALL be anonymised by a cryptographic one-way hash.

Release of information to third parties

In the course of normal operations, the Federation hub MAY collect attributes from an identity provider and SHALL release a minimal set of those attributes to a service provider in accordance with the purpose of the service. Except in the circumstance where the service provider acts as an operator (data processor) for the identity provider, the data subject’s consent is always asked for such release.

The Federation Operators SHALL actively co-operate with participating identity and service providers in identifying the source of abuse of their services. It should be noted that generally all three parties need to collaborate in order to accurately identify a particular individual. In such circumstances, the home organisation MAY act against the user responsible for such abuses in terms of their own policies.

The Federation Operator SHALL co-operate with law enforcement organisation as required to by South African law. In general terms, the Federation Operator SHALL require a court order or other due process before considering such requests. However, as noted in the Participation Agreement, the Federation Operator MAY consider a valid notice served on an applicable identity or service provider as also applying to other parties in the transaction, including itself.

Changes to this document

Should there be a change in this document or the underpinning participation agreements that changes the handling of personal information by the Federation, all existing consent that MAY be affected by such a change SHALL be deemed to have been withdrawn. After implementation of any such changes, the Federation Hub SHALL prompt the data subject for consent again, even if they have previously elected to store such consent.

  1. The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119. ↩︎

  2. Terminology from the Protection of Personal Information Act, 2013. Equivalent terminology from the European data protection directive (95/46/EC) is given in parentheses. ↩︎ ↩︎ ↩︎

South African Identity Federation