Policy on retention and use of personal data

Purpose

This policy establishes the principles, responsibilities and approach for ensuring the EIDC meets the requirements of the UKRI Privacy Notice, the UKEH Privacy Policy, the NERC Data Protection Policy and the EIDC Privacy Notice, which sets out the approach for handling personal information in accordance with UK data protection laws.

The policy also supports the EIDC Acquisition Policy and aligns with the NERC Data Policy.

Scope

UK data protection laws stipulate that personal data held by organisations should be accurate, kept up-to-date, can only be used for the purposes stated at the time of collection and must be held for no longer than necessary.

This document only relates to personal data collected as part of the EIDC's scientific data management activities.

Personal data is here defined as any information that can be used to identify a living individual.

Introduction

The EIDC's specific responsibility for the handling of personal data pertaining to scientific data management has been divided into the following three categories:

1. Personal information collected to enable access to EIDC data holdings

The management of user personal data will be in accordance to a user's data protection rights, be sympathetic to the Data Originator's attribution rights and satisfy EIDC's business needs.

The EIDC will ensure that information is accurate and secure, and is not kept longer than necessary.

2. Personal information collected to provide provenance for scientific data deposited with the EIDC

This includes information relating to individuals involved at some point in the data lifecycle. For example during data collection, data processing, data distribution or governance. It covers a variety of roles such as data originators/authors, EIDC staff, Principal Investigators (PI), data governors and project participants.

3. Personal information collected to develop and agree plans with NERC grant holders to deposit scientific data they generate with NERC Data Centres

This includes information relating to individuals involved at some point in the data lifecycle. For example during data collection, data processing, data distribution or governance. It covers a variety of roles such as data originators, Principal Investigators (PI), data governors and project participants.

1. Personal information collected to enable access to EIDC data holdings

Purpose of user data 

The purposes for collecting personal data are:

  • To record agreement with a licences for EIDC data resources
  • To notify the user of the location of secure links to access the data
  • To notify the user in the event of problems encountered during data delivery
  • To notify the user in the event of changes to the data supplied
  • and, in an anonymised form, to produce performance statistics

Collection of user data

The registration of users on the public EIDC data catalogue

The purposes for the collection of personal data will be directly communicated during the registration process and will also be available on the EIDC public website as part of EIDC's Privacy Policy.

The registration process will discourage children so that EIDC does not need to gain parental consent for the processing of children's personal data.

The wording will be such that continuation with the registration process is the means whereby active consent is gained for the processing of personal data.

Online ordering of data products

The purposes for the collection of personal data will be communicated directly during the order process and will also be available on the EIDC public website as part of EIDC's Privacy Policy.

The order process will discourage children so that the EIDC does not need to gain parental consent for the processing of children's personal data.

The wording will be such that continuation with the order is the means whereby active consent is gained for the processing of personal data.

Helpdesk requests 

Where a helpdesk request is received, we reserve the right to collect and retain personal data for evidence of compliance with legal regulations (e.g. Environmental Information Regulations)

Access to user data

Data management activities

Access to personal data held at EIDC will be restricted to authorised EIDC individuals as required by their role. This will be limited to the information they need to fulfil their duties.

Information for Key Performance Indicators

Personal data relating to user transactions will be used in the compilation of annual performance reports, which will be kept indefinitely. Any such statistical data will be anonymised.

Dissemination outside of EIDC

No personal data will be shared with third parties.

Accuracy of information

The onus falls on the user to keep their information up-to-date.

When requesting data, information or products, it is the responsibility of the requester to notify the EIDC of any change of status. Provenance will be maintained for historic requests so the change will only apply to subsequent requests.

Following the receipt of a verifiable notification of change of status, members of the EIDC are responsible for responding to and acting on the notification of change.

Retention of user data

Requested removal of user accounts

Following a verified request for the removal of a user account:

  • If no data have been downloaded, the user's account will be deleted.
  • Personal information will be maintained for download activities as this forms an record of the licence terms agreed for the dataset.

Inactivity of user accounts

If no data have been downloaded, users' accounts will be deleted after a period of 10 years of inactivity.

 

2. Personal information collected to provide provenance for scientific data deposited with the EIDC

Purpose of provenance data

The purposes for this data are:

  • To support the transparency and integrity of the research process and if necessary, provide additional information to enable data re-use and re-purposing.
  • To facilitate data citation through the assignment of Digital Object Identifiers.
  • To provide a point of contact to raise or respond to questions concerning the data or metadata.

Provenance data relate to individuals involved at some point in the scientific data lifecycle. This could be during collection, processing, distribution or governance. Examples include authors, Principle Investigators (PI), data originators, data governors, project participants and EIDC staff.

Collection of provenance data

The purposes for the personal data will be communicated to the data provider during the submission of data (and metadata) and will also be available as part of the EIDC Data Deposit Conditions on the EIDC public web site.

As these individuals will not be children, the issue of parental consent for the processing of personal data does not arise.

The wording will be such that continuation of a data/metadata deposit is the means whereby active consent is gained for the processing of personal data.

Access to provenance data

In the interests of maintaining and supporting the integrity and transparency of the scientific research process, it is common practice within the scientific publications for attribution to be included. In accordance with this, personal information relating to the provenance of Open scientific data will be in the public domain.

Accuracy of information

The onus falls on the data provider to keep their information up-to-date and this expectation will be explicitly stated during all communications. It will also be made available via the EIDC Data Deposit Conditions on the EIDC public web site.

Following the receipt of a verifiable notification of change of status, the EIDC are responsible for responding to and acting on the notification of change.

Retention of provenance data

Provenance data will be kept indefinitely for scientific data governance purposes.

3. Personal information collected to develop and agree plans with NERC grant holders to deposit scientific data they generate with NERC Data Centres

Purpose of grant data

This personal data is used to develop and agree with NERC grant holders, a Data Management Plan for the pupose of depositing scientific data they generate with NERC Data Centres (or agreed alternatives).

This includes information relating to individuals involved at some point in the data lifecycle. For example during data collection, data processing, data distribution or governance. It covers a variety of roles such as data originators, Principal Investigators (PI), data governors and project participants.

Collection of grant data

Personal data of the NERC grant holder will be securely accessed and copied by EIDC adminstration staff from the NERC grants administration portal and held on secure EIDC administration systems. The purposes for the personal data will be communicated during the initial communication with the Principal Investigator and will also be available on the EIDC public web site.

As these individuals will not be children, the issue of parental consent for the processing of personal data does not arise.

The wording will be such that continuation of a data/metadata deposit is the means whereby active consent is gained for the processing of personal data.

Access to grant data

No personal information relating to the NERC grant will be shared with third parties.

Accuracy of information

The onus falls on the grant holder to keep their information up-to-date and this expectation will be explicitly stated during all communications.

Following the receipt of a verifiable notification of change of status, the EIDC are responsible for responding to and acting on the notification of change.

Retention of NERC grant data

NERC grant data will be kept indefinitely as part of the evidence of meeting grant conditions.

Policy ownership

The Head of EIDC owns this EIDC Policy.

Policy review

The EIDC Management Group will review the policy annually or sooner if required by changes in the governance, legal or contract obligations of the EIDC.