Privacy Policy

The following Privacy Policy applies to the Federated Research Data Repository (FRDR) website (the Site), https://www.frdr-dfdr.ca/ and the services available on or at the Site. The Service is offered by the Canadian Association of Research Libraries (CARL) (hereafter: the Service Host).

Privacy Statement

The Service Host respects the privacy of individuals and will only collect, use, and disclose Personal Information in keeping with applicable privacy laws. The Service Host will not process your personal information without your consent.

By submitting Personal Information to the Service Host or by otherwise using the Site or Service, you hereby consent to the collection, use and disclosure of your Personal Information in accordance with this Privacy Policy.

If you do not agree with some or all of this Privacy Policy, please do not use the Service or the Site. Further, if you are not of the age of majority in your place of residence, please do not use the Service or the Site.

Definitions

Collaborators: Submitters may designate other FRDR users as Collaborators on a submission. Collaborators will be able to edit Content prior to publication.

Content: Data and associated material (e.g., metadata records, software code, ReadMe text, etc.) uploaded to the Service by Submitters.

Curator: An individual who has responsibility for managing a set of Content in the Service. This may include but is not limited to making acceptance decisions on submission of Content, auditing and improving metadata, and migrating the Content if necessary.

FRDR: Federated Research Data Repository

Personal Information: Personal information is any recorded information that identifies an individual.

Service: The services available on or at the Site offered by the Service Host.

Service Host: The legal entity responsible for offering the Service, being the Canadian Association of Research Libraries (CARL). Site: Federated Research Data Repository (FRDR) website, https://www.frdr-dfdr.ca/

Submitter: An individual who publishes Content to the Service. It is anticipated that, in the majority of cases, the Submitter will be an author of the Content or associated datasets or a researcher collaborating with the author(s).

User: An individual who makes use of the Service by either browsing the Site or downloading Content.

1.0 Collection of Personal Information

Most of the services relating to FRDR do not require any form of registration, allowing you to visit and browse the Site and Service without telling the Service Host who you are. However, some aspects of the Site and Service may require registration, including where a User wishes to download multiple data files concurrently, or datasets over a defined file size, from the Service. In these situations, if you choose to withhold any Personal Information requested via the Site or Service, it may not be possible for you to gain access to certain parts of the Site or Service, or for the Service Host to respond to your query.

In keeping with applicable privacy laws, the Service Host will only collect Personal Information for the purpose of providing the Service to Users and Submitters or to communicate with Users and Submitters regarding inquiries for information or customer or technical service requests.

1.1As per the Terms of Use Agreement, Submitters should not submit Content which contains Personal Information, unless appropriate written consent has been received from the individuals, or in keeping with information access and privacy law.
1.2Submitters are required to create an account with Globus and are subject to the Globus Terms of Service and Privacy Policy. In order to create an account, Globus collects Personal Information including name, an affiliated institution, and an email address. For the purpose of identity verification, the Service Host collects information about your department (optional), your role within your organization, and your faculty Sponsor (if applicable).
1.3Users who do not wish to submit data to FRDR or use Globus to download Content are not required to provide any Personal Information. However, IP addresses and location data of Users of the system may be collected automatically in order to provide the Service to Users and Submitters. User comments are collected (via web-based feedback option) on a voluntary basis.
1.4For all visitors to the Site, administrative information is collected—such as pages viewed on the site, page access times, browser type, version and language, location, and operating system.

2.0 Use of Personal Information

In keeping with data protection and privacy law, the Service Host will only use Personal Information for the purpose of providing the Service to Users and Submitters.

2.1Personal Information collected will be used for the following purposes:
2.2For all visitors to the Site, administrative information collected will be used:
2.3Internally, only staff with a direct use for the data will have access to Personal Information collected.
2.4Wherever you have given your consent to use your Personal Information, you may withdraw your consent at any time by contacting the Service Host at privacy@frdr-dfdr.ca. You may no longer be able to access some or all of the Site or Service if you withdraw your consent.

The Service Host may also receive, use and process Personal Information provided by third parties in order to provide the Site and Service. For example, Personal Information collected by Globus will be disclosed to the Service Host in order to enable access to certain Content download functionality and to enable other features of the Service for Users and Submitters.

3.0 Disclosure of Personal Information

In keeping with data protection and privacy laws, the Service Host will only disclose Personal Information as required by law, or with the express written consent of the individual whom the information is about.

3.1Comments of Users, regarding Content, provided via the webform to the Dataset Administrator will be shared with the Submitter of that Content.
3.2The Service Host will not sell Personal Information or mailing lists.
3.3Administrative information and usage data will only be disclosed publicly in a de-identified or aggregate format. For example, the Service will make statistics available regarding the aggregate number of Content submissions, the total volume of data held by the Service and the total and unique number of views, downloads and page clicks related to Content. Views and downloads may also be reported on a country or city basis.
3.4Disclosure of Personal Information contained in Content:
3.4.1 It is the responsibility of Submitters to ensure that proper authority or consent has been obtained if Content or metadata contains Personal Information. Submitters will provide authority or consent documentation if requested by the Service Host.
3.4.2 If a Privacy Impact Assessment (PIA) has been completed by the Submitter in respect to Content that will be uploaded to the Service, a copy of such will be provided to the Service Host by the Submitter, upon request.
3.4.3 At the time of submission Submitters may decide whenif their Content will be disclosed publicly. If the Content contains Personal Information, this decision is subject to data protection and privacy laws.
3.4.4 At the time of submission Submitters may request that Content be embargoed for a period that shall not exceed one year, unless approved by the Service Manager, after which point the Content will become publicly accessible. If the Content contains Personal Information, this request is subject to data protection and privacy laws.
3.4.5 The Service Host will use commercially reasonable efforts to honour the disclosure/non-disclosure requests of Submitters, subject to applicable laws including data protection and privacy laws.

4.0 Storage of Personal Information

The Service Host will store Personal Information securely in keeping with accepted records management processes.

4.1Server storage of Personal information
4.1.1 Personal Information collected by the Service Host will be stored on secure servers located in Canada, currently in British Columbia, Canada and in Ontario, Canada.
4.1.2 Personal Information collected by Globus will be stored on Globus servers in the United States, subject to the Globus Privacy Policy.
4.2Personal Information collected or used will be held securely and confidentially by the Service Host.
4.3The Service Host routinely destroys Personal Information that is no longer required for the purposes for which it was collected, in accordance with applicable laws. The Service Host will delete your Personal Information when it is no longer required to retain the Personal Information as set out in this Policy.
4.4Any Personal Information received in error by the Service Host will be securely returned to the individual or securely destroyed after the individual has been advised of the error.

5.0 Security of Personal Information

The Service Host uses reasonable and appropriate physical, administrative and technical measures, including encryption software, designed to help you secure Personal Information against accidental or unlawful loss, access or disclosure. Only staff and service providers who have a legitimate business purpose for accessing Personal Information collected by the Service Host are authorized to do so. Unauthorized use of Personal Information by anyone affiliated with the Service Host is prohibited and constitutes grounds for disciplinary action. Even though the Service Host takes steps to protect Personal Information, security breaches cannot be eliminated and the Service Host cannot guarantee that Personal Information will not be disclosed or used contrary to this Privacy Policy.

You and you alone are responsible for ensuring that sufficient security software is installed and running on your computer, smartphone or tablet and that your network firewall is of sufficient quality and that your wireless connection is encrypted to a degree that will prevent third party access. The Service Host is not responsible for any failure by you to secure your own device and its access to the Internet or your use of public, unsecured networks. The Service Host also is not responsible for any failure by you to eliminate malware. These failures and others can make you vulnerable to privacy breaches and would put you and your data at risk.

6.0 Privacy Breach Protocol

6.1The Service Host will maintain a Privacy Breach Protocol to address the management and mitigation of the breach.
6.2The Privacy Breach Protocol will be reviewed every two years, or as required.
6.3In the event of a privacy breach (unauthorized access to, or collection, use, or disclosure of Personal Information) authorized persons at the Service Host will follow the Privacy Breach Protocol to assess and contain the breach and provide information about the relevant details and mitigation of the breach.
6.4Where required by law, any persons impacted by a privacy breach will be advised by the Service Host. Where large numbers of users may be impacted by a privacy breach, notification will be provided on the Site.

7.0 Access, Correction or Removal of Personal Information

7.1By written request, individuals have the right to request access to Personal Information about themselves that is in the custody of, or under the control of, the Service Host.
7.2The Service Host takes reasonable steps to ensure that any Personal Information in their custody is accurate and up-to-date for the purposes for which the Personal Information is to be used by the Service Host. In most instances, the Service Host relies on Users of the Site and Service to provide notice of any changes to Personal Information provided by them. However, individuals may request, in writing, the correction of, or changes to, Personal Information about themselves that is in the custody of, or under the control of, the Service Host.
7.2.1 Should a requested correction or change not be made to the Personal Information, a copy of the request plus the reason for not granting the request will become part of the administrative record.
7.3Submitters may request, in writing, to have their Personal Information removed from the system administered by the Service Host.
7.3.1 Should the requested deletion of the Personal Information not be done, a copy of the request plus the reason for not granting the request will become part of the administrative record.
7.4Submitters who have created an account with Globus and wish to request a correction, change, or deletion of Personal Information in the custody of Globus, must submit a request directly to Globus.
7.5Persons wishing to have Content containing Personal Information edited, amended, or removed from the Service should contact privacy@frdr-dfdr.ca.

8.0 Updates to this Privacy Policy

The Service Host recommends that you take the time to read this Privacy Policy so that you understand how your Personal Information is handled. The Service Host may update or modify this Privacy Policy at any time by posting the revised Privacy Policy to the Site or making the revised Privacy Policy available through the Service or Site. The Privacy Policy displayed on the Site will include a “last revised” date. The Service Host strongly encourages you to refer back to the Privacy Policy periodically.

This Privacy Policy applies only to the Site and the Service. The Service Host may provide links to other websites that may be of interest to visitors. However, as the Service Host is not responsible for every website link provided on the Site, it is important to familiarize yourself with the privacy policies of the linked websites before providing your personal information to them.

Contact Us

Should you have any questions or concerns about the collection, use, or disclosure of Personal Information as regards FRDR, or about this Privacy Policy please contact our privacy officer at privacy@frdr-dfdr.ca

The Service Host reserves the right to suspend use by any party (Submitter or User) if that party engages in, or is suspected of engaging in, activities that violate applicable information access and privacy laws.

Last Revised: 2020-09-24