
Data Protection Benefits with ORCID

A few weeks ago I presented on “ORCID and GDPR” at a UK Consortium event. I hope this was reassuring: I’ve always been very impressed with ORCID’s approach to Data Protection (in the European sense of “managed processing”, not the more limited one of “security”), but take it from the German Consortium’s lawyers, back in 2018:

The data protection assessment of ORCID has not been able to identify any serious deficiencies. On the contrary, with its privacy functionalities, the system supports users in exercising their right to informational self-determination and at times has a role model in this regard

The one circumstance where “a risk-free forecast cannot be made” – a remarkably high standard – was where individual researchers could not freely consent to processing of their ORCID IDs: for example where this was required by employers or funders.

Here, it’s important to recall that researchers’ personal data is already being processed by institutions, funders and publishers, and usually much more of it than is required for a functional ORCID record. Those data controllers ought to have identified a GDPR lawful basis for that processing, so the simplest approach is to consider the same lawful basis for ORCID IDs. As the Germans noted, Consent is unlikely to be valid, but there are at least three other possibilities:

  • Necessary for (employment) Contract: in the sense that the substance of the contract can’t be achieved with any less processing;
  • Necessary for Public Task;
  • Necessary for organisation’s Legitimate Interest.

Each of those includes requirements to reduce both risk and – because they all include the word “necessary” – processing, and it may well be that an “ORCIDised” (sorry!) version of the process can deliver both of those. To check that, and to reassure individuals and regulators, I’d suggest working through and documenting the following steps:

  1. What is the purpose of processing?
  2. Is that purpose legitimate?
  3. Can the purpose be achieved less intrusively? For example, can we let researchers choose whether or not to populate/release some fields in their records, using ORCID’s fine-grained controls?
  4. What organisational and technical safeguards can we apply?
  5. Does the remaining risk to the individual override the benefit of the purpose?

Those familiar with data protection will recognise this as the Article 6(1)(f) Legitimate Interest Assessment (which is effectively a superset of the requirements for the other lawful bases) and indeed an LIA or Data Protection Impact Assessment (DPIA) might be good ways to document this thinking.

This approach should also highlight opportunities to use ORCID itself as a safeguard: an ORCID ID already has the technical characteristics of a pseudonym (GDPR Art 4(5)). Using ORCID in your systems should also help with organisational safeguards, for example by reducing the need for re-typing, and the risk of confusing different researchers with similar names.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
