In planning the OpenURL Router activity data project, EDINA became aware that by processing activity data generated by the OpenURL Router service it effectively acts as a ‘data processor’. Even the act of deletion of data constitutes processing so it is difficult to avoid the status of data processor if activity is logged. In the project, EDINA is collecting, anonymising and aggregating activity data from the Router service but has no direct contact with end users. Thus, it can only discharge its data protection duties through individual institutions that are registered with the Router.
After taking legal advice, EDINA drafted a paragraph to supply to institutions that use the OpenURL Router service for them to add into their institutional privacy policies:
“When you search for and/or access bibliographic resources such as journal articles, your request may be routed through the UK OpenURL Router Service (openurl.ac.uk), which is administered by EDINA at the University of Edinburgh. The Router service captures and anonymises activity data which are then included in an aggregation of data about use of bibliographic resources throughout UK Higher Education (UK HE). The aggregation is used as the basis of services for users in UK HE and is made available so that others may use it as the basis of services. The aggregation contains no information that could identify you as an individual."EDINA wrote to the institutional contacts for the OpenURL Router service giving them the opportunity to ‘opt out’ of this initiative, i.e. to have data related to their institutional OpenURL resolver service excluded from the aggregation. Institutions opting out had no need to revise their privacy policies. Fewer than 10% of institutions that are registered with the OpenURL Router opted out and several of those only did so temporarily, pending revision of their privacy policies.
Taking it further:
The research undertaken by EDINA and the advice received prior to adopting this approach: http://edina.ac.uk/projects/Using_OpenURL_Activity_Data_Initial_Investigation_2011.pdf
The University of Edinburgh’s Data Protection policies and definitions: http://www.recordsmanagement.ed.ac.uk/InfoStaff/DPstaff/DataProtection.htm
JISC Legal’s ‘Data Protection Code of Practice for FE & HE’ :
Information Commissioner’s Office’s ‘Privacy by design’ resources:
Information about the EDINA 'Using OpenURL Activity Data' project:
[n.b. revised on 23 May with minor amendments]