Management of Personal Identifying Information (PII)
Sometimes, it is necessary to access user data that may include personally-identifying information (PII) for reasons that include:
- Fulfillment of a contract
- Legitimate interest
- User-driven consent
Note: All the future user read admin access requests will be provisioned only in IAM as the Profiles system will be targetted for EOL in the near future. Please reach out to the IAM Team by filling out the Google Form available at: User Read Admin Access Request to request for users read admin access. Your request will be reviewed by the Office of Data Protection and the Engineering/Architecture team of Profiles/IAM.
Please also write to pradeep_dhanarajan@trimble.com and kamalakkannan_r@trimble.com for any additional requirements.
Fulfillment of a contract
Certain internal applications must be granted permission to access user data: when it is directly required to provide services to the customer and in a carefully-managed process. The storage of information within Trimble Cloud Platform Services is necessary to fulfill contracts for the customer (B2B).
The ODP must perform a risk assessment to verify that the data is used only for the necessary functions of internal tools and not in any way used for purposes contrary to laws or policies. Participation in the security and privacy reviews can protect end users and customers from data misuse.
Evidence of these reviews will be attached to some object of interest so that authorization policy can be written once enough applications have had the opportunity to complete the exercise.
Legitimate interest
In the interest of protecting user data and to provide transparency, Trimble Cloud Platform Services expects each integrator to perform a security review and a privacy review for their use of user data.
Evidence of these reviews will be attached to some object of interest so that authorization policy can be written once enough applications have had the opportunity to complete the exercise.
User-driven consent
When an activity is not included in the fulfillment of a contract or in the legitimate interest use cases, an application must capture the user’s consent or refusal. A consent inquiry informs the user of how their data might be used and ask the user to agree to that usage.
To capture the consent state, Profiles establishes a consent data entity. This entity may contain various pieces of metadata, but its primary function is carried out in accordance with these statements:
- A consent object will have a purpose for which the consent represents (for example, terms and conditions).
- A consent object will relate to one or more specific applications.
- A consent object will relate to each user who grants the consent.
How do we ensure that the user actually consented directly?
Consent gathered from the various Trimble experiences all funnel through Profiles. This system is used for authentication and will only call Profiles to update a consent with the user information during an active user security session, which is established when a person logs into the Trimble ID system as a credentialed user.
To ensure that what the user sees on the screen and understands when they consent, the Terms and Conditions (Ts & Cs) themselves are stored and pulled in real time from the consent object in Profiles. Because the Ts & Cs are stored on the same record instance being acted upon in the same session, there is no risk of the user being associated with the wrong consent record.
How do we ensure that we act on specifically what the user agrees to?
Our authorization policies are written to act directly from the very same consent object that stores the purpose of consent — the Terms and Conditions — as well as the relationship to the user. An example of this policy might be as follows:
“An Application can access user data if that particular user has given consent to the Application.”
This policy, written in our authorization code, will act on the same data instance that houses the purpose and was updated with links to a user during the active session verified by Trimble Identity v3.
When Terms and Conditions change, a new consent entity is created with the new Terms and Conditions, and users must acknowledge the update in accordance with ODP’s guidelines. Adding additional applications to the scope of the consent should be considered the same as an update to the Terms and Conditions.
Once an integrator has received the data, Trimble Cloud Platform Services can no longer control what integrators do with that data; it is now their responsibility to follow through on the stated intent. The data privacy review must inform and guide the integrator of proper data handling.
Trimble policy regarding access to PII
While we are safe to say that all Cloud Platform activities are covered under the “fulfillment of a contract” and “legitimate interest” reasons, we also recognize the opportunity to be a champion for our customers and to assist in the efforts of data privacy and security. We will attempt to strike the balance between security and ease of legitimate access with the following policy.
While we cannot control what integrators do with data from our platform once it is in their possession, we can require that certain safety measures are taken to document the use of protected data. Therefore, for every integrator using the API who wishes to access protected data, we require them to engage with the Office of Data Protection (ODP) to perform a data privacy review and with the Office of Cybersecurity to perform a data security review. We then certify that application through a digital artifact that enables authorization to the protected data. In this way, the protected data is only accessible by integrators who exercise diligence and continue to protect user data without needless interaction with Trimble Cloud Platform.
Some use cases do exist where an application wishes to access protected data for situations that the ODP has determined is covered neither under the fulfillment of a contract nor by legitimate interest. For those scenarios, Trimble Cloud Platform Services offers functionality for applications to acquire consent from users that will authorize their access while that consent exists. This consent relationship is maintained on a per-user and per-purpose basis and can be revoked at any time.
Transition period
Many of the integrators presently using admin-level access have business operations that must continue to function. To enable the successful transition to a more secure solution, all integrators who presently utilize protected data will be granted a temporary permit to access the same information in the new system. The duration of this permit will be determined by the rate at which the ODP can process each integrator’s request to perform the necessary reviews and to certify. To ensure that integrators adhere to this upgraded privacy and security policy, their permit will expire at a set period of time deemed reasonable by Trimble Cloud Platform Services.