1KA application and preparations for GDPR (General Data Protection Regulation)

The new GDPR (General Data Protection Regulation) legislation will be enforced across all member states starting on 25 May 2018. The GDPR is a complex regulation that seeks to ensure the personal data protection of European residents. It includes rules on how organisations collect, process, archive and use personal data.

The 1KA is an open-source application that supports and integrates all stages of the web survey data collection process. Within this context, a registered 1KA user who is the author of a specific questionnaire (and related data) is the controller while the 1KA application plays the role of processor.

The following preparations are being carried out by 1KA to comply with the GDPR regulations:

1. With respect to security backup copies (backup versions) of the data, 1KA will take account of the generally accepted practice that requests for the deletion of personal data (Right to Erasure, Article 17) are processed only at the primary source. The erasure in security backup copies is conducted only at eventual restoration of a specific security backup copy. However, what it is essential here is that any restoration procedure is controlled by a strict system for documenting any access to backups. The responsible person in charge of a particular survey should whenever a backup is restored therefore also re-perform the required deletion of the corresponding data.
2. The Centre for Social Informatics, Faculty of Social Sciences, University of Ljubljana will take care of all installations of 1KA located on its servers so that they comply with the GDPR. These installations are all based on the Linux operating system (Red Hat), including the main 1KA installations at the domain www.1ka.si and all subdomains *.1ka.si. The following functionalities will be ensured and documented:         
   1. fully encrypted security backups of MySQL Server databases; and
   2. full tracking for all logs on the server (via Linux Audit daemon), including the documenting of all changes and interventions.
3. Concerning the 1KA user interface, the author of a survey (i.e. the controller) will be offered new functionalities to help ensure surveys satisfy the GDPR:
   1. An overview (i.e. browsing interface) of all surveys by a certain author will be provided where they can indicate whether a particular survey must comply with the GDPR. In the first stage, 1KA will automatically identify surveys that potentially include personal data. This will be done using the names of variables (e.g., email, name, surname, address) and any use of the integrated 1KA email system.
   2. An interface will be created to enter the general GDPR information for all surveys by a specific author. This particularly includes the name of the DPO (data protection officer) in the organisation, a description of how information is processed (usage, analysis, publication, archiving), erasing request procedures, contact information etc. This information will then be made available to (potential) respondents of all surveys prepared by a certain author.
   3. An interface for reviewing and managing requests for erasing submitted by respondents will be created for each author for the corresponding surveys.
   4. In addition to the above-mentioned functionalities which concern general aspects of managing the GDPR for all surveys for which a certain author (i.e. controller) is responsible, the following features will be available at the level of a specific survey for collecting personal data and to comply with the GDPR:
      1. An interface for entering and modifying additional information for a specific survey will be created. The author of a survey will be able to make a precise statement about the set of personal data collected in the survey, the nature and purpose of processing the data, and indications as to whether and when certain personal data will be (automatically) deleted (e.g. e-mail address).
      2. The survey’s author will also be offered a standard template to inform respondents, who will then be automatically exposed to a special intermediate page that gives information about the GDPR. At the same time, the page will include a request to explicitly confirm their agreement to the contents of the survey by each respondent. Without this explicit consent, a respondent will be unable to proceed with the questionnaire.
4. For the respondents, preparations are being made for the following templates that the author of a survey can further modify, if required:
   1. Respondent's agreement form, which will be shown before starting the questionnaire (see 3/d/ii). If the questionnaire does not collect any GDPR-related personal data, the respondent will only be additionally notified about the privacy of the data collection.
   2. A generic form will be created at the 1KA website for respondents to submit requests for erasing personal and/or other survey response data collected by 1KA. The completed forms will be delivered to the author of the survey who is responsible for the erasing process. Automatic monitoring, reminders, alerts and acknowledgments will be provided by the 1KA system.
5. The integrated 1KA email system for invitations to survey questionnaires will be updated to provide for the simplified deletion of the corresponding email address (and related data on the respondent) in accordance with the GDPR. With respect to the strict separation of personal data (e.g. invitation email) and survey responses, 1KA already technically keeps the data apart and the controller is unable to make any matches.
6. The tracking and documentation of all changes in the survey data (as well as changes in the questionnaire) is already established at 1KA. This is also true for all insights into the data made by the author of a specific 1KA survey, as well as by the manager or administrator. This documentation is already available in full detail within the 1KA Archives, accessible on the second level of all navigations when a certain 1KA survey is being dealt with. In addition, the interface for browsing and for insight into archives will be updated to make it more user-friendly.
7. According to Article 28 of the GDPR, a corresponding annex to the contract will be signed with the cloud service provider (Akson d.o.o.) which hosts the main 1KA installation at www.1ka.si.
8. In cases when 1KA is installed on the own server of the user (i.e. an organisation or the survey author), the user/author (i.e. controller) is also responsible for points (1) and (2) described above. Should other processors (e.g. cloud service) also be involved, the user/author needs to also formally establish responsibility with these other processors (see point 7 above).