Difference between revisions of "DeletionPolicy"

From Catglobe Wiki
Jump to: navigation, search
Line 137: Line 137:
  
 
= Appendix: How to =
 
= Appendix: How to =
 +
== Scenario ==
 +
== Scenario ==
 +
== Scenario ==
 +
== Scenario ==
 +
== Scenario ==
 +
== Scenario ==
 +
== Scenario ==
 +
== Scenario ==
 +
== Scenario ==

Revision as of 11:25, 17 September 2019

Definitions

User definitions

Registered user: Describes a user that has agreed to participate in a panel or product.

Sample user: Describes a user that has been imported without explicit consent, or a user for which we act as data processor (I.e. an import from a client), or a user that has visited an external link of some kind and ends in a setup.

Product user: Is a user that has login rights to a product, administrate panel or view dashboard etc. A consultant is a product user. A product user is also a registered user. A user that is member of a panel is NOT a product user. If a user is member of multiple products, then the data deletion follows the requirements of each product, but user deletion follows the least restrictive.

Active user: Describes a registered user that has in some way been registered as interacting with us within a predefined timespan.

Possible inactive user: Describes a registered user that has in no way been registered as interacting with us within a predefined timespan and has been given no warning that their participation has lapsed.

Inactive user: Describes a Possible inactive user that has in no way been registered as interacting with us within a predefined timespan from the time of warning.

Optout user: Describes a user that has communicated with us that they do not wish to be an active user. This communication can either be through inactivity or through active optout. An active optout should add the user’s email/phone number to the blacklist.

Questionnaire definitions

Background questionnaire: Is all questionnaires that is made with the primary reason to collect historic data to use in other questionnaires.

Tracking questionnaire: Is all questionnaires in there is a continual or periodic collection of data.

Ad Hoc questionnaire: Is all questionnaires in which there is a clear start of collection and end of collection.

Recruitment questionnaire: Is all questionnaire in which a user is created during the qnaire in such a way that this user is identifiable as a physical person, or in which a sample user is converted to a registered user.

Workflow questionnaire: Is all questionnaire in which a user does not actively participate, but it does work on a user’s data and may copy parts of the user’s data.

A questionnaire may belong to multiple definitions, in which case it needs to follow the most restrictive data deletion requirements. It is also possible that a questionnaire has multiple different groups of users with their own set of deletion policies, in which case each group can be handled according to their own requirements.

User deletion types

Destroy user: Describes the permanent deletion of the user and all associated QAS and data.

Anonymize user: Describes the permanent deletion of all personal identifiable information for the user and in all associated QAS but preserves the link between all QAS. Then mark user as disabled. Usage of this feature is dependent on questions marked with the proper GDPR privacy setting.

Unset user: Describes the permanent deletion of all personal identifiable information for the user and all associated QAS and convert all QAS to delete the user link. Then destroy the user. Usage of this feature is dependent on questions marked with the proper GDPR privacy setting.

The technical implementation of achieving any of these deletion methods may take advantage of marking the user as disabled or deleted and then batch up the actual deletion to a later date, but no more than 45 additional days delay. This will also make it possible to undo any wrongful deletions and make it possible to undo.

Questionnaire deletion types

Delete Data: Describes the permanent deletion of all collected data in a QAS, but not affect the user, the user link or the QAS itself (I.e. user, completion, CATI, mail and many other statistics is maintained).

Delete QAS: Describes the permanent deletion of all collected data in a QAS, but not affect the user or any of the user’s other info.

Anonymize QAS: Describes permanent deleting all personal identifiable information in the QAS and disconnecting the QAS from the user that filled it out but maintains the collected data. This can be done by converting it to No user, the Anonymous user or a new anonymous user. Usage of this feature is dependent on questions marked with the proper GDPR privacy setting.

Destroy questionnaire: Describes the permanent deletion of the questionnaire and all associated QAS, including all children of the questionnaire. I.e. if sample users are imported as children to questionnaire, these are destroyed as well. Same with DCS’ that are children of the questionnaire.

DCS Data

When a questionnaire is deleted (Any type), all DCS associated with the questionnaire should either be deleted with it or rebuilt to remove any previous personal data.

When a user is deleted (Any type), then it is nearly impossible to detect which DCS that user is included in. Any DCS policy must therefore specify that no personal data is included in a DCS, or that the DCS must be periodically rebuilt/deleted to prevent retention of data that should be deleted.

Possible policies

Keep collected data

Yes – When need to see historic data

Applicable for questionnaire types:

  • Background
  • Tracking
  • Completed recruitment
  • Products

No – When data usage eventually expires

Applicable for questionnaire types:

  • Ad-Hoc
  • Incomplete recruitment
  • Workflows

Methods:

  • Delete Questionnaire – When nothing needs to be kept. Must be NO to keep user link.
  • Delete QAS – When statistics doesn’t matter. Must be NO to keep user link.
  • Delete Data – Otherwise.

Keep user link

Yes, keep all – When need to see link between questionnaires, keep statistics/personal history, use for sampling.

Applicable for questionnaire types:

  • Background
  • Tracking
  • Completed recruitment
  • Products

Applicable for user types:

  • Registered users
  • Sample user to another questionnaire

Yes, anonymize – When need to see link between various questionnaire, but no need to be able to contact or identify physical person later.

Applicable for questionnaire types:

  • Ad-hoc

Applicable for user types:

  • Optout of Registered users
  • Multi questionnaire sample users

No, destroy user – When user should stay not in the system, and statistics/history per user does not matter.

Applicable for user types:

  • Sample user private to this questionnaire

No, keep user (Unset) – When deleting data, but still need access to the user, or when keeping data but no longer want to see who answered what or keep statistics.

Applicable for user types:

  • Sample user from another questionnaire
  • Registered users, where end-result must be anonymized completely


Appendix: How to

Scenario

Scenario

Scenario

Scenario

Scenario

Scenario

Scenario

Scenario

Scenario