Privacy Statement

This document must be read in conjunction with the SAFIRE Privacy statement.

Introduction

The University of Cape Town (hereafter referred to as ‘UCT’) has joined the South African federation of identities for Research and Education Federation (hereafter referred to as ‘SAFIRE’).

A federation is an agreement to a certain level of trust with other members of the federation. The federation provides a basic level of trust that can then be augmented by other criteria.

We respect your rights under the Protection of Personal Information Act, 2013 and related legislation, and this Privacy Statement exists to ensure you know how we process your personal information. Hereafter, user and personal data are referred to as the data-subject, and SAFIRE as the UCT’s Identity Provider.

Metadata

The UCT Identity Provider’s metadata has been shared with SAFIRE’s federation hub, and adheres to best practices outlined by the federation. Such metadata typically contains the canonical legal name of the organisation operating the entity, the contact details of various responsible parties, as well as technical information pertaining to its operation.

More information on Metadata and SAFIRE can be found here: https://safire.ac.za/technical/metadata/

Cookies

Various web sites used by the Federation set and store cookies within a data-subject’s web browser. These cookies are used to track sessions and facilitate the technical operations of the Federation (for instance, ensuring a particular browser is consistently redirected to the same backend server).

Whilst these cookies may contain a unique identifier for a particular browser, they SHALL NOT contain any personally identifying information about the data-subject (who may or may not be logging in). The underlying sessions MAY contain personal information, either with consent or as otherwise detailed in this document.

Attributes

Based on the minimum requirements set forth by SAFIRE, the UCT Identity Provider may release attributes about a person to Service Providers via the SAFIRE Federation hub.

At this time, the UCT Identity Provider may provide the following user attributes to other members of the SAFIRE federation after a successful authentication:

More information on the Attribute requirements of SAFIRE can be found here: https://safire.ac.za/technical/attributes/

Consent

When a data-subject logs in to their Identity Provider via the Federation Hub (SAFIRE), the Federation acts as an operator (data processor) on behalf of its participants, who are the responsible party (data controller). As part of this, it collects information about the data-subject’s consent to release personal information from their home organization to another (usually third-party) service provider.

The records required to facilitate this SHALL be stored using a one-way cryptographic hash (SHA256) of the attributes rather than the original attributes. In this way, the hub needs to store no personal information about the data-subject.

The Federation Operator provides a mechanism for the data-subject to withdraw such consent at https://consentadmin.safire.ac.za/.

Logs

All Identity Provider activities result in the generation of log files. These logs may contain a username or similar non-opaque unique identifier assigned by a data-subject’s home institution, as well as the IP address of the Internet connection they are using. They further keep a record of which service provider(s) a given data-subject logged into and at what time(s).

All logs generated by the UCT’s Identity Provider are copied to a central logging server for auditing purposes and are subsequently deleted from the Identity Provider server 90 days after generation.