Description of the eduroam Service

The eduroam  service eduroam (education roaming) is a secure, world-wide roaming access service developed for the international research and education community.  eduroam allows any user from an eduroam participating site to get network access at any institution connected to eduroam.

The eduroam roaming consortium is comprised of many legal entities. GÉANT is the body which is responsible for the international coordination and interoperability of eduroam. As such GÉANT operates a number of services for the eduroam consortium on the European level, some of which store data about ongoing usage by end users. Those services at a European level are maintained by eduroam Operations Team (OT). This privacy policy concerns part of the eduroam consortium that is operated and maintained by GÉANT including, but not limited to, the following services: the European international authentication proxy infrastructure, European F-Ticks collection and the eduroam Configuration Assistant Tool (CAT).

We are fans of privacy, and we are proud to say that eduroam was designed for minimal disclosure of end users personal data. The design of the system provides and favours the end user anonymization, i.e., a possibility to hide the end user’s identity from any third parties, including providers of the eduroam network access (Service Providers). The consortium's technical foundations have a built-in support for end user privacy throughout the authentication process. For all intermediate supporting services, like routing of authentication requests and F-Ticks (log format for distributed federations), we strive towards knowing *nothing* about the actual identity of an end user, while still maintaining log traces which allow for debugging and monitoring of usage statistics.

To view the general Privacy Notice for GÉANT, please visit the GÉANT website. 

Why We Process Personal Data

We process various data in order to provide the eduroam service and to ensure the quality of services we provide and to improve and protect them. The eduroam service is designed in a way that we don't need to know end user identity in order to provide the service: partners within eduroam federations can anonymise potential end user's private data.  We give advice and guidance to the community that recommends the highest levels of anonymity of data in all deployments. 

We also collect data related to National Roaming Operators (NRO) to help support the administration of the service through a contacts database. 

What Personal Data We Process

As part of the eduroam service, we process the following data:

• When you roam and visit other countries, the eduroam OT will receive the following data: your realm (denoting your institution and federation), your IP and MAC addresses. We can also receive your username if the visited institution choose to not anonymise this data. When you roam to another institution within your home country we don’t receive any data because the European international authentication proxy infrastructure is not included in that process.  The service has a legitimate interest in processing this information.
  
  
• When you roam and visit other countries or other institutions within your federation we may also process the following data for monitoring, measuring and reporting services: visited federation, producer of your NIC card and authentication outcome. We can also receive your username and your MAC address if visited institution choose to not anonymise this data and name of the visited institution if the visited federation choose to send this data. The service has a legitimate interest in processing this information.
  
  
• As part of supporting activities we maintain several public web sites (e.g. web of CAT service) where  we collect normal web server logs, i.e. timestamp of access, IP address which requested the page, the page being requested, the HTML result code, etc. The data collected is for the purpose of troubleshooting and debugging potential problems of with eduroam web servers and therefore the service has a legitimate interest in processing this information. 
  
  
• As part of administration activities, the eduroam Operational Team maintain a database of contacts for National Roaming Operators only. We process contact name, email address and phone numbers of Operator contacts to support incident response and operational information flow for between the Operators and the eduroam OT.  This information is only accessible by the eduroam OT and is provided with the consent of the NROs.
  
  
• TO DO: CAT.
  
  
• TO DO: eduroam Managed IdP.
  
  

Who Do We Share Data With?

Personal data gathered for website statistics is only shared within the GÉANT Association and the eduroam Operational Team for analysis and reporting. 

All other data is held and processed only by the eduroam OT.  (is this true?)

Personal Data Retention

Analytical data for website statistics is currently retained permanently.

All data related to roaming are kept for a period of six months, unless a different requirement is set by legislation in individual European countries. 

Your Rights

You have the following rights:

• You have the right to complain to the Supervisory Authority (Autoriteit Persoonsgegevens at https://autoriteitpersoonsgegevens.nl) about our data processing activities.

Contact Information