
Custom notifications feature for whistleblowing directive related timeline of communication with the whistleblower. #2866

Open
elbill opened this issue Jun 12, 2020 · 51 comments

Comments

@elbill

elbill commented Jun 12, 2020

What is the motivation or use case for changing the behavior?
The whistleblowing directive sets some timelines regarding communication with the whistleblower, e.g. notification of receipt of the report within 7 days and providing feedback within 3 months (extendable to 6 months).
I believe incorporating customisable notifications and templates would be great. It is also a real need, as I have seen from companies.
There are currently no customisable notifications apart from the expiration.
A workaround would be to set the expiration date at 7 days and extend it; however this is quite risky, as some reports may slip our attention and expire. And it is not elegant.

GlobaLeaks version:
4.0.32

@evilaliv3
Member

Thank you for your valuable feedback on this.

Would you add a precise reference to the part of the directive that you are referring to?

If you could provide more detail about how you envision these "reminders" working, this could help brainstorming about the possible feature and speed up its development.

@elbill
Author

elbill commented Jun 12, 2020

https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019L1937&rid=4

Article 9
Procedures for internal reporting and follow-up
….
(b) acknowledgment of receipt of the report to the reporting person within seven days of that receipt;
….
(f) a reasonable timeframe to provide feedback, not exceeding three months from the acknowledgment of receipt or, if no acknowledgement was sent to the reporting person, three months from the expiry of the seven-day period after the report was made;

Article 11
Obligation to establish external reporting channels and to follow up on reports
…..
(b) promptly, and in any event within seven days of receipt of the report, acknowledge that receipt unless the reporting person explicitly requested otherwise or the competent authority reasonably believes that acknowledging receipt of the report would jeopardise the protection of the reporting person's identity;
…..
(d) provide feedback to the reporting person within a reasonable timeframe not exceeding three months, or six months in duly justified cases;

@evilaliv3 I will get back with implementation ideas

@elbill
Author

elbill commented Jun 12, 2020

@evilaliv3 One way to approach this would be the following. Each context in the advanced settings would have a notification-of-receipt reminder field in days (by default 7) and a notification-of-feedback reminder (by default 90). It would be good if notifications could be extended and repeated after a number of days (7 days by default) by the user (in a similar fashion to the expiration of reports). One or two additional generic notifications could also be used by the receivers (for example, for the commencement of an investigation according to the WB policy).
So in context advanced settings:
notification of acknowledgement of receipt (days)
[ ]

Set the value to 0 to disable this feature.
notification of whistleblower feedback (days)
[ ]

Set the value to 0 to disable this feature.
generic notification 1 (days)
[ ]

Set the value to 0 to disable this feature.
generic notification 2 (days)
[ ]

Set the value to 0 to disable this feature.

There will need to be 4 notification templates

A more flexible and generic notification system could be used to set one or more notifications; however, I cannot think of a way to link it with notification templates.

Hope this helps...

@evilaliv3
Member

Thank you @elbill!

The idea seems nice and generic enough to be implemented; I will try to analyze it further and get back to you.

@evilaliv3
Member

@elbill: by any chance have you already analyzed this ticket in detail, and do you already have a proposal for what we could implement? @maxmois is also looking into the features related to GDPR and it would be really interesting to start sharing our ideas and form a proper GDPR roadmap to be added to: https://docs.globaleaks.org/en/main/roadmap/#gdpr-compliance-improvements

evilaliv3 added a commit that referenced this issue Jun 11, 2021
@elbill
Author

elbill commented Jun 14, 2021

thanks @evilaliv3
The whistleblower should be notified within 7 days of submission that the report was received. The automatic confirmation that the whistleblower sees after submission, with the code, could be considered to fulfil this obligation. However it would be desirable if the receiver received a notification to make contact with the whistleblower within the 7-day time frame.
Furthermore the whistleblower should be notified within 3 months of the notification of receipt regarding the outcome/progress of the report.
Based on the above, a flexible notification system should send a reminder to the recipients regarding those obligations. A flag showing whether these have been fulfilled or are overdue could also be useful.
This could be a fixed notification system just for the directive or a more flexible system for all types of reminders the recipient will be able to set up.
Do you need anything more specific in terms of UI? I see that on the 12th of June 2020 I submitted some ideas.

evilaliv3 pushed a commit that referenced this issue Jul 27, 2021
evilaliv3 added a commit that referenced this issue Jul 27, 2021
evilaliv3 added a commit that referenced this issue Jul 27, 2021
evilaliv3 added a commit that referenced this issue Jul 27, 2021
evilaliv3 added a commit that referenced this issue Jul 27, 2021
@evilaliv3
Member

After thinking a little bit about this feature idea, I consider that an interesting implementation could be the following:

The administrator should have the possibility to define a set of custom notifications to be sent after a certain period since the arrival of a submission.
Each of these custom notifications should offer the possibility to define:

  • The title of the email notification (text subject to internationalization)
  • The content of the email notification (text subject to internationalization)
  • The number of days after which to send the email notification.

To be analyzed better:

  • Should the email always be sent after the period has passed, or should there be configurable conditions under which the email is not sent?
  • Should this feature relate to submission statuses?
  • Would it be enough to make it possible for Administrators to define general custom notifications at system level, to be sent X days after the arrival of the submission, or on the contrary do we want users to be able to set their own reminders, scattered on precise calendar dates and configurable per submission?

@evilaliv3
Member

@maxmois @larrykind: Would you please add your evaluations and suggestions if any? thank you!

@evilaliv3
Member

I would like to add that many of the users and consultants that we involved in the conversation consider that, for making a good implementation that could actually serve all European users, it would be worth waiting for some transcriptions of the EU directive at state level. This will enable us to know the real needs and design a helpful feature.

@evilaliv3 evilaliv3 removed the F: GDPR label Sep 9, 2021
@elbill
Author

elbill commented Sep 10, 2021

@evilaliv3 the directive is very clear regarding the notification requirements, and not much is left for national interpretation (in my honest opinion).
The question is the level of user customisation of the feature to match non-EU needs (which give different timelines), other EU requirements that may require more frequent notifications to users and whistleblower information, as well as individual organisation requirements.
In my opinion, again, some type of recurring notification to recipients, or a notification with some type of flexible postponing (in a similar way to deletion notifications but with customisation of the next notification), would be enough and not far from optimal for any case.

@evilaliv3
Member

evilaliv3 commented Sep 10, 2021 via email

@larrykind

larrykind commented Sep 10, 2021

Hi everyone,
thank you @evilaliv3 for mentioning me. Nice idea to have custom email notifications set by administrators; in my opinion I should not allow receivers to set custom notifications for themselves: if you want to allow receivers to have some kind of reminder, this should have a very simple configuration in my opinion.

According to what @evilaliv3 wrote, in my opinion it should be parametrized:

  1. email subject
  2. email text
  3. Context
  4. one or more context receivers (if no receiver is selected, nobody will receive the email)
  5. number of days after the ticket is received
  6. number of days after the ticket has been in some status, including the "new" status
  7. whether the actual status must be the same as set in the previous condition, or choose what the actual status should be (this could require having a ticket status history...)
  8. whether a certain actual status (or list of statuses) should abort sending the email
  9. possibility to have "repeat every X days" (may this cause mail flooding?)

From 1 to 4 they should be mandatory.
From 5 to 8 there should be at least 1 parameter, with "AND" or "OR" between statuses from 5 to 8.

Finally, if custom notification instances are set in tenant 1, they should be inherited by sub-tenants also, in my opinion.
Personally I don't see the need to configure custom notifications on a ticket basis; it should be fine at context level.

@elbill
Author

elbill commented Feb 14, 2022

@evilaliv3 has there been any progress regarding this? Notifications seem to be the most requested feature regarding the implementation of the EU Whistleblowing Directive.
As soon as the legislation comes into full application and submissions increase in number, users are concerned they may miss deadlines.

@evilaliv3
Member

Thank you for your question @elbill

I confirm that at the moment there has been no progress, as we are continuing to monitor the national laws, but at the moment we have not found precise indications.

As soon as we have some we will act on this point, but until we see any, unfortunately any development would be just speculation.
From our understanding the EU directive is a mandatory rule for the member states to implement a law; when the law is present, organizations of the member state will have time to implement their own platforms, and we will activate our development on the basis of the law.

@elbill
Author

elbill commented Feb 14, 2022

@evilaliv3 the directive is quite clear in this matter. The confirmation of receipt must be sent within 7 days, while feedback to the whistleblower has to be provided within 3 months from the confirmation.
For external whistleblowing this is 7 days and 3 months (and 6 months in exceptional circumstances that have to be justified). Portugal, Denmark and Sweden, which have implemented national legislation, have kept these timelines (for Lithuania I'm not sure, but their law is closely based on the EU Directive so I believe they have also kept them). It is a safe bet that all countries will keep these timelines, as it would be stupid to differentiate and create problems for multinational companies, and also these timelines seem to be fair. Most if not all commercial systems (that I know) have implemented fixed or flexible timelines in order to call themselves "Compliant with EU Directive".
I therefore believe complying with the EU directive now is very important, rather than waiting for countries that take advantage of each other's delays. A fixed (or even better a flexible) notification system will also help users that deal with a large number of reports, even if we forget about complying with the EU directive!

@evilaliv3
Member

evilaliv3 commented Feb 14, 2022 via email

@elbill
Author

elbill commented Feb 15, 2022

@evilaliv3 thanks for your reply!
Regarding 1) I agree that the automated reply will do and formally nothing else is needed. I am just mentioning that some users think that the first reply also has to be initiated by the recipient.

Indeed the issue is not for the platform to comply, but to assist organisations in complying with the EU Directive and national law timelines, not for platforms to be compliant. In a similar way, GlobaLeaks helps users with GDPR via notifications, postponement and expiring reports.
The use case I have been challenged with by users is "how do I keep track of the reports that may not have been replied to in time and are overdue?"
This has been a requirement from users with a lot of reports (~10-20 a day) as well as users with fewer reports (and fewer human resources).
How does a user handle some hundreds of cases, looking for the ones that may not have been provided with feedback?

The best way I have thought of, which is simple and flexible and universal (not only directive related), is a recurring notification system (simple in terms of use, not necessarily development).
Use case:
You receive a report.
The system asks you:
In how many days do you want to be notified about this report? [ 7 ] (you put in 7).
After 7 days the system notifies you if you don't take an action (the action would be to put a different number in the notification box, for example [90] (to be notified in 90 days), or [ 0 ] to cancel the notification altogether (or use a checkbox for cancelling it)).
Each day you receive an email notification with a list of reports that are overdue (ideally in the CMS you can have a separate column with a green "v" or a red "x" indicating the overdue reports).
In this way the user can create 1, 2, 3 or an infinite number of (agnostic) notifications with a single variable.

@chateaufiesta

Any progress on this issue?
The Portuguese law regarding this directive implements the same days for notifications: 7 days for the initial progress notification and 3 months for the final notification.

We are thinking about using the expiration date to "hack" this, but it's a manual process. It would be better to have some kind of system to configure all these notifications instead of having to do this manually.
Thank you

@evilaliv3
Member

Thank you @chateaufiesta, unfortunately no update on this side.

Please feel free to support by detailing a specification for the feature, or provide a pull request if you have the capacity, and we will surely evaluate its integration.

@elbill
Author

elbill commented Oct 20, 2022

It is up to the recipient to make sure they have acted on the reminder. The purpose of the feature is to remind the recipient to act, not to force nor to check. If they disable the reminder it means they have completed the action. Like the Outlook flags, in some way. An automated way to know this would not work well in my opinion.
The feature sends a reminder "provide feedback to the WB". I provide it (proper feedback, not just a comment) and then I disable the reminder. If I forget to disable it, it will keep showing red (or we could add a flag column). If I disable it and have not sent feedback to the user then it is my responsibility. Like if I disabled an email flag in Outlook and did not reply to the email.

@evilaliv3
Member

evilaliv3 commented Oct 20, 2022 via email

@elbill
Author

elbill commented Nov 25, 2022

@evilaliv3 based on our previous discussions regarding a rolling reminder feature, I give a modification that should happen in the administrator backend in the context tab.
[screenshot of the context settings tab, not preserved here]

When we are 72 hours from the reminder there will be some colour indication in the CMS (e.g. orange/yellow).

When the report has passed the reminder date then the colour should be orange/red.

I will soon give some mockup for the front-end recipient site.

@danielvaknine
Copy link

Sounds like a good first, more "light-weight" improvement!

@elbill
Author

elbill commented Nov 29, 2022

@evilaliv3 regarding the recipient interface, there should be some pop-up regarding the number of reports about to reach or past the reminder date.
The reports will be colour coded.

In individual reports there should be an additional icon that opens up a calendar allowing the recipient to postpone the reminder date. A checkbox will allow disabling or re-enabling the reminder function for individual reports.
[three mockup screenshots attached, 29 Nov 2022, not preserved here]

@evilaliv3
Member

Thank you @elbill for this update.

I would propose not to add a popup (as a window that appears) but probably an info alert widget like we have on some existing interfaces.

I suggest as well that we try to reduce the number of strings; for example we can add the following 2 strings:
"Reminder"
"By confirming, you will postpone the reminder date to:"

and avoid having a specific string "reminder enabled"; we can instead have a clear icon for this feature.

Probably we could start using the bell icon for this, and use the sound on / sound off for silencing email notifications. What do you think?

@msmannan02
Contributor

Just a suggestion from my side: as @evilaliv3 said, enabling or disabling reminders should be done for the team from the admin side, but how the popup opens should be as @elbill showed, because we are already doing it for postponing the expiration date from the same menu; changing within the menu how the user would change the reminder date can be confusing.

@evilaliv3
Member

evilaliv3 commented Dec 27, 2022

Dear @elbill and @msmannan02,

I'm reviewing the proposed changes and I've tested them with a few users, and I would like to discuss some changes with you.

The interface currently uses two colors (red and yellow) depending on two different thresholds set by the administrator, but then the recipients may vary just one setting based on their personal preference. This can lead, in my opinion, to significant confusion: in fact, recipients would never know the relation between yellow and red and would only be able to set a new value for the red threshold, without even knowing that they will be notified in advance.

In addition I consider that in general users of "reminders" are familiar with only one threshold: the reminder date.

For this reason I propose, at least for now, to simplify the feature by implementing one single threshold and marking the report with a yellow marker if the reminder date has passed.

From the analysis of the EU directive, I consider that this would be more than enough to implement a simple reminder.
If the administrator wants to use the feature to support recipients answering within 7 days of the reception of the report, they could configure the reminder date to 5 days. Then users will vary the reminder according to their needs.

Please let me know what you think based on this evaluation.

@danielvaknine

danielvaknine commented Dec 27, 2022 via email

@evilaliv3
Member

Thank you @danielvaknine for your feedback

@elbill and @msmannan02 already have a full proposal.

They created the concept for a reminder feature, configurable as a default by the administrator and then editable by recipients.
It works like an alarm clock that is set automatically but that the user can turn off or modify.
Basically the administrator can configure two deadlines (one soft and one hard).
Suppose you set the deadline of the reminder to be 5 days (for the soft deadline) and 7 days (for the hard deadline).
Following this configuration, recipients will notice a yellow icon after the soft deadline has passed; the icon will become red after the hard deadline has passed.

From my point of view I consider that this proposal is nice but a bit confusing.
I would propose to implement just one deadline for the reminder.
In relation to the European directive, probably the Administrator will configure this to 5 days, to make sure that users see reports highlighted 2 days in advance of the famous 7 days to answer. It will be up to recipients to eventually postpone or turn off this alarm according to their own preference.
In this way they could use this feature in relation to this specific aspect of the directive or for other purposes related to their operations.

What do you think?

@danielvaknine

danielvaknine commented Dec 27, 2022 via email

@evilaliv3
Member

Yes, I understand.

By default I think we will keep the feature disabled.
Administrators will have the possibility to set a time suitable for their own project (e.g. 2 months, to ensure staying within the 3-month deadline).

Recipients will then always be able to change the specific report reminder based on what they need to do in the current status of the management of the report.
What do you think @danielvaknine / @elbill?

To clear any doubt, this reminder feature will be only visual and will not send any notification email. We do not consider, in fact, that overwhelming users with email notifications would be the correct thing to do.

What do you all think?

cc @maxmois @larrykind

@danielvaknine

danielvaknine commented Dec 27, 2022 via email

@evilaliv3
Member

Thank you for your feedback @danielvaknine.

What you have commented is perfectly in line with the implementation suggested by @elbill and @msmannan02 with my simplification.

In relation to notifications, the reasons why we have evaluated not adding email notifications are the same discussed on ticket #3322, and specifically in comment #3322 (comment).

I would appreciate it if you could give it a look and provide your feedback. Thank you

@danielvaknine

danielvaknine commented Dec 28, 2022 via email

@chateaufiesta

Hi all,

I wasn't able to create a development environment to start modifying GlobaLeaks (couldn't find a video on how to set it up and test the modifications, my bad :( ), so I went another route.

I created a Python script that reads the internaltip table and sends notifications to our recipients.

We send notifications after 7 days, 80 days and 89 days from creation.

The notification from GlobaLeaks didn't make sense to us because we want to preserve the data for 10 years, and the only way to do that in GlobaLeaks was to set the number of days of expiration to 3650.

I think you should have, as proposed by others, two different settings, one for expiration (when deletion occurs) and another to "conclude" the process (90 days per EU law). In that way the notifications for the "conclude" setting would make sense.

@evilaliv3
Member

evilaliv3 commented Dec 28, 2022 via email

@chateaufiesta

  • shall the recipient be able to turn off the reminder when the report has been handled: agree (in our case we also added a new button in the "Reports" page to hide/show the reports that have the "concluded" status, using JavaScript)
  • shall the system enable the recipient to vary the reminder date for each report with respect to the default set by the administrator: agree
  • shall the system send notifications for reminders or just notify these aspects on the interfaces? We are still in doubt as we do not want to overwhelm recipients with notifications via email. We consider that would just create confusion and is not the correct way to stimulate them to work. The person working on cases should just use the platform regularly. Do you have some statistics related to real case scenarios?
    I don't know any company that has a department that only works on this. Normally it is part of the work of some department but not their main work, thus the necessity of the reminders.
  • in the case we will opt for having notifications also for this reminder feature, we should study a general mail template and consider when to send aggregated email to limit notifications.
    I see two options here: a daily aggregated email with a list of links to the reports expiring the next day, or a weekly aggregated email with the indication that next week XX reports will expire and a link to the platform Reports page, with a date-range filter passed as a parameter in the URL??

@evilaliv3
Member

evilaliv3 commented Dec 28, 2022 via email

@danielvaknine
Copy link

I agree with @chateaufiesta on most points. However, I don't think the notification email template would need to be as advanced. To make it easy, perhaps it's easiest to just copy the "expiration date" function straight off and make minor changes to the email?

Regarding the public administration you mention here @evilaliv3, I think these scenarios are in the minority. However, it doesn't need to be a problem. By simply enabling the administrator to disable the notifications for the "reminder date", each organisation could do whatever fits them, their needs and their amount of cases.

Does that sound reasonable?

@evilaliv3
Member

evilaliv3 commented Dec 28, 2022 via email

@elbill
Author

elbill commented Dec 30, 2022

Even though at the beginning I thought it necessary to use email reminders, I was convinced that they are not essential. In scenarios with few reports, they are under control without email notifications. In scenarios with many reports, they may overwhelm recipients. We have prepared another feature with Excel-style filtering that will assist in keeping reports under control based on date. We are also working on some concepts regarding statistics that would also help with keeping overdue reports under control.

@evilaliv3
Member

@elbill @msmannan02: we have almost completed integrating the code related to this feature.

Considering that the feature requires some changes in the database, we will probably wait a little to merge the feature in production, in order to include in the release other database changes needed for upcoming features. I will keep you posted on the timeline.
In a next call it would be great to discuss with you the needs for your next implementations, so that we could possibly edit the database just one time and prepare all that is needed for your work at once.

I acknowledge that we have integrated your proposal with a few changes:
You proposed to have an admin-configurable soft deadline (e.g. 80 days) and a hard deadline (e.g. 90 days), and to let recipients edit only the hard deadline and recalculate the soft deadline automatically.
We ran into some bugs in this implementation, which we considered quite complicated also from the point of view of the user experience, so at least for the first integration we are considering adding just one single reminder. We consider in fact that Administrators who would like Recipients to follow a 90-day policy will probably just set a reminder to 80 days, and recipients aware of the law will know that the reminder is set 10 days in advance. This way, like an alarm clock, the alarm will be configured by the admin or by the user to wake the user up in advance.

Please feel free to let us know your feedback and, if helpful, I may prepare a demo for our next meeting.
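The rolling-reminder use case elbill described earlier (receive a report, get an alarm after N days, postpone it or cancel it) and the single-threshold design settled on in the comment above, modelled as an added Python example. This is not GlobaLeaks code and does not touch its database or its `internaltip` table; the `Report` class, the function names, the approximation of the directive's "three months" as 90 days, the choice to flag a report from its reminder date onward, and the sample reports are all assumptions made for illustration. Alongside the reminder it computes the Article 9 acknowledgment and feedback deadlines (including the branch where no acknowledgment was sent), so the gap between the recipient's alarm and the legal deadline is visible.

```python
"""Single-threshold reminder model for a whistleblowing case queue.

Added example, not GlobaLeaks code. Assumptions: the administrator sets a
default reminder offset in days after receipt (0 = feature disabled), the
recipient may postpone or silence the reminder per report, and a report is
flagged (the 'yellow marker') from its reminder date onward. The directive's
"three months" is approximated as 90 days.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

ACK_DAYS = 7        # Art. 9(1)(b): acknowledge receipt within seven days
FEEDBACK_DAYS = 90  # Art. 9(1)(f): "three months", approximated as 90 days (assumption)


@dataclass
class Report:
    report_id: str
    received: date
    reminder_date: Optional[date]        # None: reminder silenced or feature disabled
    acknowledged: Optional[date] = None  # day the recipient confirmed receipt, if any


def ack_deadline(received: date) -> date:
    """Last day on which the acknowledgment of receipt is due."""
    return received + timedelta(days=ACK_DAYS)


def feedback_deadline(received: date, acknowledged: Optional[date]) -> date:
    """Art. 9(1)(f): three months from the acknowledgment or, if none was sent,
    three months from the expiry of the seven-day acknowledgment window."""
    start = acknowledged if acknowledged is not None else ack_deadline(received)
    return start + timedelta(days=FEEDBACK_DAYS)


def new_report(report_id: str, received: date, default_reminder_days: int) -> Report:
    """Create a report with the administrator's default reminder applied.
    A default of 0 disables the reminder, as proposed in the thread."""
    reminder = (received + timedelta(days=default_reminder_days)
                if default_reminder_days > 0 else None)
    return Report(report_id, received, reminder)


def postpone(report: Report, new_date: date) -> None:
    """Recipient moves the alarm ('By confirming, you will postpone the reminder date to:')."""
    report.reminder_date = new_date


def silence(report: Report) -> None:
    """Recipient turns the alarm off once the report has been handled."""
    report.reminder_date = None


def reminder_status(report: Report, today: date) -> str:
    """'off' when silenced, 'due' from the reminder date onward (yellow marker),
    'pending' before it."""
    if report.reminder_date is None:
        return "off"
    return "due" if today >= report.reminder_date else "pending"


def due_reports(reports: List[Report], today: date) -> List[str]:
    """Ids of reports whose reminder has fired, oldest reminder first: the list
    an in-app alert widget (or a daily digest, if one were sent) would show."""
    due = [r for r in reports if reminder_status(r, today) == "due"]
    due.sort(key=lambda r: r.reminder_date)
    return [r.report_id for r in due]


def directive_margin_days(report: Report, today: date) -> int:
    """Days left before the Art. 9 feedback deadline (negative once late),
    independent of whatever reminder the recipient has set or silenced."""
    return (feedback_deadline(report.received, report.acknowledged) - today).days


if __name__ == "__main__":
    # Constructed sample: admin default of 80 days, i.e. 10 days ahead of a 90-day policy.
    queue = [new_report("r1", date(2022, 12, 1), 80),
             new_report("r2", date(2023, 1, 10), 80)]
    queue[1].acknowledged = date(2023, 1, 12)
    today = date(2023, 2, 19)
    print("due today:", due_reports(queue, today))
    for r in queue:
        print(r.report_id, reminder_status(r, today), "margin:", directive_margin_days(r, today))
```

Because the reminder and the legal deadline are kept separate, silencing the alarm never hides the deadline: a recipient who turns the reminder off without sending feedback still shows a shrinking `directive_margin_days`, which is the figure a filter or a statistics view would use to find overdue reports.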
