Overview
This article provides an overview of the management of privacy and security policies within your SmartSimple system. Privacy and security policies are essential for ensuring compliance with relevant regulations, mitigating risks, and enhancing user trust by clearly defining how user privacy and data will be protected. In this article, you will learn how to create and update policies, associate policies with collection points, and review policy acceptance. It is important to recognize that privacy is a shared responsibility.
About Privacy Policies
What are privacy and security policies?
Privacy policies delineate how a website collects, utilizes, stores, and safeguards user data, offering visitors assurance that their personal information is handled with care and respect. In contrast, security policies describe the technical and procedural measures implemented to protect against cyber threats and data breaches. Collectively, these policies serve to shield users from identity theft, fraud, and other online risks. For instance, SmartSimple has established its own privacy and security policies, which can be reviewed in full at the Trust & Security Center on our website.
Are policies mandatory to have?
The requirement for privacy and security policies may be legally mandated depending on the jurisdiction of the end-user. For example, the General Data Protection Regulation (GDPR) is a regulation enacted by the European Union (EU) aimed at protecting individuals' privacy and personal data. The GDPR grants EU citizens enhanced control over their personal data and establishes rigorous guidelines for data processing and privacy practices for organizations operating both within and outside the EU. Compliance with the GDPR necessitates the existence of privacy and security policies, thereby safeguarding individuals' rights to privacy.
Can I use this feature to track other compliance activities?
The privacy and security policies feature can be utilized to monitor and manage various other policies and compliance activities. For example, you may opt to use this feature to oversee conflict of interest attestations or agreements to other terms and conditions.
What are the differences between the new privacy policies feature and the old one?
The new privacy and security policies feature will be available starting July 2024. Policies created using the previous feature must be recreated in the new privacy feature, as they will not be transferred. It is necessary to opt in to utilize the new privacy and security policies feature.
The new feature includes the following enhancements:
- Ability to attach policies to key interaction points (login, signup, and record creation) to ensure compliance
- Enhanced control over visibility of policies based on user roles and timing, ensuring users only see relevant policies
- Improved management of language translation to save configuration time and ensure users have access to policies in their preferred language
- Customizable acceptance options and behaviors providing greater flexibility to meet specific business needs
- Strengthened revision processes for improved compliance management
- User-friendly policy section builder to facilitate policy creation and increase administrative efficiency without requiring technical skills
- Streamlined access to view user acceptance records for enhanced transparency and accountability
Note: Currently, there is no mechanism to migrate existing policies into the new format. If you wish to continue using an existing policy, it will need to be recreated using the new policy builder. However, old policy acceptance data will still be retained.
Policy Life Cycle
The policy life cycle consists of three states:
- Draft Status - Upon initial creation, a policy enters “Draft” status, allowing for unrestricted modifications to its contents.
- Active Status - Once a policy is transitioned to active status, its contents cannot be modified without generating a new version. While multiple versions of a policy may exist, only one version can be active at any given time. Note: For an active policy to be enforceable, it must have an “Effective Date” set in the past.
- Expired Status - A policy may be designated as "Expired" when it is no longer necessary. An expired policy will not be enforced at any collection point. However, users can still view their acceptance of the policy by accessing the lock icon in the header labeled "Privacy and Security." Expired policies can be reinstated with an “Active” status at any time without the need to create a new version.
How Users Interact with Policies
Users may encounter privacy and security policies at various collection points within your system, depending on the configuration. Below, we will explore several areas of the system where users may be prompted to accept policies.
Login Pages
Before logging in, users may have the opportunity to preview specific policies based on configuration, as illustrated below.
Note: As the user has not yet logged in, only policies without any role or country permissions will be visible to them.
After logging in, most systems require users to accept certain policies before granting access. These policies typically delineate the responsibilities and expectations of each party in relation to system usage. Depending on the configuration, the end user will have the option to acknowledge, accept, or decline a given policy.
Signup Pages
Users may be required to acknowledge or accept a set of policies prior to accessing the signup page form. This ensures that users are informed of the terms and conditions associated with using the system, as well as how their data may be collected, utilized, and stored.
On Record Creation
When a user creates a Level 1 record (such as applying to a program), they may be prompted to accept or acknowledge a set of policies specific to the Level 1 type being created. Similarly, when a user creates a Level 2 record (such as a review), they may also be asked to accept or acknowledge a set of policies that may include a conflict-of-interest attestation. These policies will be presented to the user prior to filling out the form and will be displayed each time the user creates a new Level 1, 2, or 3 record of a specific type.
Note: If records are created using the web-enabled template page, the policies visible to the user cannot be determined by user roles or countries, as the user cannot possess any roles or countries when not logged in. To display policies to a user who is not logged in, all permissions on the policy related to user roles or countries must be left unassigned.
Viewing Accepted Policies
Users can access a list of accepted or acknowledged policies at any time by clicking on the lock icon labeled "Privacy & Security" in the global header. This list view displays the collection point, version, and the date when the policy was accepted. Additionally, users can open a PDF to view the contents of the policy as it was at the time of acceptance.
Administrators can ascertain who has accepted any policy at a given time by navigating to:
System Administration (gear icon) >> Global Settings >> Security (tab) >> Privacy and Security Policies
[Edit] the desired policy and click "User Logs" in the left navigation. This displays a list view of all users who have accepted the policy, along with relevant information and a PDF of the policy contents at the time of acceptance. A search function is also available to locate users by name or email.
Configuration
This section outlines the procedures for establishing a new policy, managing policy enforcement and revisions, attaching policies to various collection points, and reviewing acceptance. Only Global Administrators are authorized to configure policies.
Note: Currently, there is no mechanism to migrate existing policies into the new format. If you wish to retain an existing policy, it must be recreated using the new policy builder. However, historical policy acceptance data will still be preserved.
Establishing a Global Policy
Creating a New Policy
To establish a global privacy and security policy that all system users must accept, please adhere to the following steps:
System Administration (gear icon) >> Global Settings >> Security (tab) >> Privacy and Security Policies
- Click the “New Policies” button (plus sign).
- In the Name field, provide a descriptive name for your policy, such as “Privacy and Security Policy.” This name will be visible to the end user.
- (Optional) If you possess an existing policy number in a third-party system, you may enter the corresponding policy ID under Custom ID for reference purposes.
- For Effective Date, select a date in the past to activate this policy immediately and require users to accept it at all collection points, which will be configured subsequently. If a future date is selected, policies will transition from “Draft” to “Active” status on that specified future date. An Effective Date is mandatory to enforce an active policy.
- (Optional) If it is necessary for users to periodically re-accept this policy after a specified interval upon login, indicate a period under Enforcement Interval. By default, this interval is set to “None.”
- (Optional) For Expiry Date, set a date for the current version of this policy to expire. After this date, the status of the policy will change from “Active” to “Expired,” and the policy will no longer be enforceable.
- Under User Policy Options, select the compliance option that will be presented to the user. In this instance, we will select the second option (“Users must accept the policy to proceed”): every user is offered the policy, but nobody is permitted to use the system without consenting to its terms.
- (Optional) Activate Enforce Scrolling if you wish to mandate that users scroll to the bottom of the policy before they can see the options to acknowledge, accept, or decline. Otherwise, the acceptance options will be immediately visible to users without requiring them to read the policy.
- Click Save.
Creating Policy Sections
Having established a policy, we now need to add the content of the policy using the new policy builder.
- In the left-hand navigation, select “Policy Builder.” A policy can be constructed section by section, with each section receiving its own independent permissions. This allows for the establishment of a single policy that can display different sections to various user roles as necessary.
- To create a new section, click the “New Policy Section” button, which resembles a plus sign.
- Provide a relevant title for the section under Section Header.
- Under Content, add the content for the first section of your policy. Then click Save.
- Repeat the previous three steps (new section, section header, content) to add further sections and content as needed.
- (Optional) If a specific policy section should only be displayed to certain users and/or countries, navigate to the Permissions tab to define this in greater detail.
Adding Permissions to a Policy
While each policy section can have its own permissions, it is also possible to add permissions to the policy as a whole. To do this, navigate to Global Settings > Security tab > Privacy and Security Policies > Edit the desired policy > Permissions tab.
Note: A policy must not contain any role-based or country-based permissions in order to be visible to users who are not logged into the system.
Attaching Policies to a Login Page
Upon creating a new policy and establishing the appropriate permissions, we can attach the policy to a global location, such as a login page. This will require all users who log in to the system to accept or acknowledge the policy prior to gaining further access. In this document, any location where a policy has been attached is referred to as a “collection point.” To attach a policy to a login page, please follow these steps:
- Navigate to Global Settings > Branding tab > Login Pages
- Edit the desired login page.
- Under the “Privacy Policies” section, add the new policy to the Attach Policies field.
- Click Save.
Note: For a policy to be enforced at a collection point, it must have a status set to “Active” and an Effective Date set in the past.
Attaching Policies to Other Collection Points
Attaching Policies to a Signup Page
If you have a specific policy that users must accept prior to registration, you can attach it to a user signup page. Navigate to Global Settings > Users tab > Signup Pages > Edit the desired signup page > Under Attach Policies, select the desired policies and click Save. Consequently, when a user navigates to the signup page, the specified policies will be displayed as part of the signup process. If the user signup page is linked to an organization signup page, the policies will also be displayed.
Attaching Policies to a Level 1, 2, or 3 Type
If you wish for users to accept a policy upon the creation of a Level 1, 2, or 3 record of a specific type, you may navigate to the desired UTA Configuration Settings > Click the desired Level tab > Types > Edit the desired type > Process tab > Under Attach Policies, select the desired policies and Save.
Note: The policy will only be enforced when a user manually creates a new record of the specified type. Policies will not be enforced when records are created in bulk (such as during a data import) or created in batch (such as using the Advanced Data table).
Activating a Draft Policy
When a new policy or a new version of an existing policy is created, it is automatically assigned a “Draft” status.
There are two methods to activate a draft policy so that it may be enforced:
- Click the Activate Version button located in the submit bar of the policy settings page.
- Set an Effective Date in the future on the policy settings page. When the selected date is reached, the policy will automatically transition from “Draft” to “Active” status.
Note: A policy must be in “Active” status, have an Effective Date set in the past, and be attached to a collection point before it will be enforced at the defined collection point.
Periodically Enforcing an Active Policy
In certain scenarios, it may be beneficial to require users to re-accept the same policy after a specified interval of time. For instance, users may need to re-accept a policy on an annual basis. Instead of creating a new version of the policy each year, you can set an Enforcement Interval to automatically compel the re-acceptance of a policy. For example, if users need to re-accept a policy annually, navigate to Global Settings > Security tab > Privacy and Security Policies > Edit the desired policy > Under Enforcement Interval, select “Annual.” Currently, policies can be enforced periodically on an annual, quarterly, monthly, weekly, or daily basis.
Note: The Enforcement Interval applies solely to policies attached to login pages.
Editing an Active Policy
Once a policy achieves “Active” status, modifications to the content within its sections are prohibited. Should changes be necessary, a new version of the policy must be generated. To amend an existing policy, please adhere to the following steps:
- Select the policy to [Edit] and click the New Version button located in the submission bar.
- An alert will appear, notifying you that a new version of this policy will be created in “Draft” status. Upon activation, this new version will supersede the previous one. Click “Yes” to proceed.
- A new version of the policy will be created in “Draft” status. Implement the necessary changes in this version.
- Once satisfied with the changes, click the Activate Version button in the submission bar to replace the prior version.
Note: Prior versions of the policy will remain in effect until a new version is transitioned to “Active” status.
Expiring a Policy
An expired policy will no longer be enforced but may be reactivated in the future. Acceptance records for an expired policy will still be accessible. For compliance purposes, policies cannot be completely deleted.
To retire an active policy, select the policy to Edit and click the Expire Version button in the submission bar.
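As an added illustration (example code, not SmartSimple's own), the enforcement rules from the Policy Life Cycle, Activating a Draft Policy, Periodically Enforcing, Editing and Expiring sections above are modelled as one decision function; the collection-point naming ("login", "signup", "record:<type>") and the day counts behind each Enforcement Interval option are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed day lengths for the Enforcement Interval options listed on this page.
INTERVAL_DAYS = {"None": None, "Daily": 1, "Weekly": 7, "Monthly": 30,
                 "Quarterly": 91, "Annual": 365}


@dataclass
class Policy:
    name: str
    status: str                      # "Draft", "Active" or "Expired"
    version: int                     # only one version is Active at a time
    effective_date: Optional[date]   # mandatory for an Active policy to be enforced
    collection_points: set           # where the policy is attached
    roles: set = field(default_factory=set)      # role permissions; empty = unrestricted
    countries: set = field(default_factory=set)  # country permissions; empty = unrestricted
    enforcement_interval: str = "None"           # honoured only at login pages


@dataclass
class Acceptance:
    policy_name: str
    version: int
    accepted_on: date


def is_enforceable(policy: Policy, today: date) -> bool:
    """Active status plus an Effective Date that has already arrived (the day itself counts, by assumption)."""
    return (policy.status == "Active"
            and policy.effective_date is not None
            and policy.effective_date <= today)


def is_visible(policy: Policy, logged_in: bool, user_roles=frozenset(), user_country=None) -> bool:
    """Before login a user holds no roles or country, so only unrestricted policies are shown."""
    if not logged_in:
        return not policy.roles and not policy.countries
    role_ok = not policy.roles or bool(policy.roles & set(user_roles))
    country_ok = not policy.countries or user_country in policy.countries
    return role_ok and country_ok


def must_prompt(policy: Policy, collection_point: str, acceptances, today: date,
                logged_in: bool = True, user_roles=frozenset(), user_country=None) -> bool:
    """Decide whether this user is prompted for this policy at this collection point."""
    if collection_point not in policy.collection_points:
        return False   # not attached here
    if not is_enforceable(policy, today):
        return False   # Draft, Expired, or Effective Date still in the future
    if not is_visible(policy, logged_in, user_roles, user_country):
        return False
    if collection_point.startswith("record:"):
        return True    # record creation re-prompts on every new record of that type
    current = [a for a in acceptances
               if a.policy_name == policy.name and a.version == policy.version]
    if not current:
        return True    # this version never accepted; a new version supersedes the old one
    days = INTERVAL_DAYS.get(policy.enforcement_interval)
    if collection_point == "login" and days is not None:
        return today - max(a.accepted_on for a in current) >= timedelta(days=days)
    return False
```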
Creating Language Translations
To generate language translations for a policy, please follow these steps:
System Administration (gear icon) >> Global Settings >> Security (tab) >> Privacy and Security Policies
- Select the policy to edit > Click the “Policies Translation Settings” button in the top action bar.
- Select the target language from the Language dropdown menu.
- Input a translated title in the Name field.
- Click Save.
- Exit the translation modal and click the “Policy Builder” link in the left navigation bar.
- Edit the desired policy section by selecting the pencil icon.
- Click the “Policies Section Translation Settings” button at the top of the modal window.
- Input the relevant translated text and click Save.
- Continue to add text translations for the remaining policy sections.
Viewing Policy Acceptance
User acceptance logs can be accessed in three ways:
- Users can view a list of accepted or acknowledged policies by clicking on the lock icon labeled "Privacy & Security" in the global header. This list view displays the collection point, version, and the date when the policy was accepted. Additionally, users can open a PDF to view the contents of the policy as it was at the time of acceptance. Depending on configuration, an administrator may emulate a user to observe what that user accepted.
- Administrators can view who has accepted any policy, and when, by navigating to Menu Icon > Global Settings > Security tab > Privacy and Security Policies > Select the policy to edit > click on “User Logs” in the left navigation. Here, you will find a list view of all users who have accepted a policy, along with pertinent information and a PDF of what the policy contained at the time of acceptance. A search function is also available to easily locate users by name or email.
- Administrators can view a comprehensive list of all accepted policies by navigating to Menu Icon > Global Settings > Security tab > Privacy and Security Policies > User Logs tab.
Configuring the Privacy and Security Settings
It is essential to create a policy for the Default Country and English language initially. The default policy will be displayed to all users prior to login.
- From the Configuration menu, select Global Settings.
- Select the Security tab.
- Select the Privacy and Security Policies link within the Security Settings.
- The list of configured Privacy and Security policies will be displayed.
- Click the New Policy icon to configure a new policy, or click on the "Edit Policy" icon to modify an existing policy.
- Complete the privacy settings field options.
- Click Save to preserve the policy.
Privacy and Security Field Options
The following are field options for configuring Privacy and Security policies:
Policies
This section allows for the creation of specific country and language policy combinations.
- Country - Select the country to which this specific policy will apply from the dropdown list. Choose the Default Country option when creating a general (non-country specific) policy. The Default Country is displayed prior to login. After login, the privacy policy displayed is determined by the user's settings.
- Language - Select the language that will be associated with the country selected in the previous option.
Policy Details
This section allows for the labeling of policies and the addition of policy details via rich text or external links. Each policy can be labeled individually using the label field adjacent to the policy name.
- Enforce User Acceptance - Determine if and when policies require acceptance from end-users. This is used in conjunction with the User Acceptance Required option to enforce acceptance specific to individual policies.
- Interval - A dropdown of interval options. If one of the options is selected, users will be required to re-accept the policies at the specified interval.
- Introduction - This defines the first policy page displayed and can be utilized to introduce the policies that have been defined. Only the rich text option is available for defining the introduction (no URL option).
- Privacy Policy - This option allows for the definition of the privacy policy.
- Communications Policy - This option allows for the definition of the communication policy.
- Data Access - This option allows for the definition of the data policy.
- Accountability - This option allows for the definition of the accountability policy.
- Data Confidentiality - This option allows for the definition of the data confidentiality policy.
- Performance Integrity - This option allows for the definition of the performance integrity policy.
- International Data Privacy - This option allows for the definition of the international data privacy policy.
The policies (excluding Introduction) have three options: None, Rich Text, and URL:
- The None option indicates that this policy is not defined for this country/language policy combination.
- The Rich Text option enables the creation of the specific policy utilizing the rich text editor.
- The URL option allows for the specification of a URL link resource to be referenced from an external site.
Each of these policies also includes a User Acceptance Required option, indicating that user acceptance is required for that individual policy after the date specified in the Enforce User Acceptance setting.
If the User Acceptance Required option is activated, an additional Role Lookup option will be displayed. If roles are selected here, the policy will only affect users with those roles.
Adding the Privacy & Security Link to Existing Login Pages
For login pages created prior to the introduction of this feature (April 2016), the Privacy & Security link will not be displayed by default. This can be manually added by updating the Standard Template located on the Login Screen Content page. Note: Updating the Standard Template will remove any previous formatting. It is advisable to start with the Standard Template and subsequently customize the page to meet your requirements. In cases where you opt not to use the Standard Template, the code below includes the link for manual insertion:
[s_viewpolicies.jsp?companyid=@companyid@&policylang=@lang@&isexternal=1 Privacy & Security] |
Notes
- Each field includes a last modified by and modified date stamp.
- Policy formats encompass both rich text format and URL links to webpages containing the policy.
- Additional policies can be added by clicking the + plus icon at the bottom of the Policy Details section.
Privacy Logs
When a user confirms and completes the Privacy policy, a PDF version is stored against the corresponding policy under the View Log tab.
The PDF is named following the structure [userid]-[firstname]_[lastname]_policy-[policyid]-[countryid]-[langid]_V_[version].pdf.
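As an added example (not SmartSimple's own code), a parser for the PDF name structure above, used to find users whose most recent acceptance is for an older version than the one currently Active; the assumptions are that ids contain no "-" or "_", that the version is numeric, and that the first name contains no underscore (the last name may, because the match is anchored on the trailing "_policy-" marker).

```python
import re
from collections import defaultdict
from typing import Optional

# Pattern for [userid]-[firstname]_[lastname]_policy-[policyid]-[countryid]-[langid]_V_[version].pdf
LOG_NAME = re.compile(
    r"^(?P<userid>[^-]+)-"
    r"(?P<firstname>[^_]+)_(?P<lastname>.+)_policy-"
    r"(?P<policyid>[^-]+)-(?P<countryid>[^-]+)-(?P<langid>[^_]+)"
    r"_V_(?P<version>\d+)\.pdf$"
)


def parse_log_name(filename: str) -> Optional[dict]:
    """Return the fields encoded in one acceptance PDF name, or None if it does not match."""
    m = LOG_NAME.match(filename)
    if not m:
        return None
    fields = m.groupdict()
    fields["version"] = int(fields["version"])   # numeric version, by assumption
    return fields


def outstanding_acceptances(filenames, active_versions: dict) -> dict:
    """For each policy id in active_versions, list users whose newest accepted version
    is older than the Active one. Users with no log entry at all do not appear,
    because only an acceptance produces a PDF."""
    newest = defaultdict(dict)   # policyid -> userid -> highest accepted version
    for name in filenames:
        rec = parse_log_name(name)
        if rec is None:
            continue             # skip files that do not follow the naming pattern
        seen = newest[rec["policyid"]]
        seen[rec["userid"]] = max(seen.get(rec["userid"], 0), rec["version"])
    return {pid: sorted(u for u, v in newest.get(pid, {}).items() if v < current)
            for pid, current in active_versions.items()}


# Constructed sample file names, not real log data.
SAMPLE_FILES = [
    "1001-Jane_Doe_policy-7-1-1_V_1.pdf",
    "1001-Jane_Doe_policy-7-1-1_V_2.pdf",
    "1002-Juan_de_la_Cruz_policy-7-1-1_V_1.pdf",
    "1003-Li_Wei_policy-8-1-1_V_3.pdf",
    "notes.txt",
]

if __name__ == "__main__":
    print(outstanding_acceptances(SAMPLE_FILES, {"7": 2, "8": 3}))
```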