Personally Identifiable Information (PII) and Privacy
Linking to a Privacy Policy
In some use cases of Engine, learners may be linked directly to a launched course that will be recording PII or data associated with PII. In those cases it may be necessary to provide access to a Privacy Policy. Engine provides a setting, PrivacyPolicyUrl, for activating a link in the content player to an external URL that should display a Privacy Policy statement. The URL can be absolute or relative, and may need to point to a dynamic resource that is capable of handling Accept-Language headers to support multiple translations.
Removing PII from the Database
While the registration is the central piece of information in Engine's data model, at the core of a registration is a learner's identifier. Most (if not all) data associated with that learner identifier could be classified as PII and may therefore need to be deleted. Engine provides an API to request deletion of PII data based on learner identifiers and/or xAPI Agent identifiers.
Due to the nature of the data and the extent to which it may be referenced within the Engine schema, this API is job based. To delete information for a set of learners, a POST request should be made to the /{tenant}/pii/deletionJob resource including a list of learner identifiers and/or xAPI Agent objects. The response of a successful request will return a job identifier that can be used when requesting job status via a GET request to the /{tenant}/pii/deletionJob/{jobId} resource. When all PII data has been removed, the job will report its status as COMPLETE.
Actions performed:
- Removal of all registrations associated with any learner identifiers provided, including pass/fail, completion, score, runtime information, launch history, etc.
- Removal of xAPI statements including any of the Agents provided or the Agent associated with a learner identifier anywhere in the statement
  - For voiding statements (where verb.id is http://adlnet.gov/expapi/verbs/voided) a new voiding statement will be issued in its place
- Recalculation of statement targeting chains for statements previously involved with statement references
GDPR Note: This process is intended to be sufficient for removing data per the GDPR requirements from Engine's provided schema. We suggest using additional third party data audit tools to ensure GDPR compliance.
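The deletion job flow described above, as an added example that is not part of the Engine documentation or Rustici's own code: it submits the job, then polls until the status is COMPLETE instead of treating the accepted POST as proof of deletion. The JSON field names (learnerIds, agents, jobId, status), the base URL, the Authorization header and the RUNNING status in the demo are assumptions; check them against your Engine version's API reference.

```python
import json
import time
import urllib.request
from urllib.parse import quote

def http_sender(base_url, auth_header):
    """Real transport. base_url and auth_header are deployment-specific assumptions."""
    def send(method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=data, method=method,
            headers={"Content-Type": "application/json", "Authorization": auth_header})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send

def run_deletion_job(send, tenant, learner_ids=(), agents=(),
                     interval=5.0, max_polls=120, sleep=time.sleep):
    """POST a PII deletion job, then poll until the job reports COMPLETE.

    Returns an audit record holding counts and the job id, never the
    identifiers themselves, so the record is safe to log.
    """
    if not learner_ids and not agents:
        raise ValueError("need at least one learner identifier or xAPI Agent")
    path = f"/{quote(tenant, safe='')}/pii/deletionJob"
    # Assumed body field names: "learnerIds" and "agents".
    body = {"learnerIds": list(learner_ids), "agents": list(agents)}
    job_id = send("POST", path, body)["jobId"]  # assumed response field
    job_path = f"{path}/{quote(str(job_id), safe='')}"
    for polls in range(1, max_polls + 1):
        status = send("GET", job_path)["status"]  # assumed response field
        if status == "COMPLETE":
            return {"jobId": job_id, "status": status, "polls": polls,
                    "learners": len(learner_ids), "agents": len(agents)}
        sleep(interval)
    # A 2xx on the POST only means the job was accepted, so a job that never
    # reaches COMPLETE is reported as a failure, not assumed done.
    raise TimeoutError(f"deletion job {job_id} not COMPLETE after {max_polls} polls")

if __name__ == "__main__":
    # Constructed in-memory stand-in for Engine so the example runs offline;
    # "RUNNING" is a made-up non-final status.
    replies = iter([{"jobId": "job-1"}, {"status": "RUNNING"}, {"status": "COMPLETE"}])
    fake = lambda method, path, body=None: next(replies)
    print(run_deletion_job(fake, "default", ["learner-42"], sleep=lambda s: None))
```

Against a live system, pass `http_sender(...)` as `send` and keep the returned record as evidence that the erasure request finished.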
Log Redaction
Given the learner's central role in the data handled by Engine, it is natural to log information from requests that may include learner data. While useful, this presents a problem when PII needs to be protected, so Engine includes settings to enable redaction of PII from its logs.
Settings controlling the redaction of information from logs include:
- RedactLogs
- RedactedItems
- RedactedTables
- UnRedactedColumns
Use the RedactLogs setting to enable redaction. The other three settings have reasonable defaults that should match the majority of customers' installations, but they should still be reviewed. Contact support if you think they are not sufficient for your system or if you have additional questions on their use.