EBS: Data Privacy Policy in Everbridge Suite

Topic:

Data Privacy Policy.

Description:

What Is a Data Privacy Policy?

A Data Privacy Policy is a more granular control built on top of our current role-based access control (RBAC) framework. It gives organization administrators the capability to define and configure specific data protection rules that control view/edit capability on different sections of contact data for specific roles.

What Data Is Controlled by the Data Privacy Policy?

The following contact data can be controlled by the Data Privacy Policy. Please note that Visual Command Center (VCC), Resident Connection contacts and scheduling REST APIs are out of scope at this time.


Where Can I Find the Data Privacy Policy Setting Page?

The Data Privacy Policy is available at the Organization level for an Organization Administrator only. You can find the Data Privacy Policy setting in the manager portal under the Access tab in the top menu bar for your organization.



How to Apply a Data Privacy Policy

After a privacy policy is named and configured, it needs to be assigned to a specific role to take effect. (Note: Currently, a privacy policy can be applied to the Group Manager Role Type ONLY.)

There are two ways to assign a policy:

  1. Bulk assign a policy to multiple roles in the data privacy policy configuration page, or
  2. Assign the policy to an individual role when creating a new role or updating an existing role.

Note:

A role that has been assigned a privacy policy can be restricted from accessing certain fields of contact data, and this may cause some actions to fail. For example, a group manager role has the feature permission to create a contact but has no data permission to edit the general information of a contact. Creation of a new contact will fail in this case, since the contact fields External ID and Record Type are mandatory for new contact creation. Please confirm that your feature permission and data privacy policy settings do not conflict, to avoid unexpected errors.


Frequently Asked Questions

  1. What is the relationship between permissions (we also call them feature permissions) and data privacy policy?

Feature permissions control a feature (what you can do) while data privacy focuses on data access (what data you can see or edit). As an example, you might be able to download a contact record file, but you will not be able to view restricted fields within the download file that are controlled by a data privacy policy.

  2. How are restricted users prevented from viewing restricted data in the user interface?

How data is hidden from view depends on the scenario.
In the majority of cases, data will be masked as “***” to indicate that your role is restricted from viewing it.

  3. How are restricted users prevented from editing restricted data in the user interface?

How data is protected from editing depends on the scenario.
In the majority of cases, the edit icon or editable fields will be greyed out to indicate that users are restricted from editing them.

  4. Can a new privacy policy be created, or an existing policy assigned to a role, through the REST API?

Yes. A new set of REST APIs for privacy policy management is provided.
For more information, please see the Everbridge Developer Hub.

  5. Does the data privacy policy enforce restrictions on the existing REST APIs for retrieving/updating/creating contact data?

Yes, we will check the privacy policy applied to the API users and restrict them from retrieving/updating/creating contact data.

  6. How are restricted API users prevented from retrieving restricted data through the API?
  • If you are retrieving something for which you do not have view permission to the whole content, a 403 error will occur with the following response:
The role or user does not have the required data privacy permissions to request this API.
  • If you are retrieving something for which you do not have view permission to part of the content, the API will respond without error, but restricted content will not be available in the response.

For more information, please see the Everbridge Developer Hub.

  7. How are restricted API users prevented from updating/creating restricted data through the API?
  • If you are updating/creating something for which you do not have edit permission to the whole content, a 403 error will occur with the following response message:
The role or user does not have the required data privacy permissions to request this API.
  • If you are updating/creating something for which you do not have edit permission to part of the content, the API will respond without error, but restricted content will not be updated.

For more information, please see the Everbridge Developer Hub.
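
Because a partially restricted write returns without error, an integration cannot treat a success status as proof that every field was stored. The following is an added example, not Everbridge code: a client-side check that compares the fields sent with a follow-up retrieval of the same contact. The field names and record shapes are hypothetical, and the sample data is constructed.

```python
# Added example: field names and record shapes are hypothetical,
# not taken from the Everbridge API schema.

def audit_write(status, sent, reread):
    """Classify a contact create/update issued by a policy-restricted API user.

    status -- HTTP status code of the write request
    sent   -- dict of the fields submitted in the write
    reread -- dict from a follow-up retrieval of the same contact,
              or None if that retrieval was itself refused
    """
    result = {"outcome": None, "applied": [], "dropped": [], "unverifiable": []}
    if status == 403:
        # No edit permission to the whole content: nothing was written.
        result["outcome"] = "denied"
        return result
    if status >= 400:
        # Some other failure, not the data privacy response described above.
        result["outcome"] = "error"
        return result
    for field in sorted(sent):
        if reread is None or field not in reread:
            # The caller cannot view this field, so the write cannot be confirmed.
            result["unverifiable"].append(field)
        elif reread[field] == sent[field]:
            result["applied"].append(field)
        else:
            # Success status, but the stored value is not the one submitted.
            result["dropped"].append(field)
    clean = not result["dropped"] and not result["unverifiable"]
    result["outcome"] = "applied" if clean else "partial"
    return result


# Constructed sample: lastName is edit-restricted, externalId is view-restricted.
SENT = {"firstName": "Ana", "lastName": "Diaz", "externalId": "X-100"}
REREAD = {"firstName": "Ana", "lastName": "Dias"}

if __name__ == "__main__":
    print(audit_write(200, SENT, REREAD))
    print(audit_write(403, SENT, None))
```

Logging the "dropped" and "unverifiable" lists gives administrators a way to spot conflicts between a role's feature permissions and its data privacy policy.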
