Individual control is a core ORCID principle that we reaffirm each year during our audit of ORCID’s policies and practices. ORCID users control what information is added to their record, the visibility of that information, and which organizations can access a user’s record to read, write, or update their information. Individuals can store information such as their name, contributions, and affiliations in their ORCID record, or grant permission to organizations they trust to provide this information.
An ORCID record contains only metadata, so, for example, for a journal article, ORCID stores the title, author list, date, and DOI, but not the article itself. We also do not collect or store sensitive information, such as a user’s address, tax ID, or financial or medical information.
Since 2013 (just after our launch) we have sought independent audit and certification of our Privacy Policy against international standards. This year, ORCID again engaged with a third-party auditor to recertify our privacy policy, and included an assessment of our data privacy management practices against current European Union (EU) regulation. The independent auditor has verified our compliance under the EU-US Privacy Shield Framework.
Privacy Shield, a successor to Safe Harbor, is a framework designed by the US and European Commission to provide organizations on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the EU to the US. ORCID is committed to taking a proactive approach to meeting international privacy regulations, and we continuously monitor and align our operations with these regulations as they are released. We are currently taking steps to align with the EU’s new General Data Protection Regulation (GDPR) privacy regulations to ensure compliance when it takes effect in May 2018.
In recognition of another core ORCID principle, transparency, we want to highlight two changes in our privacy policy implemented during this year’s annual review.
Tracking technologies
While ORCID does not directly track individual users on our sites, we have always used industry standard third-party technologies to deliver a more secure and efficient website. Some examples of third-party tools that we use include spam protection technology to prevent bots from using the ORCID registry and Content Delivery Networks (CDNs) for faster graphic delivery. In some cases, these technologies may collect data about users, often for the purposes of serving interest-based advertising on other websites. We have now added a section in our policy to provide greater awareness of this use. ORCID does not display any advertising on our own site, nor do we receive any form of payment from such advertising, nor do we have access to the data collected. Those users who do not want their information used for interest-based advertising may opt-out by clicking here (or if located in the European Union click here). (See Section 5 Information we collect for more details.)
Correcting errors
We have added information about making corrections to data in your record when there is invalid data, for example, due to ORCID system errors, changes to standards, null fields, or formatting issues. This change has been made primarily to allow ORCID to correct any errors due to our work. This type of error is fundamentally different from what might be incorrect data such as spelling mistakes, or inaccurate metadata; we will never make corrections to what may be incorrect data without an explicit request from the ORCID record holder. (S/he can also make the corrections him/herself, of course.) For more details about invalid or incorrect data, please review the ORCID Trust Integrity page. (See Section 8 Access, Review, Editing and Changing Data for more information.)
As always, please don’t hesitate to contact me if you have any questions or concerns about our privacy policy, including the audit and these recent changes.