Changes to the Privacy Statement are approved by the SAFIRE Steering Committee. This version was ratified on 7 December 2018. It is a complete rewrite of v20161221.
The South African Identity Federation (SAFIRE) exists to simplify access to content, services and resources for the global research and education community.
The basic principle underpinning the security of SAFIRE is that the authentication of a user is carried out at his/her home institution (Identity Provider, IdP) using the institution’s specific authentication method. The authorisation required to allow access to the requested service is carried out by the service provider (SP). Thus whilst SAFIRE is operated by TENET, the service as it appears to end-users consists of many legal entities.
SAFIRE respects your rights under the Protection of Personal Information Act, 2013 and related legislation, and this Privacy Statement exists to ensure you know how we process your personal information.
Why we process Personal Information
SAFIRE processes personal information during login in order to transfer it from your home identity provider to the service provider you are trying to log into.
We collect a small amount of end-user personal information for logging and statistical purposes, as well as to facilitate our internal operations.
What Personal Information we process
SAFIRE processes the following information:
When as an end-user1 (data subject), you log in via the Federation Hub, we act as an operator1 (data processor) on behalf of our participants who are the responsible party1 (data controller). We receive personal information in the form of attributes from your home identity provider, annotate and transform them, and then transfer them to the service provider you are logging into.
Not all of the attributes we receive from your identity provider are necessarily sent to the service provider — this is governed by our attribute release policy (ARP) and in many cases we establish that the service provider has a legitimate interest in processing the personal information we release. However, irrespective of the basis for transfer, the first time you log into a given service provider and whenever your personal information changes we will display all the personal information that will be passed to that provider. Where legitimate interest has not been established, we give you the opportunity to abort the login process if you are uncomfortable with the information being transferred. Thus the transfer notification we display may also collect your consent for processing in some circumstances.
Every time you try and log in via the Federation Hub, we log a timestamp, details of the identity- and service-providers involved, and the result of the authentication. The logs may sometimes also record your username and affiliation information, although this is not typically collected. This information is collected to allow us to resolve security incidents and debug problems.
We maintain public websites (including the Federation Hub) where we collect normal web server logs, i.e. timestamp of access, IP address which requested the page, the page being requested, the HTML result code, etc. The data collected is for the purpose of troubleshooting and debugging potential problems with SAFIRE web servers.
Personal information made available by SAFIRE participants in their metadata is made publicly available both in metadata aggregates and on the SAFIRE web page. This data may include name, surname, email address, phone number and affiliation to the entity. SAFIRE strongly advises participants to use role-based contacts rather than the personal ones.
We run various mailing lists to facilitate the operations of the federation, and these lists may make the personal information (name, email address) of subscribers available to other subscribers. In addition, when a subscriber posts to the list, the resulting email may be archived on a publically accessible web site.
SAFIRE has a legitimate interest in this data processing. There is a legal obligation to retain some logs.
Who do we share information with?
During the login process we share the attributes we’ve received or generated with the appropriate service provider as described in our attribute release policy.
We forward some anonymised statistical information about the use of our services to the eduGAIN monitoring service operated by GÉANT and located in Europe.
We make use of a third-party analytics service (Google Analytics) to provide insight into how users interact with various websites, including the Federation hub. This information is used to improve the user interfaces for these sites. The analytics service may set cookies within an end user’s web browser, and these cookies may contain an opaque identifier to uniquely identify the browser. In addition, the analytics service may collect anonymous information about an end user’s browser (such as display size, version, capabilities, etc). You may opt out of this tracking.
The metadata aggregates we publish are publically available and contain the contact details we are provided during entity registration.
Cookies we set
When we display a list of attributes that we are being transferred to a given service provider, we may set a cookie in your browser to indicate that we’ve done so (where consent is required, you can opt out of this by choosing the “only this time” option). The cookie contains a cryptographic hash of the service provider name and the values of the attributes we sent so we can detect when we need to re-display the notification page. Clearing the cookie has the effect of withdrawing any consent you may have given.
We also set cookies in your browser recording various session identifiers, to ensure the smooth operations of the service and so that you can log into other service providers without having to re-authenticate. These cookies contain no personal information, but do uniquely identify you.
Personal Information retention
When facilitating a user log in, for operational efficiency the Federation Hub may cache the attributes returned by the user’s home organisation. These attributes may be stored either in memory or on disk, but will not be retained for longer than eight hours.
Logs of authentications are kept for a period of six months (184 days).
Statistical and analytical data is currently retained indefinitely.
As noted above, the SAFIRE service is built to minimise the amount of personal information we need to process and retain. We make sure that all personal information is encrypted in transit between providers. We also ensure that access to information such as logs is limited, and we endeavour to follow industry best practices when it comes to securing our infrastructure. See our key management practice statement for further information.
Corrections and objections
You have the right to ensure the data we process is accurate. However, except in very limited circumstances, SAFIRE is not responsible for the actual content of the attributes we process. If there are errors in your personal information, you’d need to contact your home organisation’s IT help desk.
If you have any objection to the way we process your personal information, you are welcome to abort any login process and contact us.
Information on the privacy of the eduGAIN inter-federation service may be found in their Privacy Notice.
Google Analytics has comprehensive privacy information available.
Terminology from the Protection of Personal Information Act, 2013. Equivalent terminology from the European data protection directive (95/46/EC) and subsequent General Data Protection Regulation (GDPR) is given in parentheses. ↩︎