Feature Wiki

Information about planned and released features

Tabs

Declaration of Data Protection

Definitions:

  • 'Terms of Service' » 'Nutzungsvereinbarung'
  • 'Declaration of Data Protection' » 'Datenschutzerklärung'

1 Initial Problem

ILIAS has an area for 'Terms of Service', which is often used for providing of 'Declaration of Data Protection'.
This is often done in the following way:

  1. Renaming the service 'Terms of Service' in all its language variables ('Terms of Service' »» 'Declaration of Data Protection'.)
  2. Addition of the service 'Terms of Service' in all its language variables ('Terms of Service' »» 'Terms of Service and Declaration of Data Protection')
  3. Place a content page 'Declaration of Data Protection', which is then either made available via mainbar entry or placed in the footer, if a custom skin exists.

All this is rather bad than good.

  • In case 1 only the 'Declaration of Data Protection' is available for use. The procedure for misappropriation is rather tinkered.
  • In case 2, the combination must be maintained. If one document is modified, the other must be approved again. Two inseparable parts.
  • In case 3 an approval is not possible. An entry in the mainbar is oversized. No country-specific solution is feasible.

2 Conceptual Summary

The requirements of providing a 'Declaration of Data Protection' are often as following:

  • Active consent to the document (a common requirement, although not always).
    • The document should be visible as part of the registration process.
    • The document should be re-consent when changes are made - as a requirement for using the system.
    • When consent is given, there should be a history of consent.
  • Easy access to the document that has been approved or placed.
  • The document should be able to be placed in different languages (from the knowledge of the legal framework of the 'Terms of Service', it is also assumed that country-specific differences must be taken into account. It is a legally reliable document).

Many of the requirements that have already been made and implemented on the 'Terms of Service' are also to be applied to the 'Declaration of Data Protection'.
The principal features are as following:

  • Providing of different 'Declaration of Data Protection's (Similar to 'Terms of Service')
    • for different languages of the document
    • for different countries of users
    • for different roles
  • Selection to mandatory consent and thus consent as the basis of use
    • The option "Mandatory Approval" applies to the entire platform. This means for all placed documents or for none.
    • If consent is withdrawn, the user account can be deleted, if the corresponding feature is activated. [*1]
    • Not to consent to an updated document will delete the user account, if corresponding feature is activated. [*1]
  • Withdrawal of consent to the agreed 'Declaration of Data Protection'
  • Historisation of consents to 'Declaration of Data Protection' (including consent time and date in properties of an user)
  • The service is administered via a separate administration node called 'Declaration of Data Protection' - almost equivalent to the 'Terms of Service'.

*1 The feature Withdrawl of Consent  provokes deleting User Account (published with ILIAS 7) is moving to 'Declaration of Data Protection'.
It is no longer available in the context of 'Terms of Service'. This feature is only available for local Users with ILIAS Auth. The feature is deactivated by default. The setting made for 'Terms of Service' is not transferred to the Declaration of Data Protection, as there is no way of ensuring that the service is activated and what is in the texts of the documents.

ILIAS should inform administrators about the change and that an action may be possible required. This could be placed in the two admin nodes, similar to the migration of certificates (ILIAS 5.4), or communicated in the setup of the update or with an administrative notification to global role 'adminstrator' only showing after update.

The user will receive the 'Declaration of Data Protection' in the following ways:

  •  In case of mandatory approval to consent the document:
    • In case of self-registration (ILIAS Auth) at the end of the registration form, with correspondingly required checkbox. (1st: 'Declaration of Data Protection' 2nd: 'Terms of Service')
    • For all other registrations/authentications when the user logs in for the first time.
    • For existing accounts and first-time presentation of the 'Declaration of Data Protection' at the next log-in.
    • For existing accounts for which the previous approved document is no longer valid, a new document will be submitted based on the validity of criteria that now apply. An updated document only, will not be submitted for confirmation, if the user's validity of criteria have not changed. (This is the same behaviour as for 'Terms of Service'.)
  • In case of non-mandatory approval
    • Access to 'Declaration of Data Protection' via footer (in order before 'Terms of Service').
      • In case of prior consent, option to withdrawl. Withdrawl leads to the user's logout.

3 User Interface Modifications

3.1 List of Affected Views

  • New Admin-Node "Declaration of Data Protection"
    • Structure almost equivalent to the 'Terms of Service'
    • Declaration of Data Protection | Settings (Landing Page) | Acceptance History | Permissions
  • Additional form element in registration process
  • New Entry in Footer

3.2 User Interface Details

  • New Admin-Node 'Declaration of Data Protection' is listed before 'Terms of Service' (MockUp shows wrong order in 'Administration'-Slate, sorry)
  • Setting for mandatory approval of 'Declaration of Data Protection' and reevaluate-setting on this.
  • New Entry in Footer is calling a modal as known by 'Terms of Service'. Contains the uploaded documents.

New Admin-Node 'Declaration of Data Protection'

Setting Screen in Administration

Changes in Settings of 'Terms of Service' and 'User Management'

Function is not longer provided in Terms of Service.
changed basis of the function (now: Declaration of Data Protection)

Acceptance History (functionally identical to 'Terms of Service')

Acceptance History

Information of user contains consent of 'Declaration of Data Protection'

History of consent in User Management-view // Access to the document that has been approved or placed

Presentation of 'Declaration of Data Protection' and Request for first Approval or Re-Approval 

(If there is a 'Terms of Service' it is shown within an own Approval Process after the Appoval Process of 'Declaration of Data Protection'.)

After first Login or change of the document, also the "Declaration of Data Protection" should be accepted separately before "Terms of Service".

Presentation of 'Declaration of Data Protection' and 'Terms of Service' in Registration Form

During self registration process the area "Declaration of Data Protection" should be listed additionally. With consent requirement if configured. (Listed before 'Terms of Service')

3.3 New User Interface Concepts

None. 
We need an Icon for 'Declaration of Data Protection'. It should be different from that of 'Terms of Service'. 
(possibly a paragraph with a lock and a silouhette of an user to 'Declaration of Data Protection' and a paragraph with a document to 'Terms of Service')

3.4 Accessibility Implications

There are no special requirements that will degrade or improve the Accessibility.

4 Technical Information

"Terms of Service" and "Declaration of Data Protection" should share most of the code base. This means, that there will be an abstraction for some parts of these components. Furthermore we would like to intrdocue the "Repository Pattern" instead of "ActiveRecord" (which is used for the model/storage purposes).

5 Privacy

The feature is intended to cover request for better accessible data protection-relevant documents. In addition, it should be possible to maintain them separately from the 'Terms of Service', if the 'Declaration of Data Protection' is also agreed to.

If mandatory approval is required, a acceptance history is kept.
More legal compliance can be created on the user and operator side.

6 Security

Nothing special. No general implications on this feature.

7 Contact

8 Funding

If you are interest in funding this feature, please add your name and institution to this list.

9 Discussion

Samoila, Oliver [oliver.samoila], 10 JAN 2023 :

This Request is related to two other: (a) consolidation of all legally relevant texts in a New administration node ‘Legal Regulations‘ and (b) more compact access to the »Legal Regulations« for users.

JourFixe, ILIAS [jourfixe], 06 MAR 2023: We highly appreciate this suggestion and schedule the feature for ILIAS 9 - but would like to keep the option for a mandatory ToS and the related mechanism to delete account in case of withdrawl of the ToS acceptance. Please clarify the FR accordingly. In general, we highly appreciate to get a common code base for all legal documents, incl. accessiblity information and the legal notice.

10 Implementation

Settings Screen of Declaration of Data Protection
Acceptance History
Optional Account Deletion on Withdrawal
Informations about Agreement on User Management
Terms of Service and Declaration of Data Protection in Self-Registration
Access to Declaration of Data Protection in Footer

Test cases completed at 2023-10-25 by Samoila, Oliver [oliver.samoila]
The test cases are based on those of the Terms of Service. The contents of these were updated, expanded and corrected, and necessary additional cases were added.
The test cases are subject to further attention, as many identifiers have changed with ILIAS 8 as well as 9 and the test cases do not yet reflect this.

  • Globale Einstellungen
    • C63560 Anzeige der Formulars
    • C63561 Aktivieren der Datenschutzerklärungen (keine Dokumente vorhanden)
    • C63562 Aktivieren der Datenschutzerklärungen (Dokumente vorhanden)
    • C63563 Deaktivieren der Datenschutzerklärungen
    • C63564 Hinweis über fehlende Datenschutzerklärungen
    • C63565 Re-Evaluation von Datenschutzerklärungen
  • Pflege der Dokumente
    • C63566 Auflistung von Dokumenten
    • C63567 Datenschutzerklärungen global für alle Benutzer zurücksetzen
    • C63568 Dokument hinzufügen: Darstellung des Formulars
    • C63569 Dokument für eine Datenschutzerklärungen hinzufügen: Absenden des Formulars
    • C63570 Dokument bearbeiten: Darstellung des Formulars
    • C63571 Dokument bearbeiten: Absenden des Formulars
    • C63572 Löschen von Dokumenten der Datenschutzerklärungen (Bestätigungsdialog)
    • C63573 Löschen von Dokumenten
    • C63574 Sortieren von Dokumenten
  • Kriterien festlegen
    • C63575 Kriterium hinzufügen: Darstellung des Formulars
    • C63576 Kriterium hinzufügen: Absenden des Formulars
    • C63577 Zuweisung des Kriteriums bearbeiten: Darstellung des Formulars
    • C63578 Zuweisung des Kriteriums bearbeiten: Absenden des Formulars
    • C63579 Zuweisung des Kriteriums löschen
  • Zustimmungshistorie
    • C63557 Auflistung der Zustimmungshistorie
    • C63558 Anwenden eines Filters
    • C63559 Anzeige im Benutzerkonto
  • Anzeige/Akzeptieren von Datenschutzerklärungen
    • C63580 Ermittlung/Evaluierung von Datenschutzerklärungen
    • C63581 Anzeige einer zutreffenden Datenschutzerklärung bei der Selbstregistrierung
    • C63582 Verlinkung und Anzeige auf der Anmelde-Seite
    • C63583 Vorlage nach erfolgreicher Anmeldung/Authentifizierung in der Benutzeroberfläche
    • C63584 Auswirkungen nicht akzeptierter Datenschutzerklärungen auf den Mail-Service
    • C63585 Optionale Re-Evaluation der Datenschutzerklärung nach dem Login
  • Datenschutzerklärungen ablehnen  
    • C63586 Einstellungen zur Ablehnung von Datenschutzerklärungen
    • C63587 Anzeige der Widerrufsoption im Datenschutzerklärungs-Modal
    • C63588 Re-Login Prozedur beim Widerruf der Zustimmung zur einer Datenschutzerklärung
    • C63589 Finalisierung Widerruf der Datenschutzerklärungen
    • C63590 Anzeige der Nicht-Akzeptanzoption bei initialer Anzeige der Datenschutzerklärung 

Approval

Approved at 2023-10-26 by Samoila, Oliver [oliver.samoila].

Last edited: 8. Jan 2024, 09:53, Kunkel, Matthias [mkunkel]