ORCID and Data Privacy in Germany

Laure Haak's picture

In the implementation of ORCID at member institutions, we frequently receive questions about our privacy policy and how it aligns with national and international data privacy frameworks.  Researcher privacy and control are foundational ORCID principles, and we work very diligently to maintain community trust. We undergo an annual privacy audit, performed by a third party, to ensure our Privacy Policy aligns with EU-US data transfer frameworks. We also established the ORCID Trust program, overseen by a Board-led working group, to advise us regarding new and evolving global practices and regulations.

In addition to these internal programs and practices, we are thankful to receive guidance from our community. When ORCID was readying for its launch back in 2012, Jisc, a UK expert body for digital technology and resources in higher education, commissioned a legal review of our privacy practices as part of its national researcher identifier initiative.  

More recently, the German ORCID DE project commissioned an expert report, funded by the German Research Foundation | Deutsche Forschungsgemeinschaft, to review our data privacy practices. The law firm iRights.Law, which specializes in digital media, produced their opinion in a report entitled "ORCID aus datenschutzrechtlicher Sicht." The report examines user scenarios and describes relevant legal considerations under German data protection law and the European GDPR framework. It can be accessed (in German) at DOI: http://doi.org/10.2312/lis.17.02. A blog post about the report (also in German) is available on the ORCID DE website, here.

We have since received a number of inquiries from other European countries about the report, and have been working with ORCID DE and iRights.Law to translate key sections. This work is now complete and, with our colleagues in ORCID DE, we are pleased to share the translation with our community.

The conclusion of the report states:

"The data protection assessment of ORCID has not been able to identify any serious deficiencies. On the contrary, with its privacy functionalities, the system supports users in exercising their right to informational self-determination and at times has a role model in this regard. By designing it as a user-controlled identity management system, users of the portal can view and control at any time which data is processed as on the platform and who has access to it when and when. Although the examination of the technical implementation details at the program code level could not be the subject of this investigation, it should also be noted that the fact that the system was implemented as open software can provide additional confidence. Likewise, the fact that a consortium made up of different stakeholders, and that the consortium does not intend to make a profit, has been chosen for the operation, is another source of confidence."

We recognized ORCID DE for their leadership on this initiative in our first Consortium Awards ceremony in January. We thank them for their continuing work in helping to develop community understanding of data privacy requirements, and their guidance in ensuring ORCID practices meet or exceed these standards.

Related resources

ORCID Blog posts: