Neil Scully and Martyn Jansen - Protecting the user

1. openathens.org
Protecting the user:
Data protection, privacy and security
Martyn Jansen
Contracts & Legal Manager
martyn.jansen@eduserv.org.uk
Neil Scully
Head of Development and Service Delivery
neil.scully@eduserv.org.uk

2. openathens.org
GDPR
• Putting people in control of their data
• Properly protecting personal data in your care

3. openathens.org
What we want to tell you about…
• Rights and freedoms of data subjects
• Transparency and information
• Minimisation
• Protection
• Breaches

4. openathens.org
Rights and freedoms
• The right to be informed
• The right of access
• The right to restrict processing
• The right to rectification, object and erasure

5. openathens.org
Transparency and information
• Clear and timely information
• What/how/why/when

6. openathens.org
Minimisation
• Like re-cycling, collect the minimum and use it for shortest time
• Issues around deletion

7. openathens.org
Protection
• Good measures required
• CIA
• Encryption and pseudonymisation
• Technology not the whole answer - privacy by default and design, PIA,
procedures and staff training

8. openathens.org
Breaches
• €20m!
• Reporting
• Avoidance

9. openathens.org
Managing personal data in OpenAthens
• Creating and managing personal accounts
• Releasing attributes to publishers (Service Providers)
• Dealing with access and deletion requests
• Data retention

10. openathens.org
Roles
• OpenAthens customers are data controllers
• OpenAthens is the data processor
So…..
• OpenAthens provides tools to allow customers
to control data

11. openathens.org
Creating OpenAthens accounts
OpenAthens
database
Admin Interface
Bulk Upload
Self
Registration
Customer Application
OpenAthens
API
Customer
Directory
Local Directory /
Authentication

12. openathens.org
Collecting personal data
• By default
• Email address
• First name
• Last name
• Optional details
• Custom schemas
• Attribute mapping

13. openathens.org
Personal Data - Mandatory

14. openathens.org
Personal data - optional

15. openathens.org
Custom schema

16. openathens.org
Attribute Mapping

17. openathens.org
Releasing personal data
• By default – not personally identifiable
• Organisation ID
• Entitlement ID
• User ID
• Custom release policies

18. openathens.org
Release policies

19. openathens.org
Access & deletion requests
• Access requests
• To us – we will confirm with organisation administrator before acting
• To you – request via the OpenAthens Service Desk
• Full details sent in PDF
• Delete accounts
• Delete in the OAAdmin area (or via API)

20. openathens.org
Data retention
• Accounts are deleted when
• They are not activated
• They reach their expiry date
• Can be configured in preferences menu

21. openathens.org
Organisation preferences

22. openathens.org
Protective measures
• Minimisation
• Anonymisation
• Encrypted in transit
• Firewalls and public cloud

23. openathens.org
User awareness
• OpenAthens privacy policy & T&Cs updated https://openathens.org/privacy/
• Make privacy policy more visible to users
• Link from sign in pages *
• E-mail templates *
• User review prompts *
(* Work to do)

24. openathens.org
Conclusion
• OpenAthens requires minimal personal data
• OpenAthens has considerable in-built privacy controls
• Some care with attribute release and peripheral processes
• User awareness

25. openathens.org
Questions?