OpenAthens GDPR statement

The administration and recording of NHS OpenAthens accounts should be carried out with
due regard to Regulation 2016/679 (General Data Protection Regulation).

How we use your data

In your role as an administrator for OpenAthens, we ask for your name, email, job role and organisation so that we can set up your account.

The details you provide to us will only be used in relation to your role as an administrator. We will retain your data for as long as you hold this role; we will delete your data once you inform us that you are no longer an administrator. Your data will be visible to NICE’s national administrator and other administrators of the OpenAthens system.

Your responsibilities

As an OpenAthens administrator, you will be able to see the personal data of people within your administration(s) who have an OpenAthens account. This data can only be used in relation to their OpenAthens account. For example, this means that you can use their email addresses to send out alerts about OpenAthens downtime or issues, or to make them aware of services and resources that they are entitled to access using OpenAthens. You cannot use their email addresses for any other purpose.

In addition, you must keep any personal details of users secure. For example, when dealing with bulk upload files that list the personal details of users: the files must not be shared with anyone who is not authorised to see the data and must not be saved to a shared network drive; the data must be deleted from an administrator’s computer once the upload is completed.

You must not share your OpenAthens administrator username or password with anyone else. All authorised users must read this email and confirm that they have understood and agree. In the event that there is a new administrator for your organisation you must inform your regional OpenAthens administrator. This is to ensure that data protection responsibilities are met.

Please note that you do not need to ask your registered OpenAthens users to consent to their data being held for the purpose of providing them with an OpenAthens account and communicating with them about OpenAthens issues and resources. This is because it is necessary to process their data for the contractual purpose of providing them with an OpenAthens account, and they will have agreed when they registered. Please also see the Eduserv privacy notices (opens in a new window) and terms and conditions (opens in a new window), and NICE’s privacy statement (opens in a new window). NICE is the data controller, and this is why we are asking you to confirm that you understand how OpenAthens data may and may not be used.