Definitions

User definitions

Registered user: Describes a user that has agreed to participate in a panel or product.

Sample user: Describes a user that has been imported without explicit consent, or a user for which we act as data processor (I.e. an import from a client), or a user that has visited an external link of some kind and ends in a setup.

Product user: Is a user that has login rights to a product, administrate panel or view dashboard etc. A consultant is a product user. A product user is also a registered user. A user that is member of a panel is NOT a product user. If a user is member of multiple products, then the data deletion follows the requirements of each product, but user deletion follows the least restrictive.

Active user: Describes a registered user that has in some way been registered as interacting with us within a predefined timespan.

Possible inactive user: Describes a registered user that has in no way been registered as interacting with us within a predefined timespan and has been given no warning that their participation has lapsed.

Inactive user: Describes a Possible inactive user that has in no way been registered as interacting with us within a predefined timespan from the time of warning.

Optout user: Describes a user that has communicated with us that they do not wish to be an active user. This communication can either be through inactivity or through active optout. An active optout should add the user’s email/phone number to the blacklist.

Questionnaire definitions

Background questionnaire: Is all questionnaires that is made with the primary reason to collect historic data to use in other questionnaires.

Tracking questionnaire: Is all questionnaires in there is a continual or periodic collection of data.

Ad Hoc questionnaire: Is all questionnaires in which there is a clear start of collection and end of collection.

Recruitment questionnaire: Is all questionnaire in which a user is created during the qnaire in such a way that this user is identifiable as a physical person, or in which a sample user is converted to a registered user.

Workflow questionnaire: Is all questionnaire in which a user does not actively participate, but it does work on a user’s data and may copy parts of the user’s data.

A questionnaire may belong to multiple definitions, in which case it needs to follow the most restrictive data deletion requirements. It is also possible that a questionnaire has multiple different groups of users with their own set of deletion policies, in which case each group can be handled according to their own requirements.

User deletion types

Destroy user: Describes the permanent deletion of the user and all associated QAS and data.

Anonymize user: Describes the permanent deletion of all personal identifiable information for the user and in all associated QAS but preserves the link between all QAS. Then mark user as disabled. Usage of this feature is dependent on questions marked with the proper GDPR privacy setting.

Unset user: Describes the permanent deletion of all personal identifiable information for the user and all associated QAS and convert all QAS to delete the user link. Then destroy the user. Usage of this feature is dependent on questions marked with the proper GDPR privacy setting.

The technical implementation of achieving any of these deletion methods may take advantage of marking the user as disabled or deleted and then batch up the actual deletion to a later date, but no more than 45 additional days delay. This will also make it possible to undo any wrongful deletions and make it possible to undo.

Questionnaire deletion types

Delete Data: Describes the permanent deletion of all collected data in a QAS, but not affect the user, the user link or the QAS itself (I.e. user, completion, CATI, mail and many other statistics is maintained).

Delete QAS: Describes the permanent deletion of all collected data in a QAS, but not affect the user or any of the user’s other info.

Anonymize QAS: Describes permanent deleting all personal identifiable information in the QAS and disconnecting the QAS from the user that filled it out but maintains the collected data. This can be done by converting it to No user, the Anonymous user or a new anonymous user. Usage of this feature is dependent on questions marked with the proper GDPR privacy setting.

Destroy questionnaire: Describes the permanent deletion of the questionnaire and all associated QAS, including all children of the questionnaire. I.e. if sample users are imported as children to questionnaire, these are destroyed as well. Same with DCS’ that are children of the questionnaire.

DCS Data

When a questionnaire is deleted (Any type), all DCS associated with the questionnaire should either be deleted with it or rebuilt to remove any previous personal data.

When a user is deleted (Any type), then it is nearly impossible to detect which DCS that user is included in. Any DCS policy must therefore specify that no personal data is included in a DCS, or that the DCS must be periodically rebuilt/deleted to prevent retention of data that should be deleted.

Possible policies

Keep collected data

Yes – When need to see historic data

Applicable for questionnaire types:

• Background

• Tracking

• Completed recruitment

• Products

No – When data usage eventually expires

Applicable for questionnaire types:

• Ad-Hoc

• Incomplete recruitment

• Workflows

Methods:

• Delete Questionnaire – When nothing needs to be kept. Must be NO to keep user link.

• Delete QAS – When statistics doesn’t matter. Must be NO to keep user link.

• Delete Data – Otherwise.

Keep user link

Yes, keep all – When need to see link between questionnaires, keep statistics/personal history, use for sampling.

Applicable for questionnaire types:

• Background

• Tracking

• Completed recruitment

• Products

Applicable for user types:

• Registered users

• Sample user to another questionnaire

Yes, anonymize – When need to see link between various questionnaire, but no need to be able to contact or identify physical person later.

Applicable for questionnaire types:

• Ad-hoc

Applicable for user types:

• Optout of Registered users

• Multi questionnaire sample users

No, destroy user – When user should stay not in the system, and statistics/history per user does not matter.

Applicable for user types:

• Sample user private to this questionnaire

No, keep user (Unset) – When deleting data, but still need access to the user, or when keeping data but no longer want to see who answered what or keep statistics.

Applicable for user types:

• Sample user from another questionnaire

• Registered users, where end-result must be anonymized completely

Appendix: How to

Scenario 1

Do nothing

Scenario 2

Option 1 (Via GUI):

0. Check that the user isn’t used in any other questionnaire
1. Delete all those data marked with "delete when anonymizing" in the questionnaire
2. Delete email/phone number/name/address … from user in such a way we cannot undo it

Option 2 (Via CgScript):

number qnaireRId = xxxx;
number userRId = xxxxx;
array otherQnaireRId;
array qas = QAS_getByUserResourceId (userRId);
for(i for 0; qas.Count)
{
    if (qas[i][QAS_QUESTIONNAIRE_RESOURCE_ID] == qnaireRId)
    {
        //Delete data marked with "delete when anonymizing" in the questionnaire
        //	TODO
    }
    else otherQnaireRId.Add(qas[i][QAS_QUESTIONNAIRE_RESOURCE_ID]);
}
if(otherQnaireRId == empty)
{
    array user = User_getUserByResourceId(userRId);
    user[USER_FIRST_NAME] = "";
    user[USER_MIDDLE_NAME] = "";
    user[USER_LAST_NAME] = "";
    user[USER_PHONE_NUMBER] = {};
    user[USER_EMAIL] = "";
    user[USER_CURRENCY] = "";
    user[USER_TIMEZONE] = 0;
    user[USER_ADDRESS] = "";
    user[USER_CITY] = "";
    user[USER_ZIPCODE] = "";
    user[USER_REGION] = "";
    user[USER_COUNTRY] = "";
    user[USER_POSTBOX] = "";
    user[USER_WEBSITE] = "";
    User_save(user);
    print("The user is anonymized");
}
else print("The use is not anonymize due to being use on another qnaire:"+ convertToString(otherQnaireRId));

Scenario 3

Option 1 (Via GUI):

0. Check that the user isn’t used in any other questionnaire
1. Delete the User
2. Converting the QAS to no user
3. Delete data marked with "delete when anonymizing" in the questionnaire
4. Destroy the user

Option 2 (Via CgScript):

 
number qnaireRId = xxxx;
number userRId = xxxx;
array otherQnaireRId;
array qas = QAS_getByUserResourceId (userRId);
for(i for 0; qas.Count)
{
    if (qas[i][QAS_QUESTIONNAIRE_RESOURCE_ID] == qnaireRId)
    {
        //Delete data marked with "delete when anonymizing" in the questionnaire
        //TODO
        qas[i].UserResourceId = 0;
        qas[i].Save();
    }
    else otherQnaireRId.Add(qas[i][QAS_QUESTIONNAIRE_RESOURCE_ID] );
}
if(otherQnaireRId == empty )
{
    Resource_delete(userRId);
    print("Already deleted user and remove user link ");
}
else print("The use is not deleted due to being use on another qnaire:"+ convertToString(otherQnaireRId)+". So just remove user link");

Scenario 4

Option 1 (Via GUI):

0. Converting the QAS to no user
1. Delete all those data marked with "delete when anonymizing" in the questionnaire

Option 2 (Via CgScript):

number qnaireRId = xxxx;
number userRId = xxxx;
array qas = QAS_getByUserResourceId (userRId, qnaireRId);
for (i for 0; qas.Count)
{   
    qas[i].UserResourceId = 0;
    qas[i].Save();
    //Delete data marked with "delete when anonymizing" in the questionnaire
    //TODO
}

Scenario 5

Option 1 (Via GUI):

0. Check that users of the questionnaire aren’t used in any other questionnaire
1. Delete all associated users of the questionnaire
2. Converting all QASs of the questionnaire to no user
3. Destroy all associated users of the questionnaire
4. Delete the Questionnaire

Option 2 (Via CgScript):

number qnaireRId = xxxx;
number newParentRId = xxxx;
Dictionary userUsedInOtherQnaire;
array userRIdChangedPath;
array qQAS = QAS_getByQuestionnaireResourceId(qnaireRId);
for(j for 0; qQAS.Count)
{
    number userRId = qQAS[j].UserResourceId;
    if(userRId != 0)
    {
        array otherQnaireRId;
        array qas = QAS_getByUserResourceId (userRId);
        for(i for 0; qas.Count)
        {
            if(qas[i][QAS_QUESTIONNAIRE_RESOURCE_ID] == qnaireRId)
            {
                QAS_deleteData({qas[i].Id});
                qas[i].Test= true;
                qas[i].UserResourceId = 0;
                qas[i].Save();
            }
            else
            {
                otherQnaireRId.Add(qas[i][QAS_QUESTIONNAIRE_RESOURCE_ID]);
            }
        }
        if(otherQnaireRId == empty )
        {
            Resource_delete(userRId);
        }
        else
        {
            array userParent  = Resource_getParentResource(userRId);
            if (userParent[0][RESOURCE_RESOURCE_ID] == qnaireRId)
            {
                Resource_setParentResource(userRId, newParentRId);
                userRIdChangedPath.Add(userRId);
            }
            userUsedInOtherQnaire.Add(convertToString(userRId),otherQnaireRId);
        }
    }
}
Resource_delete(qnaireRId);
print("The qnaire is delete. Associated users also deleted. Some user are not deleted due to being use on another qnaire"+convertToString(userUsedInOtherQnaire)+". And some of them change to new Path because under the deleted qnaire"+convertToString(userRIdChangedPath));

Scenario 6

Option 1 (Via GUI):

0. Converting all QAS of the questionnaire to no user
1. Delete all those data marked with "delete when anonymizing" in the questionnaire
2. Delete the questionnaire

Option 2 (Via CgScript):

number qnaireRId = xxxx;
number newParentRId = xxxx;
array isChangedPathUserRId;
array qas = QAS_getByQuestionnaireResourceId(qnaireRId);
for(i for 0; qas.Count)
{
    number userRId = qas[i].UserResourceId;
    if (userRId !=0)
    {
        array userParent  = Resource_getParentResource(userRId);
        if (userParent[0][RESOURCE_RESOURCE_ID] == qnaireRId)
        {
            Resource_setParentResource(userRId, newParentRId );
            isChangedPathUserRId.Add(userRId);
        }
    }
    QAS_deleteData({qas[i].Id});
    qas[i].Test= true;
    qas[i].UserResourceId = 0;
    qas[i].Save();
}
Resource_delete(qnaireRId);
print("The qnaire is deleted. List UserRId under qnaire already moved to other parent:"+ convertToString(isChangedPathUserRId));

Scenario 7

Option 1 (Via GUI):

0. Check that the user isn’t used in any other questionnaire
1. Delete User
2. Delete QAS
3. Destroy user

Option 2 (Via CgScript):

number qnaireRId = xxxx;
number userRId = xxxx;
array otherQnaireRId;
array qas = QAS_getByUserResourceId (userRId);
for (i for 0; qas.Count )
{
    if(qas[i][QAS_QUESTIONNAIRE_RESOURCE_ID] == qnaireRId)
    {
        QAS_deleteData({qas[i].Id});
        qas[i].Test= true;
        qas[i].UserResourceId = 0;
        qas[i].Save();
    }
    else otherQnaireRId.Add(qas[i][QAS_QUESTIONNAIRE_RESOURCE_ID]);
}
if(otherQnaireRId == empty)
{
    Resource_delete(userRId);
    print("Already deleted user and associated QASs, data");
}
else print("The use is not deleted due to being use on another qnaire:" + convertToString(otherQnaireRId) + ". So just delete associated QASs and data, remove user link");

Scenario 8

Option 1 (Via GUI):

0. Converting the QAS to no user
1. Delete the QAS

Option 2 (Via CgScript):

number qnaireRId = xxxx;
number userRId = xxxx;
array qas = QAS_getByUserResourceId (userRId, qnaireRId);
for(i for 0; qas.Count)
{
    QAS_deleteData({qas[i].Id});
    qas[i].Test= true;
    qas[i].UserResourceId = 0;
    qas[i].Save();
}

Scenario 9

Option 1 (Via GUI):

0. Set data of all questions in the QAS to empty

Option 2 (Via CgScript):

number qnaireRId = xxxx;
number userRId = xxxx;
array qas = QAS_getByUserResourceId (userRId, qnaireRId);
for(i for 0; qas.Count)
{
    QAS_deleteData({qas[i].Id});
}