This notice, the Multi-VO Rucio Privacy Notice, is effective from 12/10/2021
The UK e-Infrastructure for Research and Innovation for STFC (“IRIS") is a body of peer participant organisations co-ordinated for the purpose of sharing IT resources and services to further the science goals and missions supported by those organisations.
The Multi-VO Rucio provides data management solutions to research communities. Multi-VO Rucio acts as a service to allow users to manage their data across many sites and integrate with workflows for data analysis and storage. Multi-VO Rucio operates under IRIS and in association with EGI
General Principals
Multi-VO Rucio considers it important to only process personal data that is required for the proper functioning of Rucio and its supporting infrastructure.
The personal data detailed below is collected for the purposes of identification, authentication, authorisation, access control, and information security. The legal basis for processing this data is for the purposes of legitimate interests pursued by IRIS, EGI, and the science communities that IRIS and EGI supports in order to provide IT services to its users
What personal data is collected from you and why?
1. Registration
When you register with Multi-VO Rucio for an account to use Multi-VO Rucio services, the following data is collected and associated with your account:
- Personal Name
- Professional email address
- Subject Distinguished Name (DN) from your personal certificate
- The VO you are associated with
This data is necessary for security and accounting purposes to uniquely and properly identify and authenticate you when creating an account for subsequently accessing Multi-VO Rucio services.
2. Access
When you access Multi-VO Rucio services, log records of your access to and actions on Multi-VO Rucio resources are created. These records may contain:
- Subject Distinguished Name (DN) from your personal certificate
- The VO you are associated with
- The time and date of access
- Details of actions you perform
- the network (IP) address from which you access the services
In combination with the registration data above, these log records are necessary to meet the reliability and security requirements of Multi-VO Rucio services and for resource management purposes. This includes authentication, authorisation, accounting, security incident handling, assisting in the analysis of reported problems and for contacting you if a problem is identified with your account.
For how long will your Personal Data be kept?
Access logs and accounting records are kept for up to 18 months before being anonymised or deleted.
Multi-VO Rucio will keep your user registration data for as long as you remain a registered member of your Science Community. In order to enable Multi-VO Rucio to support the user employment life cycle, e.g. to confirm your identity when you return after a period of absence, and unless you explicitly request otherwise, Multi-VO Rucio may keep your registration data for up to 36 months after you leave.
How is your personal data protected?
The Multi-VO Rucio service is committed to following the REFEDS Data Protection Code of Conduct. Your personal data will be protected according to the Code of Conduct for Service Providers, a common standard for the research and higher education sector to protect your privacy. Your personal data is protected against unauthorised disclosure, modification or deletion, by technical and organisational measures, including during transfer as described below.
Who has access to your personal data?
Multi-VO Rucio will make your personal data accessible only to those authorised by STFC and the Multi-VO Rucio service owner, and only for the purposes described above.
To whom do we transfer your data?
Your personal data may be transferred only to the following parties, and only as far as is necessary to provide the Multi-VO Rucio services that you make use of:
- IRIS participants where necessary for the provisioning, operation and security of IRIS services
- trusted third parties for the purposes of security incident response
Other transfers are not allowed except where legally required.
What rights do you have related to our processing of your personal data?
You have the right to access a copy of the personal data we hold about you and you may request that we:
- rectify them if inaccurate
- cease their processing
- delete them.
If your request is not admissible, we will write to tell you of this including the reasons why.
Changes to or removal of personal data may limit your access to Multi-VO Rucio services.
Please make your request using the contact details given below.
What legal basis do we use for processing your personal data?
We use legitimate interest as the legal basis for processing data as it is reasonable to expect that we process such data for the purpose of providing you with Multi-VO Rucio services in a safe and secure manner.
Who to contact if you have a query about this privacy notice?
Please e-mail Rucio-Support@stfc365.onmicrosoft.com, with subject "ATTN: Privacy Policy"
The Multi-VO Rucio is operated by the Science and Technology Facilities Council which is part of UK Research and
Innovation (UKRI), at:
Scientific Computing Dept., R89
Science and Technology Facilities Council
Rutherford Appleton Laboratory
Harwell Campus, Didcot OX11 0QX
United Kingdom
How to complain to a supervisory authority
Details of the UKRI Data Protection Officer and your right to raise issues with the UK Information
Commissioner's Office are available at: https://www.ukri.org/about-us/privacy-notice/
The applicable jurisdiction for Multi-VO Rucio is the United Kingdom of Great Britain and Northern Ireland (GB-UKM).
This work, the “Multi-VO Rucio Privacy Notice" by the Multi-VO Rucio Policy Team on behalf of UKRI-STFC, is licensed under a CC BY-NC-SA 4.0 license.
Other Sources / Attribution / Acknowledgements: The authors acknowledge input from the WLCG and EGI security policy groups.