Activity data to Enhance and Increase Open-access Usage (AEIOU)

The IP Address identifies the computer from which the request originated and is used to provide the notion of a user session. Although this may not directly identify a user (e.g. the computer maybe shared publicly), in terms of Data Protection Act (DPA), IP addresses may constitute personal data if an individual user can be identified by using a combination of that IP address and other information. This applies even when personal data are anonymised after collection.
New European legislation came into force from May 26th 2011 and The Information Commissioner's Office (ICO) Code of Practice has been revised. The Code now clearly states that in many cases IP addresses will be personal data, and that the DPA will therefore apply. These changes also apply to the use of cookies and methods for collecting and processing information about how a user might access and use a website. An exception exists for the use of cookies that are deemed "strictly necessary" for a service "explicitly" requested by a user. In general, the regulations advise that an assessment should be made on impact to privacy, whether this is strictly necessary and that the need to obtain meaningful consent should reflect this.
We also need to consider that the AEIOU project is aggregating and processing data (that includes IP Addresses) originating from other institutional Repositories with no direct end-user relationship. The Using OpenURL Activity Data project has addressed this by notifying institutions that sign up for their OpenURL resolver service. We have no explicit agreement with the partners involved in the current project but aim to review their existing privacy policies should the service be continued. For example, do policies for storing and processing user data include repository reporting software and Google analytics and should users be made aware of this through the repository website?
The current cookie policy for Aberystwyth University can be found here
In order to comply with recent changes to ICO code of practice we have been advised that as a minimum requirement we should include text in the header or footer of repository web pages and a link to a Data Privacy Policy that clearly informs users about how their data is being used and whether it is passed to third parties (e.g. Google). Where possible, they should also be given the option to opt out of supplying personal information (IP address) to the Recommendation service. This would not affect them receiving recommendations but their information would not be stored or processed as part of the service.
The AEIOU privacy policy:
Recommendation service
In order to provide a recommendation service (lists of items frequently viewed together) for this repository, usage data is collected and processed. Data is collected using software that tracks each web site visitor via their IP address and this is stored in an encrypted form to protect the users' privacy. The usage data may also be used for reporting purposes, i.e. most highly viewed article, most downloaded pdf file, etc. We do not gather any other personal information.
[Optional - if repository uses Google Analytics]
Tracking Cookies
This repository website also collects data using tracking Cookies*. The use of cookies to track web site usage is a widely used and well established technique. Each tracking cookie provides information to show how a visitor moves from page to page, but no personal data is stored by the tracking system. The tracking system used on this repository web site is called Google Analytics.
As the service provider, Google also has access to the data (for more information visit the Google Privacy Policy web page).
Rejecting Cookies
You can set up your web browser to reject all cookies and if you decide to do this you will still be able to use the repository web site. The documentation for your web browser will provide you with instructions on how to disable cookies.
* A cookie is a small piece of information in the form of a text file, sent by a web server and stored on the computer of a visitor to a web site. It can then be read back later by the web server when required.