Privacy Policy Configuration

How to configure and activate Privacy Policies

What are Privacy Policies?

Privacy Policies can be created to display to users on first login and any time the privacy policy is updated. Any number of privacy policies can be created with personal attribute rule conditions to determine which privacy policy is to be displayed to different users. These privacy policies contain configurable text that generally describe the information fields held against users and the purpose. Where there are Privacy policies in use the users must agree to the terms of use in order to access the LMS; otherwise the user will receive a Passive authentication status until they accept the terms.

Configuration Steps

Privacy Policies are configured and activated in the Configuration function by editing the Platform access menu. The Privacy Policies tab contains a list of available privacy policies. All systems come with a single privacy policy that is Inactive by default

Privacy Policy Fields

Privacy policy text is referenced from wording bundles defined in the System texts function where there are twenty standard wordings or new can be created.

• Identifier: System generated value

• Status: Determines whether the privacy policy will be shown (Active) or not shown (Inactive)

• Cancellation URL: Mandatory field that determines the URL where the user will be taken if they decline the privacy policy

• Bundle name: Is the string value shown in the ‘Name’ column; this bundle refers to the privacy policy title

• Confirmation text bundle name: System text bundle that defines the text to prompt approval of General Terms and Conditions (will be displayed next to the check box)

• Policy changes text bundle name: System text bundle that defines a text that contains the most important recent changes to the general terms and conditions

• Policy changes confirmation text bundle name: System text bundle that specifies the name of the localization variable that contains the text of the most important changes to the general terms and conditions; this text will be shown next to a check box

• Text 1-5: Each of the five Text areas essentially represent a separate section or paragraph of the privacy policy. Many customers do not use all five by simply extending the length of a single wording bundle. A minimum of one paragraph is to be used.

  • Bundle name: In the System texts function there are twenty standard Privacy Policy bundle sets or new bundles can be created. The ‘Bundle name’ is the string value shown in the Name column. The standard bundles sets can be found by searching privacyPolicy1 to privacyPolicy20 and each will have five sub-bundles (_1 to _5).

  • Show frontend profile: Enabling this setting will show the user all the personal attributes that will be stored against their record in the ' front end' user profile (that they can see).

  • Show backend profile: Enabling this setting will show the user all the personal attributes that will be stored against their record in the back end user profile (that administrators see).

• Conditions: An assignment condition rule file can be uploaded where multiple Privacy Policies are required for different groups or clients. This requires a specific XML format described below.

Conditions XML File

The Privacy Policy assignment conditions XML file enables single or multiple personal attribute based ‘and’ or 'or' conditions to be defined. The most commonly used condition would be the CLIENT_ID personal attribute where a matching operator EQUAL to the client object ID value. The matching operator UNEQUAL is also often used.

The ‘orCondition’ requires only one of the personal attribute conditions to be true to assign the Privacy policy. In the example below the user can have the Master client (CLIENT_ID) of 1 or 2.

<?xml version="1.0" encoding="UTF-8"?>
<policyAssignmentCondition xmlns="http://www.imc.de/clixConfiguration/businessProcess">
	<ns1:orCondition xmlns:ns1="http://www.imc.de/clixConfiguration/common">
		<ns1:ruleCondition expression="CLIENT_ID" matching="EQUAL" value="1" mode="VALUE" listSeparator=","/>
		<ns1:ruleCondition expression="CLIENT_ID" matching="EQUAL" value="2" mode="VALUE" listSeparator=","/>
	</ns1:orCondition>
</policyAssignmentCondition>

The ‘andCondition’ requires all of the personal attribute conditions to be true to assign the Privacy policy. In the example below the user must have the Master client (CLIENT_ID) of 1 and be in the DEPARTMENT of SALES.

<?xml version="1.0" encoding="UTF-8"?>
<policyAssignmentCondition xmlns="http://www.imc.de/clixConfiguration/businessProcess">
	<ns1:andCondition xmlns:ns1="http://www.imc.de/clixConfiguration/common">
		<ns1:ruleCondition expression="CLIENT_ID" matching="EQUAL" value="1" mode="VALUE" listSeparator=","/>
		<ns1:ruleCondition expression="DEPARTMENT" matching="EQUAL" value="SALES" mode="VALUE" listSeparator=","/>
	</ns1:andCondition>
</policyAssignmentCondition>

A sample of a condition file is embedded blow:

policy_assignment_condition.xml

Privacy Policy Selection Rules

There are rules in the code to determine which Privacy policy is to be assigned in the case of multiple condition matches. The below description is based on how the code is implemented:

• Given there are multiple privacy policies in the code there are variables called:

  • numberOfRulesSatisfied=0

  • UniqueValidPolicy=null

• The code analyses each privacy policy to determine which to apply:
  for (int = 0; i<=10; i++)
  if for the processed policy the condition rules are satisfied then it increments numberOfRulesSatisfied++ and sets UniqueValidPolicy=policy processed.

• After processing all privacy policies defined:

  • if numberOfRulesSatisfied = 1 then the last UniqueValidPolicy stored will apply.

  • if numberOfRulesSatisfied > 1 then an error will be logged for a multiple rules error (PRS0159) and the 'default' privacy policy will be assigned.

Privacy Policy Display Rules

There are two ‘System’ Personal attributes related to Privacy policies that are used to determine if users need to accept a privacy policy. These are:

• Privacy policy (POLICY_ID): The ID of the Privacy policy assigned to the user.

• Date of most recent declaration of consent (DECLARATIONTIME): The date when the user last accepted the Privacy policy.

The Privacy policy will be presented to a user if either of the following conditions are met:

• If there is a Privacy policy assigned and the Date of most recent declaration of consent is empty.

• If there is a Privacy policy assigned and the Date of most recent declaration of consent is earlier than the last update of the privacy policy.

System Texts

In the System texts function there are twenty standard sets of privacy policy bundles. Each set essentially contains six standard bundles. These bundles can be edited, updated, and then activated as required. It must be noted that each time privacy policy system text bundles are updated with changes activated, the users assigned to the privacy policy will need to re-accept the privacy policy on their next login.

Considerations

When using privacy policies the following points must be considered:

• Once there is an Active privacy policy all users will need to accept the privacy policy regardless of the rule conditions.

• There must always be a Privacy policy flagged as the Default as soon as there is an active Privacy policy. The ‘Default’ Privacy policy is essentially a fallback policy that is assigned to users that do not meet rule conditions.

• Whenever the system text of a privacy policy is changed, the updated privacy policy will need to be re-accepted the next time all effected users log in.

• Make sure the System text wording is thoroughly checked before activating a Privacy policy.

📋 Related Articles

Configuration Manager - Platform Access