diff --git a/source/features.rst b/source/features.rst index b051525e75db979d6cfc0237839afb2a4019df7d..74009e15c1083cbfefc6d9dac5b3486779a95e33 100644 --- a/source/features.rst +++ b/source/features.rst @@ -17,6 +17,8 @@ Relevant guides: - :ref:`subject-delete` - :ref:`study-create` - :ref:`study-delete` +- :ref:`data-protection-dashboard` +- :ref:`subject-export` .. TODO:: diff --git a/source/guides/data-protection.rst b/source/guides/data-protection.rst new file mode 100644 index 0000000000000000000000000000000000000000..d5b8febf6152e40fedb352e11ed3a31ec9c3c900 --- /dev/null +++ b/source/guides/data-protection.rst @@ -0,0 +1,50 @@ +.. _data-protection-dashboard: + +Use the date protection dashboard +================================= + +Click on **Data protection** on the front page to go to the data protection +dashboard. This dashboard lists tasks you need to take care of by initiating +follow-up steps for each category. + +- **Export requested** lists all subjects who requested a GDPR export. See + :ref:`subject-export` for the necessary steps. +- **To be deleted**, **No legal basis**, and **Unreachable** all list + subjects who should be deleted for different reasons. See + :ref:`subject-delete` for the necessary steps. + +In all those categories it usually makes sense to contact the subjects before +taking any action. For example, subjects often want only a part of their data +deleted. + +Most of the categories have legal time limits, so you should check the +dashboard regularly. + +.. note:: + + It is recommended to configure an email address that should receive email + notifications about new data protection tasks. Please ask your system + administrator to setup ``CASTELLUM_DELETE_NOTIFICATION_TO``. + + +.. _subject-export: + +Export all data related to a subject +==================================== + +According to GDPR, subjects have the right to get an export of all their data. +This is especially important for scientific measurements that need to be +provided in a common file format. Compared to that, the data stored in +castellum is rather simple (e.g. name and address). Still, it is possible to +generate a complete list of all the information that is stored in castellum on +a single subject. + +1. In the subject details, go to the **Export** tab + +2. If you see a message saying **No export requested**, you need to + explicitly **Request export**. The date of the request will be stored. + +3. The complete list can be printed or otherwise stored. + +4. Once the subject has received the export, click **Mark as answered** to + record how long it took to process this request. diff --git a/source/index.rst b/source/index.rst index b64377065c35cf1cc7b4578ea80d4f7394705467..5ccf6915c865bf69c90e746f51d0c8b9e03cfc12 100644 --- a/source/index.rst +++ b/source/index.rst @@ -21,6 +21,7 @@ Welcome to Castellum's documentation! guides/subject-management guides/study-management guides/subject-get-pseudonym + guides/data-protection guides/admin guides/consent-management diff --git a/source/roles.rst b/source/roles.rst index 4f240a41c03a1e02f6b320661ee8152d4c933591..770743372b3c0ec9ed70a968600d29723cfe8796 100644 --- a/source/roles.rst +++ b/source/roles.rst @@ -64,36 +64,15 @@ Relevant guides: Data Protection Coordinator ~~~~~~~~~~~~~~~~~~~~~~~~~~~ -The group of people who deal with data protection issues in the workplace should -take on the role of **Data Protection Coordinator** in Castellum. Technically, -Castellum provides a Data Protection Dashboard for this purpose. In this -dashboard, the **Data Protection Coordinator** can see subjects divided into -four categories: - -- Subjects that requested information regarding their personal data, -- Subjects that have been marked as **To be deleted** - - - This applies when a subject demanded a deletion of all scientific data - related to them. - - The **Data Protection Coordinator** can see all studies the subject - participated in. He will contact all **Principal Investigators** and demand - the deletion of collected study data (provided that these are still - attributable to the respective subject). - - Once all links to studies have been removed, the subject can be deleted - from the database. - -- Subjects for whom there is no (or no longer any) legal basis for keeping - them in the database and -- Subjects who cannot be contacted due to missing or wrong information regarding - their contact details. - -The **Data Protection Coordinator** has the task of cleaning up the dashboard by -initiating follow-up steps for each category. -To initiate such follow-up actions, the **Data Protection Coordinator** is enabled -to perform the following functions in the database: +The group of people responsible for data protection should take on the role of +**Data Protection Coordinator**. Castellum supports these users by providing a +**data protection dashboard** that collects all relevant information in a +single place. Relevant guides: +- :ref:`data-protection-dashboard` +- :ref:`subject-export` - :ref:`subject-delete` - :ref:`study-delete`