Environmental Data Initiative Privacy Policy

Version 1.0, Adopted 10 October 2019

The Environmental Data Initiative (herein EDI) publishes this Privacy Policy to inform you, our customers, of the collection, use, and disclosure (“Processing”) of personal data by the EDI project, its computational infrastructure, and scientific partners during the operation of data publication and archive (collectively, our “services”). This Privacy Policy is effective 2 October 2019, and may be amended in the future.

Definitions
Why and how we collect personal data
Security of collected personal data
Personal data found within science metadata
Transparency and sharing of personal data
Personal data retention, access and removal of personal data

Definitions

The following definitions are used throughout this Privacy Policy:

Authenticated customer. A customer who’s identity has been verified through a means of challenge, such as providing a password or other item of information that only the customer would know.

EDI authentication token. A custom web browser cookie that contains authentication information about the customer to enable PASTA+ software access control mechanisms.

EDI customer. An individual or organization that utilizes one or more services provided by EDI.

EDI data repository. An Internet-based scientific data repository service for scientific data publication and archive.

EDI data publication and archive. The process by which scientific data and metadata are made discoverable and available through EDI computational infrastructure, including the long-term curation and management of such data.

EDI website. The official EDI Internet website (https://environmentaldatainitiative.org) where general information about EDI, including policies, news, events, and featured scientific data may be accessed.

EDI workshop. An organized and scheduled effort by EDI (or scientific partner) personnel to disseminate educational materials related to scientific data publication and archive to EDI customers.

PASTA+ software. The software (https://github.com/PASTAplus/PASTA) developed, maintained, and used by EDI to provide its data publication and archive service.

Personal data. Data relating to an identified or identifiable natural person, which may include: common name, surname, given name, email address, organizational associations (name, address, phone), and or unique identifier (such as ORCID or GitHub identity).

Science Data. Data collected by external parties that is published and archived by EDI.

Science Metadata. Textual metadata describing scientific data that is published and archived by EDI
top

Why and how we collect personal data

  1. Dissemination of EDI news and updates. EDI sends news items and updates about our project, operation, and services to EDI customers who subscribe to such information. Customers must actively submit personal data, including: email (required), surname (optional), given name (optional), organization (optional), and organizational role (optional), to EDI’s MailChimp (https://mailchimp.com) account. These personal data are not shared with any 3rd party or partner.
  2. Customer identity information for authorization to EDI data repository services and scientific data and metadata. EDI restricts access to some data repository services (e.g., publishing and archiving scientific data) to a subset of customers who have agreed to our data publication policy. In addition, customers who contribute science data and metadata have the option to apply access control to their data and metadata to limit distribution of their products. Customers who identify through an EDI accepted authentication protocol can be filtered against one or more rules used to allow or deny access to EDI data repository services or scientific data and metadata. Customers who require the ability to publish and archive science data and metadata must request an EDI LDAP account through an EDI representative. An EDI LDAP account requires a unique customer identifier composed into an LDAP distinguished name, given name, surname, and valid email address. Customers who only require identification to access controlled science data or metadata may use a third party identity service (either Google, GitHub, or ORCID) to verify their identity; successful authentication through the third party stores either the customer’s gmail email address, GitHub home location, or ORCID identifier, respectively, into the active EDI web browser session, in addition to the customer’s common name.
  3. Customer email or other contact information. EDI customers may register contact information with EDI for the purpose of notification when the creation, addition, or modification of science data and metadata that is curated by EDI occurs within the EDI data repository. Notifications of this type serve to inform customers when new or updated science data are added to the system or to alert customers when science data are found to be suspect or erroneous post-publication. The collection of customer contact information is an option provided to EDI customers during an authenticated web browser session. Customer contact information includes only an email address.
  4. Web browser session cookies and authentication tokens. EDI websites utilize web browser session cookies and authentication tokens to maintain an authenticated state between the customer’s web browser and EDI’s website services. Session cookies are generated by the EDI website and authentication tokens are generated by the EDI authentication service at the point a customer self-identifies. EDI authentication tokens include the customer’s unique identifier, a token time-to-live, and any membership in recognized roles or groups.

top

Security of collected personal data

All collected personal data are transmitted using HTTP SSL encryption when on the open Internet and restricted behind EDI system firewalls when operated on within the EDI data repository service oriented architecture.
top

Personal data found within science metadata

Personal data may be found within science metadata in the form of contact information pertaining to the origin of the science data and metadata. EDI does not actively collect such personal data; such personal data is provided by EDI customers who wish to publish and archive science data and metadata. EDI does require customers to acknowledge that the owners of this personal data have agreed to its release as part of the publication process. This type of personal data (i.e., contact information) is critical for consumers of science data and metadata to better determine the nature and origin of the science data and metadata when ascertaining fitness for use. In addition, science metadata may contain customer unique identifiers to enable the processing of access control.
top

Transparency and sharing of personal data

EDI records customer identity information, if available, within EDI’s activity audit to better understand what and when published science data and metadata are accessed within the EDI data repository. This information is coupled with the date and time of access and the science data or metadata that is accessed. This information may be summarized and provided to our funding agencies to justify continued operations. In addition, EDI may share the same detailed audit information with customers who contribute science data and metadata so that they may better understand the reuse and efficacy of their science data and metadata publication.
top

Personal data retention, access and removal of personal data

EDI retains the aforementioned personal data within EDI’s computational infrastructure for an indefinite period of time. Upon written request to support@environmentaldatainitiative.org and with proper identification, EDI will provide the requested with a report of all recorded instances of personal data in digital format and or remove all instances of personal data.
top