Cochrane Accounts
Everyone involved with Cochrane should have a Cochrane Account. When people activate their Cochrane Account, they consent to us storing and using their data.
Please encourage people who want to get involved in Cochrane's work to create their own Cochrane Account. This has benefits for both Groups and individuals.
Groups can:
- avoid collecting personal data on Group contact forms
- reduce the creation of duplicate accounts
- ensure we track people's contributions to Cochrane across the organisation
Cochrane Account holders can:
- view and edit their own personal details
- choose which newsletters they wish to receive
- access training
- find out more about ways to contribute to Cochrane
Any existing contacts who have not yet activated their Cochrane Account, can do so by clicking on the ‘Reset password’ link on any Cochrane Account login page.
If you create a new contact record using the Archie New Person Wizard, this will automatically also create a linked Cochrane Account. Newly-created contacts receive an email informing them that we are storing their data and inviting them to activate their account. If the contact provided their personal details on a Group contact or registration form, delete or shred the form once the person’s details are stored in Archie.
The Archie Knowledge Base provides guidance on dealing with deceased contacts, contacts with no valid email address, merging duplicate contacts and contacts who request that their personal information be deleted from our systems.
You should not need to collect data on individuals outside of our core systems. If you do this, you should inform the individual about how you will store and process their data and seek their consent for doing so. You must have a lawful basis for storing personal data - such as outlined here.
Storing data
Cochrane provides central systems to store personal data (such as Archie and Editorial Manager) and you should use these systems. Our central storage is regularly backed up and is secure (accessible only to those with permissions). Personal data (for example, names and email addresses) should not be stored locally in Group files or on spreadsheets.
Archie is becoming obsolete and we are gradually moving away from this. New groups won't have access to Archie and should instead use other specified systems.
To comply with GDPR legislation, you need to:
- keep data secure,
- keep data up to date,
- ensure data held are correct; and
- ensure data held are relevant.
Archie and Editorial Manager can do this for you. If you use Archie and/or Editorial Manager to store personal data, you do not need to worry about your Group’s compliance with GDPR. You also help to ensure that all our systems contain up to date information.
If you store personal data on spreadsheets or other local systems, the burden of updating these is greater, and the risk of the information being out of date, inaccurate and insecure is higher. Externally-stored data will also become out of date if a user changes their own contact details in My Account, or requests that their Cochrane Account is deleted.
GDPR requires that data be kept up to date. With a single database we can control what personal data are stored and be GDPR compliant. Importantly, if a person requests disclosure or deletion of their personal data, this can also be shared or erased from one source. If they are listed in external spreadsheets these also need to be searched and that data erased. The burden of doing this is the primary argument for avoiding spreadsheets.
Storing data safely outside central systems
If you need to keep data on external files or spreadsheets, you should only include minimal personal information. Please avoid storing several types of personally identifying information together, such as lists of names and email addresses. If they are necessary, spreadsheets and local files must be securely stored, with password protection, encryption and written procedures on how they are kept up to date, relevant and correct. Do not print spreadsheets or other files out or send them via email.
You can store mailing lists in a dedicated secure emailing app such as Brevo or MailChimp. Newer Cochrane Groups (for example Thematic Groups) have access to centrally managed mailing lists.
If you have any questions about this or need further assistance, please contact the Cochrane Support Team: support@cochrane.org.