Privacy and Security Policies

From SmartWiki
Revision as of 15:34, 13 May 2024 by Ann Vincent (talk | contribs) (Periodically Enforcing an Active Policy)

Jump to: navigation, search

Overview

This article is about managing privacy and security policies within your SmartSimple system. Privacy and security policies are essential to aligning your system with regulation, mitigating risks, and fostering user trust by outlining how user privacy and data will be secured. In this article, you will learn to create and update policies, attach policies to collection points, and view policy acceptance. Privacy is a shared responsibility. To learn more, review SmartSimple's own privacy policies.

About Privacy Policies

What are privacy and security policies?

Privacy policies outline how a website collects, uses, stores, and protects user data, providing visitors with the assurance that their personal information is handled with care and respect. Security policies, on the other hand, detail the technical and procedural measures implemented to defend against cyber threats and data breaches. Together, these policies protect users from identity theft, fraud, and other online risks. For example, SmartSimple has its own privacy and security policies which can be read in full at the Trust & Security Center on our website.

Are policies mandatory to have?

Privacy and security policies may be mandatory by law depending on the end-user’s location. For example, the General Data Protection Regulation (GDPR) is an information privacy regulation enacted by the European Union (EU) to protect individuals' privacy and personal data. The GDPR gives EU citizens more control over their personal data and sets strict guidelines for data processing and privacy practices for organizations operating within and outside the EU. Having privacy and security policies aligned with the GDPR is required for legal compliance and helps safeguard individuals' rights to privacy.

Can I use this feature to track other compliance activities?

The privacy and security policies feature can be utilized to track and manage various other policies and compliance activities. For instance, you might opt to use this feature to monitor conflict of interest attestations or agreements to other terms and conditions.

What are the differences between the new privacy policies feature and the old one?

The new privacy and security policies feature will be available starting July 2024. Policies created using the old feature must be recreated in the new privacy feature as they will not be migrated. You must opt in to using the new privacy and security policies feature.


The new feature includes the following enhancements:

  • Added ability to attach policies to key interaction points (login, signup, and record creation) to ensure compliance
  • Enhanced control over who sees which policies and when to ensure users only see relevant policies
  • Easier language translation management to save configuration time and ensure users have access to policies in their desired language
  • Added customizable acceptance options and behaviors giving you greater flexibility to meet your specific business needs
  • Strengthened the process for policy revisions for improved compliance management
  • User-friendly policy section builder for easier policy creation to increase administration efficiency without the need for technical skills
  • Streamlined access to view user acceptance records for improved transparency and accountability

Note: There is currently no mechanism to migrate existing policies into the new format. If you wish to keep using an existing policy, you'll need to recreate it using the new policy builder. Old policy acceptance data will still be retained.

Policy Life Cycle

There are three states in the policy life cycle:

  1. Draft Status - When a policy is first created, it will enter “Draft” status. In this status you may make changes to the contents of the policy freely.
  2. Active Status - Once a policy has been moved to the active status, its contents cannot be edited without creating a new policy version. While a policy may have several versions with each version containing different content, only one version may be active at a time. Note: For an active policy to be enforced, it must have an “Effective Date” set in the past.
  3. Expired Status - When a policy becomes unnecessary, it can be marked as "Expired." An expired policy won't be enforced at any collection point. However, users can still see that they accepted the policy in the past by accessing the lock icon in the header labeled "Privacy and Security." Expired policies can be reinstated with an “Active” status at any time without creating a new version.

How Users Interact with Policies

Users may encounter privacy and security policies in a number of collection points within your system depending on the configuration. As an example, let’s walk through some different areas of the system where the user may encounter a policy and be asked to accept it.

Login Pages

Before logging in, users may be able to preview specific policies based on configuration as seen below.

(image placeholder)

Note: Since the user has not yet logged in, only policies without any role or country permissions will be visible to the user.


After logging in, most systems require users to accept some policies before the user is granted access to the system. These policies typically outline the responsibilities and expectations of each party when using the system. Depending on the configuration, the end user will have the option to acknowledge, accept, or decline a given policy.

(image placeholder)

Signup Pages

Users may be required to acknowledge or accept a set of policies before being shown the signup page form. This ensures the user is aware of the terms and conditions of using the system as well as how their data may be collected, used, and stored.


On Record Creation

When a user creates a Level 1 record (such as when applying to a program), they may be prompted to accept or acknowledge a set of policies tailored to the Level 1 type being created. Similarly, when a user creates a Level 2 record (like a review), they may also be asked to accept or acknowledge a set of policies which may include a conflict-of-interest attestation. These policies will be displayed to the user before the user can fill out the form and will be shown each time the user creates a new Level 1, 2, or 3 record of a specific type.


Note: If you are creating records using the web-enabled template page, the policies visible to the user cannot be determined by any user roles or country as the user cannot have any roles or countries attached to them when they are not logged in. To have these policies be displayed to a user who is not logged in, all permissions on the policy retaining to user roles or countries must be left empty.


Viewing Accepted Policies

Users can view a list of accepted or acknowledged policies at any time by clicking on the lock icon labeled "Privacy & Security" in the global header. This list view displays the collection point, version, and the date when the policy was accepted. Additionally, users can open a PDF to view the contents of the policy as it was at the time of acceptance.

(image placeholder)

Administrators can see who has accepted any policy at a given time by navigating to Menu Icon > Global Settings > Security tab > Privacy and Security Policies > Edit the desired policy > Click on “User Logs” in the left navigation. Here you will see a list view of all users that have accepted a policy along with pertinent information and a PDF of what the policy contained at the time of acceptance. A search is also available to easily find users by name or email.

Configuration

In this section, we will outline how to set up a new policy, how to manage policy enforcement and revisions, how to attach policies to various collection points, and how to view acceptance. You must be a Global Administrator to configure policies.


Note: There is currently no mechanism to migrate existing policies into the new format. If you wish to keep using an existing policy, you'll need to recreate it using the new policy builder. Old policy acceptance data will still be retained.


Setting Up a Global Policy

Creating a New Policy

To establish a global privacy and security policy that all system users must accept, follow the steps below:


  1. Go to Global Settings > Security tab > Privacy and Security Policies > Click the “New Policies” button (plus sign).
  2. Under the Name field, give your policy a descriptive name such as “Privacy and Security Policy”. This name will be displayed to the end user.
  3. (Optional) If you have an existing policy number in a third-party system, you can enter the same policy ID under Custom ID for reference purposes.
  4. For Effective Date, schedule a date in the past to immediately activate this policy and force users to accept this policy at all collection points which we will set at a later stage. If you select a date in the future, policies will be automatically moved from “Draft” to “Active” status on that future date. An Effective Date is required to enforce an active policy.
  5. (Optional) If you need users to periodically re-accept this policy after a set interval of time on login only, specify a period under Enforcement Interval. By default, the interval is set to “None”.
  6. (Optional) For Expiry Date, schedule a date for the current version of this policy to expire. After this date, the status of this policy will change from “Active” to “Expired” and the policy will no longer be enforced.
  7. Under User Policy Options, choose the compliance option that will be presented to the user. In this example, we will choose the second option (“Users must accept the policy to proceed”) since we want all users to have a choice to accept the policy, however, we will not allow them to use the system unless they consent to the terms of our policies.
  8. (Optional) Toggle on Enforce Scrolling if you want to force the user to scroll to the bottom of the policy before seeing the options to acknowledge, accept, and/or decline. Otherwise, the acceptance options will be immediately visible to the user and they will not be forced to read it.
  9. Click Save.

Creating Policy Sections

Now that we have created a policy, we need to add the content of the policy using the new policy builder.


  1. In the left-hand navigation, select “Policy Builder”. A policy can be built section by section, with each section getting its own independent permissions. This allows you to set up a single policy that can show different sections to different user roles if needed.
  2. To create a new section, click the “New Policy Section” button which looks like a plus sign.
  3. Provide a relevant title for the section under Section Header.
  4. Under Content, add the content for the first section of your policy. Then click Save.
  5. Repeat steps 2 to 4 adding additional sections and content as needed.
  6. (Optional) If a certain policy section should only be displayed to specific users and/or countries, navigate to the Permissions tab to define this in more detail.


Adding Permissions to a Policy

While each policy section can have its own permissions, you can also add permissions to the policy as a whole. To do this, navigate to Global Settings > Security tab > Privacy and Security Policies > Edit the desired policy > Permissions tab.

Note: A policy must not contain any role-based or country-based permissions in order to be visible to users not logged into the system.


Attaching Policies to a Login Page

Once we have created a new policy and set up the appropriate permissions, we can attach the policy to a global location such as a login page. This will force all users who log in to the system to accept or acknowledge the policy before gaining further access. In this article, we refer to any location where a policy has been attached as a “collection point”. To attach a policy to a login page, follow these steps:

  1. Go to Global Settings > Branding tab > Login Pages
  2. Edit the desired login page.
  3. Under the “Privacy Policies” section, add the new policy to the Attach Policies field.
  4. Click Save.


Note: For a policy to be enforced at a collection point, it must have a status set to “Active” and it must have an Effective Date set in the past.

Attaching Policies to Other Collection Points

Attaching Policies to a Signup Page

If you have a specific policy for users to accept prior to registering, you can attach it to a user signup page. Navigate to Global Settings > Users tab > Signup Pages > Edit the desired signup page > Under Attach Policies, select the desired policies and click Save. Now when a user navigates to the signup page, the specified policies will be displayed as part of the signup process. If the user signup page is attached to an organization signup page, the policies will also be displayed.

Attaching Policies to a a Level 1, 2 or 3 Type

If you want users to accept a policy upon creation of a Level 1, 2 , or 3 record of a specific type, you can navigate to the desired UTA Configuration Settings > Click the desired Level tab > Types > Edit the desired type > Process tab > Under Attach Policies, select the desired policies and Save.


Note: The policy will only be enforced when a user manually creates a new record of the specified type. Policies will not be enforced when records are created in bulk (such as a data import) or created in batch (such as using the Advanced Data table).

Activating a Draft Policy

When a new policy or a new version of a policy is created, it is automatically set to “Draft” status.

There are two ways to activate a draft policy so the policy can be enforced:

  • Click the Activate Version button in the submit bar of the policy settings page.
  • Set an Effective Date in the future on the policy settings page. When the selected date is reached the policy will be automatically moved from “Draft” to “Active” status.

Note: A policy must be in “Active” status, have an Effective Date set in the past, and be attached to a collection point before the policy will be enforced at the collection point defined.

Periodically Enforcing an Active Policy

In some scenarios, it may be advantageous to force users to re-accept the same policy after a set interval of time. For example, users may need to re-accept a policy on an annual basis. Instead of creating a new version of the policy each year, you can set an Enforcement Interval to automatically force the re-acceptance of a policy. For example, if users need to re-accept a policy on an annual basis, go to Global Settings > Security tab > Privacy and Security Policies > Edit the desired policy > Under Enforcement Interval, select “Annual”. Currently, policies can be enforced periodically on an annual, quarterly, monthly, weekly, or daily basis.


Note: The Enforcement Interval only applies to policies attached to login pages.

Editing an Active Policy

Once a policy enters “Active” status, no changes can be made to the content within policy sections. If changes are needed, a new version of the policy must be created. To make changes to an existing policy, follow these steps:

  1. Go to Global Settings > Security tab > Privacy and Security Policies > Edit the desired policy > Click the New Version button in the submit bar.
  2. An alert will display warning you that a new version of this policy will be created in “Draft” status. Once the new version is activated, it will replace the previous version. Click “Yes” to proceed.
  3. A new version of the policy will be created in “Draft” status. Make the necessary changes to this version.
  4. Once you are happy with the changes, click the Activate Version button in the submit bar to replace the previous version.

Note: Previous policy versions will continue to be enforced until a new version is moved to “Active” status.

Expiring a Policy

An expired policy will no longer be enforced but may be activated again in the future. Acceptance data for an expired policy will still be available. For compliance reasons, there is no option to completely delete a policy.


To retire an active policy, go to Global Settings > Security tab > Privacy and Security Policies > Edit the desired policy > Click the Expire Version button in the submit bar.

Creating Language Translations

To create language translations of a policy, follow these steps:


  1. Go to Global Settings > Security tab > Privacy and Security Policies > Edit the desired policy > Click the “Policies Translation Settings” button in the top action bar.
  2. Select the target language under the Language dropdown.
  3. Enter a translated title inside the Name field.
  4. Click Save.
  5. Exit the translation modal and click the “Policy Builder” link in the left-navigation bar.
  6. Edit the desired policy section by clicking the pencil icon.
  7. Click the “Policies Section Translation Settings” button at the top of the modal window.
  8. Enter the relevant translated text and click Save.
  9. Continue to add text translations to the remaining policy sections.

Viewing Policy Acceptance

User acceptance logs can be accessed in three ways:


  1. Users can view a list of accepted or acknowledged policies by clicking on the lock icon labeled "Privacy & Security" in the global header. This list view displays the collection point, version, and the date when the policy was accepted. Additionally, users can open a PDF to view the contents of the policy as it was at the time of acceptance. Depending on configuration an administrator could emulate a user to see what that user accepted.
  1. Administrators can see who has accepted any policy, and when, by navigating to Menu Icon > Global Settings > Security tab > Privacy and Security Policies > Edit the desired policy > click on “User Logs” in the left navigation. Here you will see a list view of all users that have accepted a policy, along with pertinent information, and a PDF of what the policy contained at the time of acceptance. A search is also available to easily find users by name or email.
  1. Administrators can see a list of all accepted policies by navigating to Menu Icon > Global Settings > Security tab > Privacy and Security Policies > User Logs tab.