9.1 Data Protection (GDPR/FADP/PIPEDA)
- Roles. GCRI is controller for Academy records; approved service providers act as processors. Partners may be joint controllers for co-badged programs (documented per MoU/DPA).
- Data classes. Identity (name/email), learning data (enrolments, attempts, grades), artifacts (dashboards, code, GIS outputs), telemetry (xAPI/Caliper), accessibility needs, billing (if applicable).
- Special categories. Processed only when strictly required (e.g., accessibility) with explicit safeguards; health/biometric data avoided unless legally necessary for a course and governed by an ethics review.
- Data subject rights. Access, rectification, erasure, restriction, objection, portability; channel published in Support.
9.2 Lawful Basis, Consent & Minimization
- Bases. Contract (teaching/assessment), legitimate interests (security, anti-fraud, service improvement with safeguards), consent (marketing, research participation), legal obligation (tax/audit).
- Minimization. Collect only fields needed for outcomes and verification. Use pseudonymized IDs in analytics.
- Transparency. Layered privacy notices at enrolment and before any secondary use.
- DPIA. Required for high-risk processing (e.g., proctoring, sensitive datasets, face/voice capture). Mitigations recorded before go-live.
9.3 Retention, Archiving & Portability
- Default schedule.
  - Transcripts & credentials (codes/revs, assertions, status): kept indefinitely for verification unless erasure is lawfully exercised.
  - Assessment artifacts & grade books: 6 years (or longer if law requires).
  - Telemetry (xAPI/Caliper): 1-year hot / 5-year warm, then aggregate.
  - Access/proxy logs: 12 months (security), shorter where law requires.
- Portability. Learners can export: OB3/VC badges, machine-readable transcript (JSON/CLR), artifact bundles (with provenance).
- Erasure. Where granted, revokes public access, deletes PII, preserves minimal cryptographic proofs (hashes) that cannot be related back without PII.
9.4 Dual-Use & Safety Review (Cyber/AI/Health/EO)
- Screening. Courses/labs flagged if they could materially enable misuse (adversarial ML, offensive cyber, sensitive bio/health, fine-grain EO).
- Controls. Gating (eligibility checks), environment sandboxing, red-team review, down-scoping of sensitive details, export/licensing checks, and ethics sign-off.
- Logging. All approvals and mitigations recorded; re-review on each MAJOR course rev.
9.5 Vendor & Processor Management (DPAs)
- DPAs & SCCs. Execute Data Processing Agreements with annexed technical/organizational measures; use Standard Contractual Clauses or equivalent for cross-border transfers.
- Sub-processors. Public list with notice window; opt-out process where feasible.
- Security assurance. Require independent attestations (e.g., ISO 27001/SOC 2), pen-test summaries, and incident SLAs.
- Data residency. Honor regional storage commitments where contractually required.
9.6 Key Rotation & Credential Security
- Issuer identity. did:web:nexus.gcri.org with KMS/HSM-backed keys; 12-month rotation or on incident.
- Storage. Encryption at rest (server-side) and in transit (TLS 1.2+); least-privilege access; MFA for staff; admin actions recorded.
- On-chain policy. Hash-only anchoring of assertions/status; no PII on public ledgers.
- Content integrity. Signed packages for assessments/labs; checksum verification for artifacts; tamper-evident logs.
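
How the hash-only anchoring in 9.6 and the erasure rule in 9.3 can fit together, as an added example that is not GCRI's implementation. It assumes a per-assertion random salt and HMAC-SHA-256 (neither is specified by this policy), and the class and function names are hypothetical; the salt is what stops an observer from confirming a guessed name or email against the public digest.

```python
import hashlib
import hmac
import json
import secrets

def canonical(assertion: dict) -> bytes:
    # Simplified canonical form (sorted keys, no whitespace); an assumption,
    # not a format this policy specifies.
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()

def commitment(assertion: dict, salt: bytes) -> str:
    # Keyed digest: without the salt, guessed PII cannot reproduce it.
    return hmac.new(salt, canonical(assertion), hashlib.sha256).hexdigest()

class Issuer:
    def __init__(self):
        self.ledger = []    # stands in for the public ledger: digests only
        self.records = {}   # off-chain store: digest -> (assertion, salt)

    def issue(self, assertion: dict):
        salt = secrets.token_bytes(32)
        digest = commitment(assertion, salt)
        self.ledger.append(digest)
        self.records[digest] = (assertion, salt)
        return digest, salt  # the learner's export carries assertion + salt

    def erase(self, digest: str) -> None:
        # Erasure: drop PII and salt off-chain; the anchored digest remains.
        self.records.pop(digest, None)

def verify(ledger, assertion: dict, salt: bytes) -> bool:
    digest = commitment(assertion, salt)
    return any(hmac.compare_digest(digest, entry) for entry in ledger)

def unsalted_guess_hits(ledger, candidates) -> bool:
    # What a ledger observer can try: hash guessed assertions without the salt.
    guesses = {hashlib.sha256(canonical(c)).hexdigest() for c in candidates}
    return any(entry in guesses for entry in ledger)

# Constructed sample assertion (not real data).
SAMPLE = {"badge": "example-course-v1", "email": "learner@example.org", "name": "A. Learner"}

def demo() -> dict:
    issuer = Issuer()
    digest, salt = issuer.issue(SAMPLE)
    issuer.erase(digest)
    return {"holder_verifies": verify(issuer.ledger, SAMPLE, salt),
            "tampered_verifies": verify(issuer.ledger, {**SAMPLE, "badge": "other"}, salt),
            "observer_guess_hits": unsalted_guess_hits(issuer.ledger, [SAMPLE]),
            "issuer_retains_pii": digest in issuer.records}
```

After erasure the issuer holds only the digest; a learner who kept the exported assertion and salt can still prove the credential was anchored.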
9.7 Incident Response & Notification
- Runbook. Detect → contain → eradicate → recover → post-mortem with owner + timeline.
- Breach notification. Regulators without undue delay and, where feasible, ≤72h after awareness (GDPR-aligned). Affected users notified when high risk is likely.
- Severities. P1 (credential/signing compromise, large-scale PII), P2 (localized data exposure), P3 (availability only).
- Exercises. Tabletop at least annually; lessons learned drive control updates.
9.8 Legal Holds, Discovery & Audit Trails
- Holds. Freeze relevant data/archives on counsel instruction; suspend deletion jobs.
- Audit trails. Immutable logs (append-only) for issuance, revocation, grade changes, and admin access.
- Chain of custody. Checksums for artifacts; timestamped status changes; reproducible exports on request.
9.9 Terms of Use, Licenses & SPDX
- Terms. Acceptable Use (no cheating, abuse, or circumvention), content & IP policy, research ethics, export control caveats.
- Licensing. Course materials under stated license; learner artifacts remain the learner’s IP with a non-exclusive license to store and verify. All licenses tagged with SPDX identifiers.
- Third-party data. Respect upstream licenses; display attribution; restrict redistribution if required.
- Takedowns. Clear notice-and-action workflow for alleged infringement or rights violations.
9.10 Ethics Board & Rights Safeguards
- Ethics Board. Independent advisors + internal leads; reviews DPIAs, dual-use proposals, sensitive dataset use, and research protocols.
- Rights by design. Accessibility (WCAG 2.2 AA), non-discrimination, explainability of automated decisions affecting grades/eligibility, human appeal path.
- Children/minors. No enrolment under local age of digital consent without verified guardian consent.
- Complaints & appeals. Published channel; tracked SLAs; escalation to Academic Council where unresolved.
Acceptance Checklist (Privacy, Security & Compliance)
- Role mapping (controller/processor/joint) documented; privacy notices published.
- Lawful basis recorded for each processing purpose; DPIA completed for high-risk features.
- Retention schedule enforced; exports (OB3/VC/CLR) available to learners.
- Dual-use review completed for flagged courses; mitigations active.
- DPAs/SCCs signed; sub-processor registry and change notices in place.
- Keys rotated per policy; on-chain anchoring uses hash-only proofs.
- Incident runbook tested; regulator/user notification templates ready.
- Legal hold and immutable audit trails operational.
- Terms/AUP and SPDX licensing visible on course/artifact pages.
- Ethics Board charter active; accessibility, fairness, and appeal mechanisms verified.