Orchid User Privacy Notice
1. Data protection - We (the University of Oxford) make the ORCHID database available as a resource for conducting research. This notice pertains to the personal data of researchers from the University of Oxford and other Universities within the UK who apply for and receive access to the ORCHID database. These researchers provide their name, email, date of birth, academic credentials as well as the name and postal address of the University where they work (‘personal data’).
When users sign into their ORCHID accounts, we also conduct a process called "2 Factor Authentication" (2FA) in which users prove that they are who they say they are. This process collects user location, name, phone number, email and internet protocol (IP) address. This information is used solely for the authentication process and the application is managed via a third-party supplier (“DUO”).
We act as the “data controller” when we administer this database and conduct our own research using ORCHID data. Similarly, when we share ORCHID data with researchers from other Universities to conduct research, they act as the data controller. The data controller explains how it uses personal data in a separate privacy notice for each research project.
The legal basis on which we rely for processing data to administer the ORCHID database and share information from ORCHID with other Universities is Article 6(1)(f) (legitimate interests) under the UK General Data Protection Regulation (GDPR). This processing satisfies the University of Oxford’s mission to the advancement of learning through research and contributes to the body of research by providing access to an integrated database, which helps facilitate the completion of research activities through the use of the ORCHID database resource.
When we process personal data from ORCHID for our specific research projects, we do so in accordance with Articles 6(1)(e) and 9(2)(j) of the UK GDPR, which allow for this processing as a means to perform a task in the public interest (research). We are also permitted to process special category data as it is necessary for research purposes under Article 9(2)(j) of the UK GDPR. These legal bases (public interest/research) also apply to researchers from other Universities when they access the ORCHID database for their research projects. In those instances, they act as the data controller for their own projects.
2. How we use your data - We use your data to review and correspond with you about your ORCHID user registration request. We also coordinate the annual review of existing user accounts to confirm whether to initiate the renewal process or deactivate them. We need to process your data for these purposes in order to meet our legitimate interests in administering the registration process for the ORCHID research database resource. We process your data because you have given us your consent to do so.
You can withdraw your consent at any time by contacting us at firstname.lastname@example.org. In this event, we will remove your access to ORCHID and stop the processing as soon as we can. However, this will not affect the lawfulness of any processing carried out before your withdrawal of consent. We will only use your data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purposes. If we need to use your data for an unrelated purpose, we will seek your consent to use it for that new purpose.
3. Who has access to your data? We will provide access to your data to only those who need to view it as part of their work in carrying out the purposes described above. We share your data with DUO, which hosts user data in the UK, but is based in the United States (US). DUO helps us authenticate users who have successfully completed the ORCHID user registration process.
DUO is required to implement security measures, which protect your data in line with University of Oxford’s policies and procedures. We do not allow DUO to use your data for their own purposes. We permit DUO to process your data only for the specified purpose and in accordance with our instructions. Where we share your data with DUO, we will seek to share the minimum amount necessary.
4. Retaining your data - We will retain your data for up to 15 months from the date on which you originally received ORCHID access or from the renewal date of that access, if applicable.
5. Security – We hold your data securely in accordance with the University’s policies and procedures. Further information is available on the University’s Information Security website: www.infosec.ox.ac.uk.
6. Where we store and use your data - We store and use your data electronically on University systems in the UK and on a third-party system, which resides in the EEA, but whose parent company is based in the US. We have entered into a contract with this company, which incorporates the required data protection clauses recognised or issued in accordance with the UK data protection regime. These are available upon request (refer to Section 8 below).
7. Your rights – Information on your rights in relation to your personal data is explained here.
8. Contact – If you have any questions about how your data will be used, please contact the ORCHID Team at email@example.com. If you wish to exercise any of your rights as mentioned above or if, for any reason, you are not happy with the way that we have handled your data, please contact the University’s Information Compliance Team or the University’s Data Protection Officer using this email address: firstname.lastname@example.org.
If you are still not happy, you have the right to make a complaint to the Information Commissioner’s Office (https://ico.org.uk/).
This notice is posted and available here:
Effective: 01 07 2021 Last revised: 27 October 2023 (v 3.0)