This policy establishes the principles, responsibilities and approach for ensuring the EIDC meets the requirements of the UKRI Privacy Notice, the UKEH Privacy Policy, the NERC Data Protection Policy and the EIDC Privacy Notice, which sets out the approach for handling personal information in accordance with UK data protection laws.
The policy also supports the EIDC Acquisition Policy and aligns with the NERC Data Policy.
UK data protection laws stipulate that personal data held by organisations should be accurate, kept up-to-date, can only be used for the purposes stated at the time of collection and must be held for no longer than necessary.
This document only relates to personal data collected as part of the EIDC's scientific data management activities.
Personal data is here defined as any information that can be used to identify a living individual.
The EIDC's specific responsibility for the handling of personal data pertaining to scientific data management has been divided into the following three categories:
1. Personal information collected to enable access to EIDC data holdings
The management of user personal data will be in accordance to a user's data protection rights, be sympathetic to the Data Originator's attribution rights and satisfy EIDC's business needs.
The EIDC will ensure that information is accurate and secure, and is not kept longer than necessary.
2. Personal information collected to provide provenance for scientific data deposited with the EIDC
This includes information relating to individuals involved at some point in the data lifecycle. For example during data collection, data processing, data distribution or governance. It covers a variety of roles such as data originators/authors, EIDC staff, Principal Investigators (PI), data governors and project participants.
3. Personal information collected to develop and agree plans with NERC grant holders to deposit scientific data they generate with NERC Data Centres
This includes information relating to individuals involved at some point in the data lifecycle. For example during data collection, data processing, data distribution or governance. It covers a variety of roles such as data originators, Principal Investigators (PI), data governors and project participants.
The purposes for collecting personal data are:
The purposes for the collection of personal data will be directly communicated during the registration process and will also be available on the EIDC public website as part of EIDC's Privacy Policy.
The registration process will discourage children so that EIDC does not need to gain parental consent for the processing of children's personal data.
The wording will be such that continuation with the registration process is the means whereby active consent is gained for the processing of personal data.
The purposes for the collection of personal data will be communicated directly during the order process and will also be available on the EIDC public website as part of EIDC's Privacy Policy.
The order process will discourage children so that the EIDC does not need to gain parental consent for the processing of children's personal data.
The wording will be such that continuation with the order is the means whereby active consent is gained for the processing of personal data.
Where a helpdesk request is received, we reserve the right to collect and retain personal data for evidence of compliance with legal regulations (e.g. Environmental Information Regulations)
Access to personal data held at EIDC will be restricted to authorised EIDC individuals as required by their role. This will be limited to the information they need to fulfil their duties.
Personal data relating to user transactions will be used in the compilation of annual performance reports, which will be kept indefinitely. Any such statistical data will be anonymised.
No personal data will be shared with third parties.
The onus falls on the user to keep their information up-to-date.
When requesting data, information or products, it is the responsibility of the requester to notify the EIDC of any change of status. Provenance will be maintained for historic requests so the change will only apply to subsequent requests.
Following the receipt of a verifiable notification of change of status, members of the EIDC are responsible for responding to and acting on the notification of change.
Following a verified request for the removal of a user account:
If no data have been downloaded, users' accounts will be deleted after a period of 10 years of inactivity.
The purposes for this data are:
Provenance data relate to individuals involved at some point in the scientific data lifecycle. This could be during collection, processing, distribution or governance. Examples include authors, Principle Investigators (PI), data originators, data governors, project participants and EIDC staff.
The purposes for the personal data will be communicated to the data provider during the submission of data (and metadata) and will also be available as part of the EIDC Data Deposit Conditions on the EIDC public web site.
As these individuals will not be children, the issue of parental consent for the processing of personal data does not arise.
The wording will be such that continuation of a data/metadata deposit is the means whereby active consent is gained for the processing of personal data.
In the interests of maintaining and supporting the integrity and transparency of the scientific research process, it is common practice within the scientific publications for attribution to be included. In accordance with this, personal information relating to the provenance of Open scientific data will be in the public domain.
The onus falls on the data provider to keep their information up-to-date and this expectation will be explicitly stated during all communications. It will also be made available via the EIDC Data Deposit Conditions on the EIDC public web site.
Following the receipt of a verifiable notification of change of status, the EIDC are responsible for responding to and acting on the notification of change.
Provenance data will be kept indefinitely for scientific data governance purposes.
This personal data is used to develop and agree with NERC grant holders, a Data Management Plan for the pupose of depositing scientific data they generate with NERC Data Centres (or agreed alternatives).
This includes information relating to individuals involved at some point in the data lifecycle. For example during data collection, data processing, data distribution or governance. It covers a variety of roles such as data originators, Principal Investigators (PI), data governors and project participants.
Personal data of the NERC grant holder will be securely accessed and copied by EIDC adminstration staff from the NERC grants administration portal and held on secure EIDC administration systems. The purposes for the personal data will be communicated during the initial communication with the Principal Investigator and will also be available on the EIDC public web site.
As these individuals will not be children, the issue of parental consent for the processing of personal data does not arise.
The wording will be such that continuation of a data/metadata deposit is the means whereby active consent is gained for the processing of personal data.
No personal information relating to the NERC grant will be shared with third parties.
The onus falls on the grant holder to keep their information up-to-date and this expectation will be explicitly stated during all communications.
Following the receipt of a verifiable notification of change of status, the EIDC are responsible for responding to and acting on the notification of change.
NERC grant data will be kept indefinitely as part of the evidence of meeting grant conditions.
The Head of EIDC owns this EIDC Policy.
The EIDC Management Group will review the policy annually or sooner if required by changes in the governance, legal or contract obligations of the EIDC.