Sensitive Data Collection


When creating Questionnaires, Assignments, or utilizing any other LEAD feature to request that Users submit information, it is crucial to handle sensitive information with the utmost care. Sensitive data can include personal identifiers like social security numbers, financial data, health information, and more. The collection of such data necessitates compliance with various data protection regulations such as GDPR.


Important Notice: Collection of direct payment information within LEAD (except via the platform’s own integration with Stripe) is entirely disallowed. Administrators of LEAD instances must never request credit card, bank, or other direct payment information from users in any format, including but not limited to Questionnaires or Assignments. LEAD does not maintain regulatory compliance for collecting such payment information from users.

Sensitive Data Guidelines for Admin

While LEAD handles the platform's side of compliance, as a LEAD admin you are also responsible for the privacy of your users' data. Please ensure you follow these guidelines:

  1. Clear Purpose and Legitimacy: Before collecting sensitive data, ensure there is a clear and legitimate need for each piece of sensitive information requested.

  2. User Transparency: Always provide users with a clear and comprehensible explanation of what data is collected, why it is collected, how it will be used, and who it will be shared with. This explanation should be included directly within the format being used to collect data, such as a Questionnaire.

  3. Minimization and Limitation: Collect only the sensitive data that is absolutely necessary for the purposes defined. Avoid collecting unnecessary sensitive information as this increases risk and potential liability.

  4. Labeling of Sensitive Data fields: LEAD has an AI Questionnaire Assistant that has access to Questionnaire Responses. Because of this, you must label every field that requests sensitive data by checking its sensitive-data box. If the box is not checked, responses to that field may be sent to OpenAI's API, which is unacceptable without qualification.

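The following is an added example, not code from LEAD, showing how a platform can enforce guideline 4 (and the payment-data prohibition above) in code rather than relying on the admin's label alone. The `Field`, `Response` and `AssistantContext` names, and the idea of scanning unlabelled answers for SSN and Luhn-valid card numbers as a second line of defence, are assumptions for this illustration; LEAD's real data model and filtering are not described on this page. Labelled fields are dropped before any text is assembled for the assistant, and unlabelled fields that still look like identity or payment numbers are dropped and reported so the label can be fixed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Field is one question in a Questionnaire. Sensitive mirrors the
// sensitive-data checkbox an admin sets on the field. The type and field
// names are assumptions for this example, not LEAD's data model.
type Field struct {
	ID        string
	Label     string
	Sensitive bool
}

// Response holds one user's answers keyed by field ID.
type Response map[string]string

// Patterns that must never reach a third-party model, used as defence in
// depth behind the admin's label: US-style SSNs and 13-19 digit runs that
// may be card numbers (confirmed with a Luhn check below).
var (
	ssnRe  = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	cardRe = regexp.MustCompile(`\b(?:\d[ -]?){13,19}\b`)
)

// luhnValid reports whether a digit string (spaces/dashes allowed) passes
// the Luhn checksum used by payment card numbers.
func luhnValid(s string) bool {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(s)
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// looksSensitive flags an answer containing an SSN or a Luhn-valid card
// number even though its field was not labelled sensitive.
func looksSensitive(answer string) bool {
	if ssnRe.MatchString(answer) {
		return true
	}
	for _, m := range cardRe.FindAllString(answer, -1) {
		if luhnValid(m) {
			return true
		}
	}
	return false
}

// AssistantContext returns only the answers that may leave the platform.
// Labelled fields are excluded outright; unlabelled fields whose answer
// looks like a payment or identity number are excluded and their IDs
// returned so the admin can correct the label.
func AssistantContext(fields []Field, r Response) (safe map[string]string, flagged []string) {
	safe = map[string]string{}
	for _, f := range fields {
		ans, ok := r[f.ID]
		if !ok || f.Sensitive {
			continue
		}
		if looksSensitive(ans) {
			flagged = append(flagged, f.ID)
			continue
		}
		safe[f.ID] = ans
	}
	return safe, flagged
}

func main() {
	// Constructed sample questionnaire and response for the demonstration.
	fields := []Field{
		{ID: "q1", Label: "Preferred name", Sensitive: false},
		{ID: "q2", Label: "National ID", Sensitive: true},
		{ID: "q3", Label: "Anything else?", Sensitive: false},
	}
	resp := Response{
		"q1": "Dana",
		"q2": "123-45-6789",
		"q3": "my card is 4111 1111 1111 1111",
	}
	safe, flagged := AssistantContext(fields, resp)
	fmt.Println("sent to assistant:", safe)
	fmt.Println("blocked, label needs fixing:", flagged)
}
```

The pattern scan is a safety net, not a substitute for the label: it only catches formats it knows about, so the checkbox remains the authoritative control.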

How LEAD Protects Users' Sensitive Information

LEAD, as a platform, makes every effort to not only comply with regulations for personal information, but also to exceed those requirements when possible.

General Data Protection Measures

  • Encryption: LEAD implements strong encryption for data at rest and in transit, providing a robust defense against unauthorized data access.

  • Access Control: We enforce strict access controls and role-based access to ensure that only authorized personnel have access to sensitive data.

  • Regular Security Audits: LEAD conducts regular security audits and vulnerability assessments to identify and mitigate risks, ensuring continuous improvement of our security practices.

Specific Protections for Questionnaires

  • Field-Level Encryption: Responses to questionnaires are encrypted at the field level, an additional layer of protection beyond general database encryption.

  • Audit Logs: System-wide audit logs track all access to questionnaire responses, including views and downloads, to ensure a traceable record of data access and handling.
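As an added illustration of what field-level encryption buys beyond whole-database encryption, the example below (written for this page, not LEAD's implementation, whose scheme and key management are not described here) seals each answer with AES-256-GCM and binds the response ID and field ID into the authenticated associated data. A ciphertext copied into another field or another user's response, or modified by one bit, then fails to decrypt. The `EncryptField`/`DecryptField` names, the `responseID || 0x00 || fieldID` associated-data layout and the in-process key generation are assumptions for the demonstration; a deployment would fetch the key from a KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey generates a 256-bit data-encryption key. Example only: a real
// deployment would obtain the key from a KMS rather than generate it here.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

// aad binds a ciphertext to the response and field it belongs to, so the
// value cannot be moved to another field or another user's response and
// still decrypt. The layout is an assumption for this example.
func aad(responseID, fieldID string) []byte {
	return []byte(responseID + "\x00" + fieldID)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one answer under a fresh random nonce.
// The returned blob is nonce || ciphertext || GCM tag.
func EncryptField(key []byte, responseID, fieldID, answer string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(answer), aad(responseID, fieldID)), nil
}

// DecryptField opens a blob produced by EncryptField. It fails if the blob
// was tampered with or was sealed for a different response or field.
func DecryptField(key []byte, responseID, fieldID string, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad(responseID, fieldID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: one sensitive answer in response "resp-42", field "q2".
	blob, err := EncryptField(key, "resp-42", "q2", "123-45-6789")
	if err != nil {
		panic(err)
	}
	pt, err := DecryptField(key, "resp-42", "q2", blob)
	fmt.Println("correct field:", pt, err)
	_, err = DecryptField(key, "resp-42", "q1", blob) // same blob, wrong field
	fmt.Println("moved to another field:", err)
	_, err = DecryptField(key, "resp-43", "q2", blob) // same blob, another response
	fmt.Println("moved to another response:", err)
}
```

Whole-database encryption protects the storage volume; it does nothing once an attacker or a bug reads rows through the application. Binding the field identity into the AEAD is what stops a valid ciphertext from being replayed into a context where it would be decrypted for the wrong reader.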

Specific Protections for Questionnaires/Assignments

  • Self-Attestation for Data Collection: Administrators are required to complete a self-attestation confirming that their questionnaires do not collect sensitive data unnecessarily and that any collection of sensitive data has a clear and legitimate purpose. This attestation process (a required checkbox when creating and updating Questionnaires and Assignments) helps ensure compliance with LEAD’s guidelines and regulatory requirements.

Commitment to Compliance

LEAD is committed to upholding the highest standards of data protection and to complying with relevant data protection laws and regulations. We continuously monitor our compliance and make adjustments as needed to respond to new challenges and legal requirements.
