Thursday 8th February 2018
As experts in federated access management and online identity, OpenAthens has always made data protection and online security a key focus, as these are central to our industry-leading offering.
However, we have viewed the forthcoming GDPR changes as an opportunity to review and enhance our data collection and security processes.
Here we highlight the key forthcoming changes and what we are doing to ensure compliance:
1) Businesses must collect the least possible personal data
OpenAthens only requires a username, password, e-mail address and the person’s name to create the unique identifier needed for people to set up an account and access online content.
The organisation through which an individual is accessing the site – whether a university, employer, library etc. – can configure account creation in OpenAthens to request additional details, for example job role or department, but this is not mandatory and is a choice made by the OpenAthens customer. OpenAthens only collects and processes the information the organisation specifies.
2) Data should be held for as little time as possible
The maximum time that OpenAthens continues to store personal information is one year after the account expires. All of the data is then deleted from our system.
Information can be kept for up to 12 months after the account expires because many individuals choose to return and renew their accounts within this time.
Organisations can set a shorter expiry time when creating an account with us, so account information is only retained for as long as the organisation administrator keeps renewing the account each time it reaches its expiry.
3) Personal data must be adequately protected against unauthorised access
OpenAthens has in place a wide range of security features and adheres to internationally recognised information security standards.
All data transmitted between the database, our applications and the user’s browser is encrypted, and all critical data is encrypted and stored behind a firewall.
To support our security features, it is vital that data controllers or identity providers ensure user accounts are kept up to date. For example, if a member of staff leaves, their account should be promptly deleted, or updated to reflect their alumni relationship with the organisation, so that access does not outlive the entitlement it was granted for.
4) Data subject rights
These rights enable people to ask what data an organisation holds about them, why it holds it and what measures are in place to protect it, and to demand that it is erased.
OpenAthens has the ability to pull together all the relevant information and produce a PDF report with all the details held on any individual if requested.
One of the main features of OpenAthens is that it puts data subjects or administrators in charge of their own data. The organisations that use our system are the only ones that work with their end users’ information and can change it. We simply accept the information and process it. Organisations acting as data controllers must have robust policies and processes of their own in place in relation to user managed consent for collecting people’s personal data.
This means such requests have to come via the individual user’s administrator, which is the organisation through which they have been given access, i.e. a university, library, publisher etc. If the individual asks their administrator for their personal details, the request is fulfilled by the OpenAthens Service Desk, who send the data to the organisation administrator to pass on to the account holder.
5) Data breaches can lead to tough penalty fines and reputational harm
Under GDPR, the Information Commissioner’s Office can impose large fines in cases of severe compliance failures or breaches of the regulations. Even more significant is the reputational damage that would result from a data breach.
Since its founding, OpenAthens has had mechanisms in place to rapidly identify potential data security breaches or cyber-attacks. The service is continually monitored, and it alerts the support team whenever unusual behaviour is detected, such as the same login being used from different geographic locations within 24 hours.
The facilities and features in OpenAthens are designed to spot warning signs and prevent breaches before they happen.
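The "same login from different geographic locations within 24 hours" check described above is a simple form of impossible-travel detection. The following is an added illustration of how such a rule can be evaluated over authentication logs; it is example code written for this page, not OpenAthens’ own detection logic, and the log line format (timestamp, event, `user=`, `country=`) and the sample lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real OpenAthens output).
# Format assumed for this example: "<ISO-8601 UTC timestamp> login user=<name> country=<ISO code>".
SAMPLE_LOG = """\
2018-02-07T08:02:11Z login user=alice country=GB
2018-02-07T08:15:40Z login user=bob country=GB
2018-02-07T13:47:05Z login user=alice country=BR
2018-02-07T18:30:00Z login user=bob country=GB
2018-02-08T09:00:00Z login user=carol country=DE
2018-02-09T10:30:00Z login user=carol country=US
2018-02-09T11:00:00Z login user=dave country=FR
2018-02-09T11:05:00Z login user=dave country=FR
"""


def parse_line(line):
    """Return (timestamp, user, country) for a login line, or None for other events."""
    parts = line.split()
    if len(parts) < 3 or parts[1] != "login":
        return None
    fields = dict(f.split("=", 1) for f in parts[2:])
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["user"], fields["country"]


def find_impossible_travel(log_text, window=timedelta(hours=24)):
    """Flag logins where the same user appears from two different countries
    within `window` of each other. Returns a list of
    (user, earlier_country, later_country, earlier_ts, later_ts) tuples."""
    logins_by_user = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            ts, user, country = parsed
            logins_by_user[user].append((ts, country))

    alerts = []
    for user, logins in sorted(logins_by_user.items()):
        logins.sort()  # chronological order
        for i, (ts, country) in enumerate(logins):
            # Walk backwards through earlier logins; stop once outside the window.
            for prev_ts, prev_country in reversed(logins[:i]):
                if ts - prev_ts > window:
                    break
                if prev_country != country:
                    alerts.append((user, prev_country, country, prev_ts, ts))
    return alerts


if __name__ == "__main__":
    for user, c1, c2, t1, t2 in find_impossible_travel(SAMPLE_LOG):
        print(f"ALERT {user}: {c1} at {t1:%Y-%m-%d %H:%M} then {c2} at {t2:%Y-%m-%d %H:%M}")
```

In the constructed sample, only `alice` trips the rule (GB then BR about six hours apart); `carol` also changes country but more than 24 hours apart, and `bob` and `dave` stay in one country. Country-level geolocation is coarse, and VPNs, mobile carrier gateways and travellers will generate false positives, which is why a hit like this is best routed to a support team for review, as the article describes, rather than used to lock the account automatically.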
6) Transparency and information notices
Businesses must provide clear information before undertaking any automated decision, and must give clear information notices explaining why personal data is being collected at the point of collection.
When a user account is created with OpenAthens, an activation e-mail is sent to the individual explaining why the information is needed and how it will be used. If people don’t activate their account after receiving this e-mail, all of their data is deleted.
Eduserv has an established reputation for achieving high security standards. It supplies services to the UK government and is ISO 9001 and ISO 27001 certified.
Data protection and internet security are at the heart of the unrivalled federated access service we provide, and always have been.
View our privacy notice for more information about how we comply with the new data protection regulations.