This policy is intended to help you understand how the Birunisoft PLT manages personal information. Whenever you give us personal information, you are consenting to its collection and use in accordance with this policy.
It may be necessary to update this policy from time to time. The latest version will be made available on the SIFULAN Malaysian Federation (SIFULAN) website: https://sifulan.my
Your Personal Information and Birunisoft PLT
Birunisoft PLT provides a framework (including policies and technologies) which assists SIFULAN subscribers, for example Universities or other educational institutions (referred to in this policy as Subscribers or Identity Providers) and service providers registered with SIFULAN, for example providers of online education or research services or applications (referred to in this policy as Subscribers or Service Providers) to authenticate the end users of Identity Providers who wish to access the services or applications of the Service Provider.
The main circumstances, in which Birunisoft PLT will collect, store, use or disclose personal information about you is:
a) where you act as an account administrator or other representative of a Subscriber and your personal information is provided to Birunisoft PLT by you or the Subscriber; or
b) where you are an end user of a Subscriber (such as a student, academician or researcher of a Subscriber) and Birunisoft PLT provides a ‘virtual home’ or other similar service to that Subscriber, in which case your personal information may be provided to Birunisoft PLT by you or the Subscriber to assist Birunisoft PLT to provide such service to the Subscriber.
Further details regarding the above collection, storage, use or disclosure of personal information by Birunisoft PLT is set out below.
In most instances, personal information that is collected, stored, used, and disclosed as a result of an individual being authenticated via the SIFULAN framework will be collected, stored, used and disclosed by Subscribers and Service Providers, rather than by Birunisoft PLT.
For information about the privacy policies and procedures of the Subscribers and Service Providers, please contact the relevant Subscriber or Service Provider.
What personal information do we collect?
Birunisoft PLT web servers log all requests processed from client access storing information such as your Internet Protocol (IP) address, browser type and your computer’s operating system.
When you make an enquiry or join a Birunisoft PLT and/or SIFULAN mailing list you may be asked to provide some personal information such as your name, address, telephone number and email address. This enables Birunisoft PLT to respond to your enquiry or to provide you with information about the SIFULAN and its activities.
Birunisoft PLT provides some services through federated authentication. For example, the Federation Registry and the SIFULAN Support Desk. You may use these services if you use or administer a SIFULAN Identity Provider or Service Provider. If you log into one of these services through federated authentication, your Identity Provider will provide us some information about you in the form of user attributes. This may include some personal information such as your name, authorisation identifiers, and email address.
We will normally collect personal information about you either directly from you or from an SIFULAN Identity Provider or Service Provider.
Birunisoft PLT holds personal information in electronic forms in secure databases accessible only by authorised staff. Personal information may also be held by Birunisoft PLT in hard copy, for example at its secure premises. Personal information may also, in certain circumstances, be held on behalf of Birunisoft PLT in hard copy or electronic forms by its service providers (such as offsite document storage providers or electronic data storage providers).
Please note that most services available via SIFULAN federated authentication are not provided by Birunisoft PLT but by organisations that subscribe to the SIFULAN. The section below titled Your Personal Information and SIFULAN Subscribers explains more about this.
How do we use your personal information?
If you or your organisation have provided any personal information to us, this personal information is collected, held, used, and disclosed by Birunisoft PLT for the purpose of operating a Federation (including providing an authentication framework), to help us respond to enquiries you have made, or to tell you about SIFULAN activities and about services available via the SIFULAN.
If you use federated authentication to access an SIFULAN service such as the Virtual Home, SIFULAN e-ID, Federation Registry or the SIFULAN Support Desk, the personal information that is provided about you by your Identity Provider is collected, held, used, and disclosed by Birunisoft PLT for the following purposes:
- To authorise your access to the service you have requested;
- To record user access of our services. Records are retained in order to facilitate traceability of end users via the identity provider. This might be necessary, for example, to discontinue access to a service in the event of misuse;
- To personalise the service for you;
- To generate aggregated anonymised usage statistics for service development or for other purposes agreed in writing from time to time with the Identity Provider.
We will retain your personal information as long as necessary for the above purposes or to comply with relevant laws. We will not use your personal information for other purposes without your prior consent unless we are obliged to do so by law.
Whenever and wherever we collect, process or use personal information, we take steps to ensure that it is treated securely and in accordance with this policy.
How do we disclose your personal information?
If you use federated authentication to access an SIFULAN service such as Virtual Home, SIFULAN e-ID, Federation Registry or the SIFULAN Support Desk, we may disclose your personal information to a Service Provider and/or Subscriber to authorise your access to the service you have requested and otherwise provide our services and operate our authentication framework.
We may also disclose your personal information to third party service providers appointed by Birunisoft PLT, such a hosting or email service providers.
We will not otherwise disclose your personal information to any third party without your prior consent unless we are obliged to do so by law, or where we need to do so in order to carry out the successful operation of a Federation.
Some of the parties we disclose your personal information may be located overseas (for example if we disclose your personal information to a Service Provider located overseas to authorise your access to the service). It is not possible to specify the countries in which these overseas recipients are likely to be located.
Our websites or services may contain links to other websites. We are not responsible for the privacy practices or the contents of other sites.
Your personal information and SIFULAN subscribers
Most of the time when you access a service via the SIFULAN framework, the service is provided not by Birunisoft PLT but by an organisation that subscribes to the SIFULAN (for example a Subscriber which is a Service Provider). Within this framework, when you, as an end user, log in to a service through your Identity Provider (usually your university or research organisation), your Identity Provider passes some information about you to the Service Provider in the form of user attributes.
The Service Provider uses the attributes for authorisation and for providing a better service to you as the end user and SIFULAN does not normally collect, store, use or disclose any personal information regarding you.
The management of your personal information in these transactions is the responsibility of your Identity Provider that releases your attributes and the Service Provider that receives them. Where this information is incorrect you should contact your Identity Provider directly and seek their assistance. All SIFULAN subscribers (Identity Providers and Service Providers, including those located overseas) are bound by the SIFULAN Federation Rules (https://sifulan.my/federation-policy/) which include requirements to comply with the Malaysian Privacy Act and any amendments. The Federation Rules include restrictions on the conditions under which user attributes may be released and on the ways they may be used.
Your personal information and the virtual home
The SIFULAN Virtual Home (VH) service is an identity management system for individuals who need to access services via the SIFULAN framework but who do not have an account with an SIFULAN Identity Provider. Most SIFULAN Subscriber organisations each have their own section of the VH, where they manage their own users.
If you have an account on the Virtual Home, an SIFULAN Subscriber organisation will have created the account for you to enable you to access federated services. The username and password you have been issued are for your sole use and may not be assigned or transferred. Protect your username and password with adequate care. You are personally responsible for any abuse of your username and password.
To use the VH service SIFULAN core attribute information regarding you may be required, including name, email address, and authorisation identifiers. Any personal information about you that is stored in the Virtual Home may be stored on SIFULAN’s systems however it is placed there and maintained by the organisation that created the account for you, not by SIFULAN All such information is subject to that organisation’s policy on the management of personal information. This Subscriber organisation is acting as your Identity Provider and is required to manage your information as specified in the SIFULAN Federation Rules. Where this information is incorrect you should contact your Identity Provider directly and seek their assistance.
By using your VH service account to authenticate to a federated service, you are consenting to the organisation that created the account for you and SIFULAN disclosing your personal information to the Service Provider. The Service Provider is bound by the SIFULAN Federation Rules when using this information.
You have a right to request access to, and seek correction of your personal information held by Birunisoft PLT. You can make such a request by contacting our privacy compliance officer. Our privacy compliance officer can be contacted by post at Level 21, 179 Turbot Street, Brisbane, QLD 4000, or by emailing us at email@example.com
If you believe that Birunisoft PLT has not dealt with your personal information in compliance with the Privacy Act and/or the Malaysian Privacy Principles, you should contact our privacy compliance officer using the contact details set out above. Generally, you will be required to put complaints in writing.
Birunisoft PLT will deal with privacy complaints promptly and seriously. Birunisoft PLT will investigate your complaint and inform you of the outcome of the complaint following the completion of the investigation.
In the event you are dissatisfied with the outcome of the complaint, you may refer your complaint to the Office of the Malaysian Information Commissioner.