Terms and conditions – OpenAthens version 7.6

A person signing a contract

If you submit an Order Form for any OpenAthens services, you accept that the Order Form and the following OpenAthens Terms and Conditions create a legally binding contract between your institution, organisation or company and Jisc (as defined below). These terms and conditions also govern trials of OpenAthens services. Therefore please read these OpenAthens Terms and Conditions carefully and only submit an Order Form if the terms and conditions are acceptable to your institution, organisation or company.


Changes from OpenAthens Terms and Conditions v7.5 Feb 2023 to v7.6 Dec 2023:

These changes are introduced in accordance with clause 6 of the terms and conditions

Clause Old clause (v7.5) New clause (v7.6)
Definition of “Agreement” the Order Form and these Terms & Conditions together with any documents referred to herein. In the event of conflict an Order Form accepted by Jisc prevails over these Terms & Conditions; the Order Form and these Terms & Conditions together with any documents referred to herein. In the event of conflict, the Order Form prevails over these Terms & Conditions;
Definition of “Commencement Date” the date which is fourteen days after the date when the Customer submits an Order Form. Unless Jisc rejects the Order Form beforehand, fees for the Products accrue from the Commencement Date irrespective of whether the Products were made available from an earlier date; the date which is the earlier of: a) the “Licence start date” written in the Order Form; and b) the date on which the Products have been made available to the Customer and a corresponding invoice has been issued. Unless Jisc advises the Customer otherwise, Prices for the Products accrue from the “Licence start date”, irrespective of whether the Products were made available from an earlier date;
Definition of “Customer” the institution, organisation or company identified on the Order Form, who will use the Products; the institution, organisation or company identified in the “Customer name” section of the Order Form, who will use the Products;
Definition of “Initial Term” the initial term of the Agreement, identified on the Order Form and starting from the Commencement Date. This will usually be either a one year or three year period. As explained further below, prices are fixed and both parties are committed for the duration of the Initial Term; the initial term of the Agreement, starting from the Commencement Date and ending on the date written as the “Licence end date” in the Order Form.
Definition of “Jisc” means either: • Jisc, a registered charity and company limited by guarantee with company number 05747339; or • Jisc Services Limited, the wholly owned subsidiary of Jisc with company number 02881024 as detailed on the Order Form; means Jisc Services Limited, the wholly owned subsidiary of Jisc, with company number 02881024;
Definition of “Order Form a Jisc order form completed and submitted by or on behalf of the Customer. The party submitting the Order Form must ensure that it shows any special price or payment details agreed with Jisc; a Jisc order form, quotation or order confirmation issued by Jisc and signed by the Customer and which references these Terms & Conditions;
New definition for “Prices” [N/A] the fees payable by the Customer for the Products as described in the Order Form; [And associated capitalisations throughout]
2.1.c) the party submitting the Order Form or the intended Customer has an inadequate credit rating or poor trading history with Jisc; the intended Customer has an inadequate credit rating or poor trading history with Jisc;
New clause 2.4 [N/A] The Agreement commences on the Commencement Date and will continue for the Initial Term, unless terminated earlier in accordance with the terms of this Agreement.
5.8 Payments are due within thirty days of invoice date. In the event of late payment, Jisc will be entitled to suspend the Service by giving the Customer not less than ten days prior notice and/or to levy interest in accordance with the Late Payment of Commercial Debts (Interest) Act 1998 The Customer will pay the Prices. Payments are due within thirty days of invoice date. In the event of late payment, Jisc will be entitled to suspend the Service by giving the Customer not less than ten days prior notice and/or to levy interest in accordance with the Late Payment of Commercial Debts (Interest) Act 1998.
Deleted 16.b) by fax to the authorised representative of the other party to any fax number shown on the Order Form, or to any other fax number as one party has notified the other of, and will be valid at the time shown on a successful transmission report, or [Deleted]
4.1.10 (Data protection schedule) … cease Processing any of the Personal Data and, within sixty (60) days of the date being applicable under this Clause 4.1.10, return or destroy (as directed, in writing, by the Customer) the Personal Data belonging to, or under the control of, the Customer and ensure that all such data is securely and permanently deleted from its systems, provided that Jisc shall be entitled to retain copies of the Personal Data for evidential purposes and to comply with legal and/or regulatory requirements; … cease Processing any of the Personal Data and, within six (6) months of the date being applicable under this Clause 4.1.10, return or destroy (as directed, in writing, by the Customer) the Personal Data belonging to, or under the control of, the Customer and ensure that all such data is securely and permanently deleted from its systems, provided that Jisc shall be entitled to retain copies of the Personal Data for evidential purposes and to comply with legal and/or regulatory requirements;

Some minor grammatical amendments have also been made.

1. Definitions

1.1 When starting with a capital letter, the following words and phrases have the meanings shown:

Agreement the Order Form and these Terms & Conditions together with any documents referred to herein. In the event of conflict, the Order Form prevails over these Terms & Conditions.
Commencement Date the date which is the earlier of: a) the “Licence start date” written in the Order Form; and b) the date on which the Products have been made available to the Customer and a corresponding invoice has been issued. Unless Jisc advises the Customer otherwise, Prices for the Products accrue from the “Licence start date”, irrespective of whether the Products were made available from an earlier date;
Customer the institution, organisation or company identified in the “Customer name” section of the Order Form, who will use the Products;
Initial Term the initial term of the Agreement, starting from the Commencement Date and ending on the date written as the “Licence end date” in the Order Form.
Intellectual Property copyright, rights related to or affording protection similar to copyright, rights in databases, patents and rights in inventions, specifications, formulae, processes, semi-conductor topography rights, trade marks, rights in internet domain names and website addresses and other rights in trade, product or business names and logos, designs, know-how and trade secrets and all rights in derivative works created or developed by or on behalf of the owner or licensor of such rights; and all other rights having equivalent or similar effect to any of the foregoing in any country or jurisdiction;
Jisc means Jisc Services Limited, the wholly owned subsidiary of Jisc, with company number 02881024;
Order Form a Jisc order form, quotation or order confirmation issued by Jisc and signed by the Customer and which references these Terms & Conditions;
Prices the fees payable by the Customer for the Products as described in the Order Form;
Products the Software and/or Services applicable to the Customer;
Service the authentication, authorisation, administration and support services described in the applicable product description, documentation and service levels published on the Website and/or supplied with the Software. The term “Service” includes any necessary OpenAthens software which is both installed and operated remotely by Jisc. Service also includes any OpenAthens ad hoc consultancy which Jisc agrees to provide to the Customer for an agreed price;
Software the machine readable modules and version of the OpenAthens software ordered by the Customer or any versions subsequently deployed by the Customer. The modules and versions are described in the relevant product description and documentation published on the Website and/or supplied with the software;
Subscriber a party who has the right to access the Customer’s on-line resources and also has the right to use Jisc services to do so;
Terms & Conditions these OpenAthens Terms and Conditions; and
Website the www.openathens.net website, or such other URL as Jisc may from time to time advise.

1.2 Headings are included for ease of reference only and do not affect the interpretation of any provision.

2. Commencement and Duration

2.1 Jisc may reject any Order Form for any of the following reasons:

a) it has not been fully and accurately completed;

b) the intended Customer is not entitled to receive the Products;

c) the intended Customer has an inadequate credit rating or poor trading history with Jisc;

d) monies due prior to the Products being made available have not been received by Jisc;

e) the Customer requires purchase orders to be issued in order for payments to be made but the Order Form is not accompanied by the Customer’s purchase order;

f) on any other reasonable and similar grounds.

2.2 Jisc will be deemed to have accepted the Order Form if:

a) it has made the Products available to the Customer and has issued a corresponding invoice; or

b) it has not rejected an Order Form by the Commencement Date.

2.3 Except where clause 2.1 applies, Jisc will make the Products available to the Customer by the Commencement Date.

2.4 The Agreement commences on the Commencement Date and will continue for the Initial Term, unless terminated earlier in accordance with the terms of this Agreement.

2.5 The Customer may terminate the Agreement at the end of the Initial Term by giving Jisc not less than ninety days prior written notice.

2.6 If notice has not been given by the Customer under clause 2.5, the Agreement will continue for successive one year periods. The Customer may terminate the Agreement at the end of any successive one year period by giving Jisc not less than ninety days prior written notice.

3. Jisc Obligations and Warranties

3.1 For the duration of the Agreement and subject to its terms and conditions, Jisc:

a) grants the Customer a non-exclusive, non-transferable licence to load, install and use the Software and the documentation supplied with the Software;

b) warrants that it has proper authority to grant the foregoing licence;

c) will from time to time make available to the Customer such bug fixes and upgrades of the Software that are made available generally to customers of the Software;

d) warrants that the Software will perform in all material respects in accordance with its product description and the documentation supplied with the Software, except that Software supplied for trial purposes is provided “as-is” without warranty and clause 3.1i) does not apply. The Customer acknowledges that software, by its nature, is not error-free and agrees that the existence of such errors will not constitute a breach of the Agreement;

e) warrants that it has checked the Software for viruses using commercially available virus checking software;

f) will perform the Services in accordance with the service descriptions published on the Website with the degree of skill and diligence which would ordinarily be expected from a skilled and experienced provider of similar services under similar circumstances. The Customer agrees that computer and communications systems may not be uninterrupted or fault free and that occasional periods of downtime for repair, maintenance and upgrading may be required. Jisc will endeavour to minimise any such periods of nonavailability and will give the Customer not less than forty-eight hours’ notice of each planned shutdown period;

g) will use reasonable endeavours to achieve the service levels and performance indicators published on the Website; and to keep the Customer informed where the targets may be exceeded and to give estimates of the expected resolution time;

h) will apply appropriate system security measures to the database of user details as necessary to meet its obligations under these Terms and Conditions;

i) will promptly correct any material non-conformity in the above undertakings that is notified to it by the Customer within ninety days from delivery of the Software or performance of the non-conforming Service, provided that the Customer will provide such information and assistance as is reasonably necessary for the non-conformity to be identified and analysed;

j) will not sell, rent or trade personal data which is collected as an essential part of the Service. Such personal data will only be used by Jisc and its service providers in accordance with the Service’s Privacy Policy published on the Website;

3.2 Jisc’s obligations in this clause 3 replace all other warranties express or implied in contract, law or tort, including but not limited to any implied warranties of satisfactory quality or fitness for any particular purpose.

4. Customer Obligations

4.1 In respect of the Products, the Customer will ensure that:

a) all use is in accordance with and for the purposes of the Agreement;

b) all use is in accordance with the documentation made available to the Customer at https://docs.openathens.net or supplied to the Customer in writing by Jisc;

c) appropriate measures are put in place to prevent unauthorised access to and use of the Products;

d) appropriate measures are taken to supervise and control the use of the Products and that all users and administrators have training adequate to their role;

e) no person or party responsible to the Customer attempts to by-pass any security measures put in place by Jisc or put in place by any third party service provider in connection with the Service;

f) no administrator or authorised user of the Products attempts to gain unauthorised access to any other Jisc software, services, systems or websites;

g) appropriate action is taken and that Jisc and any relevant third party service provider are promptly informed, in the event of any abuse of the Products arising under clauses 4.1c), d) or e) or otherwise;

h) the Customer’s nominated administrators are familiar with and adhere to the OpenAthens Administrator Regulations published on the Website;

i) all users and administrators are familiar with and adhere to any guidelines published by Jisc on the Website or at https://docs.openathens.net;

j) all users and administrators are familiar with the Service’s Privacy Policy published on the Website.

4.2 In respect of the Software, the Customer will:

a) not sell, sub-license, lease, rent or loan the Software to any third party;

b) not retain copies of the Software except as uninstalled back-ups, or as permitted by law;

c) not disassemble, decompile, reverse engineer or otherwise interfere with the Software except as permitted by law;

d) not translate, adapt, vary, modify, alter, develop, customise or create any derivative work of the Software or any part thereof;

e) copy and use the documentation supplied with the Software solely for the proper use of the Software;

f) abide by any terms, notified by Jisc in writing, of any third party licences for software incorporated into or distributed with the Software;

g) not remove any copyright notices or trademarks from the Software or the documentation supplied with it and shall reproduce the same on all copies;

h) comply with Jisc’s requirements, as notified to the Customer in writing, concerning any diagnostic or statistics gathering facilities incorporated in or supplied with the Software;

i) keep all copies of the Software secure and maintain accurate records of the number and location of all copies;

j) remove the Software from any hardware onto which it has been loaded prior to decommissioning or disposing of the same.

4.3 In respect of Products supplied for trial purposes, in addition to any other provision of the Agreement the Customer will:

a) use such Products solely for the purpose of evaluation and not for any administrative, management, operational or commercial purpose;

b) raise all support calls and queries by email or through Jisc’s web interface and not by telephone.

5. Prices and Payment

5.1 Prices for the Products are not subject to change during the Initial Term and thereafter on each anniversary of the Commencement Date, may be adjusted at Jisc’s discretion by the annual movement in the latest available All Items Retail Prices Index excluding Mortgage Interest Payments published by the UK Office for National Statistics.

5.2 As an alternative to the adjustment described in clause 5.1, the Prices for Products may be adjusted after the Initial Term with effect from any anniversary of the Commencement Date, by any general change to Jisc’s prices applicable to all customers or all customers of particular Jisc software or services. In such case Jisc shall give the Customer at least ninety days written notice of the Price change. If the Customer does not accept the new Price it may terminate the Agreement in accordance with clause 2.5 or 2.6 but where the required notice period is, for this purpose only, reduced to not less than sixty days.

5.3 In addition to clauses 5.1 and 5.2, all Prices which were established by reference to a number of users, Subscribers, servers, registered online resources or some other licensing constraint, shall be appropriately adjusted if any such constraint is exceeded. In addition, if the Customer is a UK Higher or Further Education Institution, all Prices which were established by reference to the Customer’s Jisc band or any similar scale, shall be appropriately adjusted where the Customer becomes re-classified to a higher Jisc band or scale point.

5.4 Prices exclude UK VAT and any sales or purchase taxes, taxes on property or use, withholding tax, duties, levies or similar in any territory whether relating to the Agreement or the Products; which shall be paid by the Customer at the prevailing rate.

5.5 If the Customer is a UK Higher or Further Education Institution, Jisc may issue its first invoice on the Commencement Date to cover the period from the Commencement Date until the next thirty-first of July that occurs. Thereafter payments are due by the first of August each year. Jisc will invoice not less than thirty days in advance.

5.6 If the Customer is not a UK Higher or Further Education Institution, Jisc (or its duly appointed agent) may issue its first invoice on the Commencement Date to cover the first twelve months from the Commencement Date. Thereafter payments are due each year by the anniversary of the Commencement Date. Jisc (or its duly appointed agent) will invoice not less than thirty days in advance.

5.7 Where clause 5.3 applies, a supplementary invoice will be raised and the provisions of this clause 5 will apply to the revised price derived under clause 5.3.

5.8 The Customer will pay the Prices. Payments are due within thirty days of invoice date. In the event of late payment, Jisc will be entitled to suspend the Service by giving the Customer not less than ten days prior notice and/or to levy interest in accordance with the Late Payment of Commercial Debts (Interest) Act 1998.

6. Revisions

6.1 In order to continuously improve its operations, Jisc may from time to time revise the Service or these Terms & Conditions or any of the documents referenced herein.

6.2 Revisions are intended to clarify or improve customers’ rights or benefits rather than reducing them.

6.3 Revisions will be automatically effective ninety days after being published on the Website.

6.4 If any revision would reduce customers’ rights or benefits, then Jisc will notify the Customer as well as publishing the revision on the Website.

6.5 If the Customer (acting reasonably) cannot accept any revision it may terminate the Agreement by giving Jisc written notice not less than sixty days prior to the date when the revision would become effective. In such case the Customer will be entitled to a pro-rata rebate of Prices already paid for Products that would have been supplied subsequent to the date of termination.

7. Liability

7.1 In any twelve month period, neither party’s aggregate liability to the other for direct loss or damage, howsoever arising, shall exceed 110% of the value of Products supplied in the twelve months prior to the event giving rise to the liability.

7.2 Neither party shall be liable to the other for any indirect, special or consequential loss or damage, loss of profits, business, revenue or goodwill howsoever arising.

7.3 Notwithstanding any of the foregoing, neither party excludes or limits liability for death or personal injury arising from its negligence or for liability resulting from its wilful misconduct or fraud.

8. Intellectual Property

8.1 The Customer retains ownership of any Intellectual Property in data and information supplied by the Customer and in any online resources of the Customer. Jisc or its licensors own all Intellectual Property in the Products and the documentation supplied with the Products.

9. Intellectual Property Indemnity

9.1 Jisc will indemnify the Customer from all claims that the Products infringe the Intellectual Property of any third party provided that:

a) such indemnity shall not apply to the extent that the infringement arises out of misuse of the Software or any combination, operation or use of the Software with software, systems or equipment not approved by Jisc;

b) the Customer does not knowingly make or intimate any admission, settlement, opinion or undertaking that may be detrimental to Jisc’s defence;

c) the Customer gives Jisc prompt written notice of any claim made against the Customer and Jisc shall have the right to defend and settle such claims at its own discretion;

d) the Customer, at Jisc’s cost, gives such assistance as Jisc may reasonably require to settle or oppose any such claim;

e) the Customer applies all reasonable endeavours to mitigate Jisc’s exposure under this indemnity;

f) Jisc shall be entitled to secure the right for the Customer to continue using the Products or to avoid the infringement by modifying the Products or replacing the Products or infringing part with software or service of similar capability.

10. Data Protection and Confidential Information

10.1  Jisc’s data protection assumptions and commitments are published in its Privacy Policy on the Website.

10.2 Jisc and the Customer shall each comply with the provisions of the Data Protection Schedule that is appended to these Terms and Conditions.

10.3 In the event of any conflict between the Data Protection Schedule and any other provision of these Terms and Conditions, the relevant provision of the Data Protection Schedule shall take precedence.

10.4 Each party will treat as confidential and not disclose to any third party, all information relating to or received from the other in connection with the Agreement or the Products. This obligation does not extend to any information which was rightfully in the possession of the party prior to the commencement of the negotiations leading to the Agreement; or which is or becomes public knowledge other than as a result of a breach of this clause 10. The foregoing obligations survive any termination of the Agreement.

10.5 The Customer agrees that Jisc may include the Customer in its list of customers. Jisc will secure the Customer’s prior written approval for all other publicity and the Customer agrees that this will not be unreasonably withheld or delayed.

11. Suspension and Termination

11.1 Either party may terminate the Agreement by written notice if the other party:

a) is in breach of any material term, condition or provision of the Agreement or of any material provision required by law and fails to remedy any such breach within thirty days of written notice; or

b) presents a petition or has a petition presented by a creditor for its winding up, or convenes a meeting to pass a resolution for voluntary winding up, or enters into any liquidation (other than for the purposes of a bona fide reconstruction or amalgamation), or calls a meeting of its creditors, or has a receiver of all or any of its undertakings or assets appointed, or is deemed by any relevant statutory provisions to be unable to pay its debts.

11.2 The Customer may terminate the Agreement in accordance with clauses 2.5, 2.6, 5.2 and 6.5.

11.3 Jisc may suspend or terminate the Service upon written notice to the Customer in the event of any material breach or persistent lesser breaches of these Terms and Conditions or the OpenAthens Administrator Responsibilities, both of which are published on the Website.

11.4 By giving the Customer not less than twelve months prior written notice Jisc may:

a) terminate the Agreement; or

b) withdraw any versions of the Software that have been generally available for at least three years; or

c) terminate the Service, or any part of the Service, in respect of versions of the Software that Jisc will specify.

11.5 All rights and obligations of the parties under the Agreement cease upon termination except for such rights of action that have accrued prior to termination and any rights or obligations under the Agreement or at law, which expressly or by implication come into or continue in force upon termination.

11.6 Within seven days of termination of the Agreement, the Customer will de-install and destroy all copies of the Software and the documentation supplied with it and shall not attempt to access the Service. Following termination, Jisc will remove personal data provided by the Customer in accordance with the Privacy Policy published on the Website.

12. Assignment

12.1 Neither party may assign or transfer all or part of the Agreement, nor subcontract any of its rights or obligations nor appoint any agent to perform such obligations without the other’s prior written agreement. This provision does not apply to clause 5 of the Data Protection Schedule or to work that Jisc subcontracts in the normal course of its business nor to the transfer by Jisc of all of its rights and obligations to a wholly owned subsidiary or a parent undertaking.

13. Waiver

13.1 Failure by either party to enforce any of the provisions of the Agreement shall not represent a waiver of such rights and shall not affect the validity of the Agreement nor affect that party’s rights to take subsequent action.

14. Amendments

14.1 The Agreement may only be amended as set out in clause 6 or by the written agreement of the parties; such written agreement shall state that it is intended to be an amendment to the Agreement.

15. Severability

15.1 If any competent authority finds any part of the Agreement to be invalid, unlawful or unenforceable, the Agreement will be deemed to be amended to the extent required but so as to allow the rest of the Agreement to remain valid and unaffected to the fullest possible extent.

16. Notices

16.1 Any notice or written agreement may be given as follows:-

a) by delivery recorded mail or courier to the authorised representative of the other at any address shown on the Order Form, or to any other address as one party has notified the other of, and will be valid on the date of recorded receipt, or

b) by email to the email address of the other party’s authorised representative and will be valid at the time of sending but will not be deemed served if the email system has generated an unsuccessful transmission or delivery report.

17. Force Majeure

17.1 Except for the obligation to make payments properly due, neither party will be liable for any delay or failure to perform obligations caused by circumstances beyond its reasonable control provided that the affected party promptly gives the other written notice of such delay or failure and circumstances and that the affected party uses reasonable endeavours to mitigate the delay or failure.

18.1 No term of the Agreement is enforceable by any person who is not a party to it whether pursuant to the Contracts (Rights of Third Parties) Act 1999 or otherwise.

18.2 The parties agree to use the English language for all matters relating to the Agreement.

18.3 The Agreement is governed by English law and subject to the exclusive jurisdiction of the English courts. The United Nations’ Convention on Contracts for the International Sale of Goods does not apply to the Agreement.

18.4 The Agreement is effective from the Commencement Date and represents the entire agreement and understanding between the parties in respect of the Products. Jisc is not a party to agreements for the provision of online resources by third parties to Subscribers.

18.5 Any terms and conditions relating to purchase orders issued by the Customer in connection with the Products will have no effect and it is understood that Jisc will accept these purchase orders subject to the terms and conditions of the Agreement only.

18.6 To confirm their agreement with all the foregoing, the Customer has authorised the Order Form to be issued to Jisc.


Supplementary Terms and Conditions for Customers Providing Access to Online Resources

In addition to clauses 1 to 18, the following supplementary terms and conditions apply where the Customer uses the Products in order to allow authorised and/or authenticated access to its online resources. In case of any inconsistency, these supplementary terms and conditions prevail over clauses 1 to 18.

A1 Additional undertakings by Customers providing access to online resources

Customers providing access to online resources additionally undertake to not knowingly do anything which may adversely affect Jisc’s reputation;

A2 Additional undertakings by Jisc to Customers providing access to online resources

If the Customer provides access to online resources, Jisc additionally undertakes the following:

a) to ensure that the relevant modules of the Software meet the access management specifications, technologies or standards that Jisc shall from time to time publish at https://docs.openathens.net. Jisc cannot make any commitment that the foregoing versions, specifications and standards will meet the requirements of the Customer;

b) to provide the Customer with an administration account for the duration of the Agreement to be used for the purposes only of: (i) carrying out tests in relation to the Software, (ii) providing potential Subscribers with trial accounts not exceeding forty-two days duration and (iii) logging service calls on the support interface;

c) to provide support during normal business hours in the UK for problems with the Products or service offered to Subscribers, which prevent or hinder access to any online resource other than where such problem results from the Customer’s default. Any agreed arrangements for additional coverage and any attendant charges must be set out on the Order Form;

d) to publish on the Website or at https://docs.openathens.net, best practice guidelines on passwords and access control for all customers. In addition, although it does not control and therefore cannot accept responsibility where breaches may have occurred, Jisc will investigate instances where it becomes aware that such guidelines appear to have been breached or where unauthorised access to the Customer’s online resources appears to have occurred.

Data protection schedule

1. Definitions

1.1  The following additional definitions apply to this Data Protection Schedule

Applicable Law means all applicable laws, statutes, regulations, decree directives, legislative enactments, orders, binding decisions of a competent Court or Tribunal, rule, regulatory policies, guidelines, codes, other binding restriction, regulatory permits and licences applicable under law which are in force from time to time during the term of this Agreement to which a party and/or any Processing of Personal Data is subject from time to time;
Controller, Processor and Data Subject shall have the meaning given to those terms in the UK GDPR;
Data Protection Legislation means (a) any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction which relates to the protection of individuals with regards to the Processing of Personal Data to which a Party is subject for the purposes of this Agreement, including the Data Protection Act 2018 and the General Data Protection Regulation 2016/679 (EU GDPR) as each is amended in accordance with the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended by SI 2020 no. 1586) and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, as amended to be referred to as DPA 2018 and the UK GDPR respectively; and (b) any code of practice or guidance published by the ICO or European Data Protection Board from time to time;
Data Protection Particulars means, in relation to any Processing under this Agreement: a) the subject matter and duration of the Processing; b) the nature and purpose of the Processing; c) the type of Personal Data being Processed; and d) the categories of Data Subjects.
Data Subject Request means an actual or purported subject access request or notice or complaint from (or on behalf of) a Data Subject exercising his rights under the Data Protection Legislation;
Data Transfer means transferring the Personal Data to, and / or accessing the Personal Data from and / or Processing the Personal Data within, a jurisdiction or territory that is not a Permitted Country;
ICO means the UK Information Commissioner (including any successor or replacement);
Permitted Country means a country, territory or jurisdiction that is either: (a) within the UK or the European Economic Area; or (b) outside of the UK or European Economic Area but which is the subject of an adequacy determination by the UK Secretary of State or the European Commission (as applicable);
Permitted Purpose means the purpose of the Processing as specified in the Data Processing Particulars;
Personal Data has the meaning given to it in the UK GDPR and for the purposes of this Agreement includes Sensitive Personal Data;
Personal Data Breach has the meaning given to it in the UK GDPR and, for the avoidance of doubt, includes a breach of clause 4.1.3;
Personnel means all persons engaged or employed from time to time by Jisc in connection with this Agreement, including employees, consultants, contractors and permitted agents;
Processing has the meaning given to it in the UK GDPR (and “Process” and “Processed” shall be construed accordingly);
Regulator means the ICO and any other independent public authority which has jurisdiction over a party, including any regulator or supervisory authority which is responsible for the monitoring and application of the Data Protection Legislation;
Regulator Correspondence means any correspondence from a Regulator in relation to the Processing of Personal Data under or in connection with this Agreement;
Security Requirements means the requirements regarding the security of the Personal Data, as set out in the Data Protection Legislation (including, in particular, the measures set out in Article 32(1) of the UK GDPR (taking due account of the matters described in Article 32(2) of the UK GDPR)) as applicable;
Sensitive Personal Data means Personal Data that incorporates such categories of data as are listed in Article 9(1) of the UK GDPR; and Personal Data relating to criminal convictions and offences;
Service means the provision of OpenAthens services as defined within this Agreement;
Schedule means this schedule which forms part of the Agreement;
Third Party Request means a written request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by law or regulation.

2. Arrangement between the parties

2.1 The Parties shall each Process the Personal Data in accordance with the terms of this Schedule. The Parties acknowledge that the factual arrangement between them dictates the classification of each Party in respect of the Data Protection Legislation. Notwithstanding the foregoing, the Parties anticipate and agree that the Customer shall act as Controller and Jisc shall act as Processor, as follows:

2.1.1 The Customer shall be a Controller where it is Processing the Personal Data in relation to the services being supplied by Jisc; and

2.1.2 Jisc shall be a Processor where it is Processing the Personal Data in relation to the Permitted Purpose in connection with the performance of its obligations under these service terms.

2.2 Each of the Parties acknowledges and agrees that the following table sets out an accurate description of the Data Protection Particulars:

The subject matter and duration of the Processing OpenAthens is an identity and access management tool. The Customer is granted access to tools allowing them to create accounts for users. As a minimum, only a name and email address are needed. OpenAthens encrypts this information so that individual identities are not disclosed to the publishers whose resources are accessed without the Customer’s consent. When a Customer creates an account, it will choose what information to collect and what information to disclose to the publishers. The duration of the Processing will be for the term of the Agreement between the Customer and Jisc.
The nature and purpose of the Processing The Personal Data will be Processed in order to provide the Service ordered by the Customer.
The type of Personal Data being Processed Identifiers required to operate OpenAthens depend on whether the Customer uses OpenAthens for its account directory or connects it to its own directory or authentication system. If OpenAthens is used as an account directory, an account username, password, name and e-mail address are required by default. If OpenAthens is connected to the Customer’s own directory or authentication system only a unique account identifier is required by default. Any additional identifiers are entirely under the control of the Customer.
The categories of Data Subjects Identifiers required to operate OpenAthens are decided upon by the Customer.

3. Controller Obligations

3.1.1 it is not subject to any prohibition or restriction which would prevent or restrict it from disclosing or transferring the Personal Data to Jisc in accordance with the terms of this Schedule; and

3.1 As the Controller in respect of the Processing of the Personal Data, the Customer shall ensure that:

3.1.2 all fair processing notices have been given (and/ or, as applicable, consents obtained) and are sufficient in scope to allow the Customer to disclose the Personal Data (including any Sensitive Personal Data) to Jisc for the delivery of the Service in accordance with the Data Protection Legislation.

4. Processor Obligations

4.1 Jisc (as a Processor in relation to any Personal Data Processed by (or on behalf of) the Customer pursuant to the Agreement) undertakes to the Customer that it shall:

4.1.1 Process the Personal Data for and on behalf of the Customer in connection with the performance of the Service only and for no other purpose in accordance with the terms of this Agreement and any instructions from the Customer;

4.1.2 unless prohibited by law, promptly notify the Customer (and in any event within forty-eight (48) hours of becoming aware of the same) if it considers, in its opinion (acting reasonably) that it is required by Applicable Law to act other than in accordance with the instructions of the Customer, including where it believes that any of the Customer’s instructions under clause 4.1.1 infringes any of the Data Protection Legislation;

4.1.3 implement and maintain appropriate technical and organisational security measures to comply with at least the obligations imposed on a Controller by the Security Requirements. A description of the technical and organisational security measures that Jisc will implement and maintain is set out here: https://www.openathens.net/security;

4.1.4 take all reasonable steps to ensure the reliability and integrity of any of the Personnel who shall have access to the Personal Data, and ensure that each member of Personnel shall have entered into appropriate contractually-binding confidentiality undertakings;

4.1.5 notify the Customer promptly, and in any event within forty-eight (48) hours, upon becoming aware of any actual or suspected, threatened or ‘near miss’ Personal Data Breach, and:

(a) implement any measures necessary to restore the security of compromised Personal Data;

(b) assist the Customer to make any notifications to the relevant Regulator and affected Data Subjects;

4.1.6 notify the Customer promptly (and in any event within ninety-six (96) hours) following its receipt of any Data Subject Request or Regulator Correspondence and shall:

(a) not disclose any Personal Data in response to any Data Subject Request or Regulator Correspondence without the Customer’s prior written consent; and

(b) provide the Customer with all reasonable co-operation and assistance required by the Customer in relation to any such Data Subject Request or Regulator Correspondence;

4.1.7 not disclose Personal Data to a third party in any circumstances without the Customer’s prior written consent, other than:

(a) in relation to Third Party Requests where Jisc is required by law to make such a disclosure, in which case it shall use reasonable endeavours to advise the Customer in advance of such disclosure and in any event as soon as practicable thereafter, unless prohibited by law or regulation from notifying the Customer;

(b) to Jisc’s employees, officers, representatives and advisers who need to know such information for the purposes of Jisc performing its obligations under this Agreement and in this respect Jisc shall ensure that its employees, officers, representatives and advisers to whom it discloses the Personal Data are made aware of their obligations with regard to the use and security of Personal Data under this Agreement; and

(c) to a sub-contractor appointed in accordance with clause 5 below.

4.1.8 not make (nor instruct or permit a third party to make) a Data Transfer without putting in place measures to ensure the Customer’s compliance with Data Protection Legislation;

4.1.9 on the written request of the Customer, and with reasonable notice, allow representatives of the Customer to audit Jisc in order to ascertain compliance with the terms of this clause 4 and/ or to provide the Customer with reasonable information to demonstrate compliance with the requirements of this clause 4, provided that:

(a) the Customer shall only be permitted to exercise its rights under this clause 4.1.9 no more frequently than once per year (other than where an audit is being undertaken by a Customer in connection with an actual or ‘near miss’ Personal Data Breach, in which case, an additional audit may be undertaken each year by the Customer within thirty (30) days of the Customer having been notified of actual or ‘near miss’ Personal Data Breach);

(b) each such audit shall be performed at the sole expense of the Customer;

(c) the Customer shall not, in its performance of each such audit, unreasonably disrupt the business operations of Jisc;

(d) the Customer shall comply with Jisc’s health and safety, security, conduct and other rules, procedures and requirements in relation to Jisc’s property and systems which have been notified by Jisc to the Customer in advance; and

(e) in no case shall the Customer be permitted to access any data, information or records relating to any other customer of Jisc.

4.1.10 except to the extent required by Applicable Law, on the earlier of:

(a) the date of termination or expiry of the Agreement (as applicable); and/or
(b) the date on which the Personal Data is no longer relevant to, or necessary for, the performance of the Service, cease Processing any of the Personal Data and, within six (6) months of the date being applicable under this Clause 4.1.10, return or destroy (as directed, in writing, by the Customer) the Personal Data belonging to, or under the control of, the Customer and ensure that all such data is securely and permanently deleted from its systems, provided that Jisc shall be entitled to retain copies of the Personal Data for evidential purposes and to comply with legal and/or regulatory requirements;

4.1.11 comply with the obligations imposed upon a Processor under the Data Protection Legislation; and

4.1.12 assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the UK GDPR taking into account the nature of Processing and the information available to Jisc, provided that Jisc shall be entitled to charge a fee to the Customer (on a time and materials basis and at such rate notified by Jisc to the Customer from time to time) in respect of providing any such assistance to the Customer.

4.2 Notwithstanding anything in this Agreement to the contrary, this clause 4 shall continue in full force and effect for so long as Jisc Processes any Personal Data on behalf of the Customer.

5. Sub-contractors

5.1 Jisc may from time to time use sub-contractors to perform all or any part of its obligations under this schedule. Notifications regarding the sub-contractors Jisc uses from time to time in connection with the performance of the Service can be found on the Website here: https://www.openathens.net/appointed-sub-contractors/. The Customer may object to the appointment of any sub-contractor and Jisc shall reasonably take into account the views of the Customer in appointing any such sub-contractor, but for the avoidance of doubt the appointment of any sub-contractor shall be at Jisc’s absolute discretion and Jisc shall have no obligation to act in accordance with any objection raised by the Customer.

5.2 Jisc may from time to time disclose Personal Data to its sub-contractors (or allow its sub-contractors to access Personal Data) for Processing solely in connection with the fulfilment of the Permitted Purpose.

5.3 Where Jisc uses a sub-contractor to Process Personal Data for or on its behalf, it will ensure that the subcontractor contract (as it relates to the Processing of Personal Data) is on terms which are substantially the same as, and in any case no less onerous than, the terms set out in clause 4 of this schedule.

5.4 Jisc shall remain liable to the Customer for the acts, errors and omissions of any of its sub-contractors to whom it discloses Personal Data, and shall be responsible to the Customer for the acts, errors and omissions of such sub-contractor as if they were Jisc’s own acts, errors and omissions to the extent that Jisc would be liable to the Customer under this Agreement for those acts and omissions.

Dec 2023 v7.6