Our policies and procedures are laid out within the Federation rules. This particular section of the Federation rules can be found in point 8.8 and relates to data retention, specifically the logs of Identity and Service Providers.
The rules that govern what data we retain, for how long, and the type of information are formed using the Federation rules, which are determined by the Australian Access Federation Board and will be periodically reviewed and/or amended without notification to subscribers. An updated version of this document can be found on our website along with this document, which will also be updated as needed or as changes occur.
Identity Provider Logs:
Identity Provider logs will automatically be sent to a secure third-party server location, maintained and accessed only by the relevant staff in order to troubleshoot and rectify issues on behalf of the Identity Provider, and may be retained for up to 24 months. These will include error and warn logs, all of which will be stripped of any sensitive user data before any transportation of sensitive information. Information will be sent using a secure method of transport to avoid any security issues. Logs must be able to associate a particular End User with a given session that it has authenticated.
Service Provider Logs:
Service Provider logs are neither collected nor recorded directly by the Australian Access Federation. The Service Provider is permitted to record End User access and to retain those records in order to facilitate traceability of End Users via an Identity Provider. The AAF may request these logs, or gain them through a third party such as an IDP. Similarly, some logs from Identity Providers may contain logs relating to the authentication as well as user information related to a particular Service Provider.
If you feel this policy impacts you in a certain way, we welcome your comments and feedback. We will also, from time to time, make suggestions to the AAF Board for amendments and updates to this policy as it becomes pertinent or required.
Download the Federation Rules here, for a more comprehensive overview of how data is collected, why and where it is stored.