The Privacy by Design foundation processes personal data with the aim of realising attribute-based authentication and signatures via the system IRMA, an abbreviation for I Reveal My Attributes. The foundation is responsible for this data processing and in doing so abides by Dutch (and European) data protection regulations.
The design of IRMA is such that personal data, attributes in particular, are stored locally at the user’s side on his/her own phone or tablet, and not at the foundation’s side on its computers. The foundation only stores a user’s email address together with a very limited set of historical usage data, as will be explained below.
A user of IRMA is asked to consent (agree) at every data processing step by the foundation. This consent forms the legal basis for the data processing. A user can at any stage terminate the foundation’s processing of his/her personal data by terminating (blocking) his/her personal IRMA account, via the MyIRMA webpage. The IRMA app asks the user to consent whenever attributes are received or revealed, not only via an OK button but also via confirmation with a personal PIN code. This forms the legal basis for the processing or the relevant attributes by these (third) parties, providing or receiving attributes.
The foundation processes personal data in three different ways.
Continuously. At registration an arbitrary username is automatically created for a new user of IRMA. The user can choose to associate a self-chosen email address with this IRMA account. This is not necessary, but optional. The email address is stored and protected by the foundation, until the user changes or removes or cancels his/her account, in the MyIRMA environment.
The arbitrarily chosen username is a pseudonym that identifies an account at the foundation. The (optionally added) email address can be used for communication with the user, for instance for logging into MyIRMA. The foundation keeps the email address secret and does not share it with others, unless there is a legal obligation to do so. The foundation uses the address exclusively for IRMA functionality.
The foundation records usage data (“logs”) per account. Its sole purpose is providing an IRMA user insight in the usage of his/her own account, associated with the user’s email address, in order to detect possible abuse and to (subsequently) block the account. With this access to a user’s own log data the foundation fulfils its obligation to provide users insight in their own data. These log data are stored and protected until they are deleted by the user. The logs contain only time stamps of actions, together with the kind of action that happened, such as PIN verified or IRMA session performed. In particular, these logs do not contain personal data, such as attributes, or information about the party to which attributes are revealed, or form which attribes are received. These log data are not shared with others, unless there is a legal obligation to do so. When an IRMA account is terminated, or when its data are removed, all these log data are immediately removed by the foundation.
Incidentally. When the IRMA app crashes or encounters a serious problem, an error report is made and sent to the foundation. These error reports are a critical instrument for the foundation in fixing problems and improving the IRMA app. An error repport never contains your attributes, or data about previous usage of the IRMA app and your attributes, but only technical data about what went wrong and about your phone (for example, IP address, the app version number, and the version number of Android or iOS). The foundation removes these reports when they are no longer neccesary, or at least within three months.
One time, only temporarily. At issuance of attributes by the Privacy by Design foundation, the foundation attaches its own digital signature to these attributes; subsequently, the signed attributes are placed in the IRMA app of the user. Immediately afterwards, these data are removed from the systems of the foundation. The foundation does not keep a record of attribute issuance.
For some forms of issuance the user is asked to first authenticate with necessary attributes. For instance, for issuance of healthcare professional BIG attributes, the name and date of birth of the user are asked first; these data are necessary for searching the associated BIG registration data in the BIG register. Also such necessary authentication attributes are deleted immediately hereafter.
The foundation publishes via its own dashbord how many IRMA users are registered in which country at any point in time. This only involves the number of registered usernames (pseudonyms) and the number of issued credentials (sets of attributes) per country. The foundation also reserves the right to publish statistical data about the registered logs, such as for instance the total number of transactions per unit of time (day, month or year).
For questions, remarks, or complaints about this data processing by the Privacy by Design foundation for IRMA functionality, please contact the foundation. For complaints about the foundation’s data processing you can also contact the Data Protection Authority of the Netherlands.
Date: April 22, 2018.