Upcoming Developments in Security and Privacy for 2018

This article discusses some of Symplectic's development plans for 2018, where they relate to the security and privacy of information in Elements.

In 2018 we will be working to more clearly signpost and document within Elements the parts of the user interface that allow researchers to indicate whether data can be shared publicly. As a general principle, where privacy controls are offered to users within Elements, they should clearly indicate with whom the associated data will be shared, and we believe there are opportunities for Elements to be a little clearer in this respect. Examples of existing such functionality are the "hiding" of phone numbers when editing a user profile, and the button in a user's claimed publication list that advertises to "hide" a publication from being shown on a user's Elements profile page.

We plan to focus on researcher-facing privacy controls.

We wish to advise you of our planned work in this area as each institution may need to plan adjustments to any feeds to public facing systems. Privacy controls in Elements can only promise to describe how Elements itself will handle data. Ultimately, because each institution can extract data in a variety of ways from Elements, each institution is in a position to decide how and with whom data from Elements is shared.  With each change, we will provide guidance on how this can be taken into account by your local feeds. If you decide to share data more widely than some of the preferences made available to the users of Elements, it will be critical that you inform your user base.

Where possible, we will aim to allow institutions to configure which privacy settings will be made available to researchers within Elements to avoid situations where researchers select privacy preferences which are inconsistent with the way you intend to handle data. Currently, these are fixed - any user is able to mark their association with a publication as "hidden". We anticipate that some institutions may not want researchers to be able to restrict its sharing for certain types of information. We welcome your feedback on this. 

To help with transparency, we hope to introduce a new optional, configurable, researcher-facing page within Elements that describes how your institution uses Elements to share information. This page could be used to give an overview of how Elements is used to share data, and with whom. It could describe clearly how the privacy settings on the user's profile (e.g ."hiding" email addresses) and their list of claimed publications ("hiding" publications) work. You might wish to include a link to your own Privacy Notice, along with a line that indicates that this should be read to understand how personal data in Elements will be used by your institution.

During 2018, we plan to release the Elements Discovery Module, introducing new researcher profile pages as a separately licensed component of Elements. The Discovery Module will be an option institutions could choose to surface researcher data from Elements publicly that sits alongside the existing ability to export data to your own system of public facing web pages.

For security reasons, researcher profile pages in the Discovery Module will belong to a completely new and separate set of components to the rest of Elements: a public facing sub-system. Data will be transferred from the main part of Elements to the Discovery Module, with data marked by your institution as unsuitable for public display being filtered out by Elements before crossing the boundary.

In v5.9.1 (targeted for February 2018), we are introducing the ability for you to mark a user's profile as "for public sharing". The Discovery Module will automatically respect this setting by not allowing any profile information for users without this setting to be transferred to its data store, including any relationships to other data (such as publication authorships). This option would also allow a profile that has been made public using the Discovery Module to be withdrawn from public display there, should the need arise.

On 25 May 2018, the European General Data Protection Regulation (GDPR) becomes enforceable. It extends the scope of EU data protection law, much of which enhances the rights individuals have in respect of their personal data.

Symplectic, and Digital Science more widely, is in the process of ensuring its own compliance with the GDPR in time for May 2018. Your institution will also be preparing for the impact of compliance with the GDPR. A natural part of this will be for you to review how Symplectic as a team, and Elements as a product, can help you meet its requirements.

Symplectic has been in a position for a long time to support you in the protection of data. Many of the security principles followed by Symplectic and which relate to data protection and the exercising of data subject rights are detailed in a long technical document entitled Symplectic Elements Security due for release on the support site soon. This includes explanations of when and why Symplectic staff members access data in a Symplectic hosted instance of Elements, as well as addressing the location, correction and deletion of personal data. We have also developed a GDPR contract addendum, should the existing agreement we have in place with your institution not meet the new requirements of the GDPR - please let us know if you would like a copy.

The GDPR demands greater levels of responsibility in several areas, including transparency in how you handle personal data. To help you understand how personal data is used and shared via Elements, we will begin maintaining a new article on the support site: Introduction to Data Privacy and Personal Data in Elements. Together with knowledge about how your institution uses the data managed in Elements, this should put you in a good position to be able to explain to your data subjects how personal data in Elements is used.