Standard Contractual Clauses and the GDPR
On 1 October 2021 Jisc signed, on behalf of all members of the UK ORCID Consortium, the Standard Contractual Clauses (SCC) issued by ORCID. This was communicated, via email, to the main contacts of all consortium members on 28 October. The email included the signed SCCs and the letter from ORCID to Jisc referencing the “New Standard Contractual Clauses for GDPR Compliant Data Transfers”.
The signing of the SCCs allowed members to request credentials for the Affiliation Manager via the Member Portal. To support our members in using the new tools in the Member Portal, we ran a webinar with ORCID on 8 November (a recording will be available to members via the UK ORCID Community on Teams). ORCID will be producing a demo to supplement the workshop and we’ll share this when it becomes available.
I’m writing this post as a few members have asked if we could provide clarification of the GDPR implications in signing the SCCs. If, after reading this, you do have further questions, please do not hesitate to contact us via firstname.lastname@example.org with ORCID in the subject field.
As mentioned in the ORCID “New Standard Contractual Clauses for GDPR Compliant Data Transfers” letter, the SCCs are issued by the European Commission and parties aren’t allowed to change them.
This letter also points out why the SCCs are required:
“ORCID Member organisations in the EU, EEA and UK that use the ORCID Member API and/or ORCID Member Portal may be engaging in transfers of personal data to our servers in the US that are subject to European privacy laws and regulations. Therefore, we are sending you the new form SCCs for your review and signature. These describe the measures both you and ORCID will take to protect any transferred personal data.”
ORCID have determined that when members use the ORCID Member API to transfer personal data to ORCID, ORCID acts as the Controller of the received personal data (Controller-to-Controller), whereas in the case of a member using the Member Portal, ORCID acts as a Processor (Controller-to-Processor). Therefore, both the Controller-to-Controller and Controller-to-Processor SCCs are applicable to ORCID membership.
Both SCCs were reviewed by Jisc’s legal team and our Chief Regulatory Adviser and both gave approval for signing. They benefit data exporters (consortium members and, to a lesser extent, consortium operators) by satisfying Article 49 – Derogations for specific situations of the (UK) GDPR. The Data Processor ones also ensure we satisfy Article 28 – Processor.
For now, at least, the UK has decided to continue to recognise the EU ones, rather than issue its own. That ORCID are offering them as an additional protection for the limited data that we export to them is seen, by our Chief Regulatory Advisor, as excellent news and we have signed them as a formal reassurance to ourselves and consortium members.
Where there is a UK/EU difference is in the additional checks that data exporters are required to make. Before the Schrems II case it was sufficient just to sign SCCs, however exporters are now also required to examine the legal regime and practice in the country to which data are being exported. The UK Information Commissioner has published *draft* guidance on what that examination should look like. As described in our Chief Regulatory Advisor’s blog, that guidance is much more realistic than what is being proposed by the EU. As and when the ICO finalises their guidance (expected some time in the new year), we intend to follow their risk assessment process. We don’t foresee any problems in concluding that the export of data to ORCID is very low risk and high benefit. That should be true both for the consortium operator (where we are just exporting contact details of member contacts) and for consortium members (who may be exporting details – possibly minimal – of researchers).