As many of you know, each year we review our privacy policy and undergo an external assessment of our data protection practices. I am delighted to announce that we have now published our updated privacy policy and have been awarded the TrustArc International Privacy Verification Seal.
The changes to our privacy policy are described below:
Privacy Shield. In July 2020, the European Court of Justice ruled the EU-U.S. Privacy Shield Program to be invalid. This was the legal framework for safeguarding transfer of data from the EU/EEA to the US, and this was referenced in our privacy policy as our primary systems are hosted in the US. We have changed the wording in the privacy policy to reflect this development, while reaffirming our commitment to the underlying principles of the framework. We recently published an FAQ for our EU/EEA/UK Members regarding the impact of these changes on transfers of personal data from their organizations to ORCID.
ORCID Member Portal. Another major development is the rollout of the ORCID Member Portal. This is a new suite of tools intended to help institutions make the most of their ORCID membership. As this is a brand new system and provides a new way of transferring data between Members and ORCID, we conducted a full Data Protection Impact Assessment, as required by GDPR. As a result, we added a new section to our privacy policy covering the Member Portal. While this new platform is an exciting development for our Members and will drive useful functionality for researchers, most Registry users will not be impacted by this change to the privacy policy.
Machine Learning. At ORCID, we are continually looking at ways to benefit our community by upgrading our systems to take advantage of the latest and greatest technologies. It is becoming increasingly clear that machine learning is being used widely across the technology industry to deliver value to users, including within the world of scholarly communication. Many tools and services are now available free of charge or at reasonable cost, and we announced recently that we are working on a machine learning approach to reduce the occurrence of spam in the Registry. We have added a section about this to our privacy policy, to be as transparent as we can about the use of this technology. We still have plenty of work to do to get this functionality into production, and this will include a full assessment of the impact on data protection and of the fairness of any decision making models. For now, we are just laying the groundwork in this privacy policy update.
Permission Revocation. Last year, we changed the privacy policy in anticipation of changes related to the revocation of permissions. The previous changes would have allowed Members to update items on Records of which they are the source, even after permission to add new items to the Record had been revoked by the record holder. This capability was requested by several of our Members. However, after further analysis and discussions with Members, we have determined their use case can be met by enabling Members only to delete items they have previously added to records after permissions are revoked, but not to update them. The reasoning behind these changes has always been to increase trust in the data on the Record and reduce the possibility of incorrect or disputed data. The privacy policy has been updated to reflect this change.
There were several other minor updates to the privacy policy:
- We added more detail about data we collect when you use single sign in systems to access your ORCID account, such as Facebook, Google, or institutional federated identity providers.
- We improved transparency about our audit trail, which is composed of raw server and application logs that can be analyzed and interpreted if necessary.
- We updated the definition of ‘Only Me Data’ to summarize behavior that was previously only described in other sections of the policy.
- We provided further reasoning for retaining a cryptographically hashed form of your email address, explaining that this is part of our obligation to keep a record of data erasure requests.
- We clarified that we may use information we collect about your use of our websites for the purpose of maintaining information security.
- We confirmed that although we post restrictions on commercial use of Registry data, ORCID does not undertake the responsibility to police third party uses of data.
- We made various other minor changes to improve clarity and readability, without changing the underlying meaning.
If you wish to review the Privacy Policy in full, please check it out here.