Informing users about data collection
In planning the OpenURL Router activity data project EDINA became aware that by processing activity data generated by the Router service being, which is used by around 100 HE institutions, it effectively acts as a ‘data processor’. Even the act of deletion of data constitutes processing so it is difficult to avoid the status of data processor if activity is logged. In the project, EDINA is collecting, anonymising and aggregating activity data from the Router service but has no direct contact with end users. Thus, it can discharge its data protection duties only through individual institutions that are registered with the Router.
After taking legal advice, EDINA drafted a paragraph to supply to institutions that use the OpenURL
Router service for them to add into their institutional privacy policies.
“When you search for and/or access bibliographic resources such as journal articles, your request may be routed through the UK OpenURL Router Service (openurl.ac.uk), which is administered by EDINA at the University of Edinburgh. The Router service captures and anonymises activity data which are then included in an aggregation of data about use of bibliographic resources throughout UK Higher Education (UK HE). The aggregation is used as the basis of services for users in UK HE and is made available so that others may use it as the basis of services. The aggregation contains no information that could identify you as an individual."
EDINA wrote to the institutional contacts for the OpenURL Router service giving them the opportunity to ‘opt out’ of this initiative, i.e. to have data related to their institutional OpenURL resolver service excluded from the aggregation. Institutions opting out had no need to revise their privacy policies. Fewer than 10% of institutions that are registered with the OpenURL Router opted out and several of those did so temporarily, pending revision of their privacy policies.
Taking it further:
The research undertaken by EDINA and the advice received prior to adopting this approach: http://edina.ac.uk/projects/Using_OpenURL_Activity_Data_Initial_Investigation_2011.pdf
The University of Edinburgh’s Data Protection policies and definitions: http://www.recordsmanagement.ed.ac.uk/InfoStaff/DPstaff/DataProtection.htm
JISC Legal’s ‘Data Protection Code of Practice for FE & HE’ :
Information Commissioner’s Office’s ‘Privacy by design’ resources: