Informing users about data collection
The problem:
In planning the OpenURL Router activity data project EDINA became aware that by processing
activity data generated by the Router service being, which is used by around 100 HE institutions, it
effectively acts as a ‘data processor’. Even the act of deletion of data constitutes processing so it
is difficult to avoid the status of data processor if activity is logged. In the project, EDINA is
collecting, anonymising and aggregating activity data from the Router service but has no direct
contact with end users. Thus, it can discharge its data protection duties only through individual
institutions that are registered with the Router.
The solution:
After taking legal advice, EDINA drafted a paragraph to supply to institutions that use the
OpenURL
Router service for them to add into their institutional privacy policies.
“When you search for and/or access bibliographic resources such as journal articles, your request
may be routed through the UK OpenURL Router Service (openurl.ac.uk), which is administered by
EDINA at the University of Edinburgh. The Router service captures and anonymises activity data
which are then included in an aggregation of data about use of bibliographic resources throughout
UK Higher Education (UK HE). The aggregation is used as the basis of services for users in UK
HE and is made available so that others may use it as the basis of services. The aggregation
contains no information that could identify you as an individual."
EDINA wrote to the institutional contacts for the OpenURL Router service giving them the
opportunity to ‘opt out’ of this initiative, i.e. to have data related to their institutional OpenURL
resolver service excluded from the aggregation. Institutions opting out had no need to revise their
privacy policies. Fewer than 10% of institutions that are registered with the OpenURL Router opted
out and several of those did so temporarily, pending revision of their privacy policies.
Taking it further:
If you plan to process and release anonymised activity data, you may use the EDINA example as
the basis of a paragraph in your own privacy policy - in consultation with your institution’s legal
team. If your institution has already incorporated the paragraph because you are registered with
the OpenURL Router, you may simply amend it to reflect the further activities that you undertake.
Additional resources:
The research undertaken by EDINA and the advice received prior to adopting this approach:
http://edina.ac.uk/projects/Using_OpenURL_Activity_Data_Initial_Investigation_2011.pdf
The University of Edinburgh’s Data Protection policies and definitions:
http://www.recordsmanagement.ed.ac.uk/InfoStaff/DPstaff/DataProtection.htm
http://www.recordsmanagement.ed.ac.uk/InfoStaff/DPstaff/DPDefinitions.htm
http://www.recordsmanagement.ed.ac.uk/InfoStaff/DPstaff/DPDefinitions.htm
The University of Edinburgh’s Website Privacy policy:
http://www.ed.ac.uk/about/website/privacy-policy
http://www.ed.ac.uk/about/website/privacy-policy
JISC Legal’s ‘Data Protection Code of Practice for FE & HE’ [2008]:
http://www.jisclegal.ac.uk/Portals/12/Documents/PDFs/DPACodeofpractice.pdf
http://www.jisclegal.ac.uk/Portals/12/Documents/PDFs/DPACodeofpractice.pdf
Information Commissioner’s Office’s ‘Privacy by design’ resources:
http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/privacy_by_design.aspx
http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/privacy_by_design.aspx
