ORCID is an international nonprofit organization with users and members throughout the world. We are aware that values and community norms regarding data collection, use, and privacy vary from region to region, and recognize that it is important that our policies and practices reflect our global scope.
Our Trust program was set up specifically to provide greater transparency into the components that are foundational to our principles - individual control, a reliable Registry, community accountability, and information integrity.
The ORCID Registry was developed with security at the start, also referred to as security by design. Details of ORCID security can be founded in ORCID data security.
Our data privacy considerations are consistent with the principles set forth in the Privacy Shield Framework. Most recently, ORCID has aligned with the European Union General Data Protection Regulation (GDPR). This article informs you of your GDPR-related rights.
Transfers of personal data
We take steps to protect your information, consistent with the principles set forth in our privacy policy. These are designed to comply with the Privacy Shield Framework issued by the US Department of Commerce and with article 26 of the EU Data Protection Directive covering data transfers.
The GDPR sets out that transfers of personal data to non-EU countries require safeguards. The most commonly approved safeguard is the adequacy decision. The United States adequacy decision is based on compliance with Privacy Shield. As a nonprofit organization, ORCID is not subject to the jurisdiction of the US Federal Trade Commision overseeing the implementation of the Privacy Shield program; as a result, we cannot self-certify compliance. Instead our policy and practices are independently audited annually -- see section 2 of our privacy privacy (TrustArc Certification) for further information.
We therefore follow the GDPR guidance set out in Article 49 on transfers of personal data. ORCID continues to monitor the development of potential alternatives, such as nonprofit privacy shield programs and GDPR-approved seals.
Individual control
A core principle of ORCID is individual control. You, the record-holder, are in control of your data in the ORCID Registry. You control what data to add to your ORCID record, who can add data to your record as a trusted individual or organization, and whether any of that data can be seen by the public or trusted parties. As a result, all information about you in the ORCID Registry was provided either by you or by your trusted parties, when you registered and/or updated your ORCID account. You also are in control of how long the data stays in the Registry, and whether it remains in the Registry.
The only information that ORCID requires to register your iD is your first name and email address. This is for basic identification purposes and to ensure that your account is unique to your email address. During and after registration, you can choose whether to add more information to your account yourself, such as your last or family name (if you have one), your affiliation, works, etc.; or to grant trusted parties (ORCID member organizations or individuals you trust) permission to do so. Any data added to your ORCID record remains in the ORCID Registry until it is deleted - either by you or by a trusted party, or until you deactivate your ORCID account.
Data control exceptions
A founding principle of ORCID is that we provide an annual snapshot of all public data in the ORCID Registry at a given time. This file is provided to the public for research and statistical purposes and is available under a CC0 license. For more information, see section 4 of the ORCID privacy policy and the ORCID public data file use policy.
ORCID security logs and backups may contain information associated with you. This information is stored for the legitimate interest of the security and reliability of the ORCID Registry. It will only be used for diagnosing security issues and for restoring the system, in the event the server needs to be restored.
ORCID may also store contact information relating to you that is used for a business purpose, such as being a named party in a contract or in a working group. This information is saved in our customer relationship management database, Salesforce; it cannot be accessed directly by you, but is available upon request.
Individual rights
Under the GDPR, you have many rights relating to information about you. Individual control is a core ORCID principle, including control of your data in the ORCID Registry. There are very few cases where you do not have direct access to information relating to you (see “Data control exceptions” above).
The following sections explain your rights under the GDPR and how you can exercise them in the context of ORCID. Contact us with any questions or concerns relating to your rights.
Right to data portability
Article 20 of the GDPR sets out your right to data portability – the right to have access to all your personal data in a common, machine-readable format. To access your data, use the Download your ORCID data feature in your Account settings to download all your personal data in XML format.
Right to access
Article 15 of the GDPR sets out your right to access – the right to learn from ORCID whether any of your personal data is being stored and processed.
Right to object
Article 21 of the GDPR sets out your right to object to the processing of data relating to yourself.
Right to erasure
Article 17 of the GDPR sets out your right to erasure – the right for any personal data concerning yourself to be erased. Sometimes referred to as the “right to be forgotten”, this right includes the erasure of data added to your ORCID record by you or by any of your trusted individuals and organizations.
Right to rectify
Article 16 of the GDPR sets out your right to rectification – the right to edit any inaccurate personal data about you stored in the ORCID Registry.
You can edit any data for which you are the source directly -- data which you or a trusted individual has added -- by signing into your ORCID account and clicking the pencil icon next to the data. If a trusted organization added the data, you can edit the visibility of the data or delete it altogether. If needed, we can assist in contacting the organization to ask them to correct it. If you believe your circumstances fall outside of this criteria, we can assist you in raising a claim and disputing the validity of the data in accordance with ORCID’s dispute procedures.
Legal
ORCID is not required to have a legal representative in the European Union as set out in Article 27 of the GDPR. For any issues that cannot be rectified by the individual or ORCID support, please raise a claim to escalate to the ORCID Ombudsperson in accordance with our dispute procedures.
In the event you feel that your issue has not been resolved using our escalation process, including our dispute procedures, you have the right to lodge a complaint with your local supervisory authority. Each EU country has a supervisory authority field all GDPR-related inquiries. ORCID will act within the bounds of the GDPR when responding to any complaints.