One of ORCID’s core principles is that individuals control their ORCID iD and the information attached to it. ORCID systems are designed so that nothing can be added to an individual’s ORCID record without his/her explicit consent.
ORCID privacy tenets
- Each individual creates and owns his/her ORCID iD and record
- Each individual controls who accesses the information in his/her ORCID record - what is made publicly available, what is shared with trusted parties, and what is kept completely private
- Each individual may change access rights to the information in his/her ORCID record at any time
- An individual may close his/her ORCID account at any time, removing all information about or associated with him/her from the ORCID site and systems. While the iD itself will remain, the individual will no longer be connected to this iD on the ORCID site
- Organizations may only add, update, or remove information in an ORCID record if the individual has granted permission for them to do so
We are currently updating our APIs, a part of which has involved reviewing how we are applying these core tenets. At present, it is possible for permissioned organizations to override default visibility settings with a more restrictive visibility setting on items that they add. Going forward, we have decided to change this practice as it may be misleading and confusing to individuals.
The next update to the ORCID Registry will be between March 31 and April 13. With this update, the individual’s default visibility preference will be used for all items added to their ORCID record, even if a trusted organization using the ORCID API specifies a different level of visibility. Specifically, two changes will be made:
- Visibility attributes included when adding or updating items via the API will be ignored, in favor of the default privacy set by the individual. No error will be returned.
- The default visibility for new items set by an individual will apply to all information added to the ORCID Record via the API, including biographical, affiliations, funding, and works information. Note that email addresses cannot be added by Trusted Organizations via the API; the visibility of email addresses are always explicitly set by individuals when they add them to their records.
No immediate action necessary for API users
We expect this update to affect very few users of the member API, as most already rely on the individual’s default setting rather than specifying visibility when adding items. Organizations that we believe may be directly affected already have been contacted.
Organizations that are specifying a visibility do not need to make any immediate technical updates with this change. Organizations that are currently posting private or limited items should be aware these items may start displaying publicly by default depending on an individual’s chosen visibility settings.