Skip to main content

Use of personal data for identity verification and authentication

Find out how your personal data is held, used and kept secure


How is my personal data used

The personal details you share are used solely for the purpose of identity verification and authentication.

How is my information held by the University

The personal details you provide when you set up Self-Service Password Reset and Multi-Factor Authentication are held securely within Microsoft’s systems and only you can view your full data.

A small number of University of Bath System Administrators will be able to view your contact information but will not have access to the answers to your security questions.

Why is personal information required

In order to prove your identity to the system, the information you provide needs to be unique to you, for example, a personal phone number or email address.

We recommend that you use the Microsoft Authenticator App to authenticate where ever possible, as this allows for personal verification while reducing the amount of personal contact information you need to provide.

Statement from the University's Data Protection Officer

The University processes the information you provide in pursuit of its legitimate interests – ensuring the appropriate protection of University systems and the information held within. The data in question is kept and processed in accordance with the Data Protection Act 2018 and the UK GDPR; it will be permanently erased 30 days after an account is removed from the system. We consider that this interest is not outweighed by the interests or rights of the data subjects, taking into account the secure way in which we will hold the data and the fact that account holders would be adversely affected by any security breach of University systems. An alternative legal basis may be that this processing is necessary for compliance with the University’s legal obligations under the GDPR in terms of using appropriate technical and organisational measures to ensure the integrity and confidentiality of personal data.

If you have any questions or concerns about how your personal data is used, please email the Data Protection Officer

What information is stored by the Microsoft Authenticator App

Find out when and why information is stored:

  • Account information is stored when you add an account to the app. When an account is removed, the data is deleted
  • Diagnostic data is stored for providing feedback. This may include; email addresses, IP addresses, or server addresses as well as device name and operating system version. Only information required to enable troubleshooting is saved and can only be accessed by Microsoft if you submit your log files to them
  • Data related to app use, but not in any way identifiable, is stored in order to enable app improvements. This may include information about when accounts are added, or notifications are approved. It’s possible to turn off this data sharing within the Settings

What permissions does the app request

The app will request the following permissions when it is required to follow out certain actions:

On iOS:

  • User Content: this is only used if you report a technical issue through the app. Some information such as log files is collected when you do this to troubleshoot
  • Identifiers: user ID and Device ID are recorded for troubleshooting
  • Usage Data: product interaction (accounts being added or notifications being added) are recorded for the development of the application
  • Diagnostics: general diagnostic data is recorded for troubleshooting
  • Contact Info: email address will be recorded when an account is added

On Android:

  • Use of biometric hardware and fingerprint readers: this allows the app to use biometrics like facial recognition or fingerprint reading, if your device supports these, instead of entering a PIN to access the authenticator. This improves security
  • Camera: this allows the camera to be used to add an account using a QR code. It is possible to manually enter a code if you choose not to allow camera access
  • Contacts and phone: the app uses these to automatically add work or school accounts
  • SMS: this is used for receiving a verification code when you use a personal account
  • Draw over other apps: this allows notifications to be displayed while using other apps
  • Receive data from the internet: this is used for sending notifications
  • Prevent phone from sleeping: this setting allows the device to be kept awake to ensure that notifications are received.
  • Control vibration: this allows the app to vibrate the device when a notification arrives
  • View network information: this allows the app to check your device is connected
  • Read the contents of your storage: this is only used if you report a technical issue through the app. Some information such as log files is collected when you do this to troubleshoot
  • Full network access: this is required to send notifications when verifying identity
  • Run at startup: this ensures that you can receive notifications after a restart

Help and Support

If you have any questions or concerns relating to your personal data and how it is used for MFA, please contact our IT Service Desk Team, via the IT Help Form.

On this page