C·A·S·C
Colleges’ Administrative Software Consortium

Privacy Policy

Cookies

The cookies that may be placed on your computer by systems in the casc.cam.ac.uk domain and its subdomains are:

Cookie Domain Purpose
.ASPXAUTH app.casc.cam.ac.uk This is a Microsoft ASP.NET cookie used to identify a user that has been authenticated.
ASP.NET_sessionId app.casc.cam.ac.uk This is a Microsoft ASP.NET cookie used to identify the user's current session.
cascBiscuit app.casc.cam.ac.uk This is a token used to indicate that the Cookie Notification Panel has been closed by the user and should not be presented again to the user until the cookie expires (usually 30 days after the panel was closed).
ckck app.casc.cam.ac.uk Used to check if the web browser supports cookies.
Ucam-WLS-Session app.casc.cam.ac.uk See the Privacy and Cookie Policy for Raven.
Ucam-WebAuth-Session-S app.casc.cam.ac.uk See the Privacy and Cookie Policy for Raven.
Ucam-WLS-ID app.casc.cam.ac.uk See the Privacy and Cookie Policy for Raven.
JSESSIONID app.casc.cam.ac.uk See the Privacy and Cookie Policy for Raven.
_idp_authn_ic_key app.casc.cam.ac.uk See the Privacy and Cookie Policy for Raven.
_idp_session app.casc.cam.ac.uk See the Privacy and Cookie Policy for Raven.

Privacy

This policy statement relates to personal data as defined by the EU General Data Protection Regulations (GDPR), held in connection with the operation of the Colleges' Administrative Software Consortium (CASC).

CASC acts as a Data Processor on behalf of other institutions. Each of these institutions is the Data Controller for the subset of the data stored in CASC's systems that relates to their activities.

CASC's systems also log access as follows as part of those activities:

Access to these logs is restricted to authorised staff at CASC. These logs are currently held for 12 months, but CASC does not guarantee to retain the information. Logs are used to create summary statistics which may be made publicly available. Summary statistics do not include personal data.

Personal information is not passed to any third party except where required by law, or when relevant subsets of data are passed to computer security teams within the University of Cambridge (eg CamCERT) as part of an investigation into computer misuse.

All information on CASC's servers is backed up and held within the University of Cambridge. The backups are held for the purpose of reinstatement of the data, eg in the event of failure of a system component.

Users are reminded that access to CASC's services is via the Cambridge University Data Network (CUDN) and that the Privacy Policy Statement for the CUDN is also relevant.

Processing of data

CASC processes data directly or where it is part of a contractual agreement (as a data processor) or where it is in CASC's legitimate interest to do so. This includes:

Data held by CASC's systems

Any data entered into a web form with a URL in the casc.cam.ac.uk domain and its subdomains is retained.

For users who identify themselves to the system with their Common Registration Scheme Identifier (CrsID) or Shibboleth Identifier using the University's Raven authentication system, CASC extracts and stores only that Identifier. Raven also uses cookies for its own purposes - visit their Privacy and Cookie Policy page to learn of their policies.

Access to your personal data

The Data Controller for data held within the various CASC products is the Data Controller of the institution that is using the CASC product to process that data.

The 'Data Controller' for CASC's system logs is the Office of Intercollegiate Services (OIS), 12b King's Parade, Cambridge, CB2 1SJ, at which the OIS Data Protection Officer may be contacted.

Changes to our Privacy Policy

If we decide to change our privacy policy, we will post those changes on this page.

Information and outside parties

We do not sell, trade, or otherwise transfer to outside parties any user’s personally identifiable information. This does not include trusted third parties who assist us in operating our systems or conducting our business, so long as those parties agree to keep this information confidential. We may also release information when we believe release is appropriate to comply with the law, enforce our policies, or protect our or others' rights, property, or safety.

Policy last updated 13 April 2018