Personal Data Collection and Retention
1. SBP Journal collects only the following data on users: names, affiliations, postal and email addresses, and research interests. Previously registered users may have added a phone number and/or URL. IP addresses are held for institutional subscribers only. A user’s history of activity with SBP Journal is recorded (including, for example, reviews, subscription history, or published articles). No sensitive personal information is held; payments are processed through a secure third party, Payment Express or PayPal, and SBP at no time has access to credit or debit card information.The collected data mentioned above are gathered from users when they register on the SBP website, www.sbp-journal.com. At times, potential peer reviewers are located from online generic databases or university websites and their publicly available information is added to our database so that we can contact them with a review invitation. Users receive an email explaining this process and can ask to be deleted at any stage (see point 5 below).
2. SBP Journal holds this information based on legitimate interest for business purposes and to uphold agreements with users who have registered with SBP for subscription access, newsletter mailings, reviewing, or publishing of their manuscripts, and any other stated journal purpose. Consent for data retention is inferred from the registration of personal data by a user, or by the use of publicly available information only. At times, SBP may use our database to contact users with additional journal news, special offers, or other promotional information (from SBP only). This use is explained on the registration page on www.sbp-journal.com. Some information may be shared with a few third parties that help us to provide the journal’s services: our web developers (Triotech), publishing platform (Ingenta), review tracking service (Publons), and occasionally a survey platform (Survey Monkey).Personal data will not be shared with any other individuals or organizations without a user’s explicit consent.
User Rights to Access and Erasure
4. Users can request access to all their personal data held by SBP Journal; this will usually be the same data that a user views when accessing their online SBP account. Requests should be sent to [email protected].
5. Users may also request erasure of all personal data from SBP records. At any time authors may click “unsubscribe” on any SBP newsletter or mailing to be removed from this database. Users may also contact SBP at [email protected] to request removal from SBP databases.
If a user does not want to be contacted with invitations to review, SBP will remove their details from the reviewer database. However, an alternative is offered: a note can be added to a user’s registered data stating “do not contact for reviews.” This ensures that the user will not be contacted by “cold calling” after a search for researchers with relevant expertise on generic online databases (e.g., university websites).
GDPR Compliance and Processes
6. SBP has conducted an audit of personal data retention to ensure compliance with GDPR, which went into effect on May 25, 2018. All personal data are storedsecurely on the SBP website and on secure online servers . Access to data by SBP team members is through secured devices.
7. Any user with a query about GDPR compliance (or any other privacy concern) is welcome to contact SBP at [email protected] for information. An individual may also contact the ICO if he or she perceives a problem with how SBP is managing personal data.
8. SBP is obligated under GDPR regulations to notify the ICO of a data breach when it is likely to result in a risk to the rights and freedoms of individuals, such as financial loss, damage to reputation, or other significant disadvantage.1 As SBP does not hold any sensitive personal information, such a breach is highly unlikely. However, SBP is committed to reporting any breach that fits this description to the ICO within 48 hours of becoming aware of it.
Personal Data in Published Research Articles
9. SBP Journal and its publisher are not responsible for the consent of participants in scientific research reported in its published articles. Anonymous data do not come under the GDPR principles. Also, the GDPR recognizes that “the processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject.”2
Authors are requested to provide confirmation that participant consent was obtained; this is to be shown in a cover letter upon submission of a manuscript and in the manuscript text itself. See the SBP Ethics Policy for more information.