Privacy and Security Policies

From SmartWiki
Revision as of 14:24, 13 May 2024 by Ann Vincent (talk | contribs)

Jump to: navigation, search

Overview

This article is about managing privacy and security policies within your SmartSimple system. Privacy and security policies are essential to aligning your system with regulation, mitigating risks, and fostering user trust by outlining how user privacy and data will be secured. In this article, you will learn to create and update policies, attach policies to collection points, and view policy acceptance. Privacy is a shared responsibility. To learn more, review SmartSimple's own privacy policies.

About Privacy Policies

What are privacy and security policies?

Privacy policies outline how a website collects, uses, stores, and protects user data, providing visitors with the assurance that their personal information is handled with care and respect. Security policies, on the other hand, detail the technical and procedural measures implemented to defend against cyber threats and data breaches. Together, these policies protect users from identity theft, fraud, and other online risks. For example, SmartSimple has its own privacy and security policies which can be read in full at the Trust & Security Center on our website.

Are policies mandatory to have?

Privacy and security policies may be mandatory by law depending on the end-user’s location. For example, the General Data Protection Regulation (GDPR) is an information privacy regulation enacted by the European Union (EU) to protect individuals' privacy and personal data. The GDPR gives EU citizens more control over their personal data and sets strict guidelines for data processing and privacy practices for organizations operating within and outside the EU. Having privacy and security policies aligned with the GDPR is required for legal compliance and helps safeguard individuals' rights to privacy.

Can I use this feature to track other compliance activities?

The privacy and security policies feature can be utilized to track and manage various other policies and compliance activities. For instance, you might opt to use this feature to monitor conflict of interest attestations or agreements to other terms and conditions.

What are the differences between the new privacy policies feature and the old one?

The new privacy and security policies feature will be available starting July 2024. Policies created using the old feature must be recreated in the new privacy feature as they will not be migrated. You must opt in to using the new privacy and security policies feature.


The new feature includes the following enhancements:

  • Added ability to attach policies to key interaction points (login, signup, and record creation) to ensure compliance
  • Enhanced control over who sees which policies and when to ensure users only see relevant policies
  • Easier language translation management to save configuration time and ensure users have access to policies in their desired language
  • Added customizable acceptance options and behaviors giving you greater flexibility to meet your specific business needs
  • Strengthened the process for policy revisions for improved compliance management
  • User-friendly policy section builder for easier policy creation to increase administration efficiency without the need for technical skills
  • Streamlined access to view user acceptance records for improved transparency and accountability

Note: There is currently no mechanism to migrate existing policies into the new format. If you wish to keep using an existing policy, you'll need to recreate it using the new policy builder. Old policy acceptance data will still be retained.

Policy Life Cycle

There are three states in the policy life cycle:

  1. Draft Status - When a policy is first created, it will enter “Draft” status. In this status you may make changes to the contents of the policy freely.
  2. Active Status - Once a policy has been moved to the active status, its contents cannot be edited without creating a new policy version. While a policy may have several versions with each version containing different content, only one version may be active at a time. Note: For an active policy to be enforced, it must have an “Effective Date” set in the past.
  3. Expired Status - When a policy becomes unnecessary, it can be marked as "Expired." An expired policy won't be enforced at any collection point. However, users can still see that they accepted the policy in the past by accessing the lock icon in the header labeled "Privacy and Security." Expired policies can be reinstated with an “Active” status at any time without creating a new version.

How Users Interact with Policies

Users may encounter privacy and security policies in a number of collection points within your system depending on the configuration. As an example, let’s walk through some different areas of the system where the user may encounter a policy and be asked to accept it.

Login Pages

Before logging in, users may be able to preview specific policies based on configuration as seen below.

(image placeholder)

Note: Since the user has not yet logged in, only policies without any role or country permissions will be visible to the user.


After logging in, most systems require users to accept some policies before the user is granted access to the system. These policies typically outline the responsibilities and expectations of each party when using the system. Depending on the configuration, the end user will have the option to acknowledge, accept, or decline a given policy.

(image placeholder)

Signup Pages

Users may be required to acknowledge or accept a set of policies before being shown the signup page form. This ensures the user is aware of the terms and conditions of using the system as well as how their data may be collected, used, and stored.


On Record Creation

When a user creates a Level 1 record (such as when applying to a program), they may be prompted to accept or acknowledge a set of policies tailored to the Level 1 type being created. Similarly, when a user creates a Level 2 record (like a review), they may also be asked to accept or acknowledge a set of policies which may include a conflict-of-interest attestation. These policies will be displayed to the user before the user can fill out the form and will be shown each time the user creates a new Level 1, 2, or 3 record of a specific type.


Note: If you are creating records using the web-enabled template page, the policies visible to the user cannot be determined by any user roles or country as the user cannot have any roles or countries attached to them when they are not logged in. To have these policies be displayed to a user who is not logged in, all permissions on the policy retaining to user roles or countries must be left empty.


Viewing Accepted Policies

Users can view a list of accepted or acknowledged policies at any time by clicking on the lock icon labeled "Privacy & Security" in the global header. This list view displays the collection point, version, and the date when the policy was accepted. Additionally, users can open a PDF to view the contents of the policy as it was at the time of acceptance.

(image placeholder)

Administrators can see who has accepted any policy at a given time by navigating to Menu Icon > Global Settings > Security tab > Privacy and Security Policies > Edit the desired policy > Click on “User Logs” in the left navigation. Here you will see a list view of all users that have accepted a policy along with pertinent information and a PDF of what the policy contained at the time of acceptance. A search is also available to easily find users by name or email.


Configuration

Setting Up a Global Policy

Attaching Policies to a Login Page

Attaching Policies to Other Collection Points

Attaching Policies to a Signup Page

Attaching Policies to a a Level 1, 2 or 3 Type

Activating a Draft Policy

Periodically Enforcing an Active Policy

Editing an Active Policy

Expiring a Policy

Creating Language Translations

Viewing Policy Acceptance