Client Consent and Privacy

In response to recent trends, laws, and regulation changes, including the European Union (EU) 2016 General Data Protection Regulations (GDPR), XenDirect is moving to require client consent before a client profile is created and before marketing options are selected. We are using this opportunity to make these updates globally because we believe they are fundamentally better for our communities.

There are three features regarding privacy and consent:

• Client Personal Information Consent
• Client Consent Removal
  
• Marketing Preferences Consent

Listed with each of these topics are modifications taken by Xenegrade and actions users should take to be in compliance.

The topic of privacy, security, and consent is fluid and constantly changing. Changes made to this page will be date stamped. The latest revision of this page was made 5/29/2018 10:15 AM ET.

• Suggested contents of a Consent Statement - added 5/29/18 10:15 AM

---

Client Personal Information Consent
This refers to obtaining the client's consent to have their personal information recorded and saved. Features have been added to both the Admin module and WebReg module. Clients being registered who are within the European Union must be given the opportunity to give consent. From the Admin module, the consent process is manual and up to the discretion of the user to utilize. From the WebReg module, consent is required.

In both modules, when a client gives consent, a case note is recorded in the client's record with the date and time the consent is given. From the WebReg module, the IP address of the client at the time consent is given is also recorded. If a client later removes or retracts that consent, another client case note is recorded noting that consent has been removed. Client records added prior to 5/29/18 will have neither a "Consent Approved" or "Consent Removed" case note record by default.

Admin Module

• When creating a new client profile, users will see a [Consent Statement] function in the blue toolbar where the [New Client] function displays. This function will display a popup containing a consent statement the user can read to the client at the time they register in person or over the phone before entering the new client profile.
  
  • To add a consent statement, see Admin module consent-related Instruction Boxes.
• Once a client profile has been created and the user is in the view mode of the client profile, the user will see a [Consent] function in the blue toolbar. This function displays a popup and form to easily add the consent for a new or existing client profile. The consent statement and client's consent status also displays for the user's convenience. There are three display states for this consent function:
  
  • Consent+: This means the client has given consent and consent approved record exists.
  • Consent-: Means the client has removed consent and a consent removed record exists. A user should take action on this request based on their organization's policies.
  • Consent: If a + or - does not display, a consent record has not yet been recorded.
• To add a consent approved record:
  • Click the [Consent] function while in the view mode of the client's profile. Select the Type and Method along with any desired notes. Click [Submit] to record the consent record.
    
  • The user can also manually record a Client Case Note if desired.

WebReg Module

• When a client adds a new client profile, clients will be required to reply to a consent question on the new account form. This consent question displays just before the submit button. CLIENTS MUST GIVE CONSENT APPROVAL TO SAVE THE NEW ACCOUNT PROFILE. If the client does not consent to record their personal information, they will not be able to save the profile and will not be able to register for courses online. Existing clients are not affected by this consent question as their profile already exists.
  
• Consent Question: This is the displayed text next to the Yes checkbox the client will see in the new account form. There is also a link to the Consent Statement if they desire to read the organization's entire consent statement.
  
  • To add a consent question and consent statement, see WebReg module consent-related Instruction Boxes.
  • If no consent question is recorded, the default question reads: Do you give consent for us to record your personal data for the lawful purpose of providing and managing an educational service?
  • If no consent statement is recorded, the organization's existing Privacy Policy will display instead.
• If the client does not give consent, they will see a message prompt with instructions on how to register via an alternative method or will see the organization's "Decline Consent" message. The organization should be prepared to handle clients that desire to register for courses but do not consent to record their personal data electronically.
  
  • To add consent declined instructions, see WebReg module consent-related Instruction Boxes.
  • If no consent declined Instruction Box exists, this default text will display: Without Profile Consent, please contact our office to register via an alternative method.
• If the client gives consent, a client case note is recorded and the client continues to register as usual.

Suggested Contents of a Consent Statement

• Lawful basis for collecting data
• Consent process for minors, underage, and persons with special monitoring needs
• Personal data collected and how it is used
• Third-party vendors data is shared with
• Data retention period
• Privacy policy
• Data breach plan
  
• How clients can access their data
• How data has portability
• How data inaccuracies are handled (internal and with third-party vendors)
• How clients can have their data erased
• How staff are instructed and trained to handle data

---

Client Consent Removal

Clients must be given an opportunity to request that their data be removed from the system. The WebReg module provides one method of submitting that request. Organizations may also have additionally supported methods handled internally.

• From within the WebReg module, clients can go to the MyAccount Profile option and edit their profile.
• The consent question will default to Yes based on their previous consent. The client can, however, remove their consent by changing the reply to No.
• When they submit this profile change:
  
  • A consent removed client case note is recorded.
  • An email is sent to the client confirming their removal request.
  • The same client email is CC copied to the organization via the Notification Email address.
    
  • The organization should action to delete the client's records or make their profile anonymous.
• To add an email template for the consent removal, create a new template using the reserved title "WebReg Consent Removed". If the organization's copy of the email should be sent to an email address other than the Notification Email address, add an Alt Return Email in the email template.

When an existing client requests that their personal data be removed from the system, XenDirect provides two options.

• Delete Client: This process deletes all the records for one client.
• Anonymous Client: This process removes fields that could identify a client.
• See Delete One Client for more detail on each of these two options.

---

Marketing Preferences Consent

Clients registering from within the European Union must be given an opportunity to Opt-In to marketing preferences. The WebReg module has the option to default the marketing preferences profile question as Opt-In or Opt-Out. This feature still exists. However, if organizations have clients that register from within the EU, an option has been added to display an additional question at the start of a new client profile asking the client if they are within the EU. If they reply Yes, the marketing preferences section of the client profile defaults to Opt-In regardless of the default setting. If the client replies No (the default value), the marketing preferences are set to Opt-In or Opt-Out based on the organization's setting.

The EU profile question only displays if enabled and is not a saved field. It is used only to determine if the marketing preferences profile question should default to Opt-In. To enable the display of the EQ profile question:

• Edit the Web Options of the Branch Profile.
• Go to the Client Profile tab of the Web Options settings.
• Change the [Enable UE Check] setting to Yes.
• Click OK to save the setting.
• This question will now display as the first field in a new account form in the WebReg module: Are you within the European Union?