UK IRIS Privacy Notice

The UK e-Infrastructure for Research and Innovation for STFC (“UK IRIS”) is a body of peer participant organisations co-ordinated for the purpose of sharing IT resources and services to further the science goals and missions supported by those organisations.
This Privacy Notice is a statement by the UK IRIS Community Coordination body of data protection and privacy for UK IRIS as a whole and applies to all UK IRIS services, including the related IT infrastructures used for data storage and analysis by the science communities that UK IRIS supports.

General Principles:

UK IRIS considers it important to process only such personal data as is required for the proper functioning of UK IRIS. All UK IRIS services are bound to a common policy framework for Data Protection and Privacy which is available at .
The personal data detailed below is collected for the purposes of identification, authentication, authorisation, access control, accounting, billing, resource management and information security. The legal basis for processing this data is for the purposes of the legitimate interests pursued by UK IRIS and the science communities that UK IRIS supports in order to provide IT services to its users.
Where the processing requirements of a service are not covered by this document, the managers of the service are responsible for providing their own Privacy Notice to the user.

What personal data is collected from you and why?

  1. Registration

    When you register to use UK IRIS services, the following data may be collected and associated with your account:

    • Personal Name
    • Professional email address
    • Employing institute
    • Science community affiliation and validity dates
    • Science community groups and roles
    • Professional address and telephone number
    • A non-reassigned, unique personal identifier - for example, the Subject Distinguished Name (DN) from your personal certificate

    This data is necessary for security and accounting purposes to uniquely and properly identify and authenticate you when creating an account for subsequently accessing UK IRIS services.

  2. Access

    When you access UK IRIS services, log records of your access to and actions on UK IRIS resources are created. These records may contain:

    • your unique identifier (as described in 1, above)
    • your science community group(s) and role(s)
    • the network (IP) address from which you access the services
    • the date and time of access
    • details of actions you perform

    In combination with the registration data above, these log records are necessary to meet the reliability and security requirements of UK IRIS services and for resource management purposes. This includes authentication, authorisation, accounting, security incident handling, assisting in the analysis of reported problems and for contacting you if a problem is identified with your account.

Retention Period of your Personal Data

Access logs and accounting records are kept for up to 18 months before being anonymised or deleted.
UK IRIS will keep your user registration data for as long as you remain a registered member of your Science Community plus the maximum accounting record retention period. In order to enable UK IRIS to support the user employment life cycle, e.g. to confirm your identity when you return after a period of absence, and unless you explicitly request otherwise, UK IRIS may keep your registration data for up to 36 months after you leave.

How your personal data is protected

Your personal data is protected against unauthorised disclosure, modification or deletion, by technical and organisational measures, including during transfer as described below, as required by the policy framework for Data Protection and Privacy.

Who has access to your personal data?

UK IRIS will make your personal data accessible only to those authorised by UK IRIS, and only for the purposes described above.

To whom do we transfer your data?

Your personal data may be transferred only to the following parties, and only as far as is necessary to provide the UK IRIS services that you make use of:

  • authorised UK IRIS participants,
  • third parties whose data privacy and protection policies are equal to or more restrictive than the UK IRIS policy.

Other transfers are not allowed except where legally required.

What rights do you have related to our processing of your personal data?

You have the right to access a copy of the personal data we hold about you and you may request that, where allowable, we:

  • rectify them if inaccurate
  • cease their processing
  • delete them.

If your request is not applicable, we will write to tell you of this including the reasons why.
Changes to or removal of personal data may limit your access to UK IRIS services.
Where appropriate, in the first instance, use the contact details provided by the service in question. If this does not resolve your concern and for other cases, please use the contact details given below.

REFEDS Data Protection Code of Conduct

The IRIS-IAM is committed to following the REFEDS Data Protection Code of Conduct. Your personal data will be protected according to the Code of Conduct for Service Providers, a common standard for the research and higher education sector to protect your privacy.

Who to contact if you have a query about this privacy notice?

Please e-mail, with subject "ATTN: Privacy Policy"
The IRIS IAM is ran by the Science and Technology Facilities council, and is registered at:

As such this privacy policy falls under the jurisdiction of England and Wales - please see the UK Information Commisioners Office guide for further info.

How to complain to a supervisory authority.

You have the right to lodge a complaint with a supervisory authority in relation to our processing of your personal data. For example, the UK Information Commissioner’s Office ( or another applicable authority for where you live, your place of work or the location of the service you are accessing, from the EU Data Protection Board web page (

Effective Date: 26/06/2019