UH Login Privacy Policy


Background

With InCommon Federation's membership in the Research and Education FEDerations group (REFEDS) and its growing global reach, the normalization of authentication and identity management operational practices and policies across all Federation participants is well underway.  Participation requires an Identity Provider to provide a Privacy Policy.

The UH Login Privacy Policy

Introduction

The University of Hawaii (“UH”) recognizes and respects the privacy interests of its community members. This document describes the UH Login privacy policy with regard to data that the UH Central Authentication Service (CAS) and the UH Shibboleth IdP (Shib) share with UH online applications and with select third parties.

The UH Login service allows UH members to use their credentials (UH Username and password) to single sign-on (SSO) to a variety of UH and cloud-hosted applications supporting academic, research, and administrative activities.  Example applications include Kuali Financial System, Banner for student information, Google@UH for Google services, and Kuali Curriculum Management.  

The ITS Identity and Access Management team (IAM) is responsible for the authentication and identity management operational practices and for ensuring that these practices comply with both the InCommon Federation participation requirements and the UH Data Governance policies and practices.

Privacy Statement

The UH Login service ensures that applications do not have access to your password.  UH Login will handle confirmation of a successful authentication on behalf of the application.  This is important for ensuring the security of your credentials.

Permission to release information about you:
If, upon review of this information, you do not want to release the indicated attributes about you to an application, you may elect not to use it.  Note that this does not imply that there are alternatives.

Re-use or distribution of information about you
The attributes released to an application are deemed necessary for the appropriate use of that application; that is the only purpose for which the attributes are released.  Any subsequent re-use for other purposes may be in violation of UH Institutional Data Governance policies.  If you detect such misuse of your information, see below for how to contact us.

Sharing of Data with Campus and UH Online Applications

In order to support online services, a standard set of attributes is released to UH applications.  Note that each UH application must be officially registered before it is enabled to utilize UH Login. The CAS Attribute Release policy is documented here:

Sharing of Data with Third-Party Hosted Applications

Third-party (AKA Cloud) applications are subject to an additional Data Governance vetting and approval process.

In order to provide federated services for teaching, research, and administration, UH Login will release a minimal set of required attributes as determined by the Data Governance process.  

UH Data Governance Oversight

The Identity and Access Management (IAM) practices are subject to UH Data Governance oversight.  The UH Data Governance Office reviews the standard operating procedures for IAM handling of application integration requests for authentication (and subsequent release of attributes).  All requests for authentication are vetted, logged, fully documented, and are available for review at any time by the UH Data Governance Office.  IAM practices define which requests the IAM team may fulfill and which must be vetted directly by the UH Data Governance Office.

Why is Data Shared with Online Applications

Online applications often need to authenticate you to know who you are.  Once a person is successfully authenticated, the application requires a unique identifier in order to access any personal preferences or other information it needs to track in order to efficiently support you.  The application may also need to know if you are a student, faculty, staff, etc. in order to know what information or functions to present.  An application may also save your name if needed to identify you to others, say for an automated workflow.

How Data Is Protected

UH provides a set of policies to ensure privacy and the protection of sensitive information.  

  • EP 2.214 - Security and Protection of Sensitive Information

  • EP 2.215 - Institutional Data Governance

  • EP 2.216 - Institutional Records Management and Electronic Approvals/Signatures

These policies are documented here:

Notice for Updates and Changes to Policy

This policy will be updated on occasion and the most current version will always be posted here.  We encourage you to review it regularly. 

Who to Contact if You Have Questions

Questions can be directed to <its-iam-help@lists.hawaii.edu>.