Taking your personal information seriously – the OpenAthens Privacy Notice
OpenAthens is a Jisc enterprise. Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. If you are a visitor to this website or an OpenAthens user, or if you represent an organisation that uses OpenAthens, we want to explain how we respect your privacy. If you have any questions about this privacy notice or about your personal information, then please call 0300 121 0043 or email firstname.lastname@example.org.
Our overall policy is to collect the minimum personal data that we need to provide you with the OpenAthens service and to keep you updated about it. We keep personal data for as short a period as possible and take good measures to protect it. We’re always happy for you to check the data we have about you and we’ll delete it if you want us to – unless this would mean we wouldn’t be able to provide your organisation with the OpenAthens service.
How have we got your information
- You may have given us your personal data yourself. For example, you may have given us your business card at an event, emailed us requesting information, or filled in an online form so that you could download a report, document or some other information.
- We may have found your contact details at some publicly available source but in this case, we wouldn’t use them without your consent.
- The organisation you work for may have given us your personal data or asked you to give it to us because your role is key to the OpenAthens service or because you need to be an OpenAthens user.
What information do we collect
- If you are an OpenAthens user your organisation may have asked us to create an account for you. To do this we only need your name and email address. We encrypt this information so that we don’t disclose your identity to the publishers whose resources you need to access unless your organisation asks us to do so. If your organisation creates your account they will choose what information to collect and what information to disclose to publishers. This OpenAthens Privacy Notice can’t address that situation, you need to contact your organisation’s OpenAthens administrator if you have any questions.
- If you are the OpenAthens contact for your organisation or someone who has expressed an interest in OpenAthens, we only require your name, your role or job title, your department, the name of your organisation and your business contact details (phone numbers and email address).
- Occasionally we might ask you for other personal information when we run an event or an online survey. We’ll always make it clear why we’re collecting that information and how long we’ll keep it and of course, it will be up to you whether you want to participate in the event or survey.
What we do with your information
We only use your information in connection with the OpenAthens service.
- We may contact you with news about OpenAthens including changes and improvements to service and to tell you about any events or surveys that we’ll be running.
- If you’re the nominated contact for your organisation, we may also need to use your personal data to process your purchase orders, invoices and payments and to contact you about the service. This means we might need to share your personal data with some of our suppliers/service providers.
- If you’re an OpenAthens user and we were responsible for creating your account, we anonymise your personal data when we deliver the OpenAthens service to you and we do not sell or share your personal data with any third party.
Contact us for if you’d like details about any specific third party that we’re using.
How we protect your information
- We adopt best industry practice to protect your information by aligning with the international standards for information security such as ISO27017 and ISO27018 and we hold our own ISO27001 certification. We keep your personal information behind firewalls to prevent unauthorised access and it’s encrypted in transit.
- If you’re the nominated contact for your organisation your information may also be kept in public or private clouds used by the service providers we’ve selected for our finance systems. We only use service providers where we are happy with the security measures they implement to protect the data we entrust them with.
- All other third parties, wherever they are located, who have to use your information in connection with the OpenAthens service must give us contractual commitments to adopt practices consistent with the requirements of the General Data Protection Regulation.
How long do we keep your information
- We’ll keep your personal information until you tell us not to. All our communications will ask you if you want to continue receiving OpenAthens news. Every couple of years we’ll also contact you to check that you’re still happy to hear from us.
- However, by law we must keep financial records such as purchase orders and invoices for six years. If you’re the nominated contact for your organisation, your details might appear on these records. But apart from this, we keep your information until your organisation tell us not to – for example when you stop working for them or because your job role has changed. In any case, we contact your organisation every two years to check that your details are still valid. One year after your organisation’s OpenAthens contract ends, we’ll contact you to see if you want us to delete your contact details or whether you’d like us to continue to send you OpenAthens news.
How you can check your information
- We’re happy for you to check the information we have about you at any time. You can ask us to tell you what information we have, why we have it, how we protect it etc. You can also check that your information’s accurate and we’ll make any corrections promptly. Similarly, we’ll delete your information if you ask us to.
- Please note that if you’re an OpenAthens user or the nominated contact for your organisation, we’re obliged to check with them before we delete your information. This is because they are the data controller for your information and, for example, your organisation might need us to substitute someone else’s contact details before we delete yours.
- If you want to know about your information please use the contact details shown at the top of this notice.
This OpenAthens website contains links to other websites. Your visit to those other websites will be governed by their own published privacy policies.
Changes to our information security practices
We review our information security practices frequently, so this privacy notice will be updated periodically, therefore we suggest you check it from time to time.
Effective from 2 January 2019 the data controller for OpenAthens has changed from Eduserv to Jisc. This reflects the merger between Eduserv and Jisc.
The version that appears here was published in January 2019.