Merge pull request #327 from RSE-Sheffield/feat/eula

Add EULA static page

Author: Joe-Heffer-Shef

home/templates/end_user_license_agreement.html

@@ -0,0 +1,201 @@
+{% extends "base_manager.html" %}
+{% block content %}
+    <div class="container mx-auto px-4 py-8" id="eula">
+        <h1>End User License Agreement (EULA)</h1>
+        <h2>1. Acceptance of terms</h2>
+        <p>By accessing or using the Self-Assessment of Organisational Research Readiness Tool (SORT) Online survey
+            platform ("Platform"), you ("User," "you," or "your") agree to be bound by this End User License Agreement
+            ("EULA"). If you do not agree to these terms, you must not use the Platform.</p>
+        <p>This EULA governs your use of the Platform designed to collect data from healthcare practitioners about
+            organizational preparedness to participate in research studies, in compliance with applicable data
+            protection laws including the UK Data Protection Act 2018, which incorporates the UK General Data Protection
+            Regulation (UK GDPR).
+        </p>
+        <h2>2. Data protection obligations</h2>
+        <h3>2.1 Fundamental Data Protection Principles</h3>
+        <p>You acknowledge that the Platform processes personal data, including special category data (ethnic origin),
+            and agree to:</p>
+        <ul>
+            <li>Respect participant privacy at all times</li>
+            <li>Minimize data collection to what is strictly necessary for research purposes</li>
+            <li>Implement appropriate security measures to protect participant data</li>
+            <li>Maintain confidentiality of all survey responses and participant information</li>
+        </ul>
+        <h3>2.2 Prohibited activities&mdash;Data protection</h3>
+        <p>You expressly agree NOT to:</p>
+        <ul>
+            <li>Attempt to identify or re-identify survey respondents through any means, including cross-referencing
+                responses with other data sources
+            </li>
+            <li>Combine survey data with other datasets that could enable participant identification</li>
+            <li>Use demographic combinations in ways that could identify individuals or small groups</li>
+            <li>Share individual-level data with employers, managers, or other third parties without explicit consent
+            </li>
+            <li>Conduct additional data collection beyond the approved survey questions</li>
+            <li>Ask probing or follow-up questions that could identify specific respondents</li>
+            <li>Screenshot, photograph, or record any survey responses or participant information</li>
+            <li>Access data outside your authorised role or research purposes</li>
+        </ul>
+        <h3>2.3 Data minimization requirements</h3>
+        <p>You agree to:</p>
+        <ul>
+            <li>Only collect data that is necessary and proportionate to the research objectives</li>
+            <li>Limit demographic questions to essential categories only</li>
+            <li>Aggregate data appropriately to prevent identification risks</li>
+            <li>Apply minimum cell sizes (minimum 5 respondents) for any demographic breakdowns</li>
+            <li>Remove or generalize any data elements that could enable identification</li>
+        </ul>
+        <h2 id='3-security-and-access-controls'>3. Security and access controls</h2>
+        <h3 id='31-account-security'>3.1 Account security</h3>
+        <p>You agree to:</p>
+        <ul>
+            <li>Maintain secure login credentials and not share account access with unauthorised
+                persons
+            </li>
+            <li>Use strong passwords</li>
+            <li>Log out securely after each session</li>
+            <li>Report any suspected security breaches immediately</li>
+            <li>Only access the Platform from secure, authorised devices</li>
+
+        </ul>
+        <h3 id='32-data-handling-requirements'>3.2 Data handling requirements</h3>
+        <p>You must:</p>
+        <ul>
+            <li>Access data only for legitimate research purposes as specified in the research protocol
+            </li>
+            <li>Not download or export data outside the UK without explicit authorization and
+                appropriate data
+                transfer safeguards
+            </li>
+            <li>Implement appropriate technical and organizational measures to protect data security
+            </li>
+            <li>Ensure secure data transmission when sharing authorised outputs</li>
+            <li>Maintain audit trails of data access and use</li>
+        </ul>
+
+        <h2 id='42-legal-compliance'>4. Legal compliance</h2>
+        <p>You warrant that your use of the Platform will:</p>
+        <ul>
+            <li>Comply with all applicable data protection laws including UK Data Protection Act 2018
+                and UK
+                GDPR
+            </li>
+            <li>Meet professional regulatory requirements for healthcare research (including NHS
+                Research
+                Ethics Committee approval where applicable)
+            </li>
+            <li>Adhere to institutional policies and procedures</li>
+            <li>Comply with Health Research Authority (HRA) requirements where applicable</li>
+            <li>Respect international data transfer restrictions under the UK&#39;s data transfer
+                regime
+            </li>
+
+        </ul>
+
+        <h2 id='5-data-sharing-and-publication'>5. Data sharing and publication</h2>
+        <h3 id='51-authorised-data-sharing'>5.1 Authorized data sharing</h3>
+        <p>You may only share data:</p>
+        <ul>
+            <li>In aggregate form that cannot identify individuals or small groups</li>
+            <li>With appropriate statistical disclosure controls applied</li>
+            <li>To authorised research collaborators under equivalent data protection obligations</li>
+            <li>Through approved data repositories with appropriate access controls</li>
+
+        </ul>
+
+        <h2 id='6-incident-reporting-and-breach-response'>6. Incident reporting and breach response</h2>
+        <h3 id='61-mandatory-incident-reporting'>6.1 Mandatory incident reporting</h3>
+        <p>You must immediately report:</p>
+        <ul>
+            <li>Any suspected data breaches or security incidents</li>
+            <li>Unauthorised access attempts to survey data</li>
+            <li>Technical vulnerabilities that could compromise data security</li>
+            <li>Potential identification risks discovered during analysis</li>
+            <li>Any misuse of the Platform by authorised users</li>
+
+        </ul>
+        <h3 id='62-breach-response-obligations'>6.2 Breach response obligations</h3>
+        <p>In the event of a data protection incident, you agree to:</p>
+        <ul>
+            <li>Notify the Platform administrators within 24 hours</li>
+            <li>Cooperate fully with incident investigation and response</li>
+            <li>Implement immediate containment measures to prevent further harm</li>
+            <li>Maintain detailed records of the incident and response actions</li>
+            <li>Support regulatory notifications to the Information Commissioner&#39;s Office (ICO) as
+                required
+                by law
+            </li>
+            <li>Notify relevant NHS authorities where healthcare data is involved</li>
+
+        </ul>
+
+        <h2 id='7-data-retention-and-deletion'>7. Data retention and deletion</h2>
+        <h3 id='71-data-retention-limits'>7.1 Data retention limits</h3>
+        <p>You agree to:</p>
+        <ul>
+            <li>Retain data only as long as necessary for the specified research purposes</li>
+            <li>Comply with institutional retention policies and legal requirements</li>
+            <li>Securely delete data when no longer needed</li>
+            <li>Maintain records of data deletion activities</li>
+
+        </ul>
+        <h2 id='8-monitoring-and-compliance'>8. Monitoring and compliance</h2>
+        <h3 id='81-platform-monitoring'>8.1 Platform monitoring</h3>
+        <p>You acknowledge that:</p>
+        <ul>
+            <li>Platform usage is monitored for security and compliance purposes</li>
+            <li>Access logs are maintained and may be reviewed</li>
+            <li>Automated tools may detect potential policy violations</li>
+            <li>Regular audits may be conducted to ensure compliance</li>
+
+        </ul>
+        <h2 id='9-consequences-of-violations'>9. Consequences of violations</h2>
+        <h3 id='91-suspension-and-termination'>9.1 Suspension and Termination</h3>
+        <p>Violations of this EULA may result in:</p>
+        <ul>
+            <li>Immediate suspension of Platform access</li>
+            <li>Permanent termination of user account</li>
+            <li>Notification to institutional authorities (including NHS Trusts, universities, and
+                professional
+                bodies)
+            </li>
+            <li>Notification to the Information Commissioner&#39;s Office (ICO) where appropriate</li>
+            <li>Legal action for damages and compliance enforcement under UK law</li>
+
+        </ul>
+        <h3 id='92-liability-and-indemnification'>9.2 Liability and Indemnification</h3>
+        <p>You agree to:</p>
+        <ul>
+            <li>Indemnify the Platform operators against claims arising from your violations</li>
+            <li>Accept full responsibility for compliance with data protection laws</li>
+            <li>Compensate for damages caused by your negligent or willful violations</li>
+
+        </ul>
+
+        <h2 id='10-updates-and-modifications'>10. Updates and modifications</h2>
+        <h3 id='101-eula-updates'>10.1 EULA Updates</h3>
+        <ul>
+            <li>This EULA may be updated to reflect changes in law, technology, or best practices</li>
+            <li>Users will be notified of material changes with reasonable notice</li>
+            <li>Continued use of the Platform constitutes acceptance of updated terms</li>
+
+        </ul>
+        <h2 id='11-final-provisions'>11. Final provisions</h2>
+        <h3 id='111-governing-law'>11.1 Governing Law</h3>
+        <p>This EULA is governed by the laws of England and Wales. Any disputes arising from this agreement shall be
+            subject to
+            the exclusive jurisdiction of the courts of England and Wales.</p>
+        <h3 id='112-severability'>11.2 Severability</h3>
+        <p>If any provision of this EULA is found to be unenforceable, the remaining provisions will continue in full
+            force.</p>
+        <h3 id='113-entire-agreement'>11.3 Entire Agreement</h3>
+        <p>This EULA constitutes the entire agreement between you and the Platform operators regarding your use of the
+            Platform.</p>
+
+        <p>By using the Platform, you acknowledge that you have read,
+            understood, and agree to be bound by this End User License Agreement.</p>
+
+        <p><em>Users are responsible for reviewing updates and ensuring
+            continued compliance.</em></p>
+    </div>
+{% endblock %}

home/urls.py

@@ -95,4 +95,5 @@
         views.HelpView.as_view(),
         name="help",
     ),
+    path("eula/", views.LicenseAgreementView.as_view(), name="eula"),
 ]

home/views.py

@@ -507,3 +507,11 @@ def form_valid(self, form):
 
 class HelpView(LoginRequiredMixin, TemplateView):
     template_name = "help.html"
+
+
+class LicenseAgreementView(LoginRequiredMixin, TemplateView):
+    """
+    End user license agreement
+    """
+
+    template_name = "end_user_license_agreement.html"