Technology | Martyn Jansen| May 24, 2018
As GDPR comes into effect, a variety of services may be affected. One of these services is authentication. Find out how OpenAthens is tackling this issue for its customers.
With General Data Protection Regulation (GDPR) on the horizon, a variety of services may be affected. One of these services is authentication. EBSCO’s partner, OpenAthens, which provides an authentication service that delivers access management and single sign-on along with intelligent statistics, has been working with EBSCO to assess compliance. To prepare for GDPR, Martyn Jansen, Contracts & Legal Manager for Open Athens’ parent company Eduserv, provides some background on GDPR and outlines the updates OpenAthens has made to become compliant.
As experts in federated access management and online identity, OpenAthens has always made data protection and online security a key focus as these are central to its industry-leading offering. However, we have viewed these changes as an opportunity to review and enhance our data collection and security processes. Here are highlights of the key forthcoming changes and what we are doing to ensure compliance:
OpenAthens only requires a username, password, e-mail address and the person’s name to create the unique identification needed for people to set up an account and access on-line content. The organization through which an individual is accessing the site — whether a university, employer, library etc. — can configure the account creation in OpenAthens to request additional details, for example job role or department, but this is not mandatory and is a choice on the part of OpenAthens’ customers. OpenAthens only collects and processes the information the organization specifies. This data is never used for OpenAthens or EBSCO’s own purposes. It is only processed to provide authentication and reporting services to customers.
The maximum amount of time that OpenAthens continues to store personal information is for one year after the account expires. All the data is then deleted from the system. Information can be kept for up to 12 months after the account expires because many individuals choose to return and renew their accounts within this time. Organizations can choose to set their expiry time at less than a year when creating an account, so the account information will only be kept while the organization administrator renews the account when it reaches its expiry.
OpenAthens only collects and processes the information the organization specifies. This data is never used for OpenAthens or EBSCO’s own purposes. It is only processed to provide authentication and reporting services to customers.
OpenAthens has in place a wide range of security features and adheres to internationally recognized information security standards. All data that is transmitted between the database and applications in a user’s browser and all crucial data is encrypted and stored behind a firewall. To support security features, it is vital that data controllers or identity providers ensure user accounts are kept up to date. For example, if a member of staff leaves, their account is automatically deleted or updated to reflect their alumni relationship with the organization.
Under GDPR, large fines can be imposed by the Information Commissioner’s Office in cases of severe compliance issues or breaches of the regulations. Even more significant is the reputational damage that would result from a data breach. Since its founding, OpenAthens has had mechanisms in place to rapidly identify potential data security breaches or cyber-attacks. The service is continually monitored and it alerts the support team whenever unusual behavior is detected (such as the same login being used from different geographic locations within 24 hours). The facilities and features in OpenAthens are designed to spot warning signs and prevent breaches before they happen.
Businesses must provide clear information before undertaking any automated decision and provide clear information notices explaining why they are taking personal data during the data collection process. When a user account is created with OpenAthens, an activation email is sent to the individual that explains why the information is needed and how it will be used. If people don’t activate their account after receiving this e-mail, then all the data is deleted.
OpenAthens has an established reputation for achieving high security standards. It supplies services to the UK government and is ISO 9001 and ISO 27001 certified. Data protection and internet security is at the heart of the unrivalled federated access service OpenAthens provides and always has.
View OpenAthens' privacy notice for more information about how they comply with the new data protection regulations.
For ten years, Martyn has provided legal and contracts support to all Eduserv’s lines of business. He has more than 20 years of experience successfully drafting, negotiating and managing sale and procurement contracts in engineering and IT in public and private sectors in the UK and overseas. Martyn has worked for start-ups and some of the UK’s largest companies. He helped develop the original NEC contract. Martyn was commercial manager for ICL’s Prestige project with London Underground which spawned the Oyster card. In a similar role on BT’s 21C fibre to the home project he led BT Infinity to being established. His central role was in the leading UK contract law case. Martyn has extensive general management experience and board exposure.
Your comment will be reviewed by a moderator for approval.