Purpose of this Policy
The document outlines DataverseNO’s commitment to facilitating maximum access and use of research data published in DataverseNO, describes the mechanisms DataverseNO implements to fulfil this commitment, and provides those depositing and accessing Datasets from DataverseNO with guidance on determining usage rights associated with each Dataset as well as data privacy in general.
Dissemination of Content
The goal of ensuring dissemination of Datasets published in DataverseNO is fundamental to DataverseNO’s mission. In order to uphold DataverseNO’s commitment to facilitating access and use of research data published in DataverseNO, DataverseNO disseminates its contents through as many means as possible, including:
- Facilitating the indexing of Descriptive Metadata by search engines.
- Providing and publishing URLs for harvesting (OAI-PMH) of individual collections on all levels.
- Providing persistent URLs and assigning Digital Object Identifiers (DOIs) for reliable citing and discovery of published Datasets.
- Registering Descriptive Metadata with the DataCite DOI Fabrica (https://doi.datacite.org/) for discovery of the content by harvesters and individuals seeking public information about Datasets.
DataverseNO is committed to investigating and implementing new methods for further dissemination of its contents as warranted.
Access to Content
Datasets published in DataverseNO are discoverable and openly available to anyone with access to the Internet. DataverseNO (by owner) is responsible for secure archiving and data availability for at least 10 years after assigned DOI. However, the intent for DataverseNO is to ensure access to archived data in a long-term perspective. Whenever possible and feasible, items are archived in formats that can be opened and read using freely available software. Additionally, items may also be archived in their original format.
Data Privacy Statement
About the privacy statement
This privacy statement describes how the data controller processes your personal data in DataverseNO. The purpose of this privacy statement is to inform you about what personal data we process, how they are processed, who is responsible for the processing, what your rights are and who you can contact about data privacy in DataverseNO.
By using the DataverseNO repository (including any sub-collection), you acknowledge and accept that these are the privacy practices governing the DataverseNO repository. The web sites used by DataverseNO may contain links to other web sites and use third-party applications and/or software. DataverseNO is not responsible for the privacy practices of these third parties, and you should read through their practices before clicking or using them.
What are personal data?
Personal data are all forms of data, information and assessments that relate to you as a person, cf. the Personal Data Act Section 2 and the GDPR Article 4(1) (for translations into other languages than Norwegian, see EUR-Lex Document 32016R0679). The decisive factor as to whether data constitute personal data is whether they can be related to a specific person. Data which, on their own, cannot be related to an individual person, may still constitute personal data in cases where the data are connected with other data.
The purpose of personal data processing in DataverseNO
The repository and associated web sites (henceforth “Service”) processes different types of personal data. The table below gives an overview of the types of users these data are about and the purposes for which these data are obtained.
| Types of users | Description | Purpose of registration and processing |
| Administrative users | System administrator, repository managers, collection managers. Typically, employees at the DataverseNO owner institution and at the partner institutions. | Administration of the Service including maintenance of content and configuration of access to functions and content. |
| Depositors | Persons or services who register metadata and upload files to the repository. | Registration of resources in the repository. Depositors must be registered with their identity to acquire rights to deposit data in the repository. |
| Other end users | Persons or services that access the Service, identified by IP address and cookies. | As a main rule, other end users are granted open access to deposited/published Datasets in the repository. DataverseNO logs necessary information to avoid misuse of the Service and to generate aggregated statistics of use of the resources, including which countries the users come from. |
| Persons linked to the Dataset | Author, co-author, data collector, and other possible contributors. Typically, employees or students at the DataverseNO owner institution or partner institutions. | Cataloguing, crediting and accountability of the persons behind the Dataset. |
| Persons identified in the Dataset | Any persons and pertaining information about them contained in the Dataset. | Making Datasets available. The person responsible for content together with the data controller must ensure data protection in the Dataset before it is published in the repository. |
Registered personal data, legal grounds and storage time
The processing of personal data related to user accounts in the Service is necessary for the fulfilment of the DataverseNO Deposit Agreement, which you as a (future) user must acknowledge that you have read and accept in order to use the services provided by DataverseNO. The legal basis for the processing of personal data related to user accounts in the Service is thus given by the Personal Data Act, and the GDPR Article 6(1)(b).
If you are affiliated with a DataverseNO partner organization or another organization with which UiT The Arctic University of Norway (owner of DataverseNO) has entered into a data processor agreement, the processing of your personal data in the Service is regulated through that data processor agreement.
Registered personal data about authors and contact persons are covered by the Personal Data Act, and the GDPR Article 6(1)(f) – to perform a task on grounds of legitimate interests.
DataverseNO does not allow processing of special categories of data, cf. the Personal Data Act, and the GDPR Article 9(1). In the cases where the users themselves can register information in the metadata schemas, file contents and similar, the user is obliged to meet the DataverseNO Accession Policy. Users are not permitted to register sensitive personal data about themselves or others or to use the repository for defamatory conduct.
The processing of technical user data is necessary to adapt functionality in the Service, and is thus necessary for the purposes of the legitimate interests pursued by the controller or by a third party, cf. the Personal Data Act, and the GDPR Article 6(1)(f).
The following personal data are processed in DataverseNO:
User data
| Type of data | Description | Source |
| Basic user data | Full name | Authentication and authorization infrastructure (AAI) sevices (eduGAIN, Feide, Microsoft Azure AD, ORCiD), local user registration |
| Contact information | Email address, affiliation (and optionally) position | Authentication and authorization infrastructure (AAI) sevices (eduGAIN, Feide, Microsoft Azure AD, ORCiD), local user registration |
| Additional information | If the guestbook feature is activated for a particular dataset, then any information filled out in the guestbook is made available to the system administrator, the repository and collection managers, dataset manager, and dataset curator. | End user interaction |
Technical user data
| Type of data | Description | Source |
| System identities | Identities in the repository and integrated systems. Authentication and authorization infrastructure (AAI) ID, internal ID. | Authentication and authorization infrastructure (AAI) sevices (eduGAIN, Feide, Microsoft Azure AD, ORCiD), the Service |
| System roles and affiliation to the organisation | The user is assigned roles in the system in order to provide adapted functionality and access to the repository. | Assigned in system |
| Session information and cookies | Information related to the user’s interaction with the Service. Necessary to adapt functionality in the service and to authenticate users. | Authentication and authorization infrastructure (AAI) sevices (eduGAIN, Feide, Microsoft Azure AD, ORCiD), the Service |
| Log | Log of system use related to the logged-in user and/or IP address of end users. IP addresses will be registered for anonymous users, which in certain cases can be traced back to a person. The purpose of logs is to ensure security and integrity in the system, provide user support and analyse use of the service. The data collected include time, user ID, IP address, information about browsers and hardware, session information and other information that browsers normally provide. | The Service |
| Web analytics services | Including device information and IP addresses, using cookies or similar technologies. DataverseNO uses this web analytics information to evaluate the use of the DataverseNO website, compiling reports on website activity for website operators, and providing other services relating to website activity and Internet usage.DataverseNO obtains this web analytics information using the open-source software tool Matomo, run on a local server at UiT. The software places a cookie on the user’s computer. The following data is saved for each access/retrieval of individual pages of the DataverseNO websites:
If JavaScript is activated, the following data is collected additionally for each access/retrieval:
The information is stored on the servers owned by the owner of DataverseNO, or on servers run by third parties on behalf of the owner of DataverseNO. Matomo may provide means which allow DataverseNO users who do not want their usage data collected to block usage data collection. On the DataverseNO repository website, usage data collection may be blocked by clicking the Manage tracking URL in the website footer. Blocking of usage data collection is in any case the sole responsibility of the DataverseNO users. Users of DataverseNO consent to the collection and storing of data about the users by web analytics services in the manner and for the purposes set out above. |
Matomo |
Other personal data
| Type of data | Description | Source |
| Metadata about the publication | Full name of author, co-author, (and if applicable) other contributors (e.g. data collector), unique ID to identify the author, researcher ID(s) if any (e.g., ORCID), research organisation ID(s) if any (e.g., ROR) to the Dataset. | Registered in DataverseNO or harvested from external sources. |
| Personal data in the deposited files | Arbitrary content that must be quality assured by the user and data controller. | Deposited into DataverseNO. |
Information about user activity is stored in order to provide user support and to gain an impression of general use of the Service.
Personal data is stored until one of the following occurs:
- The purpose of the personal data processing has been fulfilled.
- The data controller decides to discontinue the Service.
Logs and backups of the system data are stored for up to one year.
User information (except logs) is stored for the lifetime of the Dataset for users who register content in the repository.
Automatic case processing
Personal data related to the system users will not be subject to automated case processing or profiling.
Open personal data related to the Dataset can be subject to profiling by services that harvest information from the repository but will not be profiled as part of the Service.
Disclosure of your personal data to third parties
Disclosure or export of data is defined as all disclosure of data aside from to the Service’s own system/processing or to the data subjects themselves, or to someone who receives data on their behalf.
Personal data linked to users are not transferred to countries outside the EU/EEA. The Service is run on servers in the EU/EEA .
Your personal data are disclosed to UiT The Arctic University of Norway, which is the Service provider, and to the following subcontractors:
| Subcontractor | Function |
| Microsoft Corporation, Inc. | Delivers file storage and compute infrastructure. |
| University of Oslo | Delivers object storage for the repository. |
The subcontractors’ staff who need the personal data to perform their work have adapted access in order to provide on-site maintenance, user support and any rectification of errors in the Service.
Open personal data linked to Datasets are openly shared with external services. This includes search services such as B2FIND, BASE Bielefeld, DataCite Search, Google Dataset Search, Oria, and OpenAIRE, which harvest metadata from the repositories, as well as generic search engines such as Google, Baidu, Bing etc. that index data via the websites.
See the following table for the Service’s integrations:
| Integration | Purpose | Service provider |
| Feide | Information for secure login of users. | Uninett AS |
| Harvesting to the repository | The data processor can configure harvesting of metadata about Datasets held in other repositories. | To be defined by the data controller. |
| Harvesting from the repository | Open interface for harvesting metadata from the repository to external services. Dataverse provides open and free metadata about published Datasets. | Unknown (open interface) |
Security in relation to your personal data
Personal data processed in the Service are secured by several measures. All transfers to and from the service related to user accounts are encrypted. The data processor conducts regular risk and vulnerability analyses and tests the security of the Service to ensure your personal data are safe.
The data controller is responsible for procedures that address data protection in connection with the publication of content.
Your rights
Right to information and access
You have a right to receive information about how your personal data are processed in the Service. This privacy statement has been produced to provide the information you have a right to receive. You also have a right to see/access your personal data that are registered in the Service, and other personal data that are collected. You also have the right to request to receive a copy of your personal data.
To exercise their right of access, registered users can see their personal data after logging into the repository by navigating to the Account Information and the My Data page by selecting the respective items from the user account menu in the top right of the repository webpage. If these overviews do not provide complete information, users can send a written enquiry to the data controller’s user support to acquire access to more detailed information. See our contact details below.
Right to rectification
You have a right to have inaccurate personal data about you rectified. You also have a right to have incomplete personal data about you supplemented. If you feel that the Service shows inaccurate or incomplete personal data, please contact the data controller, stating the reason why the personal data are inaccurate or incomplete.
Please note that there is a limited possibility of rectifying data that are distributed via open interfaces.
Right to restriction of processing
In certain cases, you may have a right to request restrictions on the processing of your personal data. Restricted processing means that the personal data will still be stored, but that other processing in the Service is restricted. To request restricted processing of personal data, the conditions in the Personal Data Act, and the GDPR Article 18 must be met. You can request restricted processing in the following cases:
- Pending the data controller rectifying inaccurate or incomplete personal data.
- If you have submitted an objection to the processing (see below for more details).
- If the personal data are necessary to establish or defend a legal claim.
If restricted processing is granted, the data controller will notify you before the restriction is lifted.
Right to erasure
You have the right to demand that we erase personal data about you. If you would like your personal data to be erased, please contact the data controller. It is important that your request states why you want your personal data erased and, if possible, what personal data you wish to be erased.
Please note that legislation provides exemptions from the right to erasure in some cases. This could be cases where we process personal data to fulfil a statutory duty or to address important social interests, such as archiving, research and statistics. In cases where the users themselves have registered content in the repository, we are not able to erase user information without also erasing the registered content.
Please note that there is also a limited possibility of erasing personal data that are distributed via open interfaces.
Right to object
You have a right to object to processing of your personal data on certain conditions defined in the GDPR Article 21. This applies if:
- Legal grounds for the processing of personal data are based on legitimate interests, reasons of public interest or when exercising public authority.
- Processing of personal data entails direct marketing or profiling.
- Personal data are processed for scientific or historical research purposes or statistical purposes.
The Service does not generally satisfy these conditions, with the exception of the processing of author information and in cases where personal data are used for statistical purposes. When personal data are used for statistical purposes, the data are anonymised.
However, please note the following:
- If there is a special need to stop the processing, for example if you have a need of protection, or a confidential address or similar, please contact the data controller.
- When you have consented to the processing of personal data, you have a right to withdraw your consent.
Right to complain about the processing
If you feel that DataverseNO has not processed personal data in a correct or lawful manner, or if you feel that you have been unable to exercise your rights with DataverseNO, you have a right to complain about the processing. See our contact details below.
If DataverseNO does not uphold your complaint, you have the possibility of filing a complaint with the Norwegian Data Protection Authority. The Data Protection Authority is responsible for ensuring that Norwegian enterprises comply with the provisions of the Personal Data Act and the GDPR in their processing of personal data.
Contact
The data controller
The DataverseNO partner institutions are the data controllers for personal data in the Service and they are the primary contacts for users from the respective institution. For an overview of current partner institutions, see the DataverseNO support page: https://site.uit.no/dataverseno/support/.
The data processor
As the owner of DataverseNO, UiT The Arctic University of Norway processes data on behalf of the data controllers and has the role of data processor.
Contact details for UiT/DataverseNO:
Webpage: https://site.uit.no/dataverseno/support/
Email: support@dataverse.no
Phone: +47 776 44000
Address:
UiT The Arctic University of Norway
University Library
Postbox 6050 Langnes
NO-9037 TROMSØ
Norway
Copyright and Licensing
Creators of Datasets deposited in DataverseNO to which copyright applies retain copyright unless otherwise stated. If a Dataset is under copyright, a user may use the Dataset in accordance with the terms asserted by the copyright owner.
If copyright terms for, or ownership of, the submission change, it is the responsibility of the Depositor to notify DataverseNO of these changes.
Datasets in DataverseNO may be in the public domain or under a license that explicitly allows specific uses of the content. DataverseNO requires that Depositors define a license for their Dataset at the time of submission, and licensing information is displayed in the Descriptive Metadata for each Dataset. Creative Commons (that is, in this case CC0 or CC BY) licenses are currently recommended as these licenses are emerging as best for facilitating Dataset reuse. The default license for archived research data in DataverseNO is Creative Commons CC0 – “No Right Reserved”, accompanied by the following wording: “Our Community Norms as well as good scientific practices expect that proper credit is given via citation. Please use the data citation above, generated by the archive”. The CC0 license is considered best for optimal reuse of research data. However, given the complicated and evolving nature of Dataset licensing, Depositors may also define another license than CC0 by defining the terms of use when depositing their data. In line with the intention of DataverseNO to provide maximum public access to unrestricted research data, DataverseNO promotes licenses that are recommended for the re-use of research data, and only accepts licenses providing access to deposited data in one form or another.
In case non-compliance with any access and use license other than CC0 (or equivalent) is discovered, DataverseNO informs the contact person for the dataset. The use of the dataset must be terminated immediately at the initial demand by DataverseNO. If the use is not terminated, DataverseNO may bring action against the user.
DataverseNO (by owner) waives any and all rights DataverseNO might have with respect to Descriptive Metadata in DataverseNO. To the extent that DataverseNO’s own contributions to selecting and arranging Descriptive Metadata may be protected by copyright, DataverseNO (by owner) dedicates such contributions to the public domain pursuant to a CC0 Public Domain Dedication.
Acknowledgements
Dataverse. Harvard Dataverse General Terms of Use. http://best-practices.dataverse.org/harvard-policies/harvard-terms-of-use.html
Harvard Dataverse Privacy Policy. https://support.dataverse.harvard.edu/harvard-dataverse-privacy-policy
Illinois Data Bank. Illinois Data Bank Policy Framework and Definitions. http://hdl.handle.net/2142/91039
Privacy statement for Brage. https://www.unit.no/sites/default/files/media/filer/2019/04/Personvernerkl%C3%A6ring%20Brage%20NO_ENG.pdf
Contact support@dataverse.no with questions or to request an addition or revision to this policy.
|
Policy Document History and Version Control Table |
|||
| Version | Action | Approved By | Action Date |
| 4.0 | Policy revised. | Board of DataverseNO | 2024-04-05 |
| 3.0 | Policy revised. | Board of DataverseNO | 2021-05-10 |
| 2.0 | Policy revised. | Board of DataverseNO | 2019-03-06 |
| 1.0 | Policy issued. | Board of DataverseNO | 2018-06-21 |
