09-28-2016 09:50 AM
is alfresco POPI compliant? Is there a list of all policies Alfresco is compliant with which I can point client and potential client to?Thanks!
09-28-2016 02:25 PM
Are you referring to Alfresco the company or Alfresco the product. Because in my experience it is difficult for a "generic" product to be compliant to any of these policies without taking the specific implementation at a specific company / customer and any procedures around the operation of such a system into account. As such, Alfresco the company may be compliant, but Alfresco the product (as it is downloaded) can't be just by itself.
09-28-2016 02:25 PM
Are you referring to Alfresco the company or Alfresco the product. Because in my experience it is difficult for a "generic" product to be compliant to any of these policies without taking the specific implementation at a specific company / customer and any procedures around the operation of such a system into account. As such, Alfresco the company may be compliant, but Alfresco the product (as it is downloaded) can't be just by itself.
09-29-2016 03:26 AM
Sorry about that, I meant the product.
What we usually look at is the following which is usually enough for most clients:
Passwords are not enough to ensure the integrity of sensitive material. We integrate Alfresco ECM with AD/LDAP to ensure the owner of the information can be identified and the people who accessed the content are known as well. An ACL is put in place to ensure the right people have the right permission on content and data encryption(optional) for privacy
I just wonder if its enough to say that POPI compliance depends on the implementation
Thanks!
09-29-2016 04:53 AM
This description - although still very generic - is what I meant with compliance being implementation-dependant. Alfresco does not require AD/LDAP integration and can even be used with ACLs deactivated. Only with this description that specifies how Alfresco is actually being used can compliance be documented / argued.
10-19-2016 01:12 PM
Let's try to do an exercise about how Alfresco can cover some of the main POPI requirements.
Notice that Alfresco is mainly a platform, it is not a product. This means that an Alfresco project is typically a development project, imagine to use it as a framework for building your own content management application on top of the Alfresco repository. You have to consider some effort for modeling, configuring, integrating and testing your extended components and features for your needs.
We can try to summarize the main POPI requirements matching the existent built-in features and the potential capabilities available in Alfresco below, please feel free to contribute with your comments
1. Accountability
You, as a business or data collector, must ensure that all of the Act’s principles and the measures are complied with and adhered to.
If you consider what Alfresco does when you upload a new document in the repo at 90% you are ok with this because if the content has a known mimetype Alfresco can extract standard metadata that allows you to easily find the content. The content itself is not modified but decorated with some properties and metadata for implementing a tailored content model focused on your specific business case.
2. Processing limitation
Processing of information must be done in a lawful manner that does not infringe on individual’s privacy rights. Personal information can only be processed if the processing is adequate and relevant, and in accordance to which the information is to be used.
Alfresco supports an advanced ACL configuration and it allows you to configure specific permissions and roles against spaces or a single content. You can also extend the built-in roles with your own specific definition of permissions for your roles.
3. Purpose specification
Personal information must only be collected for a particular purpose and the individuals whose information is being collected must be made aware of this. Records must not be kept for longer than necessary, once the purpose for which the information has been collected has been achieved, information must be disposed of safely and in accordance with the law.
Alfresco can be configured for managing the disposition and the lifecycle of contents according to due date or specific workflows that need to check a range of dates. In this way you can implement your lifecycle that define the behavior for importing contents, how and how long should be indexed and when contents must be archived or deleted. The main features related to this purpose is shown in any videos related to the Records Management module.
4. Further processing limitation
Further processing of the information must be in accordance with the purpose of the reason for the initial collection.
This clearly depends about what you are doing with the platform and how you are extending it for covering all the constraints and requirements.
5. Information quality
You, as a business, as a holder of the data, must take reasonable and actionable steps to ensure that personal information collected is complete, accurate, transparent and updated, in accordance with the original purpose for the collection of personal information.
Again this depends on you, this means that you can integrate Alfresco with external data sources, databases or web services for dropping for example some registries for decorating your contents in the right way. Creating your own scheduled actions and jobs you totally cover this POPI requirements.
6. Openness
Steps are required to ensure that individuals whose data is being collected is aware of the personal information being collected and the purpose of the collection.
You can add some notifications via email or any other channel for asking to update personal information in the system. You can configure your own job with your own custom email templates. In this way users can check their own contents in the platform directly, if it is possible by the business case. Otherwise you can extend the platform for generating some reports (CSV, Excel, Word, PDF and so on) to send for asking confirmation. Alfresco supports many trasformers and extractors and you can easily extend the platform for implementing your own rendition for reports.
7. Security safeguards
You, as a business and data collector, must secure the personal information under your possession/control. Should a security breach occur, you must notify the individual or individuals whose information is compromised.
This is just a monitoring operational feature, you can configure or add your own auditing system for avoiding any strange operation or activity.
Alfresco One includes JMX tools that allows you to change, enable and disable on the fly many of the core features of the repository such as: clustering, read/write mode, disable user authentication, disable user account, and so on.
8. Data subject participation
The individual whose data has been collected can request whether you as an organisation are holding their private information, and what information is it that is being held. They may also request the correction or deletion of information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
The Alfresco Administrator group can work on any content in the repo and they can do any gardening activity.
Consider that you can add an automatic behavior fired when any admin user add, change or remove some contents in a folder, owned by someone else, then Alfresco can send an email to confirm the requested change.
Tags
Find what you came for
We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.