The UK e-Infrastructure for Research and Innovation for STFC (“UK IRIS”) is a body of peer participant organisations co-ordinated for the purpose of sharing IT resources and services to further the science goals and missions supported by those organisations. This Privacy Notice is a statement by the UK IRIS Community Coordination body of data protection and privacy for UK IRIS as a whole and applies to all UK IRIS services, including the related IT infrastructures used for data storage and analysis by the science communities that UK IRIS supports.
UK IRIS considers it important to process only such personal data as is required for the proper functioning of UK IRIS. All UK IRIS services are bound to a common policy framework for Data Protection and Privacy which is available at . The personal data detailed below is collected for the purposes of identification, authentication, authorisation, access control, accounting, billing, resource management and information security. The legal basis for processing this data is for the purposes of the legitimate interests pursued by UK IRIS and the science communities that UK IRIS supports in order to provide IT services to its users. Where the processing requirements of a service are not covered by this document, the managers of the service are responsible for providing their own Privacy Notice to the user.
When you register to use UK IRIS services, the following data may be collected and associated with your account:
This data is necessary for security and accounting purposes to uniquely and properly identify and authenticate you when creating an account for subsequently accessing UK IRIS services.
When you access UK IRIS services, log records of your access to and actions on UK IRIS resources are created. These records may contain:
In combination with the registration data above, these log records are necessary to meet the reliability and security requirements of UK IRIS services and for resource management purposes. This includes authentication, authorisation, accounting, security incident handling, assisting in the analysis of reported problems and for contacting you if a problem is identified with your account.
Access logs and accounting records are kept for up to 18 months before being anonymised or deleted. UK IRIS will keep your user registration data for as long as you remain a registered member of your Science Community plus the maximum accounting record retention period. In order to enable UK IRIS to support the user employment life cycle, e.g. to confirm your identity when you return after a period of absence, and unless you explicitly request otherwise, UK IRIS may keep your registration data for up to 36 months after you leave.
Your personal data is protected against unauthorised disclosure, modification or deletion, by technical and organisational measures, including during transfer as described below, as required by the policy framework for Data Protection and Privacy.
UK IRIS will make your personal data accessible only to those authorised by UK IRIS, and only for the purposes described above.
Your personal data may be transferred only to the following parties, and only as far as is necessary to provide the UK IRIS services that you make use of:
Other transfers are not allowed except where legally required.
You have the right to access a copy of the personal data we hold about you and you may request that, where allowable, we:
If your request is not applicable, we will write to tell you of this including the reasons why. Changes to or removal of personal data may limit your access to UK IRIS services. Where appropriate, in the first instance, use the contact details provided by the service in question. If this does not resolve your concern and for other cases, please use the contact details given below.
The IRIS-IAM is committed to following the REFEDS Data Protection Code of Conduct. Your personal data will be protected according to the Code of Conduct for Service Providers, a common standard for the research and higher education sector to protect your privacy.
You have the right to lodge a complaint with a supervisory authority in relation to our processing of your personal data. For example, the UK Information Commissioner’s Office (https://ico.org.uk/) or another applicable authority for where you live, your place of work or the location of the service you are accessing, from the EU Data Protection Board web page (https://edpb.europa.eu/about-edpb/board/members_en).
Effective Date: 26/06/2019