Keeping ORCID Trusted and Trustworthy
Highlights
- ORCID has revamped our Privacy Policy
- We have not changed any of our underlying privacy practices
- A major substantive change was how we present information about people’s data protection rights
- Read our updated Privacy Policy, and view a table of the updates.
We have recently released 2024 updates to our Privacy Policy.
Privacy is and has always been a fundamental concern for ORCID. This is reflected in our founding principles and values, in our Strategic Priorities, as well as in our day to day operations. Whether you are an ORCID record holder, an attendee at one of our events, a representative of one of our Member Organizations or a combination of the above, we want to make sure that we are clear about how and why we collect and use your personal information.
Keeping up with significant global changes to privacy regulation
ORCID regularly reviews how we use personal data to ensure that our ways of working are in line with our principles, the practices outlined in the ORCID Trust Program, as well as meeting our legal obligations. Although the ORCID Privacy Policy has been updated regularly since first drafted in 2012, the changes have mostly been incremental; the policy has never undergone a ground-up review until now. While our core personal data processing activities have not altered significantly in this time, several things have changed: there has been significant evolution in data protection regulations, the scope of our processing of personal data has expanded beyond just the ORCID Registry, and approaches to presenting privacy practices in a clear and understandable manner have also evolved. These developments, along with the appointment of ORCID’s first dedicated Data Protection Officer in late 2023, means it is now a good time to ensure ORCID’s Privacy Policy not only meets our legal obligations, but reflects current best practice in the provision of privacy information with a thorough re-write.
Our revision process included intensive reflection and analysis
Revamping our Privacy Policy was a carefully considered process that involved members of every single team across ORCID’s staff. We began by comparing the information in our 2021 Policy with the personal data uses listed in our ROPA (Records of Processing Activities), created as part of a 2022 data protection review project, and other internal documentation.
We also reviewed the requirements of the EU General Data Protection Regulation (GDPR) as well as the transparency requirements of other national data protection laws that could affect ORCID and our community. Finally, we conducted a survey of privacy policies published by a range of other organizations in different sectors and countries, gathering examples of good practice and to generate new ideas for how best to present our new Policy in terms of clarity, layout, and content.
We want ORCID’s Privacy Policy to be easier to understand
By nature, privacy policies are dry, information-heavy documents that are rarely engaging to anyone. There’s a lot of information to get across and different legal obligations to meet, but they fulfill an important purpose and our privacy policy is one way we demonstrate our Value of Openness. To ensure as wide a readership as possible, we wanted ORCID’s Privacy Policy to be written in a way that is simple to read and understand, and logically structured to make it easier to navigate. It’s important to us that those reading the policy can quickly understand their rights and our approach to data protection and so we have given this information more prominence in the new version.
During our review, we determined that some of the information in our 2021 policy belonged in other parts of the ORCID website. To improve clarity and reduce the length of the policy, we have moved the detailed privacy settings “how-to” information from the policy to our help pages, where people can more easily find this type of guidance. We’ve also moved the information about how we deal with records of deceased persons here.
Providing comprehensive data protection rights, regardless of location
One area where we have made significant changes is in the presentation of information about people’s data protection rights. We realize that although ORCID is a US-based organization, we have a global community of users and members and there is specific information that our stakeholders in different countries expect to see. We wanted to make this as clear as possible so our stakeholders have confidence in how we approach our data protection obligations around the world.
The new Policy confirms our position that, to the extent possible, we will extend the data subject rights found in the GDPR to everyone whose data we process, regardless of where they are located. Other privacy laws often include similar rights but they may not be as extensive as those found in the GDPR. As a US-based organization we have also added a handful of rights unique to emerging privacy regulations in various US States. By taking this approach, we aim to meet the highest level of privacy rights for all record holders and other stakeholders around the world.
Comprehensive coverage of all of our personal data use
While our 2021 Policy already included detailed explanations of our personal data uses in the ORCID Registry and websites, it didn’t cover our uses of personal information related to support requests, mailing lists, membership administration, grant applications, or ORCID events and community engagement channels — services which have been added or extended since the original policy was drafted. These are now included in the revised version, structured according to the different data use scenarios in Section 6 (The data we use and why we use it) so the reader can quickly see what is and is not relevant to them, depending on their relationship with ORCID. Together with Section 5 (How and when we collect your data), we now describe all the ways we collect and use personal data when providing our services, and why we need the specific information in each of these cases.
Our privacy practices have not changed
Although the structure of our privacy policy is now somewhat different, almost all of the information that is in the 2021 Policy is either included in the new version or has been moved to the new Privacy Settings help page. We have not changed any of our underlying privacy practices as part of this rewrite. For ease of comparison we have completed a line by line comparison between the two Policies — the table in the attached document summarizes the changes made.
ORCID’s Privacy Policy review process includes internal and external stakeholders
Prior to publication, our new Privacy Policy was extensively reviewed by a number of different internal and external stakeholders: the ORCID senior team; our Board of Directors; specialized external privacy counsel; and ORCID’s legal counsel. It has also been assessed by TrustArc, our external privacy certification vendor, who certifies ORCID’s data protection processes against their TRUSTe Verified International Privacy program every year. This year we received recertification against the new policy and, consequently, confirmation that it meets the transparency standards defined in the EU–US Data Privacy Framework (even though as a non-profit organization, we are not formally eligible to participate in this program).
We invite you to review our updated Privacy Policy and learn about your data protection rights as an ORCID stakeholder. If you have any questions or concerns about ORCID’s privacy policy or these changes, please let us know by emailing [email protected].
Thank you for your continued trust in ORCID!