Privacy, Security & Compliance

Last modified: September 9, 2025

9.1 Data Protection (GDPR/FADP/PIPEDA)

  • Roles. GCRI is controller for Academy records; approved service providers act as processors. Partners may be joint controllers for co-badged programs (documented per MoU/DPA).
  • Data classes. Identity (name/email), learning data (enrolments, attempts, grades), artifacts (dashboards, code, GIS outputs), telemetry (xAPI/Caliper), accessibility needs, billing (if applicable).
  • Special categories. Processed only when strictly required (e.g., accessibility) with explicit safeguards; health/biometric data avoided unless legally necessary for a course and governed by an ethics review.
  • Data subject rights. Access, rectification, erasure, restriction, objection, portability; channel published in Support.

9.2 Lawful Basis, Consent & Minimization

  • Bases. Contract (teaching/assessment), legitimate interests (security, anti-fraud, service improvement with safeguards), consent (marketing, research participation), legal obligation (tax/audit).
  • Minimization. Collect only fields needed for outcomes and verification. Use pseudonymized IDs in analytics.
  • Transparency. Layered privacy notices at enrolment and before any secondary use.
  • DPIA. Required for high-risk processing (e.g., proctoring, sensitive datasets, face/voice capture). Mitigations recorded before go-live.

9.3 Retention, Archiving & Portability

  • Default schedule.
    • Transcripts & credentials (codes/revs, assertions, status): kept indefinitely for verification unless erasure is lawfully exercised.
    • Assessment artifacts & grade books: 6 years (or longer if law requires).
    • Telemetry (xAPI/Caliper): 1-year hot / 5-year warm, then aggregate.
    • Access/proxy logs: 12 months (security), shorter where law requires.
  • Portability. Learners can export: OB3/VC badges, machine-readable transcript (JSON/CLR), artifact bundles (with provenance).
  • Erasure. Where granted, revokes public access and deletes PII, preserving only the minimal cryptographic proofs (hashes) needed for later verification. Because names and e-mail addresses are guessable, the hashed input must include a per-record random salt that is deleted together with the PII; otherwise an anchored hash can be brute-forced back to a person from a list of known learners.

9.4 Dual-Use & Safety Review (Cyber/AI/Health/EO)

  • Screening. Courses/labs flagged if they could materially enable misuse (adversarial ML, offensive cyber, sensitive bio/health, fine-grained EO).
  • Controls. Gating (eligibility checks), environment sandboxing, red-team review, down-scoping of sensitive details, export/licensing checks, and ethics sign-off.
  • Logging. All approvals and mitigations recorded; re-review on each MAJOR course rev.

9.5 Vendor & Processor Management (DPAs)

  • DPAs & SCCs. Execute Data Processing Agreements with annexed technical/organizational measures; use Standard Contractual Clauses or equivalent for cross-border transfers.
  • Sub-processors. Public list with notice window; opt-out process where feasible.
  • Security assurance. Require independent attestations (e.g., ISO 27001/SOC 2), pen-test summaries, and incident SLAs.
  • Data residency. Honor regional storage commitments where contractually required.

9.6 Key Rotation & Credential Security

  • Issuer identity. did:web:nexus.gcri.org with KMS/HSM-backed keys; scheduled rotation every 12 months, or immediate rotation on suspected compromise.
  • Storage. Encryption at rest (server-side) and in transit (TLS 1.2+); least-privilege access; MFA for staff; admin actions recorded.
  • On-chain policy. Hash-only anchoring of assertions/status; no PII on public ledgers.
  • Content integrity. Signed packages for assessments/labs; checksum verification for artifacts; tamper-evident logs.
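The erasure rule in 9.3 and the hash-only anchoring policy above rest on the same mechanism: the value written to a public ledger is a commitment to the assertion, not the assertion itself, and it must stay unlinkable to a person once the PII is gone. The following is an added example (not GCRI's own code) of how that commitment is built and verified; the assertion shape, the sample recipients and the e-mail addresses are constructed for illustration. It also shows the failure mode the caveat in 9.3 warns about: an unsalted hash of guessable fields is recoverable by dictionary attack.

```python
"""Hash-only anchoring with erasure-safe commitments (added example, not GCRI code).

The assertion fields, names and e-mail addresses below are constructed sample data.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed sample: a minimal credential assertion as the issuer holds it.
ASSERTION = {
    "issuer": "did:web:nexus.gcri.org",
    "recipient": {"name": "Ada Example", "email": "ada@example.org"},
    "credential": "GIS-101",
    "issued": "2025-09-01",
}

# Constructed list of guessable identities, as an attacker scraping the ledger
# would enumerate from a learner directory or a past breach.
KNOWN_RECIPIENTS = [
    {"name": "Ada Example", "email": "ada@example.org"},
    {"name": "Bob Example", "email": "bob@example.org"},
]


def canonical(obj) -> bytes:
    """Deterministic JSON so the same assertion always hashes to the same value."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def naive_anchor(assertion: dict) -> str:
    """Anti-pattern: unsalted SHA-256 of the assertion. Reversible by guessing."""
    return hashlib.sha256(canonical(assertion)).hexdigest()


def commit(assertion: dict, salt: bytes) -> str:
    """Salted commitment: HMAC-SHA256 keyed with a per-assertion random salt."""
    return hmac.new(salt, canonical(assertion), hashlib.sha256).hexdigest()


def issue(assertion: dict):
    """Issuer side. Returns (anchor, bundle): only the anchor goes to the ledger;
    the bundle (assertion + salt) goes to the learner's export."""
    salt = secrets.token_bytes(32)
    anchor = commit(assertion, salt)
    return anchor, {"assertion": assertion, "salt": salt.hex()}


def issuer_record(assertion: dict, anchor: str, salt_hex: str) -> dict:
    """What the issuer keeps on file before any erasure request."""
    return {"anchor": anchor, "credential": assertion["credential"],
            "recipient": assertion["recipient"], "salt": salt_hex}


def erase(record: dict) -> dict:
    """Erasure: drop PII and the salt, keep the anchor so the proof still exists."""
    return {"anchor": record["anchor"], "credential": record["credential"], "status": "erased"}


def verify(bundle: dict, anchored: set) -> bool:
    """Verifier side: recompute the commitment from what the learner presents."""
    recomputed = commit(bundle["assertion"], bytes.fromhex(bundle["salt"]))
    return any(hmac.compare_digest(recomputed, a) for a in anchored)


def dictionary_attack(anchor: str, template: dict, candidates: list) -> Optional[dict]:
    """Attacker: substitute each known recipient into the public assertion shape
    and test the unsalted hash against the ledger value."""
    for who in candidates:
        if naive_anchor(dict(template, recipient=who)) == anchor:
            return who
    return None


if __name__ == "__main__":
    print("unsalted anchor leaks:", dictionary_attack(naive_anchor(ASSERTION), ASSERTION, KNOWN_RECIPIENTS))
    anchor, bundle = issue(ASSERTION)
    print("salted anchor leaks:", dictionary_attack(anchor, ASSERTION, KNOWN_RECIPIENTS))
    erased = erase(issuer_record(ASSERTION, anchor, bundle["salt"]))
    print("verifies after erasure:", verify(bundle, {erased["anchor"]}), erased)
```

The design point is who holds the salt. The issuer keeps it only until erasure; the learner keeps it in the artifact bundle exported under 9.3. After erasure the issuer holds an anchor it can no longer map to anyone, while a learner who kept the bundle can still prove the credential against the ledger, which is exactly the split the policy describes.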

9.7 Incident Response & Notification

  • Runbook. Detect → contain → eradicate → recover → post-mortem with owner + timeline.
  • Breach notification. Regulators without undue delay and, where feasible, ≤72h after awareness (GDPR-aligned). Affected users notified when high risk is likely.
  • Severities. P1 (credential/signing compromise, large-scale PII), P2 (localized data exposure), P3 (availability only).
  • Exercises. Tabletop at least annually; lessons learned drive control updates.

9.8 Legal Holds, Discovery & Audit Trails

  • Holds. Freeze relevant data/archives on counsel instruction; suspend deletion jobs.
  • Audit trails. Immutable logs (append-only) for issuance, revocation, grade changes, and admin access.
  • Chain of custody. Checksums for artifacts; timestamped status changes; reproducible exports on request.
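The "tamper-evident logs" in 9.6 and the "immutable (append-only)" audit trails above are the same control. What makes a log tamper-evident rather than merely write-protected is a hash chain: each entry commits to the previous entry's hash, so an in-place edit, a deletion or a reordering breaks every hash after it. The block below is an added example (not GCRI's own code); the event fields, actor names and sample events are constructed. It also shows the one thing a chain cannot catch by itself, silent truncation of the tail, and how publishing the head hash (for instance by the hash-only anchoring in 9.6) closes that gap.

```python
"""Append-only, hash-chained audit log (added example, not GCRI code).

Event fields, actor identifiers and the sample events are constructed.
"""
import hashlib
import json
from copy import deepcopy
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # previous-hash value for the first entry


def _canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, body: dict) -> str:
    """Binds this entry's body to the hash of the entry before it."""
    return hashlib.sha256(_canonical({"prev": prev_hash, "body": body})).hexdigest()


class AuditLog:
    """The only mutating operation exposed is append()."""

    def __init__(self) -> None:
        self._entries: List[dict] = []

    def append(self, actor: str, action: str, subject: str, **details) -> dict:
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = {
            "seq": len(self._entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,      # e.g. issue, revoke, grade_change, admin_access
            "subject": subject,
            "details": details,
        }
        entry = {"body": body, "prev": prev, "hash": entry_hash(prev, body)}
        self._entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the newest entry: the value to publish or anchor externally."""
        return self._entries[-1]["hash"] if self._entries else GENESIS

    def export(self) -> List[dict]:
        """Copy for auditors; the live log is never handed out by reference."""
        return deepcopy(self._entries)


def verify_chain(entries: List[dict], expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Returns (ok, index_of_first_bad_entry). Detects edits, gaps and reordering;
    with expected_head it also detects truncation of the tail."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["body"]["seq"] != i or e["prev"] != prev or entry_hash(prev, e["body"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


if __name__ == "__main__":
    log = AuditLog()
    log.append("issuer-svc", "issue", "assert-001", credential="GIS-101")
    log.append("staff:jdoe", "grade_change", "gradebook-42", old=71, new=88)
    log.append("issuer-svc", "revoke", "assert-001", reason="misconduct")
    head = log.head()
    print("intact:", verify_chain(log.export(), head))
    edited = log.export()
    edited[1]["body"]["details"]["new"] = 95
    print("edited grade:", verify_chain(edited, head))
    print("tail dropped, no anchor:", verify_chain(log.export()[:-1]))
    print("tail dropped, anchored head:", verify_chain(log.export()[:-1], head))
```

For a legal hold, the head hash recorded at the moment of the hold is the chain-of-custody checkpoint: any later export that does not verify against it is evidence of alteration, and suspending deletion jobs is what keeps the tail from being truncated in the first place.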

9.9 Terms of Use, Licenses & SPDX

  • Terms. Acceptable Use (no cheating, abuse, or circumvention), content & IP policy, research ethics, export control caveats.
  • Licensing. Course materials under stated license; learner artifacts remain the learner’s IP with a non-exclusive license to store and verify. All licenses tagged with SPDX identifiers.
  • Third-party data. Respect upstream licenses; display attribution; restrict redistribution if required.
  • Takedowns. Clear notice-and-action workflow for alleged infringement or rights violations.

9.10 Ethics Board & Rights Safeguards

  • Ethics Board. Independent advisors + internal leads; reviews DPIAs, dual-use proposals, sensitive dataset use, and research protocols.
  • Rights by design. Accessibility (WCAG 2.2 AA), non-discrimination, explainability of automated decisions affecting grades/eligibility, human appeal path.
  • Children/minors. No enrolment under local age of digital consent without verified guardian consent.
  • Complaints & appeals. Published channel; tracked SLAs; escalation to Academic Council where unresolved.

Acceptance Checklist (Privacy, Security & Compliance)

  • Role mapping (controller/processor/joint) documented; privacy notices published.
  • Lawful basis recorded for each processing purpose; DPIA completed for high-risk features.
  • Retention schedule enforced; exports (OB3/VC/CLR) available to learners.
  • Dual-use review completed for flagged courses; mitigations active.
  • DPAs/SCCs signed; sub-processor registry and change notices in place.
  • Keys rotated per policy; on-chain anchoring uses hash-only proofs.
  • Incident runbook tested; regulator/user notification templates ready.
  • Legal hold and immutable audit trails operational.
  • Terms/AUP and SPDX licensing visible on course/artifact pages.
  • Ethics Board charter active; accessibility, fairness, and appeal mechanisms verified.