Summary
As far as I'm aware, CapX currently has no mechanism to inform staff of data processing at first login. This was flagged as an open recommendation in the Durham University Data Protection Impact Assessment for CapX (ref: A26-186, May 2026) as being required under UK GDPR Article 13 (information to data subjects at the point of collection).
If this feature already exists, please let me know where (and maybe we can keep this issue as a documentation improvement). If it doesn't, let me know: I'm happy to implement it and submit a PR for review.
Requirement
Display a privacy/acceptable-use notice to each user on their first login, before they can access the main application. The user must acknowledge the notice; subsequent logins should proceed normally without interruption.
The content for this notice should be configurable in the administration settings of CapX (Admin -> Settings), as each institutional deployment will have different requirements for the content.
A note on implementation: CapX uses legitimate interests + contract as the lawful basis for data processing, not consent: the purpose of this banner is not to capture consent. A dismissible banner/modal that contains a clear link to the Staff Privacy Notice is enough for us to satisfy the Article 13 obligation.
Dismissal is recorded with a timestamp and notice version (no positive agreement required; controller obligation is to provide, not obtain acknowledgement)
Suggested notice content (default content for a placeholder for institutions to customise)
- What personal data is collected and why (identity from CAS / Shib / Entra; time bookings, project allocations, etc
- Lawful basis for processing (legitimate interests + contract)
- Retention period (end of employment relationship + 6 years per Limitation Act 1980)
- Data subject rights (access, rectification, erasure request via IG)
- Contact for queries (Samantha Finnigan / Durham IG Unit)
- Link to the appropriate institutional privacy notice (ours is the Durham University Staff Privacy Notice: https://www.durham.ac.uk/about-us/governance/information-governance/privacy-notices/employees/)
A possible implementation
- Add a
privacy_notice_accepted_at (nullable timestamp) column to the user record
- On login, if
privacy_notice_accepted_at is null, pop the banner up at the bottom of the app.
- On acknowledgement, record the timestamp (and maybe version identifier?)
- Optional: store a notice version string so the flow can be re-triggered if the notice is materially updated in future
Summary
As far as I'm aware, CapX currently has no mechanism to inform staff of data processing at first login. This was flagged as an open recommendation in the Durham University Data Protection Impact Assessment for CapX (ref: A26-186, May 2026) as being required under UK GDPR Article 13 (information to data subjects at the point of collection).
If this feature already exists, please let me know where (and maybe we can keep this issue as a documentation improvement). If it doesn't, let me know: I'm happy to implement it and submit a PR for review.
Requirement
Display a privacy/acceptable-use notice to each user on their first login, before they can access the main application. The user must acknowledge the notice; subsequent logins should proceed normally without interruption.
The content for this notice should be configurable in the administration settings of CapX (Admin -> Settings), as each institutional deployment will have different requirements for the content.
A note on implementation: CapX uses legitimate interests + contract as the lawful basis for data processing, not consent: the purpose of this banner is not to capture consent. A dismissible banner/modal that contains a clear link to the Staff Privacy Notice is enough for us to satisfy the Article 13 obligation.
Dismissal is recorded with a timestamp and notice version (no positive agreement required; controller obligation is to provide, not obtain acknowledgement)
Suggested notice content (default content for a placeholder for institutions to customise)
A possible implementation
privacy_notice_accepted_at(nullable timestamp) column to the user recordprivacy_notice_accepted_atis null, pop the banner up at the bottom of the app.