ORCID’s vision is a world where all who participate in research, scholarship, and innovation are uniquely identified and connected to their contributions and affiliations across disciplines, borders, and time. We provide an identifier for individuals to use with their name as they share their ideas. We provide open tools that enable transparent connections between researchers, and identifiers for their contributions as well as their affiliations. What may appear to be a humble alphanumeric string in fact offers crucial opportunities to engender trust and support open research.
Confidence and trust are important to us. We have put controls, policies, and practices in place so these connections are controlled by researchers and the source of each connection is openly articulated.
ORCID is a community-built and community-managed organization. We have a dedicated international team that collaborates broadly to build a durable and high-fidelity research information infrastructure. We are grounded by 10 principles that guide our work. These principles emphasize our commitment to being a respectful, reliable, inclusive, and accountable partner of the research community. We respect the privacy and information sharing needs of the individuals that hold ORCID iDs, who control whether their information is shared and with whom. As a non-profit organization, we are not incentivized to profit from information entrusted to us. We are governed by a volunteer Board elected from our membership—organizations in the research community—who ensure we remain true to ORCID principles.
This ORCID Trust Program provides greater transparency into the components that are foundational to our principles.
Individual Control
Our tools and services provide you control over your registration, what is connected to your iD, and who can access your information. We provide system security and protection to ensure that user control is maintained.
Have confidence that ORCID will:
- Provide unique person identifiers
- Respect my privacy by letting me decide what information is associated with my iD
- Be clear and consistent about how I control access to my information
- Allow me to decide who has access to what information and to change those permissions at any time
- Follow the data protection rules in my country
We work hard to ensure you are proud to associate your ORCID iD with your name and are confident about using it in the systems and services you encounter. Individual ownership and control over your ORCID iD is one of ORCID’s core principles. As a user, you control what information is connected to your iD and who has access to your data. ORCID works with the community to ensure that best practices are employed in collecting ORCID iDs, and that our privacy and data control practices ensure you always maintain control of your record.
You. Not someone like you.
Names are complex. The same name can refer to different people, and one person can have many names. ORCID provides you with a unique digital identifier or “name” that you can use throughout your career as you share ideas, join new organizations, or use research facilities. You register for your own identifier, use it, and manage the connections between your identifier and your work.
Who can have an ORCID iD?
Anyone in the research community can register for an ORCID iD! The definitions of “researcher,” “scholar,” and “contributor” evolve over time and vary from field to field. Rather than have a rigid—and likely incomplete—definition of who would “qualify” for an iD, ORCID enables everyone who finds benefit from using the ORCID Registry to be able to obtain and use an ORCID iD. To further remove barriers, the Registry is translated into several languages. ORCID does not charge individual users a fee for creating or maintaining their ORCID record or for exporting data. We work with individuals and organizations across disciplines and sectors to ensure that iD-holders can connect their iD to their affiliations and contributions.
ORCID privacy principles
- You own your ORCID iD and record
- You control who accesses the information in your ORCID record
- You may change access preferences at any time
- You may close your ORCID account at any time
- Organizations may only add information to your ORCID record if you have granted permission for them to do so, and they may only update or remove information that was added by them
Only relevant data
ORCID limits the types of data that are included about you.
The data ORCID collects and holds
The data stored in the ORCID Registry consists of information that you, as a user, have provided or your authorized trusted individuals or organizations have added with your permission. Other than the identifier itself, we do not require information in an ORCID record to be publicly accessible.
When registering for an ORCID iD, only three items are required:
- Your given name. This is included in your public ORCID record initially, but you may make it private at any time. We encourage—but do not require—inclusion of a family name.
- Your email address. This is hidden from others initially, but you may choose to share it with others, including the public. We require you to validate your primary email if you want to manually update your record, and we encourage you to include additional email addresses and to choose a primary email for the purpose of receiving messages.
- A password. This is hashed before being stored in our database using a “salted one-way hash,” a secure storage method. To verify your password when you sign in, we apply the same hashing process and compare the result to what is stored in our database.
In addition to these required fields, an individual ORCID record may include the following information:
- Biographical information, such as your name variations in any language, keywords, country/ies where you do your work, websites, person identifiers from other systems, and/or a short biography.
- Affiliation information, such as the post-secondary schools you attended and/or places you have worked.
- Funding information, such as the grants, contracts, and/or awards that you have received or contributed to.
- Research contributions, such as publications, creative works, videos, compositions, data sets, peer reviews, conference presentations, patents, software, and/or dissertations and theses that you have authored, led on, or contributed to.
The data NOT collected or held by ORCID
ORCID does NOT collect or store other identifying or sensitive information such as date of birth, gender, credit card numbers or other financial information, medical information, physical address, phone numbers, social security numbers, passport, or national identity numbers. There are no fields in the ORCID data structure to hold any of this information.
Your data, controlled by you
It is an ORCID principle, protected by our bylaws, that you control your own ORCID record. Our systems are designed so nothing can be added to your ORCID record without your explicit consent. As a user, you have fine-grained control over the visibility of information in your ORCID record, and you may change visibility, share, or remove information in it at any time. Our internal policies and practices prevent us from sharing information in any way other than how you specify or you agree to under our privacy policy. For example, we are unable to answer questions about you that would require us to share data that you have not made publicly available in the ORCID registry.
We work with the community to use authenticated workflows for requesting ORCID iDs and permissions to access ORCID records. This means your iD can be connected to an activity, idea, or organization only with your direct permission. This is not only in line with best practices for data security, but also ensures data quality and enables users to opt into auto-update functionality.
International policies to support our values
ORCID is an international organization, with users throughout the world and members in each region. We are aware that values and community norms regarding data collection, use, and privacy vary from country to country, and we recognize it is important that our policies and practices reflect our scope. Thus, we engage external counsel and auditors to review our policies and practices. Details about how ORCID handles user information can be found in our Privacy Policy. We have established Dispute Procedures to manage questions about data accuracy. Our privacy policy is certified annually by an independent third-party organization. Questions about this policy may be addressed by ORCID or this independent organization. Learn more about ORCID’s policies.
Reliability
We understand that dependability, availability, security, and durability are required of the systems and services we provide for you and the organizations you work with in the research community.
Have confidence the ORCID Registry will:
- Be accessible to the public
- Be available when needed, now and in the future
- Support the use of my iD and record
- Keep my personal information safe
- Continue to be driven by and respond to community needs
- Be prepared for challenges that may be hard to predict
- Evolve to the changing needs of its users
We understand that for ORCID iDs to be widely adopted and used by the community, our systems and services must be dependable, available, durable, and have integrity. We are addressing these requirements in three ways: facilitating succession if needed, system security, and our international support team.
ORCID openness to ensure availability
Of our 10 principles, seven deal directly with openness in at least one of its meanings. In addition to providing free access, no barriers to access for individuals, democratic and transparent governance, and open source software, we also actively seek to work with the community. We know that for any standard to be implemented, it must work for any individual regardless of discipline or location and for any organization regardless of whether it is non-profit, governmental, commercial, etc. We live and breathe collaboration; it is our lifeblood.
We take our role seriously in ensuring access to information you choose to share publicly on the ORCID Registry. We make your public data available under a Creative Commons CC0 License through the ORCID website, a public API, and an annual public data file. We have enshrined individual access to the Registry in our bylaws: Any change to ORCID’s principle that researchers are able to create an ORCID iD and edit and maintain an ORCID record free of charge must be approved by our Board and our membership.
Succession planning
Similarly, we are committed to open source. We also recognize that trust is the key to adoption and sustainability. If you decide you don’t like what we are doing, you effectively have an insurance policy. Since our software code, technical specifications, and documentation are freely available, our openness means if circumstances require, the community could re-create ORCID by collecting and re-assembling our parts. You could use our CC0 public data, our open software source code, and/or our open documentation together with the community we are helping to build, to create a new community-led alternative and ensure the continuation of the ORCID vision.
Sign in with confidence
We provide options for you to secure access to your iD and record. You may choose to use your ORCID username and password, or you can sign in with your Google, Facebook, or institutional sign-in credentials. Use the option that provides you the most confidence.
Securing your information and protecting against vulnerabilities
ORCID works hard to earn and maintain your trust by handling your data in a respectful, secure, and reliable environment. We follow best practices in information security and protection. We keep your data safe by using enterprise-level data security practices and limiting the information we collect and hold about our users. We use well-respected cloud service providers including Rackspace and AWS to host our data and servers. These organizations employ industry-leading security techniques, and they also certify their systems annually to assure compliance. We perform weekly application-level vulnerability testing, addressing concerns immediately, and we use rigorous deployment testing and code review processes to ensure our systems are free of errors that would leave your data compromised.
To mitigate the impact of failures, we use generally accepted practices for disaster recovery and backups to ensure nothing is lost if things do not go as planned.
Supporting your use and incorporating your feedback
Your feedback is important to us and helps us ensure we are on track. Thank you to all who have shared your ideas. We make our roadmap publicly available, and we invite the community to participate in suggesting new functionality. To make suggestions, we invite you to Tweet us (using the hashtag #ORCID feedback), contact us directly, share your ideas in meetings, or tell us in person at events.
We have regional teams who provide assistance to our users and members around the world in several languages and across all time zones. Key pages on our website have been translated into many languages, with more in progress. In addition, our Outreach Resources page is designed as a one-stop shop for member and researcher resource needs. We also organize regional workshops and webinars throughout the year to engage directly with the community.
Accountability
We make ourselves accountable to all who use and support ORCID activities through our non-profit status, our membership-based sustainability model, community governance, and data dispute procedures.
Have confidence ORCID will:
- Remain an open organization
- Persist as a service
- Be transparent when things don’t go as planned and enable users to fix things that aren’t right
Along with our users, our members—organizations in the research community—drive our growth. We make ourselves accountable to those who use and support ORCID activities through our non-profit status, membership-based sustainability model, community governance, and data dispute procedures.
We won’t be sold
As a membership organization, we are—by design—responsive to our community. In addition to being committed to openness and accessibility, ORCID is an independent not-for-profit 501(c)3 tax-exempt organization registered in the United States. As such, we are subject to US laws and regulations governing charitable entities, including the requirements that we must be organized and operated exclusively for charitable purposes and our activities cannot impermissibly benefit private interests. There are significant restrictions built into our governance structure and policies to ensure ORCID remains true to its nonprofit mission. Our bylaws require approval of the members to alter our commitment to free use for researchers, change in organizational structure, or sale or transfer of all or substantially all of our assets. In addition, our membership agreement forbids us from transferring the ORCID Registry or its operation without the consent of the members, except to a non-profit entity that is able to fulfill our existing commitments to members and to our Privacy Policy. Finally, our Privacy Policy requires us to provide you—as the ORCID iD holder and data subject—with the option to opt-out of any transfer of data to a third party in the case of a merger, sale, or other corporate restructuring, and this requirement cannot be changed without your consent.
The Registry is here to stay!
Our day-to-day operations are 100% supported by membership dues, and, thanks to community support, we became self-sustaining in 2019. While we built—and continue to build—our membership base, we received support in the form of long-term community loans (due to be repaid starting in 2021) and subawards from The Andrew W. Mellon Foundation, the US National Science Foundation, and grants from the Alfred P. Sloan Foundation and the Leona M and Harry B Helmsley Trust.
We have monthly financial reviews by our Executive Committee, and we undergo an annual audit of our financial activities. We post an annual report on our website, and our US Internal Revenue Service Form 990 annual tax filings are publicly available.
Governance
We are grounded by 10 principles that guide our work. These principles emphasize our commitment to respecting the privacy and data-sharing needs of our users and to being a reliable, inclusive, and open partner with the research community. To ensure we abide by these principles, we are governed by a volunteer Board.
The ORCID Board of Directors, as per our bylaws, is elected from our membership and the majority must be from non-profit organizations. We endeavor to ensure that Board membership is balanced by region and community sector, and we reserve up to two seats on the Board for non-member researchers. Our Nominating Committee receives recommendations and all members may participate in elections, which are carried out by electronic ballot in November.
The ORCID Principle that researchers are able to create an ORCID iD and edit and maintain an ORCID record free of charge is enshrined in our bylaws, and any proposed change to that provision needs to be approved not only by the Board of Directors, but also by our members. More than 70% of ORCID members are research performing organizations or funders, placing the future of ORCID squarely under their control.
Handling disputes
We have established policies about how information is associated with an ORCID iD, and how the information contained in an ORCID record can be challenged. Further, all items attached to an ORCID iD contain a “source” and date field that shows the provenance of that information. Other than the iD holder and any trusted individuals to whom they grant access, only ORCID members—all of whom have agreed to our privacy and openness principles—may request user permission to write to ORCID records. We have a set of dispute procedures that outlines how we handle reports of incorrect data and transparently involve all parties to address the issue.
Transparency and notification
If you have specific questions about our security practices, please contact us.
Trust is built on understanding, and understanding requires transparency. You can always access and review the data in your ORCID record and its source. We notify users and ORCID members if our policies or practices change or if something happens that presents a challenge to our privacy and security commitments.
- Security breaches. Should non-public data be released, either due to an internal or external challenge to the system, ORCID will endeavor to notify affected users and members within 24 hours of the breach. We will describe the issue, provide information on how it is being or has been addressed, and indicate what action should be taken by users, if any.
- Government requests. Should ORCID receive any data requests from governments, we will consult with our legal team to make sure such requests satisfy legal requirements and ORCID policies. Unless prohibited by law or court order, ORCID will notify users about legal demands when appropriate.
Integrity
We work with the community to enable high-fidelity connections between individuals and their contributions and affiliations. We have developed processes and tools for creating, managing, and interpreting ORCID Registry information.
Have confidence:
- ORCID enables high-fidelity connections with other identifiers
- You will understand how to interpret information stored in an ORCID record
We work with the community to enable high-fidelity connections between individuals and their contributions. We have developed processes and tools for creating, managing, and interpreting ORCID Registry information.
Managing assertions
ORCID provides tools for you as a user, or any organizations you permit, to assert connections between your ORCID iD and your research activities and affiliations. We store and display metadata that indicate the source of the assertion (e.g., yourself, a search and link wizard, or a funder). Only member organizations—all of whom have agreed to abide by our privacy policy in their interactions with users—may request permission from you to make these assertions, and they must use the ORCID APIs to do so.
In addition, we:
- Support grouping of related information in an ORCID record. When there is information from different sources about the same paper, data set, or other research activity, ORCID will group the data based on shared identifiers.
- Enable automatic updates. You may opt to allow automatic update of your ORCID record by organizations you trust.
Managing duplicates
We strive to ensure you are consistently linked to the ORCID iD that you have established. To help prevent duplicate iDs from being created for you, we provide the following controls:
- Only you can create an iD for you. We have found the best way to prevent duplicates is to ensure you know about any iD being created to represent you. So, we put you in control by establishing processes and policies for an iD to only be created by the individual that it represents.
- Email addresses can only be associated with a single ORCID iD. If you try to link an email address that is already connected to an ORCID iD, you will receive an error with instructions on how to proceed. To help minimize the risk of duplicates, we encourage you to include all of your email addresses in your ORCID account. You can even include past ones! You may mark any or all of them private, but you must indicate which one we may use to contact you with specific service messages (such as potential outages).
- Alternate sign-ins. Duplicates sometimes happen because an individual loses access to his or her account. To help ensure you never lose access to your account, we have enabled you to link your ORCID account to other accounts, such as the one you use at your institution or your Google or Facebook account.
- Is this you? If we notice you are creating a new iD that looks like it could be a duplicate, we’ll let you know by suggesting other accounts that might be yours. If one is, you will be directed to sign into your existing account. We’ll even help you retrieve your password if you can’t remember it.
- When duplicates happen anyway. You may use the functionality in account settings to link your records or contact our Support Desk if you have inadvertently registered more than once. ORCID will never delete an identifier; rather, any duplicates are deprecated and will resolve to the primary record you designate.
Managing corrections
One of the core ORCID Trust principles is “Individual Control.” This means your data is controlled by you. However, in limited circumstances, ORCID may proactively correct data in a record where system errors have resulted in invalid data. We will not correct incorrect data.
- Invalid Data (may be corrected by ORCID) – This includes information that does not match data entry rules or where a data standard has changed. For example, modifications to:
  - Clean up null or empty fields.
  - Fix formatting issues in the data, such as changing carriage returns for new lines, replacing two spaces with one space, or trimming white space. Changing “ Example title ” to “Example title” would fall under this classification.
  - Address a change to a standard. For example, changing an identifier display that is no longer case sensitive.
- Incorrect Data (will not be corrected by ORCID) – This includes information that may be intentionally or unintentionally factually incorrect, such as:
  - Spelling mistakes.
  - Incorrect or out-of-date identifiers.
  - Identifiers or URLs that should be resolving identifiers.
ORCID recognizes the importance of transparency. As a result, all changes of invalid data will be publicly accessible for viewing. We publish a list of all invalid data changes, updated when invalid data corrections are made.