South African eduroam Privacy Statement


eduroam (education roaming) is a secure, world-wide roaming access service developed for the international research and education community. eduroam allows any user from an eduroam participating site to get network access at any location that provides eduroam service.


The basic principle underpinning the security of eduroam is that the authentication of a user is carried out at his/her home institution (Identity Provider, IdP) using the institution’s specific authentication method. The authorisation required to allow access to local network resources is carried out by the visited institution (Service Provider, SP).


Thus the eduroam roaming consortium is comprised of many legal entities: (N)ROs, IdPs and SPs. (National) roaming operators ((N)RO)  are entities that operate the eduroam service for a country or economy and coordinate the activity of IdPs and SPs in the respective territory.


This Privacy Statement covers those parts of the services operated by the South African national roaming operator. We respect your rights under the Protection of Personal Information Act, 2013 and this Privacy Statement exists to ensure you know how we process your personal information.


When roaming outside of South Africa you should be aware that your personal information may be collected and retained by other entities involved in eduroam.


Why we process Personal Information


We process information in order to provide a reliable and secure eduroam service and to ensure and improve the quality of the eduroam supporting service. The eduroam service is designed in a way that we don’t need to know end-user identity in order to provide the service. However, it is up to individual IdPs to correctly configure the service to make this possible for their users — consult your home organisation for more details.


We also collect data related to IdPS and SPs to enable supporting services. Access to the data collected by our management system and other supporting services which is considered private is limited to authenticated, responsible personnel of TENET, the SANReN Competency Area, GÉANT and other NROs.


What Personal Information we process


As part of the eduroam service, we process the following information:



  • When you roam within South Africa or abroad we will receive and log the following data: your realm (denoting your institution and federation) and MAC addresses. We can also receive your username if you have not chosen to anonymize this data or if your home identity provider (IdP) does not support this feature.

    In addition to the above, we process information about the visited country, visited institution and authentication outcome for monitoring, measuring and reporting services.

  • When you connect to an eduroam wireless network at your home institution, the requests should be handled within your institution and we should not receive any information whatsoever.

  • As part of supporting activities, we maintain public websites where we collect normal web server logs, i.e. timestamp of access, IP address which requested the page, the page being requested, the HTML result code, etc. The data collected is for the purpose of troubleshooting and debugging potential problems with eduroam web servers.

  • We run various mailing lists, and these lists may make the personal information (name, email address) of subscribers available to other subscribers. In addition, when a subscriber posts to the list, the resulting email may be archived on a publically accessible web site.

  • When you make use of the eduroam Visitor Access service, personal information (name, email address, cell phone number) of visitors and their sponsors is made available to authorised institutional administrators.


TENET has a legitimate interest in this data processing. There is a legal obligation and contractual necessity to retain some logs.


Who do we share information with?


When roaming in South Africa we share the roaming data described above with both your home organisation and the organisation you're visiting. This is necessary to make authentication work.


When you visit other countries (or visit South Africa from another country) we share the roaming data described above either directly to the national roaming operator for that country or via the eduroam top-level servers in Europe. Again this is necessary to make authentication work.


We supply the global eduroam Operational Team information related to IdPS and SPs to enable supporting services and improve incident response and user support. The contact information collected in the eduroam database is used by the OT and other NROs in order to resolve security incidents and debug problems reported by the end users. The data provided is based on the eduroam Policy.


We forward some anonymised statistical information about the use of our services to the eduroam monitoring service operated by GÉANT and located in Europe. 


We make use of a third-party analytics service (Google Analytics) to provide insight into how users interact with various websites. This information is used to improve the user interfaces for these sites. The analytics service may set cookies within an end user’s web browser, and these cookies may contain an opaque identifier to uniquely identify the browser. In addition, the analytics service may collect anonymous information about an end user’s browser (such as display size, version, capabilities, etc).  You may opt out of this tracking.


The eduroam Visitor Access service makes use of a third-party SMS processor, currently MessageBird BV and/or Clickatell (Pty) Ltd. When an SMS is sent, the processor gets the body of the message together with the recipient's mobile/cellular number.


Personal Information retention


All data related to roaming are kept for a period of six months (184 days).


Personal information related to guests of the eduroam Visitor Access service is retained for six months after the last login/expiry of guest access. Information related to users and administrators is kept for as long as their institution designates them as such.


Statistical and analytical data is currently retained indefinitely.


Security


As noted above, the eduroam service is built with security in mind and we deliberately minimise the personal information we collect and retain. We also ensure that access to information such as logs is limited, and we endeavour to follow industry best practices when it comes to securing our infrastructure.


Corrections and objections


You have the right to ensure the data we process is accurate. However, except in very limited circumstances, if there are errors in your personal information, you'd need to contact your home organisation's IT help desk.


If you have any objection to the way we process your personal information, you are welcome to abort any login process and contact us.


Information officers


TENET’s information officers (data protection officers) can be reached via email at dpo@tenet.ac.za.


Other documents


Further details of the SA NREN's handling of personal information may be found in TENET's Privacy Policy and the CSIR's Privacy Notice.


Information on the privacy of eduroam beyond South Africa can be found in the global eduroam privacy notice.


Google Analytics has comprehensive privacy information available.


MessageBird B.V's privacy notice and Clicktell (Pty) Ltd's privacy notice are both relevant to users of the eVA service.