Last updated: June 28th 2021
1.0 Introduction
This Privacy Policy applies to the websites at the orcid.org domain (the “Websites”) and mailing lists owned and operated by ORCID, Inc. (referred to as “ORCID”, “us”, “our” and “we”). ORCID is a nonprofit organization whose mission is to solve the name ambiguity problem in scholarly communication by operating an open-access registry (referred to as the “Registry”) of persistent unique identifiers for individual researchers, and an open and transparent linking mechanism with other ID schemes and research objects such as publications, grants, and patents. (We have no subsidiaries or affiliated companies to which this Privacy Policy applies.)
This Privacy Policy describes how ORCID collects, receives, uses, stores, shares, transfers, and processes your personal information, as well as your rights in determining what we do with the information that we collect through our Websites. It also describes the choices available to you regarding the use of your personal information and how you can access, update and correct your personal information. Researcher privacy is important to ORCID, and we believe that following community-sanctioned privacy practices is essential to the success of ORCID and the Registry it operates. Our privacy practices are based on three levels of openness and privacy, which owners of ORCID Records and their appointees have the ability to set: Everyone (Public), Trusted (Limited Access), and Only Me (Private). These levels are further described in section 3.0 (Choices You Have about Sharing Information) of this policy.
This Privacy Policy focuses primarily on people who have ORCID Records or are considering creating ORCID Records. This Privacy Policy also covers your use of the Websites and Registry if you are only visiting our Websites or searching the Registry. In this document we use “you” to refer to researchers, scholars, and other users of the Websites and Registry.
Our Websites and Registry may contain links to and from sites maintained by third parties. This Privacy Policy does not cover your activities on those sites, any information you may provide to those sites, or information that may be collected about you by those sites.
If you have a question about our Privacy Policy, please contact ORCID at https://orcid.org/help/contact-us.
By using our Websites, and/or by permitting the deposit (addition), editing, and/or publication of your personal information on or through the Registry, you agree to the terms of this Privacy Policy, including the transfer of personally identifiable information to the United States or another jurisdiction whose privacy laws may be different from those in your country.
2.0 Definitions
We use the following terms frequently in this Privacy Policy:
- Member: An organization that has entered into a fee-based Membership Agreement with ORCID.
- ORCID Record or Record: The composite data set other than system data (e.g., user ID, password, log files), including the ORCID iD, pertaining to a specific individual and stored in the Registry.
- Record Holder: The person who owns and is referenced in an ORCID Record. (See also Section 4.2.2 (Information Provided by a Third Party-Members) for limited exceptions.)
- ORCID Account or Account: An account created by the Record Holder as part of the ORCID iD registration process, required for access to and management of the Record Holder’s ORCID Record.
- Trusted Organization: An ORCID Member organization to which you have given the right to view, edit, and/or deposit specific data in your ORCID Record. (For example, you may grant a publisher the right to update information about your publications, or grant a funder the right to read information about grants that is otherwise not viewable by the public through the Registry.) (See section 3.1.2 (Settings for Visibility & Sharing – TRUSTED))
- Trusted Individual: A person to whom you have given the authority to manage your ORCID Record on your behalf, including selecting settings for visibility & sharing, naming Trusted Organizations, and editing and depositing data. (See section 3.3 (Trusted Individuals))
- Visibility & Sharing Settings: ORCID allows Record Holders to determine who can see their Record Data through three distinct options:
  - Everyone Data: Data from an ORCID Record that the Record Holder has given a visibility setting of “visible by everyone”. This data can be seen by anyone and is included in the ORCID public data file. (See section 3.1.1 (Settings for Visibility & Sharing – EVERYONE))
  - Trusted Data: Data from an ORCID Record that the Record Holder has given a visibility setting of “visible by those I trust”. This data can be seen by the Record Holder, and the Trusted Individuals and Trusted Organizations that the Record Holder designates. (See section 3.1.2 (Settings for Visibility & Sharing – TRUSTED))
  - Only Me Data: Data from an ORCID Record that the Record Holder has given a visibility setting of “visible by only me”. This data can be seen by the Record Holder and any Trusted Individual(s) the Record Holder designates. If the data was deposited by a Trusted Organization, it can also be seen by that organization. (See section 3.1.3 (Settings for Visibility & Sharing – ONLY ME))
3.0 Choices You Have About Sharing Information in your ORCID Record
We are committed to providing you with meaningful choices about your privacy and the ability to control how your information is used. A core ORCID principle is that you control the settings for visibility & sharing of your own ORCID Record data. To that end, ORCID allows you the right to control how your information is published on and shared via the ORCID Registry through various opt-in features.
3.1 Privacy – Settings for Visibility & Sharing
As a Record Holder, you can choose the visibility for each data item in your ORCID Record other than the ORCID iD, which is always visible by everyone. You may choose between visible to everyone, visible to those you trust, or visible only to you. You will choose the default visibility level, which applies to any data items you add to your Record, when you register, and can change this default and item-level visibility settings at any time. This section describes the visibility settings in detail.
3.1.1 EVERYONE visible by everyone
Accessible by:
Data items which you have set with the visibility of Everyone (Everyone Data) will be available to the public for viewing and use through the Registry, the ORCID API and via the ORCID public data file. Everyone Data is released under a Creative Commons CC0 1.0 Public Domain Dedication. This designation is a dedication to the public domain that allows anyone to copy, modify, distribute, store, or otherwise use Everyone Data for any purpose without asking for further permission.
3.1.2 TRUSTED visible to those you trust
Accessible by: People and Organizations I trust
Data items which you have set with the visibility of Trusted (Trusted Data) may be viewed through the Registry by you and your designated Trusted Individual(s) (if any) and Trusted Organizations (if any). It may also be used via the ORCID API by Trusted Organizations. You can elect to share specific data items with Trusted Organizations. Trusted Organizations will have these permissions for the time period indicated on the ORCID authorization page or, if no time period is specified, until you revoke these permissions. At any time, you can elect to revoke permissions for any Trusted Organization on the Account Settings page of your Record. Under ORCID’s Membership Agreement, Trusted Organizations agree not to disclose to any other person or entity Trusted Data unless (i) the data is publicly available from another source, or (ii) the organization provides notice to you about how and to whom such data will be disclosed. However, ORCID has no control over how the organization uses the Trusted Data, including sharing it with others. Therefore, you should only grant Trusted Organization status to those that you trust.
3.1.3 ONLY ME visible by only me
Accessible by:
Data items which you have set with the visibility of Only Me (Only Me Data) may be viewed through the Registry only by you, any Trusted Individual(s) you designate, and any Trusted Organization that deposited the data (if you gave it permission to do so in the past).
Only Me Data is not shared with the public, Trusted Organizations or other Members of ORCID, except in the following limited circumstances. If you sign into a Trusted Organization’s system using your ORCID Account, and an email address is required for the sign in to work or for the Trusted Organization to communicate with you directly, then we will ask you to release your email address to the Trusted Organization even though it is marked as “Only me”. It will be made clear to you in the ORCID user interface when this is required, and you will be given the opportunity not to proceed. If you do proceed, but later want your email address removed from the Trusted Organization’s system, then you will need to contact the Trusted Organization, or use an interface provided by them.
In addition, our staff, and our agents’ or contractors’ staff, with a “need to know” to manage the Registry and process data for us are able to view Only Me and Trusted Data. Those who gain access under this provision have signed confidentiality agreements with us. See section 4.0 (Information We Collect and How We Collect It) and section 10.0 (Information Security), below.
3.2 Changing Settings
You can change your settings for visibility & sharing at any time. However, the new settings will only apply after you have made the change. ORCID has no control over uses of data already made available via the Registry or disclosures made in places other than the Registry.
3.3 Trusted Individuals
You may delegate management of your ORCID Record to one or more Trusted Individuals (such as your research administrator or administrative assistant). A Trusted Individual can act on your behalf with respect to your ORCID Record, including editing and depositing data, naming Trusted Organizations, and designating settings for visibility & sharing (see section 3.1 (Privacy – Settings for Visibility & Sharing)). A Trusted Individual cannot name other Trusted Individuals, change passwords or Account access settings, or remove email addresses. A Trusted Individual will have access to all information in your ORCID Record, including Trusted and Only Me data. Therefore, you should only grant Trusted Individual status to a person you trust. ORCID cannot control how a Trusted Individual will interact with your ORCID Record. Trusted Individual status remains in place until you revoke it, which you may do at any time at the Account Settings page of your Record. (Also see section 8.0 (Records of Deceased Persons) for more information.) Trusted Individuals must agree to ORCID’s Terms and Conditions of Use.
4.0 Information We Collect and How We Collect It
ORCID collects information from users in four ways: information you directly give us; information given to us by third parties; information we collect from your use of the ORCID Websites; and information we collect from cookies, also known as tracking technologies.
4.1 Information You Give Us
To use certain features of the ORCID Websites, users must register with ORCID. Registration requires that you provide us with personal information including your name and email address. You are not required to register with us to use the ORCID Websites; however, if you do not register, certain features (e.g., creating an ORCID Record or serving as a Trusted Individual) are not available.
If you want to create an ORCID Record, we require you to provide, at minimum, your first name and email address. Optionally you may include certain additional information about yourself in your Record, such as last name, affiliations, title, education, grants, patents, and publications.
We also collect information from you if you contact the Help Desk, the ORCID Ombudsperson or Executive Director, or make posts in any online chat rooms, blogs or other public forums offered from time to time on the Websites. ORCID may associate your Account information (e.g., name, email address, and ORCID iD) with these activities.
4.2 Information Provided by a Third Party
4.2.1 Trusted Organizations & Trusted Individuals
Trusted Organizations may add new information to your Record only if you give them the authority to do so through an opt-in mechanism. You may provide this authorization via a link on a Member website that has integrated with ORCID, via a link sent to you by a Trusted Organization, or directly in the ORCID Registry. A Trusted Organization which is the source of specific data in your Record will continue to be able to delete that data from your Record, even if you have revoked permission. This is to ensure continued accuracy of data in the Registry. If you do not wish the Trusted Organization to be able to delete such data after revoking permission, then you must delete the data from your record yourself.
In some instances, an ORCID Member or its agent may contact us to let us know that they have information about new publications or other research activities that are connected to your ORCID iD. ORCID will contact you and ask if you would like to make this Member organization one of your Trusted Organizations to deposit information about these activities to your Record. You may regulate the frequency of these messages using your Account Settings.
Your Trusted Individuals may edit and deposit information in your Record. You may specifically designate or remove Trusted Individuals in the ORCID Registry at the Account Settings page of your Record.
4.2.2 Members
Today, all ORCID Records are created by the individual to whom the Record refers. Although no longer offered, functionality existed until early in 2015 that provided an option for Members to create ORCID Records on behalf of their employees and students, including obtaining an ORCID identifier, populating the Record with data, and setting the initial settings for visibility & sharing on the Record. Such Members are referred to in this Section as “Member Creators”. This functionality is no longer provided by ORCID; however, we describe how this functionality worked at Member Creators.
4.3 Information ORCID collects from your use of the Websites
ORCID collects information about your use of the Websites, Registry and mailing lists. We do this for a variety of reasons, including to monitor when and by whom Registry information has been changed, to maintain information security and help identify and block some spammers, and to provide troubleshooting and support services. This information may include details about your use of the site such as the date and time of edits that you have made to your Record or when you added and removed an organization to/from your Trusted Organizations list. If you contact us for help, we may collect information to assist us in providing support such as the type and version of the Internet browser you are using, the page from which you requested help, the type of device being used (e.g. computer, smart phone, tablet), or the screen resolution. We may combine this automatically collected log information with other information we collect about you.
4.4 Information from Cookies and other Tracking Technologies
We and our analytics and customer support service providers use cookies or similar technologies to analyze trends, administer the Websites, track users’ movements around the Websites and to gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis. The use of cookies by our service providers is covered by their own Privacy Policies, and we do not have access to or control over these cookies.
We also use cookies to remember users’ settings such as language preference or interface display preferences. Users can control the use of cookies at the individual browser level. If you reject cookies, you may still use our Websites, but your ability to use some features or areas of our site may be limited.
We partner with third party(ies) to provide better functionality to the ORCID website. While ORCID does not gather information about your activities on third-party sites, our third party(ies) may do so. Our third party(ies) may use technologies such as cookies to gather information about your activities on this website and other sites and may provide you advertising based upon your browsing activities and interest. We do not serve ads on our website, but rather the third party(ies) may use interest-based ads on other websites you browse. If you wish to not have information that may be collected by third parties using our site used for the purpose of serving you interest-based ads on other sites, you may opt-out by clicking here (or if located in the European Union click here).
4.5 Identity Providers
When you sign in to your ORCID record using institutional credentials or social sign-in providers, for example with Google or Facebook credentials, certain information is provided by them to enable the connection. This may include personal names, email address, and unique persistent identifiers. This information is used by us to prepopulate the registration form when creating a new ORCID account, and to create a persistent link to your account. You may remove this information by removing the link to your institutional or social sign in, using the Account Settings page of your ORCID account, but otherwise it will be retained indefinitely as Only Me Data on your account.
5.0 How We Use Information We Collect
We use the information we collect in ways that are compatible with the purposes for which it was intended to be used. For example,
- We use the information we collect to operate, protect, evaluate and improve ORCID Websites and Registry, its features, and ORCID operations generally. Note that this use includes Only Me and Trusted data; for example, we may use such data for disambiguation or to resolve any disputes about identity and Records.
- We also use the information we collect about when and by whom information was deposited in your ORCID Record to help verify questions you have about your Record or resolve any disputes about the accuracy of information in a Record.
We also use the information we collect to send messages to you. We send messages either to the email address you provide us, or to an ORCID Inbox that is created when you register for an ORCID iD. We will send you an email with a summary of the information in your ORCID Inbox at the frequency you request in Account Settings. Reasons we may contact you include:
- We will use personal information to contact you with service messages related to or affecting your ORCID Account, including, without limitation: changes to our Privacy Policy or functionality that affects how a user manages privacy; changes to Terms and Conditions; changes to registration procedures or fields included; and changes in the type of information collected. As this information may affect your visibility (privacy) settings and the functioning of your ORCID Account, you may not opt-out of service messages.
- We may contact you with requests from Members for your permission to become Trusted Organizations and to deposit or edit information in your ORCID Record.
- We may also contact you about your use of ORCID Websites, Registry, or mailing lists.
- We may contact you to send you newsletters, and information about ORCID. You may subscribe or unsubscribe here, by changing your email preferences in your Account Settings, or by clicking on the unsubscribe message included in each newsletter.
- You may regulate the frequency of non-service messages by adjusting your email and contact preferences in the Account Settings of your ORCID Record. (See the Knowledgebase article ORCID inbox notifications and frequency settings for more information.)
We may use the information we collect to train machine learning models that detect patterns of abuse in Registry usage. These models are used to detect and lock ORCID Records that may be in breach of our terms and conditions or otherwise contravene our policies, such as Records for business, organizations, and advertising content. Locked Records are not accessible by anyone other than the Record Holder.
If we lock your Record, you will be notified by email. If you believe we have locked your Record erroneously, you may contact our Help Desk so that we can review your information and if appropriate, reactivate the Record.
Except as set forth in this Privacy Policy, or as required by law (see section 6.4 (Government Data Requests)), ORCID only shares personal information about you as per your instructions, either by your setting the visibility of data to Everyone, or setting data visibility to Trusted, and adding Trusted Organizations that may access this data. For example, we do not share your personal information with Members except as set forth herein, and we do not share or sell your personal information to marketers, advertisers, or other entities.
6.1 With the Public & Members
6.1.1. The Registry
In addition to ORCID’s commitment to giving Record Holders control over their ORCID Records, ORCID seeks to support open access to information for the research community. ORCID shares with the public free of charge Everyone Data through the Registry for viewing and use.
Your designated Trusted Individuals have access to all of your Record information (other than your password and Account access security information) including your Trusted and Only Me Data. Your designated Trusted Organizations are able to view your Everyone data and the Trusted data you have approved sharing. Your Trusted Organizations also may see any data that you have authorized them to deposit to your Record, even if this data has a visibility setting of Only Me; they cannot see Only Me Data that they have not deposited.
If there is a dispute regarding data in your Record, we may share your email address with your permission with the disputing or depositing party or a third party dispute resolution agent, so that the dispute may be resolved. The visible deposit history (e.g., what data was deposited by whom) may also be used for this purpose.
Our Terms and Conditions of Use (for individuals) and our Membership Agreement (for Members) state that data from an individual’s Record may not be used in any manner that is defamatory or misleading; cannot be modified so as to make it false, incomplete, or misleading; is subject to your rights of publicity; and if any person or entity uses the data for marketing purposes, they must give you the right to opt-out of such communications. Although we post this requirement, ORCID does not undertake the responsibility to police third party uses of data. If you object to a third party use of your data, you should contact and make a complaint directly to the third party.
6.1.2 The Public Data File
In addition, annually, ORCID will release to the public a downloadable data file, the “Public Data File”, containing all Everyone Data from active ORCID Records. The public will have free access to the data for viewing and use. ORCID releases the Public Data File under a CC0 1.0 Public Domain Dedication developed by Creative Commons, in which ORCID waives all copyright and related rights it owns in the Public Data File to the extent permitted by law. Accordingly, ORCID does not impose restrictions or conditions (including those contained in the Terms and Conditions of Use and the Membership Agreement) on use of the Public Data File, but it has posted recommended community norms for use. ORCID is sharing the Public Data File to ensure that all scholarly communication stakeholders, including organizations that are not Members of ORCID, have broad access to what has become a vital part of the scholarly communication infrastructure. Additionally, this serves as a method to allow ORCID data to be archived in the public interest and for scientific and historical research purposes.
6.2 With our Vendors
We may share your information with agents or contractors (for example, a vendor may host ORCID’s servers, or an ORCID contractor may need to check Records for inconsistencies), but only on a “need to know” basis to help us operate ORCID, the Registry and the Websites, and only if the vendor agrees to maintain the confidentiality and security of your information and not to use it for other purposes. These companies are authorized to use your personal information only as necessary to provide these services to us.
6.3 Commercial Use of Data
ORCID’s Terms and Conditions of Use for the Registry bar the following re-uses of ORCID data:
- Users of the Registry may not use the email addresses obtained from the Registry to send any marketing or other commercial communication to anyone, unless they give the person the right to opt-out of such communications.
- Users may not use any Record data to send junk mail, spam, chain letters, pyramid schemes, or other similar communications.
Although we post this requirement, ORCID does not undertake the responsibility to police third party uses of data. In addition, because the Public Data File is released under a CC0 Waiver, we cannot impose any restrictions on use; however we do suggest that people follow community norms in using the Public Data File as well. ORCID does not otherwise limit commercial use of Everyone Data by third parties or of Trusted Data by entities to which you (or a Trusted Individual) gives access and cannot control actual use despite these terms and suggestions. You can block commercial re-use of any data by setting the visibility of it to Only Me and by controlling to whom you grant permissions as a Trusted Organization.
6.4 Government Data Requests
If we are required by law, or we are served with a warrant, court order, or subpoena, we may provide your information, including Trusted and Only Me Data to regulators, enforcement agents, courts and/or other government entities. To protect the privacy interests of our users, ORCID will provide only such data as we deem necessary in the situation and which can be defined as lawful processing under Article 6, Lawfulness of processing, of the General Data Protection Regulation (if applicable). To the extent allowed, we will promptly provide information about any government data requests received and accounts affected to the relevant Record Holders.
6.5 Other
- Aggregated Data: We may share aggregated, or summarized, usage data and Record data with our Members or others in the research community or publish information based on aggregated usage data so Members and others can understand how the ORCID Registry is being used. We will only do so in a way that your personal identity is protected.
- Legal Reasons: We may provide your information if we need to defend against legal claims or in bankruptcy proceedings. We will only do so in a lawful manner. We may also use and share your information, including Trusted and Only Me Data, to enforce our Terms and Conditions of Use and Membership Agreements (including investigation of potential violations). To the extent possible in the relevant situation, we will promptly provide information about any such disclosures to the relevant Record Holders.
- Corporate Reorganization: If ORCID is involved in a merger, acquisition, joint venture, or dissolution, we will give Record Holders notice (by posting on the ORCID Website), and the option to opt-out of the transfer, before Trusted and Only Me Data is transferred or becomes subject to a different privacy policy.
7.0 Reviewing and Controlling your Data
You may review, delete, and edit information in your ORCID Record and change preferences. Please note that changes will be applied prospectively. For example, if you change a setting for visibility & sharing from Everyone to Only Me, or Trusted, there is no way to stop people who have previously viewed or downloaded the Everyone data from using it.
- You may review information about you and change your sharing settings (section 3.1 (Privacy – Settings for Visibility & Sharing)) in your ORCID Record by logging into your ORCID Record. If you think that any information in your Record is wrong, we strive to give you ways to update it quickly or delete it, subject to legitimate business or legal purposes, including the Dispute Procedure outlined below in section 9.0 (Transparency, Disputed Records and Removal of Data).
- You may not directly edit data provided by another source that you have given permission as a Trusted Organization. However, you may change the item’s visibility, delete the incorrect data, or make your own corrected version of data.
- You may choose to disable your ORCID Record in the Registry by deactivating the Account from the Account Settings page of your Record. In the event that your ORCID Record is disabled, we will delete all of your Record data other than your ORCID iD and a cryptographically hashed form of your email address. We retain your ORCID iD, marked as deactivated and with no personal data attached, to ensure your former identifier is not reassigned to someone else. We maintain a non-reversible, cryptographically hashed form of your email address that is unreadable, to allow you to re-claim your identifier in the future if you choose to do so. This also enables us to fulfil any legal obligation to keep a record of your request to be removed from our system. (Note that some residual copies of data may take a period of time before they are deleted from our active servers and may remain in our backup systems and log files.)
- You may make your personal data on ORCID sites “invisible” to the public by setting the visibility of all data items other than the ORCID identifier to “Only Me.”
- You may revoke Trusted Organization or Trusted Individual status at any time using the Account Settings page.
- You may update your password, email, and notifications preferences at any time using the Account Settings page.
- If you discover that you accidentally have more than one ORCID iD/Record, you may combine the Records.
In limited circumstances, ORCID may proactively correct data in a Record where errors are a result of system errors, changed standards specifications, or other obvious errors not caused by you or your Trusted Individuals or Organizations. To ensure transparency of our processes, we will post information on our Websites when we make record changes. See the Integrity page for more information.
8.0 Records of Deceased Persons
An ORCID Record of a person that was created before the person became deceased is maintained as is, according to the following practices:
- Record data, settings for visibility & sharing, Trusted Individual, and Trusted Organization designations of the ORCID Record remain as set by the Record Holder before becoming deceased.
- If the ORCID Record Holder selected one or more Trusted Individuals, such persons may continue to manage the record as per the Record Holder’s wishes.
- Any current Trusted Organizations may still write/access the record according to the settings at the time before the person is deceased. However, Trusted Individuals (if they exist) may modify these settings as outlined previously.
- Posthumous publications may be deposited to the ORCID Record only if arrangements had been made prior to death (e.g., one or more Trusted Individuals were assigned who deposit the publication(s), and/or a Trusted Organization relationship had been made that would allow for the addition of the publication(s) without further action).
- A person who has assumed management of the deceased Record Holder’s email account may request that all email from ORCID to the individual be turned off.
- No indication is made by ORCID to highlight Records of deceased persons, though Trusted Individuals, at their discretion, could use existing fields to provide this detail, if desired, for example, including such information in the biography field, or after the person’s name.
- If ORCID is contacted to remove or correct a Record for someone who is deceased, the requestor will be referred to the Record’s Trusted Individual(s) (if any), or, if needed, the request will be handled according to ORCID’s established Dispute Procedure described in 9.0 (Dispute Handling).
9.0 Transparency & Removal of Data
9.1 Transparency and Removal
To ensure the transparency of the ORCID Registry, we keep server access logs and application logs from which it is possible to determine when and by whom Registry information has been deposited or changed and any changes to settings for visibility & sharing (see section 3.1 (Privacy – settings for Visibility & Sharing)). ORCID will use this information to assist you in addressing concerns about the provenance of data in the Registry and questions about identity ambiguity or theft. Upon request ORCID will provide you with information about whether we hold any of your personal information. If you have a concern about the accuracy of data in your ORCID Record, you may correct, update, amend, delete, or remove it by signing into your account and making the change, or by submitting a ticket to our Help Desk for assistance. (Also see section 7.0 (Access, Review, Editing and Changing Data)).
9.2 Data Retention
We will retain your information for as long as your Account is active, or as needed to provide you services, including reactivation. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
10.0 Information Security
We are committed to protecting the Registry and our users from unauthorized access to or unauthorized alteration, disclosure or destruction of personal information in the ORCID Registry or which we otherwise hold. For example:
- We store information about you in a data center with restricted access, and we use a variety of technical security measures to secure your data. We also use intrusion detection and virus protection software.
- We encrypt the database that stores your data (encrypted “at rest”) and the digital methods for transporting your data (secure socket layer (SSL)).
- We periodically review our information collection, storage and processing practices, including physical security measures.
- We restrict access to Only Me Data to ORCID employees, contractors and agents who need to know that information to manage the ORCID Registry and process such data for us, and who are subject to confidentiality obligations. This is in addition to any Trusted Individual(s) the Record Holder designates, and the Trusted Organization that deposited the data (if the data was deposited by a Trusted Organization).
- We restrict access to Trusted Data or data which is otherwise not Everyone Data to (i) Trusted Individuals, (ii) Trusted Organizations granted permissions by users, and (iii) ORCID employees, contractors, and agents with a need to know to manage data in the ORCID Registry and process such data for us, and who are subject to confidentiality obligations.
- All passwords are protected by a salted hash and are not visible by ORCID, its contractors or agents, or even you.
Despite these measures, we cannot guarantee that unauthorized persons will not be able to hack our system or otherwise defeat our security measures. More details can be found in our ORCID Trust Program and ORCID security Knowledgebase article. If you have any questions about security on our Websites, please contact us at https://orcid.org/help/contact-us.
Your Responsibilities in Securing Your Data
Your access to some of our services and content may be password protected. You share the responsibility of maintaining the security of your information (or information in another person’s ORCID Record that you are authorized to view). You will be solely responsible for any action, activities, and access to our Websites and Registry that were taken through your username and password, and that occurred before you notified us of their loss. Please follow best practices to help keep your information secure, such as:
- Keep your username(s) and password(s) strictly confidential and do not disclose them to anyone
- Use unique passwords for each website that you use, including ORCID
- Sign out of your Account at the end of each session and close your browser window when you have finished your work, especially if you share a computer with someone else or are using a computer in a public place
- Use two-factor authentication to provide additional confidence that others cannot sign into your Account (see the Knowledgebase article for more information).
11.0 International Data Transfer
Note that we may store and process personal information on servers located outside of the country where you originally deposited the data, and that the primary location for processing is the US. The data protection laws of the country or countries where this personal information will be stored or processed might not be as comprehensive or protective as those in your country. Regardless of where we store and process data, we take steps to protect your information, consistent with the principles set forth in this Privacy Policy, which are intended to be in line with the European General Data Protection Regulation (GDPR) and to honor our past commitment to the principles enshrined in the EU–U.S. and the Swiss–U.S. Privacy Shield Program. If there is any conflict between the terms in this privacy policy and your rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, please visit https://www.privacyshield.gov/ . You can view more details at ORCID, GDPR, and your rights as a user.
This attestation letter indicates that we have demonstrated that our privacy policy and practices have met the assessment criteria of an independent customer data assessment. We have taken this additional verification step to demonstrate our commitment to your privacy rights.
By using our Websites, Registry and/or mailing lists, or permitting the deposit and/or publication of personal information on or through the Registry, you agree that (i) your personal information may be transferred to our facilities and those of the third parties with whom we share it as described in this Privacy Policy and (ii) any claims of any kind that you have regarding this Privacy Policy and our use and sharing of data shall be resolved in accordance with the procedures set forth in sections 12 (Enforcement and Arbitration; Governing Law) and 16 (Questions or Concerns).
12.0 Enforcement and Arbitration; Governing Law
If you have any questions or concerns about this Privacy Policy or the accuracy of data stored at ORCID, please contact us at https://orcid.org/help/contact-us. You may escalate any concerns via our U.S. based third-party resolution provider as indicated in section 16 (Questions or Concerns).
If you are not able to resolve your concerns through ORCID’s internal mechanism or escalation process, arbitration, as set forth in this paragraph, will be your final and exclusive recourse for dispute resolution, except if you are a data subject of the European Union or Switzerland, in which case you may also have recourse through your local Data Protection Agency. If arbitration is necessary, it will be conducted by telephone and email, and if it must be done in person, it will be conducted in New York, NY, and by using our Websites, Registry, and/or mailing lists, you consent to such jurisdiction. The arbitration will be conducted by one arbitrator who is a member of the American Arbitration Association, and under the rules of commercial arbitration of the American Arbitration Association. Both parties will bear equally the cost of arbitration (exclusive of legal fees and expenses). All decisions of the arbitrator(s) will be final and binding on both parties and enforceable in any court of competent jurisdiction.
This Privacy Policy is governed by and any disputes shall be resolved under the laws of the State of New York (United States), without giving effect to its conflict of laws principles.
13.0 Children’s Privacy
ORCID provides general audience Websites and does not offer services directed to children. Should a child whom we know to be under 13 send personal information to us, we will delete that information immediately. Parents may also contact us through our request form to request removal of any personal information about a minor.
14.0 Community
Our Websites offer publicly accessible blogs or community forums. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them. To request removal of your personal information from our blog or community forum, contact us at https://orcid.org/help/contact-us. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. Alternatively, if you used a third-party application to post such information, you can remove it by either logging into said application and removing the information or by contacting the appropriate third-party application.
15.0 Changes to this Policy
We may change our Privacy Policy from time to time. We will post any changes to this Privacy Policy on this page. Your continued use of the Websites, Registry, and/or mailing lists will be deemed conclusive acceptance of modifications. Please check this Privacy Policy from time to time for changes. We will not reduce your rights under this Privacy Policy with respect to data previously deposited without your consent. If in our discretion we think that any changes are significant, we will take additional steps to inform you (for example, by posting a notice of changes on our Websites and/or Registry homepage and/or by sending you an email to inform you of such changes) prior to the change becoming effective and obtain your consent through an opt-in mechanism (for example, by having you agree to the changes the next time you log onto the Websites or clicking an “I consent” button in an email).
16.0 Questions or Concerns
16.1 Questions or Concerns About our Privacy Policy
If you have any additional questions or concerns about this Privacy Policy or our practices, please contact ORCID at ombud@orcid.org or by writing to Executive Director, ORCID Inc., 10411 Motor City Drive, Suite 750, Bethesda MD 20817, USA. If your concerns are not addressed, please escalate as described in section 16.3 (Escalation Process).
16.2 Questions or Concerns About the Accuracy of Stored Data
If you have questions or concerns about the accuracy of data in your or another person’s Record, please submit a request to our Help Desk. We will investigate and attempt to resolve any complaints and disputes regarding Record data accuracy.
If your concern is not resolved through this process, you may use our Dispute Procedure to formalize your concern. We will respond to your request within a reasonable timeframe, not to exceed 45 days. ORCID reserves the right (but shall not be required) to remove or hide from the Registry and its servers any Record data that violates the privacy, publicity or other rights of any person, is the subject of a dispute, or for any other good cause, including without limitation, in any situation in which ORCID is advised by legal counsel that the retention or public availability of such data poses a legal risk to ORCID. If your concerns are not addressed by our Dispute Procedure, you may escalate as described in section 16.3 (Escalation Process).
16.3 Escalation Process
If your complaint or dispute cannot be resolved through our internal processes, and ORCID does not adequately respond to your question, please contact our U.S. based third party dispute resolution provider as indicated in section 17.0 (Privacy Feedback Button). If you are not able to resolve your concerns through ORCID’s internal mechanism or escalation process, arbitration as described in section 12.0 (Enforcement and Arbitration, Governing Law) will be your final and exclusive recourse for dispute resolution.
16.4 Privacy Feedback Button
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
17.0 ORCID Member Portal
The ORCID Member Portal is a system used by ORCID Member Organizations to manage their membership information, and provides other functionality such as the ability to request permission from Registry users to add affiliations to their Records. The Member Portal is not part of the Registry, and access is only for administrators at Member Organizations who have been invited to use it.
A minimal set of personal data about administrators is stored and processed in the Member Portal in order to provide access to it:
- Given name
- Family name
- Email address
Additionally, ORCID Member Organizations may upload personal data to the Member Portal about users who are affiliated with that organization (“Member Data”). Member Data is stored in the Member Portal pending transfer to the Registry, if and when the user chooses to grant permission for the Member Organization to do so.
ORCID acts as a data processor with respect to the Member Data. The legal basis for processing Member Data is determined by the Member Organization as the data controller, and should be explained in its privacy policy. Data subject rights, such as the right to erasure, should be handled by the relevant ORCID Member Organization.