Informing users about data collection

The problem:
In planning the OpenURL Router activity data project, EDINA became aware that, by processing activity data generated by the Router service, which is used by around 100 HE institutions, it effectively acts as a ‘data processor’. Even the act of deleting data constitutes processing, so it is difficult to avoid the status of data processor if activity is logged. In the project, EDINA is collecting, anonymising and aggregating activity data from the Router service but has no direct contact with end users. Thus, it can discharge its data protection duties only through individual institutions that are registered with the Router.
The solution:
After taking legal advice, EDINA drafted a paragraph to supply to institutions that use the OpenURL Router service for them to add into their institutional privacy policies:
“When you search for and/or access bibliographic resources such as journal articles, your request may be routed through the UK OpenURL Router Service (openurl.ac.uk), which is administered by EDINA at the University of Edinburgh. The Router service captures and anonymises activity data which are then included in an aggregation of data about use of bibliographic resources throughout UK Higher Education (UK HE). The aggregation is used as the basis of services for users in UK HE and is made available so that others may use it as the basis of services. The aggregation contains no information that could identify you as an individual.”
EDINA wrote to the institutional contacts for the OpenURL Router service giving them the opportunity to ‘opt out’ of this initiative, i.e. to have data related to their institutional OpenURL resolver service excluded from the aggregation. Institutions opting out had no need to revise their privacy policies. Fewer than 10% of institutions that are registered with the OpenURL Router opted out and several of those did so temporarily, pending revision of their privacy policies.
Taking it further:
If you plan to process and release anonymised activity data, you may use the EDINA example as the basis of a paragraph in your own privacy policy - in consultation with your institution’s legal team. If your institution has already incorporated the paragraph because you are registered with the OpenURL Router, you may simply amend it to reflect the further activities that you undertake.
Additional resources:
The research undertaken by EDINA and the advice received prior to adopting this approach: http://edina.ac.uk/projects/Using_OpenURL_Activity_Data_Initial_Investigation_2011.pdf
The University of Edinburgh’s Data Protection policies and definitions: http://www.recordsmanagement.ed.ac.uk/InfoStaff/DPstaff/DataProtection.htm
http://www.recordsmanagement.ed.ac.uk/InfoStaff/DPstaff/DPDefinitions.htm
The University of Edinburgh’s Website Privacy policy:
http://www.ed.ac.uk/about/website/privacy-policy
JISC Legal’s ‘Data Protection Code of Practice for FE & HE’ [2008]:
http://www.jisclegal.ac.uk/Portals/12/Documents/PDFs/DPACodeofpractice.pdf
Information Commissioner’s Office’s ‘Privacy by design’ resources:
http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/privacy_by_design.aspx