Anytime you’re working in an online application, data security should be top-of-mind. This is a wide-ranging topic, starting with the passwords you use to access the system, creating policies on data retention and safe disposal, user account access, safe sharing, and so much more.
For our March Support Training, we invite customers to join us for a discussion around Security Best Practices in iCarol. We’ll touch on a variety of tools available for you to use to put your own policies and practices around data security into place at your organization.
Date: Wednesday, March 15
Time: 2pm Eastern
To register for this webinar, log into iCarol — the link to register is posted in the iCarol Help Center Community Announcements as well as the Admin Dashboard.
At iCarol, we’re always looking to the most cutting edge and progressive ways of strengthening system security, protecting data, and preventing unauthorized system access. This always has been and will continue to be a top priority for us.
In addition to the security measures we take to protect data during its transmission and storage, ensuring good password strength is one simple way that each iCarol user can protect their system and the personal information stored within. That’s why, to help our users do this, we are proactively implementing advanced security protocols for passwords used to access the iCarol system. Once these new protocols are enacted, our users will be prompted to update their passwords to ensure they meet our new strength requirements.
We appreciate our users’ compliance with these new protocols. We want you to rest easy knowing we are doing our part to keep your iCarol system secure, while also helping ensure that each individual’s use of iCarol also upholds this security through tight password guidelines.
Beginning Sunday, June 3, several members of the iCarol team will be in Dallas, Texas for our annual User Group Summit followed by the Alliance of Information and Referral Systems conference. In attendance will be:
Rachel Wentink, Vice President, Operations
Polly McDaniel, Director of Business Development
Crystal McEachern, Senior Product Manager
Val Kozintsev, Development Team Manager
Sean Higgins, Executive Vice President of Cityview, the division of Harris of which iCarol is now a part, will also join us for the Summit and early portion of the conference so he can learn more about the information and referral industry and meet the 2-1-1 and other I&R clients we regularly work with.
We’ll start our time in Dallas with our annual User Group Summit, on Sunday, June 3 beginning at 9am. This free, all-day iCarol training is aimed at iCarol users and prospective customers with anywhere from beginner to advanced usage experience with iCarol. The day is a chance for our team to focus in on a few key areas of iCarol capabilities and teaching our users how to leverage their iCarol system for the biggest impact.
This year we’ll present two training sessions at the Summit. Our first session of the morning is called Build a Better Picture: Using iCarol Statistics. That session will help attendees identify their reporting needs so they can then build out their contact forms and work flows to support those needs. We’ll take users through an overview of iCarol Statistics with a heavy focus on the analysis tab of reports, discuss Met and Unmet Needs reporting, and talk a bit about how to access data for more advanced reporting needs.
Following a brief break, the second session of the morning is titled Do More Together: Are You Ready? and will focus collaboration with partners. There are a multitude of ways you can use iCarol to partner with both fellow iCarol users, and outside organizations that don’t use iCarol. The session will take attendees through the tangible steps to evaluate readiness and then prepare to communicate with potential partners about collaboration. Attendees will leave with an outline and use cases to help them begin to build successful sharing relationships.
Attendees will then be released for lunch on their own, and then we’ll reconvene at 1:45pm for a traditional User Group session. All are welcome to the User Group Session, even if they did not register for the sessions held earlier in the day. In the User Group session, we’ll share a summary of the enhancements made to iCarol in the previous year, and speak to the upcoming developments in the works and coming soon. We’ll gain feedback from attendees and use their account of trends, themes, and common requests to help us prioritize upcoming and future developments that will best meet the needs of our customers.
If you’re heading to Dallas and will be in town by Sunday morning, it’s not too late to register for the User Group Summit. You can learn more and register here.
From there, the AIRS Conference sessions officially begin on Monday morning. Attendees can come visit us at booths 103 and 104 where we’ll have some items to hand out, including a number of data sheet flyers on a variety of topics of interest to conference attendees, including resource data sharing, offering centralized intake, ensuring continuity of care, dispatching mobile crisis services, and information on iCarol data privacy and security. As always we’ll welcome your questions, comments, and conversation on what’s going on at your organization. We always enjoy the opportunity to talk to you about the projects and partnerships you’re engaging in and investigate how we could potentially contribute to that.
You may have heard of something called the GDPR, which comes into force May, 2018, and might be wondering what it stands for, and what it means. While my personal favorite for the acronym is Grateful Dead Public Radio, an Internet station located in Baltimore, Maryland, in this context, GDPR actually stands for General Data Protection Regulation.
What is the GDPR? A regulation which will be enforced in the European Union (EU) starting on May 25, 2018. It will broaden the definition of personally identifiable data and will strengthen enforcement for its handling. It also gives individuals (called “clients” in this blog, in GDPR documentation referred to as “data subjects”) the power to request copies of any personally identifiable data you track about them, and the power to ask that it be removed from your system.
Before I move to specific details about the GDPR, let me cite a best practice, true for any country on the planet. If your organization doesn’t need your clients’ personally identifiable data for your business processes, don’t ask it and don’t log it even if it is offered. Use shredding (described later in the blog) to remove personally identifiable data after a set period if this practice aligns with your business process. (See the Data Minimisation section below).
iCarol customers own their data 100%. We, at iCarol feel very strongly that any organization should have the right to access their own data. We, as your data stewards, bear some responsibility in ensuring we process only the data to which your clients give permission, and that we both need to put processes in place to keep it secure. At all times, you have the ability to export your data and can delete or modify the personally identifiable data about your clients.
Locations affected: Some have asked us if they are affected by the GDPR even if they are not in the EU. If you work with clients in the EU, then yes, you must adhere, even if your organization is located in North America, or any other location outside the EU.
Location for data storage: Does the GDPR require personal data from clients in the EU to stay in the EU? No it does not. There are no new restrictions on the transfer of personal data outside of the EU. However, there should be more central coordination in place to oversee data activities, and there are rules regarding the following areas:
Consent: You must explicitly, in a very clear manner, ask for consent to track any data about the client. You’ll need to explain what you’d use the data for. We strongly recommend you add a question to your contact forms, also referred to as call report forms, if you don’t today indicating the client has given consent. Since you can add guiding language to a contact form, you might consider wording the question as your legal team specifically suggests, and make sure your volunteers and staff ask it exactly as worded. If you use chat or text, use the pre-chat or pre-text survey to explicitly ask the question.
Data Minimisation: Organizations can collect only the personal data that is adequate and relevant to the intended purpose. As we stressed above, if you do not need personally identifiable data from your client for your process, do not ask it or log it. For instance, if you do not need a social number or other uniquely identifiable data, don’t ask it and log it thinking you might need it later.
Accuracy: The data about a client must be accurate, which means it must be kept up to date if it is retained. Your client has the right to ask for changes if they feel data is inaccurate. Rights to edit submitted contact forms, also known as contact records, can be granted to iCarol volunteers and staff, or your iCarol Administrator(s) can edit the record. Administrators also have the right to edit client profiles, as can volunteers and staff if you grant them the rights.
Retention of data: Personal data must be kept only for as long as it is needed to fulfill the original purpose of its collection. Since iCarol provides a “shredding” feature to remove personally identifiable data within your logged records, we strongly suggest considering deploying that feature. If you’re unfamiliar with the feature, please see the section below on it.
Security of the data: There are a variety of ways to secure the data. iCarol takes the security of your clients’ data very seriously. While the GDPR does not require encryption, personally identifiable data is encrypted within iCarol “in transit” (when it is traveling from a volunteer or staff member’s device to our servers in the data centre), and “at rest”, when it is saved in the database. A number of other security provisions are also in place to protect the data. Should you need more information on this area, please contact me at to schedule a conference call.
Data Access: As noted above, your clients have the right to ask for transcripts of any of their personally identifiable data which is logged in iCarol. You may print out logged records and print them to PDF. We strongly suggest sending them in an encrypted email, or storing them on a secure FTP site for your client to log into to retrieve them. Later this year, iCarol will release the ability to password protect the PDF. You’ll also want to share with them any profile data you may have stored about them, which is accessible by exporting client profiles, which is available to any Administrator of your iCarol system.
Right to Erasure: Your client has the power to request erasure of their data in your system. It’s important for you to devise a business process on how to handle an erasure request from a client. Using iCarol’s shredding feature can assist in ensuring that very little personally identifiable data exists in your system, and using the search feature for contact forms and profiles can enable you to find it very quickly. iCarol Administrators have the right to delete submitted forms and client profiles.
What is Shredding? Shredding is a feature within iCarol which removes personally identifiable data within contact records. Phone numbers, addresses, names, and any data in a text field is removed from the database when it is shredded. An example of what appears in place of the data is shown below:
iCarol Administrators can turn the feature on in the Admin Tools/Calls tab of iCarol, which schedules the automatic shredding. We already have a range of timeframes you can select in order to shred the data, based upon the age of the contact record. Shredding allows you to maintain the data in dropdown and checkbox questions in your submitted contact forms for reporting purposes, while protecting data privacy for your clients.
As mentioned above, we at iCarol take the security of your data very seriously, as we know many of you work with subject matter that is highly sensitive and which must remain private. We provide the tools you’ll need to protect that data for your clients, to give both you and them peace of mind.
By now many of you have read about the recently discovered security vulnerabilities named Meltdown and Spectre. We are closely tracking the availability of patches for different systems, and many of our systems in our data centers have already been patched. We’ll continue to monitor this on a daily basis and apply high confidence patches to our systems expeditiously.
We encourage iCarol users to be vigilant in monitoring for patches and updating your own PCs, laptops, mobile phones and other devices, to ensure the highest possible security. This includes paying close attention to available operating system updates (Windows Update, for example) and installing these updates promptly. Browser security is key as well, so be sure to check for and install the latest updates to your browsers of choice. Note also that as new security patches become available more updates may be necessary, and so fully securing your local tools from Spectre and Meltdown could be a multi-stage process.
In iCarol, there are five security levels available for users in your system; Trainee, Standard, Enhanced, Supervisor and Admin. Each of these levels enables users to see and use a particular set of tools and functions in iCarol. Further to this, using Advanced Security settings, you can fine-tune exactly which tools and functions each user can see and use. This article will provide an overview of the Security Levels, and definitions of the settings found in Advanced Security Settings.
Security Level
Security Level is found on the Admin tab of user profiles, as below:
As shown in the above screenshot, there is a link that will take you to an explanation of each security level. This link will show a chart that explains what each security level can see and do in iCarol. Here is a screenshot of the chart:
In general, Admins are the highest security level and can see and use all tools and functions in iCarol by default, with some exceptions that will be pointed out later in this article. Supervisors can see and use everything Admins can, except sending welcome emails to new users and accessing the Admin Tools menu. Again, as with Admin, there are a few exceptions that will be pointed out. Enhanced and Standard users have access to fewer tools and functions, and Trainees have access to very few tools and functions.
Advanced Security Settings
Many of the Advanced Security settings are self-explanatory. Those that are not or where additional information may be helpful to understand what the setting enables will be noted here.
Allowed to access Call Reports and Repeat Callers – This is the setting that enables the user to see “Calls” in the left hand menu, and therefore view and submit call reports.
Can give feedback on call reports – This setting enables the user to see and use the “Feedback” text box in call reports to provide feedback to the user who submitted the call report.
Can review call reports – If you have enabled the function that staff can mark call reports as “reviewed for accuracy”, this setting allows the user to see and use the “Report has been reviewed for accuracy” check box at the bottom of call reports when viewing them.
Can only see call reports submitted by themselves – When the user views the “All Calls” page, only call reports they have submitted will appear in the list of submitted call reports. Further, this means they can only view the details of call reports they have submitted themselves.
Can access Specialized Call Export Tool – This is an add-on feature that enables the creation of resource lists in Word or Excel format. This setting enables users who are not Admins to use this tool.
Can certify computers – If you are using Restriction and Certification, this setting enables non-Admins to user the Certification tool to certify a computer.
Exempt from Restriction – If you are using Restriction and Certification, and the user belongs to a Security Level that is restricted; this setting exempts them from restriction. Depending on settings made on the Tools tab of Admin Tools, Restriction may also apply to Admins and Supervisors. If this is true, to exempt a particular Admin or Supervisor from Restriction, this setting must be manually checked.
Can only see call reports for programs to which they belong – This setting only appears if you are using the add-on feature Programs. This is the setting that restricts users to only seeing call reports that belong to the same programs they do.
Can only see caller profiles for programs to which they belong – This setting only appears if you are using the add-on feature Programs. This setting restricts which repeat callers the user can see and choose for use in a call report. Please note: This setting is not given to any Security Level by default. Therefore, if a user needs this setting, it must be manually checked.
Can use Call Reports residing in other iCarol system – This setting only appears if a caller report from another iCarol system is being shared with your system. This setting enables the user to see and create call reports using the shared call report. Please note: This setting is not given to any Security Level by default. Therefore, if a user needs this setting, it must be manually checked.
Can access Outbound Calls – This setting enables the user to see the Outbound Calls button on the main Calls page, if this tool is turned on in the system.
Can only access Outbound Calls, but not see Call Reports – If a user should only have access to the Outbound calls tool, and should not be able to see and use Call Reports, check this setting.
Allowed to access Shifts – this is the setting that enables the user to see “Shifts” in the left hand menu, and therefore view the shift calendar and sign up for shifts.
Hide the list of people currently in On Call shifts, on the main Calls page – If this setting is unchecked, at the top of the Calls page will be a list showing who is currently signed up for On Call shifts. If this setting is checked, this will not show.
Can only see shifts for programs to which they belong – This setting only appears if you are using the add-on feature Programs. This setting restricts which shifts the user sees on the shift calendar to just those that are for the programs he or she belongs to.
Allowed to access Resources – this is the setting that enables the user to see “Resources” in the left hand menu, and therefore view and search Resources through that link and through the call report form.
Can activate/inactive resources – this refers to the “Status” field in resource records. This setting enables users to change to status to and from Active, Inactive, and Active but do not refer.
Can approve resource changes – This setting only applies to those systems using Workflow rules for the resource database.
Can QA resources – This setting only applies to those systems using Workflow rules for the resource database.
Can access verification – This setting enables the user to use the Automated Verification add-on feature.
Data export options – As noted at the top of this section, if any of these are selected, the person can access the Data Export tool from the bottom of the home page inside of iCarol.
Can always see the full names of staff and volunteers – This setting applies when Admins have made changes to the way user names are displayed in iCarol via the Vols and Staff tab in Admin tools.
Allowed to access Vols and Staff – this is the setting that enables the user to see “Vols-Staff” in the left hand menu, and therefore view the list of users in the system.
Allowed to access Chatboard – this is the setting that enables the user to see “Chatboard” in the left hand menu, and therefore view and post messages to the Chatboard.
Allowed to access Internal Chat – this is the setting that enables the user to see “Internal Chat” in the lower right hand corner of the screen when logged into iCarol, and therefore use this tool to chat with other users that are logged in. Please note: This setting is not given to any Security Level by default. Therefore, if a user needs this setting, it must be manually checked. Alternatively, this option can be checked for everyone by using the “Enable Internal Chat for Everyone” link on the Vols and Staff tab of Admin Tools.
Allowed to access Events – this is the setting that enables the user to see “Events” in the left hand menu, and therefore view the Events calendar.
Allowed to access News & Fun – this is the setting that enables the user to see “News” in the left hand menu, and therefore view the News page.
Statistics – With this drop-down menu, a user can be given access to see “Statistics” in the left hand menu, and therefore run various reports with this tool.
Can receive Instant Messages in iCarol – This setting will only appear if you are using the instant messaging/chat add-on feature. This setting enables the user to assume and respond to chat conversations from the Messaging page. Please note: This setting is not given to any Security Level by default. Therefore, if a user needs this setting, it must be manually checked.
Can receive Texting/SMS Messages in iCarol – This setting will only appear if you are using the texting/SMS add-on feature. This setting enables the user to assume and respond to SMS conversations from the Messaging page. Please note: This setting is not given to any Security Level by default. Therefore, if a user needs this setting, it must be manually checked.
If you have any questions at any time about Security Level or Advanced Security Settings, please do not hesitate to submit a case to the iCarol Support Team via the Online Case Management tool.