How to configure and activate Privacy Policies
What are Privacy Policies?
Privacy Policies can be configured to display on a user's first login and whenever the Privacy Policy is updated. Any number of Privacy Policies can be created, and personal attribute rule conditions determine which Privacy Policy is displayed to specific users. The Privacy Policies contain configurable texts that generally describe the information fields held against users and their purpose. When there is an active Privacy Policy, all users must agree to the terms in order to access the LMS. Users who decline the Privacy Policy will receive a ‘Passive’ status and will not be able to log in until they accept.
Configuration Steps
Privacy Policies are configured and activated in the Configuration function by editing the Platform access menu. The Privacy Policies tab contains a list of available Privacy Policies. All systems come with a single Privacy Policy that is Inactive by default. Any number of Privacy Policies can be configured and if there is an ‘Active’ policy there must be a ‘Default’.
Privacy Policy Fields
Privacy Policy text is referenced from wording bundles defined in the System texts function, where twenty standard wordings are available and new ones can be created.
- Identifier: System generated value
- Status: Determines whether the Privacy Policy will be shown (Active) or not shown (Inactive)
- Cancellation URL: Mandatory field that determines the URL where the user will be taken if they decline the Privacy Policy
- Bundle name: The string value shown in the ‘Name’ column; this bundle refers to the Privacy Policy title
- Confirmation text bundle name: System text bundle that defines the text to prompt approval of General Terms and Conditions (will be displayed next to the check box)
- Policy changes text bundle name: System text bundle that defines a text that contains the most important recent changes to the general terms and conditions
- Policy changes confirmation text bundle name: System text bundle that specifies the name of the localization variable that contains the text of the most important changes to the general terms and conditions; this text will be shown next to a check box
- Text 1-5: Each of the five Text areas essentially represents a separate section or paragraph of the Privacy Policy. Many customers do not use all five and instead extend the length of a single wording bundle. A minimum of one paragraph is to be used.
- Bundle name: In the System texts function there are twenty standard Privacy Policy bundle sets, or new bundles can be created. The ‘Bundle name’ is the string value shown in the Name column. The standard bundle sets can be found by searching privacyPolicy1 to privacyPolicy20 and each will have five sub-bundles (_1 to _5).
- Show frontend profile: Enabling this setting will show the user all the personal attributes that will be stored against their record in the 'front end' user profile (that they can see).
- Show backend profile: Enabling this setting will show the user all the personal attributes that will be stored against their record in the back end user profile (that administrators see).
- Conditions: An assignment condition rule file can be uploaded where multiple Privacy Policies are required for different groups or clients. This requires a specific XML format described below.
Conditions XML File
The Privacy Policy assignment conditions XML file enables single or multiple personal attribute based ‘and’ or 'or' conditions to be defined. The most commonly used condition is the CLIENT_ID personal attribute with the matching operator EQUAL and the client object ID as the value. The matching operator UNEQUAL is also often used.
The ‘orCondition’ requires only one of the personal attribute conditions to be true to assign the Privacy Policy. In the example below the user can have the Master client (CLIENT_ID) of 1 or 2.
<?xml version="1.0" encoding="UTF-8"?>
<policyAssignmentCondition xmlns="http://www.imc.de/clixConfiguration/businessProcess">
<ns1:orCondition xmlns:ns1="http://www.imc.de/clixConfiguration/common">
<ns1:ruleCondition expression="CLIENT_ID" matching="EQUAL" value="1" mode="VALUE" listSeparator=","/>
<ns1:ruleCondition expression="CLIENT_ID" matching="EQUAL" value="2" mode="VALUE" listSeparator=","/>
</ns1:orCondition>
</policyAssignmentCondition>
The ‘andCondition’ requires all of the personal attribute conditions to be true to assign the Privacy Policy. In the example below the user must have the Master client (CLIENT_ID) of 1 and be in the DEPARTMENT of SALES.
<?xml version="1.0" encoding="UTF-8"?>
<policyAssignmentCondition xmlns="http://www.imc.de/clixConfiguration/businessProcess">
<ns1:andCondition xmlns:ns1="http://www.imc.de/clixConfiguration/common">
<ns1:ruleCondition expression="CLIENT_ID" matching="EQUAL" value="1" mode="VALUE" listSeparator=","/>
<ns1:ruleCondition expression="DEPARTMENT" matching="EQUAL" value="SALES" mode="VALUE" listSeparator=","/>
</ns1:andCondition>
</policyAssignmentCondition>
A sample of a condition file is embedded below:
policy_assignment_condition.xml
Privacy Policy Selection Rules
There are rules in the code to determine which Privacy Policy is to be assigned in the case of multiple condition matches. The below description is based on how the code is implemented:
- Given there are multiple privacy policies, the code uses variables called:
  - numberOfRulesSatisfied=0
  - UniqueValidPolicy=null
- The code analyses each Privacy Policy to determine which to apply:
  for (int i = 0; i<=10; i++)
  If the condition rules are satisfied for the processed policy, the code increments numberOfRulesSatisfied (numberOfRulesSatisfied++) and sets UniqueValidPolicy to the policy processed.
- After processing all privacy policies defined:
  - If numberOfRulesSatisfied = 1, then the last UniqueValidPolicy stored will apply.
  - If numberOfRulesSatisfied > 1, then an error will be logged for a multiple rules error (PRS0159) and the 'default' Privacy Policy will be assigned.
Privacy Policy Display Rules
There are two ‘System’ Personal attributes related to Privacy policies that are used to determine if users need to accept a Privacy Policy. These are:
- Privacy Policy (POLICY_ID): The ID of the Privacy Policy assigned to the user.
- Date of most recent declaration of consent (DECLARATIONTIME): The date when the user last accepted the Privacy Policy.
The Privacy Policy will be presented to a user if either of the following conditions is met:
- If there is a Privacy Policy assigned and the Date of most recent declaration of consent is empty.
- If there is a Privacy Policy assigned and the Date of most recent declaration of consent is earlier than the last update of the Privacy Policy.
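The selection and display rules above, applied to the two sample condition files from this page, as an added example that is not the product's own code. The policy IDs 10, 11 and 99, the function names and the exact-string treatment of EQUAL and UNEQUAL are assumptions; mode and listSeparator are ignored because the page does not describe them. It shows that a user with CLIENT_ID 1 in the SALES department satisfies both sample conditions, so the default policy is assigned with PRS0159.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.imc.de/clixConfiguration/common}"

def evaluate(node, attrs):
    """Evaluate an andCondition / orCondition / ruleCondition element for one user."""
    kind = node.tag.replace(NS, "")
    if kind == "ruleCondition":
        # Assumption: EQUAL / UNEQUAL are exact string comparisons; mode is ignored.
        same = attrs.get(node.get("expression")) == node.get("value")
        return {"EQUAL": same, "UNEQUAL": not same}[node.get("matching")]
    results = [evaluate(child, attrs) for child in node]
    return {"andCondition": all, "orCondition": any}[kind](results)

def select_policy(conditions, default_id, attrs):
    """conditions: policy ID -> condition file bytes. Returns (policy ID, error code)."""
    satisfied = [pid for pid, raw in conditions.items()
                 if evaluate(ET.fromstring(raw)[0], attrs)]
    if len(satisfied) == 1:
        return satisfied[0], None
    # No match falls back to the default; several matches also yield PRS0159.
    return default_id, ("PRS0159" if len(satisfied) > 1 else None)

def must_present(policy_id, declaration_time, policy_updated):
    """Display rule: a policy is assigned and consent is missing or predates the update."""
    return policy_id is not None and (
        declaration_time is None or declaration_time < policy_updated)

def condition_file(op, *rules):
    """Build a constructed condition file in the page's format (sample data only)."""
    body = "".join(
        f'<ns1:ruleCondition expression="{e}" matching="{m}" value="{v}" '
        'mode="VALUE" listSeparator=","/>' for e, m, v in rules)
    return ('<?xml version="1.0" encoding="UTF-8"?><policyAssignmentCondition '
            'xmlns="http://www.imc.de/clixConfiguration/businessProcess">'
            f'<ns1:{op} xmlns:ns1="http://www.imc.de/clixConfiguration/common">{body}'
            f'</ns1:{op}></policyAssignmentCondition>').encode("utf-8")

# Constructed sample: policy IDs 10, 11 and 99 (the default) are hypothetical.
CONDITIONS = {
    10: condition_file("orCondition", ("CLIENT_ID", "EQUAL", "1"), ("CLIENT_ID", "EQUAL", "2")),
    11: condition_file("andCondition", ("CLIENT_ID", "EQUAL", "1"), ("DEPARTMENT", "EQUAL", "SALES")),
}

if __name__ == "__main__":
    for user in ({"CLIENT_ID": "2"}, {"CLIENT_ID": "1", "DEPARTMENT": "SALES"}, {"CLIENT_ID": "3"}):
        print(user, select_policy(CONDITIONS, 99, user))
```

Running a check like this over representative user records before uploading condition files surfaces overlapping rules that would otherwise silently route users to the default policy.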
System Texts
In the System texts function there are twenty standard sets of Privacy Policy bundles. Each set essentially contains six standard bundles. These bundles can be edited, updated, and then activated as required. It must be noted that each time Privacy Policy system text bundles are updated with changes activated, the users assigned to the Privacy Policy will need to re-accept the Privacy Policy on their next login.
Considerations
When using privacy policies the following points must be considered:
- Once there is an ‘Active’ Privacy Policy, there must also be a ‘Default’. Users that do not meet the rule conditions of an Active Privacy Policy will need to be presented the ‘Default’. This means there is no possibility to only have a Privacy Policy for select clients or groups; e.g. for External users.
- The ‘Default’ Privacy Policy is essentially a fallback policy that is assigned to users that do not meet rule conditions.
- Whenever a System text bundle of a Privacy Policy is changed, the assigned users need to re-accept the terms on their next login.
- Make sure the linked System text bundles are thoroughly checked before activating a Privacy Policy.