eduroam(UK) Privacy Notice for end users

When you use eduroam when roaming away from your home organisation, we will collect an identifier of your device ('calling-station-identifier') and the time stamp of any connection attempt. Whilst not personally identifiable information, we will also collect an identifier of the organisation providing the eduroam Wi-Fi service you are connecting to ('operator-name'). We will also collect the 'outer' identity username in the authentication request. The outer identity username is used to route the request to your home organisation and if you have not set this to be anonymous it will contain your user identity. You should configure your device to use an anonymous identity and in this case the information we collect only identifies your home organisation. The items of personal data we collect are not sufficient in themselves to enable eduroam(UK) to identify you as an individual, but may be passed to legitimate authorities.

We collect this information in order to enable a secure and trusted eduroam service to be provided, to produce anonymised usage statistics, to facilitate troubleshooting and to provide compliance with the Janet Security Policy and Acceptable Use Policy and to maintain the private network status of Janet. The collection of this information is also mandated by the European eduroam confederation of which eduroam(UK) is a member and which facilitates international roaming.

When you use eduroam away from your home institution, the local eduroam service provider will collect an identifier of your device ('calling-station-identifier') and the IP address. It will also collect the 'outer identity' you have set on your device (which may be anonymous, but you may have set this to contain your user identity) and it will collect the time stamp of any connection attempt. This information is collected in order to enable a secure and trusted eduroam service to be provided, to produce anonymised usage statistics, to facilitate troubleshooting and to provide compliance with the Janet Security Policy and Acceptable Use Policy and to maintain the private network status of Janet. This information on its own cannot be used by the visited site to identify you as an individual, but may be passed to legitimate authorities. When you use eduroam away from your home institution, your home organisation will also collect authentication event data.

When you use eduroam at your home organisation, eduroam(UK) does not collect any data. Your home organisation however does collect authentication event, IP address allocation details, timestamp and your username as these are necessary to allow you to use the organisation's network - you should refer to your organisation's privacy policy for further details.

The data we collect will be held for a maximum of 12 months. Access to it will be restricted will only be passed on to other eduroam member organisations, Geant the European eduroam operator or to UK national authorities, in order to co-operate in investigations of breach of Security or AUPs or the law; except that the device identifier may be passed on to Geant to produce anonymised usage statistics. In general we will only use your information in line with the Jisc GDPR Policy.