Groupcall IDaaS, UK federation, and Personal Data

Member_of_UKAMF_TranscopyAbout this Document

This document is an appendix to the Groupcall IDaaS Data Sharing Agreement; it specifically covers the additional release of data when a school has enabled UK federation (Shibboleth) Single Sign-On functionality for their users. Schools may wish to use this information within their fair use policy.

This document also explains the technical construction of SAML2 attributes released by Groupcall IDaaS when acting as an Identity Provider within the UK federation to provide full transparency of data usage.

janet_logo

Transfer and Use of Personal Information

  1. Personal information about pupils who are currently on roll:
    • Internal MIS record ID
    • Name
  2. Personal information about adults currently in the employ of the school:
    • Internal MIS record ID
    • Name and title
    • Teaching or Non-Teaching
  3. Personal information about pupil contacts with parental responsibility:
    • Internal MIS record ID
    • Name and title
  4. Information about your school:
    • School establishment number

Use of Data

The Use of Data policy is provided for schools to ensure that, as data controllers they have the ability to share data, and that they consider there to be appropriate measures in place, ensuring that the data is held securely and confidentially.

This document sets out how Groupcall supports these objectives.

Groupcall and its suppliers will be acting as ‘data processors’ as defined by the 1998 Data Protection Act. Groupcall has taken all reasonable measures to ensure the safety and security of the personal information, and continues to review these measures on an on-going basis.

UK Federation Data Security

This information is an appendix to that detailed in Groupcall IDaaS Data Sharing Agreement and applies specific additions when using Groupcall IDaaS in conjunction with UK federation (Shibboleth) Single Sign-On (SSO).

When carrying out SSO requests using Groupcall IDaaS within UK federation there is Personally Identifiable Information (PII) both released to and potentially stored by third parties. Such third parties have consented to the data security and sharing policies of the UK federation. The nature of released PII is covered within this document in both summary and detail.

The scope of these providers at any given time can be determined by reviewing active membership of the UK federation. The UK federation makes daily releases of this information at a technical level and Groupcall IDaaS applies changes to this information, also on a daily basis. In the event of an organisation being removed from UK federation the maximum delay in Groupcall IDaaS reflecting this change is one day.

During SSO, data is transferred over industry standard SSL encryption and protected by cryptographic signature to prevent forgery.

Obtaining Support

Your first port of call for support should be the partner organisation that provided Groupcall IDaaS to you, who are fully trained in IDaaS support.  Should the partner organisation need further assistance then they will escalate their case to Groupcall.

You are reminded that you should avoid sending personal information, such as student records, to Groupcall directly.  You certainly should only send such information when supported by strong encryption, if there is a specific requirement to do so.  Groupcall staff will advise the most secure method for transfer in such cases.

Data Life Cycle

Your data’s point of origin remains in the school MIS. Changes made in the MIS are transmitted to Groupcall IDaaS.

Technical Construction of Attributes

Groupcall IDaaS releases the following attributes when completing Shibboleth single sign-on requests.

NameId

This transient attribute is a randomly generated GUID that is assigned at the start of a login session within IDaaS and persists only for the duration of that session.

 

eduPersonalTargettedId

This is a persistent hash of the following information from IDaaS:

  • IDaaS person
  • IDaaS school
  • IDaaS entity ID
  • Service provider entity ID

 

The identifier is thus unique to the service provider but consistently presents the same value for each session.

 

Changes to properties of the person and school, such as names and usernames, do not affect the generation of this identifier.

 

eduPersonScopedAffiliation

This attribute releases the role of the person and the organisation they are from.  The school is identified by its LA and DfE number at the time of school configuration in IDaaS.

 

The granularity of the role is limited to the following:

  • Student
  • Teaching staff
  • Non-teaching staff
  • Parental
  • Other

 

IDaaS also releases a related attribute eduPersonAffiliation that repeats the role of the person.

 

eduPersonPrincipalName

This attribute contains an internal record identifier for the person.  It is constructed from:

  • A short-code of person type
  • A fixed, persistent identifier from the school MIS
  • The IDaaS school identifier, typically the school LA and DfE number at the time of school configuration in IDaaS.

The same attribute value is released to all parties which means that parties could reconcile their activity records for the signed in IDaaS user with activity records from other parties or with corresponding data from the school MIS, where they to have agreed and permitted access to do so.

While common practice for UK federation identity providers, this attribute does not provide detail of the IDaaS username that was used to log into the service; this information is not released.

 

displayName

Unlike other technical attributes this attribute contains the display name of the logged in IDaaS user.

 

The specific contents of this value are driven by both source MIS data and per-school configuration of IDaaS but typically the following rules apply:

  • Students: {Forename} {Surname}
  • Staff: {Title} {Initial} {Surname}
  • Parents: {Title} {Forename} {Surname}

 

Any issues with this value must be addressed at the school MIS level and will then cascade through IDaaS on the next update.

transparent_10x10

Next Steps...

If you need any further assistance or get in to any difficulty, then please contact Groupcall Support. If the issue affects Groupcall Partner products you should refer to the support arrangements for that specific Groupcall Partner.

…And Finally

Have you followed Groupcall on Twitter and Facebook? Stay informed, get the latest news, updates and useful tips on all of our products!


 

Print Friendly