Versions Compared

Old Version 43

changes.mady.by.user Stefan Winter

Saved on

compared with

New Version 44

changes.mady.by.user Stefan Winter

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...


Data itemIs personal data (DPO fills in)
1

administrator authentication - supplied from eduroam SP proxy

  • eduPersonTargetedId or equivalent
  • real name
  • email address
x
2

administrator authorisation

  • is user an NRO administrator, and for which country - supplied from eduroam SP proxy
  • initial email address of new institution administrators during signup (supplied from NRO administrator)
  • is user institution administrator, and for which institution - information gathered from NRO administrators and with email voucher verification process
x
3

general institution information - supplied by institution administrator input

  • institution name, multi-language
  • geographical coordinates of institution
  • institution logo
  • whether institution also exists in eduroam database (institution information), and the ID in that database
x
4

eduroam media deployment information - supplied by institution administrator input

  • SSIDs and encryption levels
  • whether or not eduroam is on wired ports
  • onboarding SSIDs which should be removed upon installation
  • Passpoint consortia identifiers
x
5

support contacts of institution - supplied by institution administrator input

  • helpdesk email, multi-language
  • information web page, multi-language
  • Acceptable Use Policy, multi-language
  • telephone contact
x
6

RADIUS/EAP details - supplied by institution administrator input

  • name of deployment profile, multi-language
  • description of deployment profile, multi-language
  • production-readiness state of deployment profile
  • domain name ("realm") for deployment profile
  • anonymous outer ID to be used in installers
  • supported EAP types
  • CA certificates that identify EAP server
  • names of EAP servers
  • redirection URLs for external installer handling, multi-language
  • custom text accompanying installer downloads, , multi-language
  • EAP-TLS username handling directives (does not contain actual user names)
x

...

Dataset description:eduroam Managed IdP is a derivative of eduroam CAT (see above), which additionally produces per-user personalised installation programs and maintains a database of these end users. It also authenticates the end users based on the installed programs
Purpose of processing:allowing administrators to upload and maintain the information needed to manage their end user base to the end of creating eduroam installation programs ("installers") within their country / institution, and to authenticate their users in eduroam
Data source:eduroam database - NRO information & institution information (see datasets above), eduroam SP proxy authentication data (see dataset above), administrator input, produces web server and application logs (cat-pilot.eduroam.org / auth-test.hosted.eduroam.org / auth-test-2.hosted.eduroam.org / ocsp-test.hosted.eduroam.org)
Data storage and access:
  • this needs to be filled in by the sys admins of the servers
Data transfer:None
Data retention:
  • The authorisation status of administrators who ever logged in is retained permanently.
  • Most of the installer-relevant information is kept until the administrator chooses to delete it (then deleted immediately), with the exception of ...
  • ... end user authentication data, which is retained (indefinitely?) even after deletion of users to enable prosecution
Personal data processed: authentication and authorisation data of NRO and institution administrators, pseudonyms of individuals (institutions' end users), authentication logs of end users including indication of location, frequency and timestamps of use

Dataset content


Data itemIs personal data (DPO fills in)
1-5Dataset content items 1 to 5 are IDENTICAL to those of eduroam CAT (see above)
6TBD


Description of fields

The details of service related datasets (data collections) should be filled with a list of all kinds of data which is collected or processed by this service. The table should be filled by the Service Manager and afterwards reconciled with the GEANT Data Protection Officer in order to address GDPR requirements. One service often incorporates several datasets.

<dataset_name> - name of dataset (collection of data processed in similar way).

Dataset description: brief explanation of the kind of information or entities the dataset contains.

Purpose of processing: what is purpose of data collecting and processing.

Data source: what are source(s) of data - list of services, systems, applications, databases or similar source components, including user's input, from which data are being received. E.g. RIPE database, service ABC, organisation LDAP directory...

Data storage and access: describe where the data are stored, backup-ed etc. and who has access to the data.

Data transfer: list of other services, systems, applications, databases or similar destinations to which data are being sent. E.g. RIPE database, service ABC, GÉANT's database XYZ...

Data retention: describe data retention policy ie. for how long data are stored before being deleted. E.g. 1 year, 2 years after contract ending, forever...

Dataset content

  • Data item: a specific dataset item. It may be an attribute, component or structure within a dataset that can be clearly described in terms of content. If attribute, it is usually described with the formally assigned name and corresponding explanation of meaning, purpose, expected content or allowed values. Property values characterise all or some items (records, members...) within the dataset.
  • Is personal data (DPO fills in): whether this item is (a part of) personal data. Decided and entered by the GÉANT Data Protection Officer while analysing the GDPR requirements. Answer Yes of No.

...