Activity Data Synthesis

Wednesday, 18 May 2011

How To Guide [Draft]: 'How to inform your users about data processing'

[This is a draft of a How To Guide that will be published as an deliverable of the synthesis team's activities. Your comments are very much welcomed and will inform the final published version of this How To Guide.]

The problem:

In planning the OpenURL Router activity data project, EDINA became aware that by processing activity data generated by the OpenURL Router service it effectively acts as a ‘data processor’. Even the act of deletion of data constitutes processing so it is difficult to avoid the status of data processor if activity is logged. In the project, EDINA is collecting, anonymising and aggregating activity data from the Router service but has no direct contact with end users. Thus, it can only discharge its data protection duties through individual institutions that are registered with the Router.

The solution:

After taking legal advice, EDINA drafted a paragraph to supply to institutions that use the OpenURL Router service for them to add into their institutional privacy policies:
“When you search for and/or access bibliographic resources such as journal articles, your request may be routed through the UK OpenURL Router Service (openurl.ac.uk), which is administered by EDINA at the University of Edinburgh. The Router service captures and anonymises activity data which are then included in an aggregation of data about use of bibliographic resources throughout UK Higher Education (UK HE). The aggregation is used as the basis of services for users in UK HE and is made available so that others may use it as the basis of services. The aggregation contains no information that could identify you as an individual."
EDINA wrote to the institutional contacts for the OpenURL Router service giving them the opportunity to ‘opt out’ of this initiative, i.e. to have data related to their institutional OpenURL resolver service excluded from the aggregation. Institutions opting out had no need to revise their privacy policies. Fewer than 10% of institutions that are registered with the OpenURL Router opted out and several of those only did so temporarily, pending revision of their privacy policies.

Taking it further:

If you plan to process and release anonymised activity data, you may use the EDINA example above as the basis of a paragraph in your own privacy policy – in consultation with your institution’s legal team. If your institution has already incorporated the paragraph because you are registered with the OpenURL Router, you may simply amend it to reflect the further activities that you undertake.

Additional resources:

The research undertaken by EDINA and the advice received prior to adopting this approach: http://edina.ac.uk/projects/Using_OpenURL_Activity_Data_Initial_Investigation_2011.pdf

The University of Edinburgh’s Data Protection policies and definitions: http://www.recordsmanagement.ed.ac.uk/InfoStaff/DPstaff/DataProtection.htm
http://www.recordsmanagement.ed.ac.uk/InfoStaff/DPstaff/DPDefinitions.htm

The University of Edinburgh’s Website Privacy policy:
http://www.ed.ac.uk/about/website/privacy-policy

JISC Legal’s ‘Data Protection Code of Practice for FE & HE’ [2008]:
http://www.jisclegal.ac.uk/Portals/12/Documents/PDFs/DPACodeofpractice.pdf

Information Commissioner’s Office’s ‘Privacy by design’ resources:
http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/privacy_by_design.aspx

Information about the EDINA 'Using OpenURL Activity Data' project:
http://edina.ac.uk/projects/Using_OpenURL_Activity_data_summary.html

[n.b. revised on 23 May with minor amendments]

1 comment:

  1. IN RISE http://www.open.ac.uk/blogs/rise we've faced a slightly different challenge with informing users. Our base data is coming from EZProxy logfiles. Because we push as many of our systems through EZProxy as we can the logfiles contain requests made via our Ebsco Discovery Service, via SFX, through links on our website, and our Moodle VLE. So we've had to try to make sure that as many of those places have a link to a new Library Privacy policy that covers activity data explicitly http://library.open.ac.uk/rise/?page=privacy We've also given people an opt-out option and will be looking as part of the work to comply with the new EU Cookies legislation to move to an opt-in arrangement

    ReplyDelete