Description of a service for verification of Assurance Level

This service is part of the administration process of Assurance Level and is used to verify people using EduID.

Processing of personal data

Transfer of personal data

Personal data is transferred from the identity provider to the service, in order to ensure that the person is allowed to access information supplied with the service and also to provide a degree of personalization in the service.

With a successful authentication with the service, the following personal data (attributes) will be requested from the identity provider:

Personal data	Purpose	Technichal name
Unique identifier	Used to verify personal data against the university's system.	eduPersonPrincipleName
		norEduPersonNIN
		samlSubjectID
Identifier of person	Used to verify personal data against the university's system.	personalIdentityNumber
		schacDateOfBirth
		givenName
		Sn
		eduPersonAssurance
		schacDateOfBirth
		givenName
		sn
		mail
		mailLocalAddress
		displayName
Assurance level	Used for verification of Assurance level.	eduPersonAssurance
Affiliation	Type of affilitation with the organization	eduPersonAffiliation
		eduPersonScopedAffiliation
Country	Country name	c
		co
Organization	Information on the organization	o
		norEduOrgAcronym
		schacHomeOrganization
		schacHomeOrganizationType

Aside direct personal data, related information, such as the person’s home organize and which identity provider that was used, is also transferred. These items of information can in combination with the requested attributes be used for unique identification.

Other processing of personal data within the service

Depending on which function with the service is used, different personal data is handled in different ways. This may include user-provided information received, data from Ladok or personal data already present in Mid Sweden University’s information domain.

Our service also produces technical logging for the purpose of error handling and security monitoring. These logs may also include personal data.

Transfer of personal data to third parties

Personal data used for creating the student’s user account within Mid Sweden University’s network will be synchronized with the Mid Sweden University agreement with Microsoft Azure Ad services.

Refer to https://www.miun.se/en/contact/personaldata.

Lawful basis

There must always be legal grounds for the processing of personal data. The most common ones at Mid Sweden University are:

•  that the processing of personal data is essential to complete a task of general interest or the exercise of authority, such as the examination of students. This can also include publishing of photos from an event, as we are obliged to inform the public about our activities.
•  that the processing of personal data is essential to comply with an agreement or a legal obligation.
• that there is a consent from the registered person, for instance when registering for a conference.

Refer to https://www.miun.se/en/contact/personaldata.

Right of access, right of rectification and right of erasure of personal data

Refer to https://www.miun.se/en/contact/personaldata.

Purging of personal data

Refer to https://www.miun.se/en/contact/personaldata.

Personal data controller

Mid Sweden University is the formal data controller responsible for handling personal data. The responsibility for this service is currently delegated to: Helena Wallskog, https://www.miun.se/helenawallskog

Data Protection Officer: Dataskyddsombud@miun.se

Refer to https://www.miun.se/en/contact/personaldata

 

GÉANT Data Protection Code of Conduct

This service complies with the international framework GÉANT Data Protection Code of Conduct (https://www.geant.net/uri/dataprotection-code-of-conduct/v1) for the transfer of personal data from identity providers to the service. This framework is intended for services in Sweden, the EU and the EEA that are used in research and higher education.