Memo published on Pure (Elsevier): four recommendations for institutions

SURF Vendor Compliance has published a memo on Pure, Elsevier’s Research Information System. Following careful consideration and in consultation with SURF’s member institutions, we have decided to draw up a memo for this application rather than a full Data Protection Impact Assessment (DPIA). 

Reasons for opting for a memo rather than a DPIA 

Based on our own analyses and in collaboration with the Pure User Group (PUG), we have performed an independent pre-DPIA. In this, we demonstrate that the use of Pure does not entail a high privacy risk. A full DPIA is therefore not legally required. By opting for a memo at this point, SURF Vendor Compliance can allocate its available resources more effectively to assess applications with a higher risk profile. 

What is Elsevier’s Pure? 

At its core, Pure is a workflow management system for managing publications and other research outputs from your own institution. Some institutions also use it as an archive. Pure helps to establish links between authors (researchers), documents (publications) and institutions (author affiliations). 

Recommended measures for institutions 

However, institutions must ensure that Pure is configured securely and in accordance with the principles of the GDPR. The memo describes four specific recommendations for institutions to implement. 

Read the full memo 

For more information about what Pure is, the conclusions of our pre-DPIA, the four measures and the responsibility of institutions, read the memo here. 

Contact  

Do you have any questions about this post? Please contact us at vendorcompliance@surf.nl.