Name of the Service

MyAccessID

Description of the Service

The MyAccessID Service enables users to securely access Connected Services and share electronic resources using federated identities from eduGAIN and non-eduGAIN, as well as other trusted Identity Providers.

Leveraging the ubiquitous presence of eduGAIN and other federated identities, the MyAccessID Service enables users to securely authenticate and identify themselves by using federated identities assigned by the organisation they are affiliated with. As research is not confined only in the research institutes and universities, the MyAccessID Service caters also for users coming from the industry or citizen scientists who may not have access to an institutional account. It does so by supporting external (non-eduGAIN) identity providers that provide federated user identities, such as social networks, community identity providers and other platforms, as well as the Guest Identity Provider for users without a federated identity.

Creating a user profile on the MyAccessID Service is voluntary.

This privacy notice describes how we process the personal data of you – data subject – when you use the MyAccessID Service.

Data controller and a contact person

GÉANT VERENIGING (Association) – registered with the Chamber of Commerce in Amsterdam with registration number 40535155 with its registered address at Hoekenrode 3, 1102 BR, Amsterdam, The Netherlands (hereinafter referred to as: “we” or “GÉANT”) is the data controller. For any inquiries regarding MyAccessID, you can contact the [Support Helpdesk] 

Data controller’s data protection officer (if applicable)

Jurisdiction and supervisory authority

The applicable jurisdiction is The Netherlands.

Our lead supervisory authority is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Personal data processed

Data requested from Identity Providers

When you create or use a user profile on the MyAccessID Service, we may request from your home institution or another identity provider of your choice some or all of the following information:

• Identifiers (e.g. unique identifiers assigned by the Identity Provider)
• Level(s) of Assurance
• Given name
• Middle name
• Family name
• Email address(es)
• Affiliations (e.g. student, staff, faculty, employee, collaborator)
• Organisation that issued your identity

Data you provide or manage in your MyAccessID profile

The information that may be processed and visible in your MyAccessID profile includes:

• Honorific
• Given name
• Middle name
• Family name
• Suffix
• Display name(Combination of Given Name and Family Name)
• Sex
• Date of Birth
• Nationality
• Email address
• Language preference

• Type of Organization you might belong to

• Country of Residence
• Organization Display Name
• Country of Registration of the User's Organization
• Organization that issued your identity
• Affiliation
• Username
• SSH public key(s)
• Level of Assurance
• Identifiers provided by identity providers (for example from your home institution or from third parties such as ORCID)

This information is either provided directly by you or by the Identity Provider you choose to use with MyAccessID.

The actual data collected and used by any particular Connected Service that you access via MyAccessID may differ, depending on what that service requires. You can consult the attributes released to services at any time via the [User profile Page].

Data processed for identity verification

Where MyAccessID offers identity verification using a passport or other supported identity document, GÉANT uses ReadID service by Inverid B.V. (Dutch, part of Signicat AS, registered in Norway) to perform document verification. As part of that workflow, facial verification and liveness detection are performed by iProov Ltd within the contracted verification chain.

In this process, data may be read from the identity document and processed in order to verify the authenticity and validity of the document. In addition, a facial verification step is performed in which a selfie image and/or short verification video frames captured from the user’s device are processed to compare the user’s face with the face associated with the identity document and to confirm that the user is physically present during the verification transaction.

MyAccessID itself receives and processes only the verification result and the limited document-related data necessary to record and maintain the verification status in the user profile. MyAccessID does not retain the full passport chip contents or biometric verification data in the user profile.

If verification is successful, MyAccessID may retain the following data in the user profile:

• date of expiry
• document code
• family name
• given name
• date of birth
• date of issue, where available
• issuing country
• nationality
• sex
• a stable identifier generated from the hash of the issuing country and document number

Technical log data

When you use the MyAccessID Service, we also generate and store technical log data, which may include:

• Your actions on MyAccessID along with timestamps
• Connected Services you accessed through MyAccessID
• Your IP address
• The Identity Provider you used

Guest Identity Provider data

When you create an account on the Guest Identity Provider, we collect the following personal data:

• Name and surname
• Email
• Password (stored securely in hashed form)
• Organization
• Reason for Registration

Purpose of the processing of personal data

We process your personal data for the following purposes:

1. Provision of the MyAccessID account and identity service
   • To create and maintain your MyAccessID user profile
   • To link identities from different Identity Providers
   • To identify and authenticate you when you access Connected Services
   • To provide Connected Services with unique, persistent identifiers and minimal attributes necessary for authorisation

2. Identity verification

   • to verify your identity, where this functionality is made available in MyAccessID, using a passport or other supported identity document through ReadID verification service by Inverid B.V. (Dutch, part of Signicat AS, registered in Norway).
   • to perform facial verification and liveness detection in order to verify that the person presenting the document is the same person and is physically present during the verification transaction
   • to receive, record and maintain the verification result and the limited verification data necessary to support verified status within MyAccessID
3. Operation and security of the MyAccessID infrastructure
   • To operate and improve the MyAccessID components (Account Registry, Proxy, Discovery Service)
   • To keep technical logs for troubleshooting, monitoring, capacity planning and service optimisation
   • To detect, investigate and prevent abuse, security incidents and fraud
   • To comply with legal and contractual obligations, including security and accountability requirements
4. Statistics and service reporting
   • To produce anonymized and aggregated statistics about the use of MyAccessID and Connected Services for reporting and service planning
5. Optional communications and features (where applicable)
   • To contact you with optional service information, surveys or user experience studies, or
   • To enable optional profile features that are not strictly necessary for providing access to Connected Services as well as providing unique identifiers and attributes required for those services to grant you access.

Legal basis for processing

We rely on the following legal bases under Article 6 GDPR:

1.     Performance of a contract – Article 6(1)(b) GDPR

When you register and use a MyAccessID account, we process your personal data to:

• create and maintain your account and profile,
• authenticate you to Connected Services, 
• provide unique identifiers and attributes required for those services to grant you access ,and

• provide the requested MyAccessID functionality, including identity verification and verified status where available.

This processing is necessary for the performance of a contract between you and GÉANT for the provision of the MyAccessID Service, or to take steps at your request prior to entering into such a contract.

2.     Legitimate interests – Article 6(1)(f) GDPR

We process technical log data and certain identifiers as necessary to pursue the legitimate interests of:

• operating a secure and reliable identity and access management service,
• enabling research organizations, infrastructure providers and other Connected Services to identify and authorize users correctly,
• preventing misuse and ensuring the integrity and availability of the MyAccessID infrastructure, and
• demonstrating accountability and compliance.

We carefully balance these interests against your rights and freedoms and apply appropriate safeguards, such as strict access controls, data minimization, pseudonymisation where possible, and limited retention periods.

You have the right to object to processing based on legitimate interests (see the “Your rights” section below).

3.     Explicit consent for biometric processing – Article 9(2)(a) GDPR

Where identity verification uses facial verification and liveness detection, biometric data is processed for the purpose of verifying that the user presenting the identity document is the same person and is physically present during the verification transaction.

Because this involves biometric processing, we rely on your explicit consent for that step. If you do not provide that consent, biometric verification cannot be performed and verified status through this method cannot be granted.

You may withdraw your consent to the processing of your personal data by deactivating your account in the MyAccessID service at any time by sending an email to the [Support Helpdesk]. Withdrawal of your consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Recipients

When you use MyAccessID, we may disclose your personal data to the following categories of recipients:

• Connected Services you choose to access, which receive only the attributes necessary to identify and authorise you;
• Other participants in the MyAccessID, such as Identity Providers and intermediary proxies, to the extent necessary to provide the service and ensure secure operation;
• Service operators and contractors acting on behalf of GÉANT and bound by appropriate data protection and confidentiality obligations.

Where identity verification is used, personal data may also be processed by service providers supporting the document-reading and verification workflow, including Inverid B.V. (Dutch, part of Signicat AS, registered in Norway) for document verification and iProov for facial verification and liveness detection.

Data release will be done via secure mechanisms and in accordance with the standards required by GDPR.

The current listing of Connected Services to the MyAccessID Service, which are enabled to receive personal data, is available at the [Connected Services]. 

Statistical data may be gathered from the technical logs. This data is anonymized and does not contain any personal data. Statistical data may be made publicly available by the MyAccessID Service.

Data storage

All data processed by the MyAccessID service is stored within the EU/EEA.

Where identity verification is used, personal data is also processed within the contracted verification chain by Inverid B.V. (Dutch, part of Signicat AS, registered in Norway)and, for facial verification and liveness detection, by iProov Ltd. Processing in that verification chain may take place within the EEA and, for the facial-verification component, also in the United Kingdom, subject to applicable contractual safeguards.

The MyAccessID service is operated under the jurisdiction of the Data Controller.

Where personal data is transferred outside the EU/EEA, such transfers will take place in accordance with applicable data protection law, for example on the basis of Standard Contractual Clause and Transfer Impact Assessment.

Connected services that you choose to access may receive your personal data – those may be based in the EU/EEA, or in countries with less adequate data protection provisions, in which case check the information of those services before being allowed to access those services.

Data retention

• Your personal data associated with your MyAccessID account is kept for as long as your account is active.
• If you do not log in to the MyAccessID Service for 12 consecutive months, your account will be deactivated. Certain limited information may be retained as necessary for audit and security purposes, in line with our retention rules.

Technical logs and related information are retained independently in order to guarantee the security and optimisation of the infrastructure and will be retained for no longer than 18 months, unless a longer retention period is required in the context of an ongoing security incident or legal obligation.

Where identity verification is used, MyAccessID temporarily stores the full verification response for up to 4 hours for debugging and troubleshooting purposes and then deletes it. MyAccessID then retains only the limited verification result and document-related fields needed to maintain verified status for 2 years, after which re-verification is required.

MyAccessID does not retain full passport chip contents or biometric verification data in the user profile.

Within the verification provider chain, verification-related data may be retained for limited periods necessary to complete the verification process, maintain security, prevent fraud, and troubleshoot service issues.

Security

GÉANT takes the confidentiality, integrity and availability of your personal data very seriously. We take appropriate security precautions to protect your personal data from loss, misuse and unauthorised access, disclosure, alteration and destruction. 

In particular: access to technical log data is restricted and can only be accessed in a secure way by the MyAccessID service staff.

Where identity verification is used, MyAccessID is designed to retain only the minimum data needed to record the verification outcome and maintain verified status. MyAccessID does not retain biometric templates or raw facial verification video in the user profile.

Any temporary processing carried out within the contracted verification chain is subject to limited retention periods and technical and organisational safeguards necessary to complete verification, maintain security, and prevent fraud.

When accessing MyAccessID we will have adequate security controls in place to keep your personal data safe in accordance with the classification of the personal data we have collected from you.

Although we endeavor to ensure your personal data remains secure, there is no absolute guarantee of security when using services online. While we strive to protect your personal data, you acknowledge that:

• There are security and privacy limitations on the internet which are beyond our control and which can have a negative impact on the confidentiality, integrity and availability of the information.
• We cannot be held accountable for activity that results from your own neglect to safeguard the security of your login credentials and equipment which results in a loss of your personal data. If you feel this is not enough, then please do not provide any personal data.

Your rights

To access your data, go to the [User profile Page].  You may access and rectify your personal data or deactivate your account by sending an email to the [Support Helpdesk]. 

If you have any additional questions connected with your data protection rights contact the  [Support Helpdesk]

To access, rectify the data released by your Home Organisation (e.g. your university or research institute), contact your Home Organisation's IT helpdesk. You may object to the processing based on the legitimate interest of your personal data by deactivating your account in the MyAccessID service at any time by sending an email to the [Support Helpdesk]. You can also withdraw your consent for the processing based on your consent by sending an email to the [Support Helpdesk].

Moreover, you have the right to file a complaint to the Dutch Data Protection Authority [Autoriteit Persoonsgegevens], Postbus 93374 2509 AJ DEN HAAG, Telephone number: (+31) - (0)70 - 888 85 00.

Data Protection Code of Conduct

Your personal data will be protected according to the Code of Conduct for Service Providers [Code of Conduct], a common standard for the research and higher education sector to protect your privacy.

References

Contact  Information

AWSALB

Essential cookie. Functional cookie used by the Amazon Application Load Balancer (ALB) to support “sticky” sessions. It ensures that requests from your browser are consistently routed to the same backend server so that your session works correctly.

Type: Load balancer-generated HTTP cookie.

Expiration: approx. 1 week. This is the period during which the service can store and/or read this cookie on your device.

SATOSA_myaccessid_PROXY_STATE_LEGACY

Essential cookie. Legacy session cookie used by MyAccessID to support older users’ browsers and maintain a single sign-on (SSO) session towards MyAccessID.

Type: SSO session authentication cookie.

Duration: 20 minutes.

SATOSA_myaccessid_PROXY_STATE

Essential cookie used by MyAccessID to maintain your SSO session and keep you authenticated while you access Connected Services.

Type: SSO session authentication cookie.

Duration: 20 minutes.