ORCID and Data Protection

Who is behind ORCID?

ORCID is an independent non-profit organization whose members come from institutions and companies in the field of research and scientific publication. These include universities, libraries, research funders and publishers - you can find a list of all members on the ORCID website. The board is elected from these members, with a balanced distribution in terms of skills (people from the technical, financial and management sectors) and sector (universities, funders, government institutions, publishers, etc.). The majority of the board must come from non-profit organizations. In addition, members elect two researchers to the board who do not necessarily have to be affiliated with a member organization.

ORCID is funded by contributions from member organizations. In return, members receive an API. This API is used to connect ORCID to other systems, such as a university's CRIS. The reason for membership is therefore to facilitate the management of researchers' work.

Transparent, open, non-proprietary: ORCID values

ORCID is international, interdisciplinary, transparent, open and non-proprietary. Therefore, ORCID is open to all organizations interested in research and scientific communication. Decisions within ORCID are made collaboratively: employees, the board, members and researchers, as those affected by ORCID's decisions, are involved in the process.

Since ORCID is an independent non-profit organization, they provide their service to researchers free of charge. They do not sell data for advertising purposes and do not generate advertising revenue. Any software developed by ORCID is also released under an open source license.

Researchers control their own data

One of the most important pillars on which ORCID's work is based is the protection of the privacy of all users and the control of data by researchers. Therefore, researchers themselves decide on the visibility of their data on the platform. ORCID also offers a range of privacy settings that allow researchers to control who has access to their data. You can choose from three options: your data is displayed publicly ('everyone'), your data is only visible to you ('only me') or you grant access to your data to so-called 'trusted parties'.

Personal data is not encoded in the ID itself. This means that the ID can also be used in situations where no information about the person behind the ORCID is to be shared with the appropriate visibility settings. The ID also does not contain data on employment relationships, as ORCID is designed as a lifelong identifier.

Trusted parties

You can not only make your data available exclusively for yourself or the general public, but also grant so-called 'trusted parties' access to the data in your profile. 'Trusted parties' are either individual people to whom you entrust the management of your ORCID profile (so-called 'trusted individuals', who can view and modify all data in the profile) or organizations that are members of ORCID (so-called 'trusted organizations'). You can grant different rights to such organizations. You can allow them to only store your ORCID iD and use it in their workflows, read your data or update or add data to your profile. You can assign the status 'everyone', 'only me' or 'trusted parties' separately to each data set in your profile.

You can revoke permission to use your ID or read or update data at any time. If you revoke the status 'trusted party' from the relevant organization or person, they can only view public data and data they have added themselves. The 'trusted party' is no longer able to add, modify or delete data.

Data protection and privacy at ORCID

Data protection and the control of data by researchers are anchored in the statutes of ORCID. ORCID acts transparently in the data protection provisions and addresses various aspects of data protection. This includes the implementation of the European General Data Protection Regulation and the certification of the data protection provisions by third parties (via TrustArc). This certification ensures that the provisions meet the EU-US Privacy Shield criteria. In addition, ORCID undergoes an annual audit by third parties to ensure compliance with data protection regulations.

The German Research Foundation (DFG) commissioned a data protection legal opinion on ORCID 2017. This opinion examined user scenarios on the one hand and relevant considerations against the background of the European General Data Protection Regulation on the other. The expert - the law firm iRights.Law - concluded that ORCID is unobjectionable from a data protection point of view.

Data storage and encryption

Secure storage and encryption of your data is another important aspect of data protection for ORCID. All ORCID systems are protected by local and network firewalls. ORCID uses cloud service providers such as Rackspace and AWS to store your data on their servers. These are subjected to an annual review to ensure that they comply with ORCID's own and international data protection regulations.

ORCID uses encryption at various levels. Both data transmissions and data 'at rest' on servers are encrypted. On the website, ORCID uses SSL to encrypt pages where you can log in or register.

Conclusion

ORCID is an independent non-profit organization that facilitates the management of research work. Its values include transparency, openness and non-proprietary. ORCID is committed to protecting the privacy of its users and allowing researchers to control their own data. It has implemented a number of measures to ensure the security of data on the platform. All of these factors make ORCID a reliable partner for researchers in the management of their work.

If you want to know what practical benefits ORCID offers for your research work, we recommend our blog post “ORCID - What you always wanted to know about the ID for researchers”.

Links

ORCID’s privacy policy
Data protection legal opinion of DFG (German only)
ORCID members
ORCID board