C·A·S·C
Colleges’ Administrative Software Consortium

Privacy Policy

Cookies

The cookies that may be placed on your computer by systems in the casc.cam.ac.uk domain and its subdomains are:

| Cookie | Domain | Purpose |
|---|---|---|
| .ASPXAUTH | app.casc.cam.ac.uk | This is a Microsoft ASP.NET cookie used to identify a user that has been authenticated. |
| ASP.NET_sessionId | app.casc.cam.ac.uk | This is a Microsoft ASP.NET cookie used to identify the user's current session. |
| cascBiscuit | app.casc.cam.ac.uk | This is a token used to indicate that the Cookie Notification Panel has been closed by the user and should not be presented again to the user until the cookie expires (usually 30 days after the panel was closed). |
| ckck | app.casc.cam.ac.uk | Used to check if the web browser supports cookies. |
| Ucam-WLS-Session | app.casc.cam.ac.uk | See the Privacy and Cookie Policy for Raven. |
| Ucam-WebAuth-Session-S | app.casc.cam.ac.uk | See the Privacy and Cookie Policy for Raven. |
| Ucam-WLS-ID | app.casc.cam.ac.uk | See the Privacy and Cookie Policy for Raven. |
| JSESSIONID | app.casc.cam.ac.uk | See the Privacy and Cookie Policy for Raven. |
| _idp_authn_ic_key | app.casc.cam.ac.uk | See the Privacy and Cookie Policy for Raven. |
| _idp_session | app.casc.cam.ac.uk | See the Privacy and Cookie Policy for Raven. |

All of the cookies set by CASC systems are essential to the correct operation of the software. CASC does not use any tracking or optional cookies.

Privacy

This policy statement relates to personal data as defined by the DPA (Data Protection Act) 2018 and UK GDPR (General Data Protection Regulation), held in connection with the operation of the Colleges' Administrative Software Consortium (CASC).

CASC acts as a Data Processor on behalf of other institutions. Each of these institutions is the Data Controller for the subset of the data stored in CASC's systems that relates to their activities.

CASC's systems also log access as follows as part of those activities:

Access to these logs is restricted to authorised staff at CASC. These logs are currently held for 12 months, but CASC does not guarantee to retain the information. Logs are used to create summary statistics which may be made publicly available. Summary statistics do not include personal data.

Personal information is not passed to any third party except where required by law, or when relevant subsets of data are passed to computer security teams within the University of Cambridge (eg CamCERT) as part of an investigation into computer misuse.

All information on CASC's servers is backed up and held within the University of Cambridge. The backups are held for the purpose of reinstatement of the data, eg in the event of failure of a system component.

Users are reminded that access to CASC's services is via the Cambridge University Data Network (CUDN) and that the Privacy Policy Statement for the CUDN is also relevant.

Processing of data

CASC processes data directly or where it is part of a contractual agreement (as a data processor) or where it is in CASC's legitimate interest to do so. This includes:

Data held by CASC's systems

Any data entered into a web form with a URL in the casc.cam.ac.uk domain and its subdomains is retained.

For users who identify themselves to the system with their Common Registration Scheme Identifier (CrsID) or Shibboleth Identifier using the University's Legacy Raven or UIS Single Sign On (SSO) authentication systems, CASC extracts and stores only that Identifier. Raven/UIS SSO also use cookies for their own purposes - visit their Privacy and Cookie Policy page to learn of their policies.

Access to your personal data

The Data Controller for data held within the various CASC products is the Data Controller of the institution that is using the CASC product to process that data.

The 'Data Controller' for CASC's system logs is the Office of Intercollegiate Services (OIS), 12b King's Parade, Cambridge, CB2 1SJ, at which the OIS Data Protection Officer may be contacted.

Changes to our Privacy Policy

If we decide to change our privacy policy, we will post those changes on this page.

Information and outside parties

We do not sell, trade, or otherwise transfer to outside parties any user’s personally identifiable information. This does not include trusted third parties who assist us in operating our systems or conducting our business, so long as those parties agree to keep this information confidential. We may also release information when we believe release is appropriate to comply with the law, enforce our policies, or protect our or others' rights, property, or safety.

Policy last updated 17 July 2023