Introduction
In light of the growing trend of consolidation within the academic publishing industry whereby smaller publishers, learned societies and journals are increasingly outsourcing the publication process to larger academic publishers and hosting platforms through publishing contracts/agreements, this policy provides further guidance on the responsibilities of ORCID member publishers and service providers with regard to ORCID-integrated services.
This policy provides further detail on, and should be read in conjunction with, the ORCID Membership Terms and Conditions.
Framework
The heart of ORCID’s service is the scholarly profile data that researchers choose to share with ORCID. Maintaining the trust of those researchers is of critical importance in maintaining and growing high levels of researcher participation in ORCID, and in turn increasing the value that ORCID offers to the scholarly community. Consequently, ORCID takes its commitments to Data Protection under the European General Data Protection Regulation (GDPR) and other various local, national and international data protection/privacy legislation very seriously, and we expect our member organizations to do the same. It is very important that disclosures made to ORCID users when they authorize a service to connect with their ORCID account are accurate and correctly describe the party that is taking responsibility for the personal data once it is transferred.
In order for ORCID to be able to enforce our membership terms (if necessary) and protect our users’ personal data, ORCID needs to ensure that the party taking responsibility for personal data obtained by and used by an integrated service is bound by the relevant terms of our membership agreement.
For this reason, the key factor used by ORCID in determining which party must take responsibility for integration with ORCID’s services (and therefore whose member credentials must be used for interacting with the ORCID APIs) is the party that takes responsibility for the personal data transferred from the service to ORCID, or vice-versa, as part of the integration.
In GDPR terminology, this party is designated as the “Data Controller” — the party that determines the ‘how’ and ‘why’ in relation to the processing of personal data. Other privacy regulations around the world use similar terminology.
Terminology
There is large variation in arrangements for the division of responsibilities between smaller publisher organizations and the publishers they partner with and service providers they use for various aspects of the publishing process. Terminology varies across the industry; however, in this policy, we use the following definitions:
- An Outsourcing Publisher is a publisher that owns the publication, typically maintaining editorial control and owning intellectual property rights in the name and branding of the publication.
- A Hosting Publisher is a service provider that hosts publications owned by Outsourcing Publishers on its platforms, often alongside its own publications.
- A Publishing Service Provider is a service provider that provides services to publishers that interact with researchers in their roles as authors, reviewers, editors and/or consumers of content. Examples of such services include manuscript submission and tracking systems and content hosting platforms.
In some cases, the same organization may act as both Hosting Publisher and Publishing Service Provider for a given Outsourcing Publisher.
Note that we make no distinctions based on the form, format or business model of the publications that fall under these definitions. Traditional peer reviewed journals (whether open access or pay-to-read), books, pre-prints, etc. will all be evaluated under the same criteria.
Policy
All integrations with ORCID involve some transfer of personal data between the ORCID system and the integrating party’s system. At the very minimum, ORCID IDs are exchanged, which themselves meet the definition of personal data under GDPR and other privacy regulations. Often, subject to privacy settings chosen by the user themselves, names, email addresses, affiliations and other additional items of personal data may be transferred.
ORCID will review the privacy policy/policies provided to users of the service, along with other relevant documentation, in making a determination as to which party/parties are acting as Data Controller for personal data obtained from or contributed to ORCID, in order to apply the following rules:
- If the Outsourcing Publisher is the Data Controller of the personal data obtained from or contributed to ORCID by an ORCID-integrated publication, and if the publication is a commercial service, the Hosting Publisher and/or Publishing Service Provider is considered a “Service Provider” per the Terms and Conditions of ORCID membership. As a result, the Outsourcing Publisher must be a member of ORCID in its own right and its member API credentials must be used by the Service Provider for the integration.
- If the Hosting Publisher or Publishing Service Provider is the Data Controller of the personal data obtained from or contributed to ORCID by an ORCID-integrated service, and if the integrated platform is a commercial service, the Hosting Publisher/Publishing Service Provider is not acting as a “Service Provider” per the Terms and Conditions of ORCID membership. As a result, its own member API credentials may be used for the integration; however, as the service is commercial, the Hosting Publisher/Publishing Service Provider must be a member of ORCID in its own right.
- If both the Outsourcing Publisher and the Hosting Publisher/Publishing Service Provider are responsible for the personal data obtained from or contributed to ORCID by an ORCID-integrated service (a situation designated as “Joint Controllers” under GDPR), and if either party is operating the service commercially, then the parties which are deriving revenue from the service must all be members of ORCID, and either party’s member API credentials may be used for the integration.
- If the Outsourcing Publisher is the Data Controller of the personal data obtained from or contributed to ORCID by an ORCID-integrated publication and if the publication is NOT commercial, then ORCID membership is not required and the ORCID public API may be used for the purposes of collecting authenticated ORCID IDs and accessing public profile data. However, the public API key must be registered under the personal ORCID account of a person that works for the Outsourcing Publisher and is prepared to take responsibility for the personal data obtained from ORCID. Note, however, that this arrangement is not recommended, as organizations may lose control of the relevant API key should the individual who registered it leave their organization. ORCID membership is necessary for organizational ownership and administration of the API key.
In the above, we define non-commercial services as services that do not charge any re-use fees for access to ORCID services, and do not generate revenue for the party providing the service, no matter how that revenue is derived. For the avoidance of doubt, revenue-generating services operated by non-profit or tax-exempt organizations are considered commercial under this definition.
Further note that if the publisher has outsourced various parts of the publishing process to different service providers (e.g. manuscript submission, content hosting, etc.), each platform will be evaluated separately according to these criteria.
The ORCID Terms and Conditions relevant to this policy are detailed below.
Applicable Terms and Conditions
The Terms and Conditions of ORCID membership are available (for direct ORCID members) on our website. In particular, the following provisions are most relevant to this policy:
Section 1.2 Service Providers. As used in this Section 1.2, “Service Provider” means an organization that provides services or products to other organizations based on the use of an API credential, other Member Benefits, or the creation or authentication of ORCID identifiers. Service Providers must require their customers to make use of their own API credentials, whether in the form of the free Public API Credential or a paid Member API Credential. ORCID reserves the right to determine if an application requires a separate API credential; therefore, Service Providers are encouraged to discuss their plans with ORCID in advance of implementation.
Section 1.10: Limitations on Member’s Use. Member is prohibited from and agrees to the following restrictions:
Clause 1: Not to allow any other entity to use its Member API Credential(s) except to assist Member on Member’s own behalf;
Clause 10: Not to use any or all of the Member API Credential(s) or its Member Benefits, to create a service or product that allows organizations to obtain the benefits of those Member Benefits without being an ORCID Member
Section 4.2 Protection of the Member API Credential(s), the ORCID Registry and ORCID Record Data. Member agrees to use the Member APIs and its Member API Credential(s) only as set forth in these Terms and Conditions and shall take reasonable efforts to protect the Member API Credential(s) from any security breaches or other use that is in violation of these Terms and Conditions or applicable law. Member shall be liable for its intentional misconduct or negligent use of its Member API Credential(s). Member agrees to notify ORCID promptly upon (i) learning of any violation or alleged violation of these Terms and Conditions or security of a Member API Credential(s) or the ORCID Registry or (ii) becoming aware that any Record Data the Member has deposited/edited violates or may violate the rights of privacy, publicity or other rights of an Individual. Furthermore, Member shall cooperate fully with ORCID in investigating and curing any alleged violations, including without limitation, assisting ORCID in providing any Individuals with required notices. Additionally, in the event of a violation of the Agreement, Member understands and agrees that ORCID may (in addition to taking legal action) impose restrictions on the use of its Member API Credential(s) and access to the ORCID Registry until the violation is cured or the Agreement is terminated by ORCID pursuant to Article 8.
Our Public API Terms of Use further state that our Public API may not be used for commercial purposes, by which we mean that “you may not charge any re-use fees for the Public APIs, and you may not make use of the public APIs in connection with any revenue-generating product or service.”
The net effect of these provisions is that ORCID members who offer ORCID-integration functionality in services which are offered to other organizations on a commercial basis must not extend the use of their own ORCID membership credentials and/or the benefits/services provided to them by ORCID, to their customers. Instead, commercial service providers may offer the ability for customers to “plug in” their own ORCID Member API credentials to their instance of the service provider’s platform.
Do you have questions about this policy?
For further information, please contact [email protected], and our Engagement Team would be happy to answer your questions on membership and integrations.
Last updated: 8 August 2025