Data Management and Privacy Policy

Nordic Research in Music Education is published by Cappelen Damm Akademisk, the academic publishing division of Cappelen Damm AS, on its platform NOASP (Nordic Open Access Scholarly Publishing). The NOASP platform is a customized version of Open Journal Systems created by Public Knowledge Project.

If you have any questions regarding this Data Management and Privacy Policy, please contact Cappelen Damm Akademisk's division leader for open research publishing, Simon Aase: Simon.Aase@cappelendamm.no

1. Data controllers

PKP Publishing Services (Simon Fraser University) and Cappelen Damm Akademisk (CDA) (hereinafter referred to as “Site Administrator”) and the journals (hereinafter referred to as “Journal Managers”) using the NOASP platform (hereinafter referred to as “Service”) are joint controllers in accordance with Article 26 of the GDPR.

Their respective responsibilities for compliance with the obligations under the regulation are determined in document.

2. Contact persons

Editor and journal manager Katia Stieglitz: katia.stieglitz@cappelendamm.no 

3. Name of register

Nordic Open Access Scholarly Publishing (NOASP).

4. The lawful basis and purpose for processing personal data

The data collected from users of the Service falls within the scope of the standard functioning of peer-reviewed journals. It includes information that makes communication possible for the editorial process; it is used to inform readers about the authorship and editing of content; it enables collecting aggregated data on readership behaviors, as well as tracking geopolitical and social elements of scholarly communication. The collected data is not used for profiling or automated decision-making. The basis for processing personal data is user consent.

5. Processed data

The Open Journal Systems software used in the Service processes personal data in several ways. Personal data in the Service includes a) User Registration Data, b) Contributor Metadata Information, c) Workflow Data, d) General Visitor Information.

A) User Registration Data

User accounts are Service-wide. The user can register with several journals using the same account by acquiring or choosing a user role in a new journal. The following personal information is processed and stored when the user registers:

  • First name
  • Middle name
  • Last name
  • Affiliation
  • Country
  • Password (encrypted)
  • Email address
  • Role registrations
  • Reviewing interests

By editing the user profile, the registered user can also provide and/or edit:

  • Salutation
  • Initials
  • Suffix
  • Username
  • Gender
  • Email signature
  • ORCiD ID
  • Website
  • Mailing Address
  • Phone
  • Fax
  • Biography
  • Locales
  • Notification settings

The Service automatically saves:

  • Registration date
  • Last login date

Only the username, first name, last name, email and password fields are required. The Site Administrator and the Journal Managers can create new user accounts based on a request from a new user.

STORAGE

This information is stored in the application database. Only the user password is encrypted.

AVAILABILITY AND ACCESS

This information is available to the user via their User Profile (and, with the exception of the username and dates, can be edited). The Site Administrator can access and edit the data via the application back end. Journal Managers can access and edit data for users that are only registered in their journal. The data is not otherwise publicly available.

ERASURE

The data in user accounts can be erased. A written request for removal should be sent to the Site Administrator. The Site Administrator may refuse to remove the data if it is still necessary for the purpose it was collected.

B) Contributor Metadata Information

When a manuscript is submitted to a journal, contributor information is included. Contributors can be authors, translators, volume editors, and so on. This information is stored as submission metadata and is provided as part of any published manuscript record. The user who submits the manuscript usually provides the contributor data. If there are other contributors involved, the submitting user needs to have their permission to provide their personal data to the manuscript metadata. The editors of the journal may edit and/or add additional contributor details after the submission is finished.

The following contributor information is collected:

  • Salutation
  • First name*
  • Middle name
  • Last name*
  • Email address*
  • Suffix
  • ORCiD ID
  • Website
  • Country*
  • Affiliation
  • Biography

Only the first name, last name, email address and country fields are required.

Contributors who engage in other transactions with NOASP – by paying publication fees, for example – are asked to provide additional information, including as necessary the personal and financial information required to process those transactions. In each case, NOASP collects such information only insofar as is necessary or appropriate to fulfill the purpose of the visitor’s interaction with NOASP.

STORAGE

This information is stored in the application database.

AVAILABILITY AND ACCESS

This information is available to almost any submission participant, with some restrictions to preserve the blind peer-review process. In short: contributing authors, editors and editorial assistants can all see this data; in most cases, only editorial staff can edit this data after submission. Once a submission has been published, this data is made publicly available online, and the data may be transferred to other services upon the journal’s request (see section 7).

ERASURE

The contributor data can be erased. A written request for removal should be sent to the Site Administrator. The Site Administrator may refuse to remove the data if it is still necessary for the purpose it was collected. The contributor data is an integral part of the manuscript metadata and will be erased only in special circumstances. The Site Administrator is not obliged to erase contributor data that was transferred to other services.

C) Workflow Data

The Service tracks workflow information, mostly as submission-specific editorial history. The system tracks:

  • All actions taken on a submission, and by whom;
  • All notifications sent regarding a submission (including who sent and received the notification);
  • All reviewer recommendations and reports;
  • All editorial decisions;
  • All files uploaded as part of the submission process, including files that may have personally identifying information in the form of file metadata or in the files themselves.

STORAGE

This information is stored in the application database, with the exception of any uploaded submission files, which are stored in the application’s submission files directory on the web server.

AVAILABILITY AND ACCESS

Submission participants have access to different amounts of workflow data depending on their role. Site Administrators can access all data. Journal Managers and editors can access all submission data; section editors and editorial assistants can access all submission data only for those submissions to which they have been assigned; authors have limited access to their own submissions and are only able to see the data they have supplied, or that editorial staff have explicitly made available to them. Reviewers only see the data required for the review.

ERASURE

The workflow data can be erased. A written request for removal should be sent to the Site Administrator. The Site Administrator may refuse to remove the data if it is still necessary for the purpose it was collected. The workflow data is an integral part of the journal’s archive and will be erased only in special circumstances.

D) General Visitor Information

The Service also collects general visitor usage data, including:

  • Cookie information, to manage session history. Cookies are required to maintain a login session in the Service. The cookie itself does not contain personal data. The session stored to the database contains the IP address and the user browser information.
  • Usage log data (IP address; pages visited; date visited; and browser information). Additionally, some journals may collect country, region and city information based on the IP address.
  • We use Google Analytics to analyze user behaviour and traffic on the website. The purpose is to improve functionality, ease of use and content. Examples of statistics are downloads, how many people visit the page, how long the visit lasts and where users come from. None of the cookies allows us to link information about the user’s use of the website to the user as an individual. If a user does not want Google Analytics to collect visitor data, the user can install Google Analytics opt-out.

Other data may be tracked, either on the server or via third parties:

  • Script loads from CDN servers;
  • IP address information (including date, browser, etc.) in web server logs

STORAGE

  • Cookies: A cookie named “OJSSID” is created when first visiting the Service and is stored on the visitor’s computer. Detailed session data is stored in the application database.
  • Usage Statistics: The Service stores usage statistics to log files to the file system, and the data is transferred to the application database once a day.

Google Analytics:

Cookie

Supplier

Purpose

Expiration Date

_Go

Google

Used to distinguish between users. ID cannot be traced to user.

2 years

_gid

Google

Used to distinguish between users. ID cannot be traced to user.

1 day

_gat

Google

Used to limit the number of requests to the site.

 1 minute

AVAILABILITY AND ACCESS

  • Cookies: the user can access the cookie from the browser settings. The Service can read and write data to the cookie. Only the Site Administrator can access the session data stored to the database.
  • Usage Statistics: Only the Site Administrator can access the usage statistics log files.

The Journal Managers can only access the processed usage statistics saved to the database. Single users cannot be traced using this data, including the geolocation data. The journal may publish some usage statistics online, such as article download counts. Single users cannot be traced using this data.

ERASURE

  • Cookies: The user can delete cookies at any time. Usually, the choice is in a menu item in the browser called "Settings" or "Tools." Here are instructions on how to opt out of cookies: ChromeFirefoxSafariMicrosoft EdgeInternet Explorer 11
  • The session data stored to the database is automatically removed when the session has expired.
  • Usage Statistics data can be erased. A written request for removal should be sent to the Site Administrator. The Site Administrator may refuse to remove the data in its anonymized form.

6. Sources of personal data

The sources of data include the registration forms and the submission metadata forms. The users of the Service fill in these forms and give their consent to process the data. The Site Administrator and the Journal Managers may create new user accounts upon request.

Visitor Information is collected automatically using the information visible for the web server.

7. Data transfers

Contributor data for published manuscripts stored to the Service is transferred on a regular basis to other services designed to index and disseminate scientific publications. Contributor data for published manuscripts is also openly available for harvesting through an OAI-PMH service. Examples of services used are DOAJ and Crossref. Indexing services used by the journals may vary. Some of the services may be located outside of the EU and ETA.

Data that will assist in developing this publishing platform may be shared with its developer, Public Knowledge Project (PKP), in an anonymized and aggregated form, with appropriate exceptions such as article metrics. The data will not be sold by this journal or PKP, nor will it be used for purposes other than those stated here.

Other personal data is not transferred to third parties.

8. Principles of protecting personal data

The data is collected into databases and file systems that are protected with appropriate technical measures. The servers are located in locked facilities where only selected individuals have access. The data controllers provide access to the data only to selected data handlers taking part in the editorial process of the journals.

9. Right of access and rectification

Individuals have the right to be informed about the collection and use of their personal data. Individuals also have the right to have inaccurate personal data rectified, or completed if it is incomplete. Most of the personal data stored in the Service is accessible and editable for the user. The confidentiality of the editorial process especially in the case of peer reviews will limit the user’s right of access. Written requests for right of access and rectification should be sent to the Site Administrator. The Site Administrator may require identification. The response will be given within 30 days in accordance with GDPR.

10. Other rights

The users of the Service have the right to erase their personal data (”Right to be forgotten”) with the exceptions mentioned in section 5. The users also have the rights mentioned in the GDPR. Written requests should be sent to the Site Administrator. The Site Administrator may require identification. The response will be given within 30 days in accordance with GDPR.

11. Changes to privacy policy

Changes to this policy will be made by updating this document. If the changes are significant, we will inform users by publishing a notification or via email.