Privacy and Security Policies

11,370 bytes added, 14 May
==About Privacy Policies==
===What are privacy and security policies?===
Privacy policies outline how a website collects, uses, stores, and protects user data, providing visitors with the assurance that their personal information is handled with care and respect. Security policies, on the other hand, detail the technical and procedural measures implemented to defend against cyber threats and data breaches. Together, these policies protect users from identity theft, fraud, and other online risks. For example, SmartSimple has its own privacy and security policies which can be read in full at the [https://www.smartsimple.com/trust-security-overview Trust & Security Center on our website].
===Are policies mandatory to have?===
Privacy and security policies may be mandatory by law depending on the end-user’s location. For example, the [[General Data Protection Regulation (GDPR)]] is an information privacy regulation enacted by the European Union (EU) to protect individuals' privacy and personal data. The GDPR gives EU citizens more control over their personal data and sets strict guidelines for data processing and privacy practices for organizations operating within and outside the EU. Having privacy and security policies aligned with the GDPR is required for legal compliance and helps safeguard individuals' rights to privacy.
===Can I use this feature to track other compliance activities?===
The privacy and security policies feature can be utilized to track and manage various other policies and compliance activities. For instance, you might opt to use this feature to monitor conflict of interest attestations or agreements to other terms and conditions.
===What are the differences between the new privacy policies feature and the old one?===
The new privacy and security policies feature will be available starting July 2024. Policies created using the old feature must be recreated in the new privacy feature as they will not be migrated. You must opt in to using the new privacy and security policies feature.
# '''Draft Status''' - When a policy is first created, it will enter “Draft” status. In this status you may make changes to the contents of the policy freely.
# '''Active Status''' - Once a policy has been moved to the active status, its contents cannot be edited without creating a new policy version. While a policy may have several versions with each version containing different content, only one version may be active at a time.
#: <u>'''Note:'''</u> For an active policy to be enforced, it must have an “Effective Date” set in the past.
# '''Expired Status''' - When a policy becomes unnecessary, it can be marked as "Expired." An expired policy won't be enforced at any collection point. However, users can still see that they accepted the policy in the past by accessing the lock icon in the header labeled "Privacy and Security." Expired policies can be reinstated with an “Active” status at any time without creating a new version.
Users may encounter privacy and security policies in a number of collection points within your system depending on the configuration. As an example, let’s walk through some different areas of the system where the user may encounter a policy and be asked to accept it.
===Login Pages===
Before logging in, users may be able to preview specific policies based on configuration as seen below.
[[File:2024-07-ticket-145858.png|thumb|none|800px|A sample login page containing a link to view the organization’s privacy and security policies before logging in.]]
<u>'''Note:'''</u> Since the user has not yet logged in, only policies without any role or country permissions will be visible to the user.
After logging in, most systems require users to accept some policies before the user is granted access to the system. These policies typically outline the responsibilities and expectations of each party when using the system. Depending on the configuration, the end user will have the option to acknowledge, accept, or decline a given policy.
[[File:2024-07-ticket-145858-2.png|thumb|none|800px|A list of possible user policy options is available in the settings.]]
===Signup Pages===
Users may be required to acknowledge or accept a set of policies before being shown the signup page form. This ensures the user is aware of the terms and conditions of using the system as well as how their data may be collected, used, and stored.
===On Record Creation===
When a user creates a Level 1 record (such as when applying to a program), they may be prompted to accept or acknowledge a set of policies tailored to the Level 1 type being created. Similarly, when a user creates a Level 2 record (like a review), they may also be asked to accept or acknowledge a set of policies which may include a conflict-of-interest attestation. These policies will be displayed to the user before the user can fill out the form and will be shown each time the user creates a new Level 1, 2, or 3 record of a specific type.
<u>'''Note:'''</u> If you are creating records using the web-enabled template page, the policies visible to the user cannot be determined by user role or country, because a user who is not logged in cannot have any roles or countries attached to them. To have these policies displayed to a user who is not logged in, all permissions on the policy pertaining to user roles or countries must be left empty.

===Viewing Accepted Policies===
Users can view a list of accepted or acknowledged policies at any time by clicking on the lock icon labeled "Privacy & Security" in the global header. This list view displays the collection point, version, and the date when the policy was accepted. Additionally, users can open a PDF to view the contents of the policy as it was at the time of acceptance.

[[File:2024-07-ticket-145858-3.png|thumb|none|800px|Users can click the lock icon in the global header to see a list of policies they have accepted or acknowledged.]]
Administrators can see who has accepted any policy at a given time by navigating to '''Menu Icon''' > '''Global Settings''' > '''Security''' tab > '''Privacy and Security Policies''' > Edit the desired policy > Click on "User Logs" in the left navigation. Here you will see a list view of all users that have accepted a policy along with pertinent information and a PDF of what the policy contained at the time of acceptance. A search is also available to easily find users by name or email.
[[File:2024-07-ticket-145858-4.png|thumb|none|800px|Administrators can see which users have interacted with a given policy by clicking the "User Logs" link in the left-hand navigation.]]
=Configuration=
In this section, we will outline how to set up a new policy, how to manage policy enforcement and revisions, how to attach policies to various collection points, and how to view acceptance. You must be a Global Administrator to configure policies.

<u>'''Note:'''</u> There is currently no mechanism to migrate existing policies into the new format. If you wish to keep using an existing policy, you'll need to recreate it using the new policy builder. Old policy data will still be retained.
==Setting Up a Global Policy==
===Creating a New Policy===
To establish a global privacy and security policy that all system users must accept, follow the steps below:
 
 
 
# Go to '''Global Settings''' > '''Security''' tab > '''Privacy and Security Policies''' > Click the “New Policies” button (plus sign).
# Under the '''Name''' field, give your policy a descriptive name such as “Privacy and Security Policy”. This name will be displayed to the end user.
# (Optional) If you have an existing policy number in a third-party system, you can enter the same policy ID under '''Custom ID''' for reference purposes.
# For '''Effective Date''', schedule a date in the past to immediately activate this policy and force users to accept this policy at all collection points which we will set at a later stage. If you select a date in the future, policies will be automatically moved from “Draft” to “Active” status on that future date. An '''Effective Date''' is required to enforce an active policy.
# (Optional) If you need users to periodically re-accept this policy after a set interval of time on login only, specify a period under '''Enforcement Interval'''. By default, the interval is set to “None”.
# (Optional) For '''Expiry Date''', schedule a date for the current version of this policy to expire. After this date, the status of this policy will change from “Active” to “Expired” and the policy will no longer be enforced.
# Under '''User Policy Options''', choose the compliance option that will be presented to the user. In this example, we will choose the second option (“Users must accept the policy to proceed”): all users get the choice to accept the policy, but they cannot use the system unless they consent to the terms of our policies.
# (Optional) Toggle on '''Enforce Scrolling''' if you want to force the user to scroll to the bottom of the policy before seeing the options to acknowledge, accept, and/or decline. Otherwise, the acceptance options will be immediately visible to the user and they will not be forced to read it.
# Click '''Save'''.
 
===Creating Policy Sections===
Now that we have created a policy, we need to add the content of the policy using the new policy builder.
 
 
 
# In the left-hand navigation, select “Policy Builder”. A policy can be built section by section, with each section getting its own independent permissions. This allows you to set up a single policy that can show different sections to different user roles if needed.
# To create a new section, click the “New Policy Section” button which looks like a plus sign.
# Provide a relevant title for the section under '''Section Header'''.
# Under '''Content''', add the content for the first section of your policy. Then click '''Save'''.
# Repeat steps 2 to 4 adding additional sections and content as needed.
# (Optional) If a certain policy section should only be displayed to specific users and/or countries, navigate to the '''Permissions''' tab to define this in more detail.
 
 
===Adding Permissions to a Policy===
While each policy section can have its own permissions, you can also add permissions to the policy as a whole. To do this, navigate to '''Global Settings''' > '''Security''' tab > '''Privacy and Security Policies''' > Edit the desired policy > '''Permissions''' tab.
 
<u>'''Note:'''</u> A policy must not contain any role-based or country-based permissions in order to be visible to users not logged into the system.
 
 
 
===Attaching Policies to a Login Page===
Once we have created a new policy and set up the appropriate permissions, we can attach the policy to a global location such as a login page. This will force all users who log in to the system to accept or acknowledge the policy before gaining further access. In this article, we refer to any location where a policy has been attached as a “collection point”. To attach a policy to a login page, follow these steps:
 
# Go to '''Global Settings''' > '''Branding''' tab > '''Login Pages'''
# Edit the desired login page.
# Under the “Privacy Policies” section, add the new policy to the '''Attach Policies''' field.
# Click '''Save'''.
 
 
<u>'''Note:'''</u> For a policy to be enforced at a collection point, it must have a status set to “Active” and it must have an '''Effective Date''' set in the past.
 
==Attaching Policies to Other Collection Points==
===Attaching Policies to a Signup Page===
If you have a specific policy for users to accept prior to registering, you can attach it to a user signup page. Navigate to '''Global Settings''' > '''Users''' tab > '''Signup Pages''' > Edit the desired signup page > Under '''Attach Policies''', select the desired policies and click '''Save'''. Now when a user navigates to the signup page, the specified policies will be displayed as part of the signup process. If the user signup page is attached to an organization signup page, the policies will also be displayed.
 
===Attaching Policies to a Level 1, 2 or 3 Type===
If you want users to accept a policy upon creation of a Level 1, 2, or 3 record of a specific type, you can navigate to the desired '''UTA Configuration Settings''' > Click the desired '''Level''' tab > '''Types''' > Edit the desired type > '''Process''' tab > Under '''Attach Policies''', select the desired policies and click '''Save'''.
 
 
<u>'''Note:'''</u> The policy will only be enforced when a user manually creates a new record of the specified type. Policies will not be enforced when records are created in bulk (such as a data import) or created in batch (such as using the '''Advanced Data''' table).
 
==Activating a Draft Policy==
When a new policy or a new version of a policy is created, it is automatically set to “Draft” status.
 
There are two ways to activate a draft policy so the policy can be enforced:
 
* Click the '''Activate Version''' button in the submit bar of the policy settings page.
* Set an '''Effective Date''' in the future on the policy settings page. When the selected date is reached, the policy will be automatically moved from “Draft” to “Active” status.
 
<u>'''Note:'''</u> A policy must be in “Active” status, have an '''Effective Date''' set in the past, and be attached to a collection point before the policy will be enforced at the collection point defined.
 
==Periodically Enforcing an Active Policy==
In some scenarios, it may be advantageous to force users to re-accept the same policy after a set interval of time. For example, users may need to re-accept a policy on an annual basis. Instead of creating a new version of the policy each year, you can set an '''Enforcement Interval''' to automatically force the re-acceptance of a policy. For example, if users need to re-accept a policy on an annual basis, go to '''Global Settings''' > '''Security''' tab > '''Privacy and Security Policies''' > Edit the desired policy > Under '''Enforcement Interval''', select “Annual”. Currently, policies can be enforced periodically on an annual, quarterly, monthly, weekly, or daily basis.
 
 
<u>'''Note:'''</u> The '''Enforcement Interval''' only applies to policies attached to login pages.
 
==Editing an Active Policy==
Once a policy enters “Active” status, no changes can be made to the content within policy sections. If changes are needed, a new version of the policy must be created. To make changes to an existing policy, follow these steps:
 
# Go to '''Global Settings''' > '''Security''' tab > '''Privacy and Security Policies''' > Edit the desired policy > Click the '''New Version''' button in the submit bar.
# An alert will display warning you that a new version of this policy will be created in “Draft” status. Once the new version is activated, it will replace the previous version. Click “Yes” to proceed.
# A new version of the policy will be created in “Draft” status. Make the necessary changes to this version.
# Once you are happy with the changes, click the '''Activate Version''' button in the submit bar to replace the previous version.
 
<u>'''Note:'''</u> Previous policy versions will continue to be enforced until a new version is moved to “Active” status.
 
==Expiring a Policy==
An expired policy will no longer be enforced but may be activated again in the future. Acceptance data for an expired policy will still be available. For compliance reasons, there is no option to completely delete a policy.
 
 
To retire an active policy, go to '''Global Settings''' > '''Security''' tab > '''Privacy and Security Policies''' > Edit the desired policy > Click the '''Expire Version''' button in the submit bar.
 
==Creating Language Translations==
To create language translations of a policy, follow these steps:
 
 
 
# Go to '''Global Settings''' > '''Security''' tab > '''Privacy and Security Policies''' > Edit the desired policy > Click the “Policies Translation Settings” button in the top action bar.
# Select the target language under the '''Language''' dropdown.
# Enter a translated title inside the '''Name''' field.
# Click '''Save'''.
# Exit the translation modal and click the “Policy Builder” link in the left-navigation bar.
# Edit the desired policy section by clicking the pencil icon.
# Click the “Policies Section Translation Settings” button at the top of the modal window.
# Enter the relevant translated text and click '''Save'''.
# Continue to add text translations to the remaining policy sections.
 
==Viewing Policy Acceptance==
User acceptance logs can be accessed in three ways:
 
 
 
# Users can view a list of accepted or acknowledged policies by clicking on the lock icon labeled "Privacy & Security" in the global header. This list view displays the collection point, version, and the date when the policy was accepted. Additionally, users can open a PDF to view the contents of the policy as it was at the time of acceptance. Depending on configuration, an administrator could emulate a user to see what that user accepted.
# Administrators can see who has accepted any policy, and when, by navigating to '''Menu Icon''' > '''Global Settings''' > '''Security''' tab > '''Privacy and Security Policies''' > Edit the desired policy > click on “User Logs” in the left navigation. Here you will see a list view of all users that have accepted a policy, along with pertinent information, and a PDF of what the policy contained at the time of acceptance. A search is also available to easily find users by name or email.
# Administrators can see a list of all accepted policies by navigating to '''Menu Icon''' > '''Global Settings''' > '''Security''' tab > '''Privacy and Security Policies''' > '''User Logs''' tab.
 
[[Category:Security]]
Smartstaff