Using OpenURL Activity Data

The Using OpenURL Activity Data project sought legal advice which resulted in the following:
"The Router currently generates activity data, i.e. when a user clicks on a link to view a paper and their request is routed through the Router, the Router logs capture the IP address of the computer making the request along with the information in the request eg the OpenURL of the paper that has been requested. These are not currently collected and processed but the service envisaged here would involve anonymising IP addresses and creating an aggregation both of which constitute processing. We have been advised to err on the side of caution by seeking to ensure that collection and processing of activity data is disclosed to users. As the OpenURL Router service is middleware with no direct relationship with end users, we cannot expect end users to be aware that they are using an EDINA service and that EDINA is potentially processing their personal data (subject to the EDINA privacy policy). Instead, disclosure of this activity would have to be made by the institution whose end-users are routed through the Router, eg in the institution or library's privacy policy. There are currently 90 institutions registered with the Router.
"Our advisor suggested that EDINA post notification on the page where institutions register to use the Router which tells the institution that EDINA collects activity data and intends to include them in an anonymised form in such an aggregation and tells those institutions that they should advise
"their users of this activity (eg through their privacy policy). It would be important to offer the option for institutions to opt out of the aggregation. The 90 institutions that have already registered should be advised of the aggregation by email and also given the option to opt out. Data from those registered institutions which opt out will be excluded from the aggregation. (Identifying data related to a specific institution and deleting it constitutes processing of data but, again, this would be done to avoid inclusion in an aggregation and to protect the wishes of the institution with regard to data that may be construed as personal data. Thus, we seek to minimise the risk that privacy is breached). Clearly, data generated before this process of disclosure is undertaken cannot be included in the aggregation. "
Full details can be found in their report: Using OpenURL Activity Data: Legal and policy issues - initial investigation.