Data Protection and Data Retention

From All n One's bxp software Wixi

Revision as of 12:40, 12 July 2014 by Philip Lacey

bxp software (bxp) makes it easy for you to retain data securely and have it accessible through the Internet. It is, however, important to remember that if you are storing personal information about a customer or potential customer, member or potential member, student or potential student, then what data you're storing and why you're storing it falls under Data Protection, and you (not All n One) have to ensure you are compliant with Data Protection laws.

That said, All n One and bxp can help greatly with your management responsibilities.


1 Understanding the law

Firstly you must understand your responsibilities under the law. The Data Protection Commissioner or equivalent for your country will help your understanding.


Ireland is one of the leading countries in setting data protection law. All n One is an Irish company with all of its operations and infrastructure based in Ireland managed by Irish companies. For location reasons we must be compliant with Irish law and as an organisation we want to comply with the strongest legislation available.


Within Irish law, a company that "owns" the data is called a Data Controller. Companies that store data and / or provide CRM capabilities are called Data Processors. All n One and bxp are Data Processors. bxp clients are Data Controllers.


All n One have written and supply an advisory document to outline where responsibilities lie.


It is also advisable that you register your organisation with your local data protection commissioner.


Here are All n One's public registration details: https://www.dataprotection.ie/viewdoc.asp?fn=/documents/register/display.asp?ID=8759%2FA


2 Data Retention

All n One will never supply data to anyone who is not their client. System Champions are primary contacts for security gatekeeping practices as well as organisational clarity and support. If a client needs to retrieve data from the system, it is available through a number of reports, lookups / search facilities and data export tools, all of which have audit histories.


How long you retain data varies greatly with requirement. You will need to establish for your organisation how long you can retain data. It will be important to differentiate between active customers, former customers and prospect customers. Active, former and prospect can also be applied to any synonym for a person: member, staff, patient, student.


The easiest way to find out what your obligations are is to get in touch with your local data protection commissioner, who can advise you. Alternatively, contact data protection lawyers or data protection specialist consultants, though they will probably charge for their services.


As a result of those conversations you will need to develop a "data retention policy" for your organisation. This will spell out your data retention requirements.


As a best practice, it should:

  • Identify all sources of person data and be updated regularly (circa monthly)
  • State the physical location of the data
  • State the primary function of, reasons for retention and duration of retention of the data
  • State how access control to that data is maintained
  • State how security is managed on that data
  • Appoint a person internal to the organisation to be responsible for data protection matters (DPO : Data Protection Officer)
  • Ensure the DPO is trained formally according to jurisdictional laws and on an ongoing basis
  • Enable a clear request mechanism of the DPO for internal and external queries with a Service Level Agreement on responding to queries
  • Have an organisation statement on data retention and management, which is recognised by all staff and suppliers interacting with the data
  • Have operational policies and procedures on how the data is managed
  • Have quality control checks to ensure policies are being followed


3 The use of data and Marketing Permissions

Storing data requires management of the data. The simple question always boils down to "what do you want to do with the data".


Customer data of active customers is perfectly legitimate to retain. Just focus on what constitutes "active".

Data of former customers will have a retention period applied. Local law will dictate what is required and where.

Potential customers may ask for their data to be removed but there is no pressure on the organisation to remove data.


The primary use of retained data only becomes an issue when the organisation wants to carry out marketing or communications, e.g. a mail shot or bulk text message. When this need arises, a special record of "Marketing Permissions" must be retained with the data. The person's agreement, "I agree to be communicated with", must be explicitly granted and the permission recorded. Marketing permissions are a separate area of law to data protection laws.

http://en.wikipedia.org/wiki/Permission_marketing

In Ireland, direct marketing also falls to the Data Protection Commissioner. http://www.dataprotection.ie/docs/DIRECT-MARKETING-A-GENERAL-GUIDE-FOR-DATA-CONTROLLERS/905.htm


The basic rule that applies to direct marketing is that you need the consent of the individual to use their personal data for direct marketing purposes. As a minimum, an individual must be given a right to refuse such use of their personal data both at the time the data is collected (an "opt-out") and, in the case of direct marketing by electronic means, on every subsequent marketing message. The "opt-out" right must be free of charge. You must also make clear who you are and where you obtained the individual's personal data (where this is not obvious).


  • Active person - may be communicated freely with, if in relation to provision of the product or service.
  • Former person - may be communicated with, providing clear option of "opt-out"
  • Potential person - must be told up front about communication, with an explicit "opt-in" option. The default position must be considered to be "opting out".


If you have existing data that was captured when marketing permissions weren't required, e.g. in Ireland before 1990, explicit marketing permissions will need to be sought.


For former and potential persons, separate permissions must be sought for:

  • By Post
  • By Phone
  • By Email
  • By SMS


It is considered a courtesy to give current persons a choice of how they would like to be communicated with at the start of the relationship, with the option to change during the relationship.


Currently social media allows for the person to block the organisation, so explicit social media permissions are not currently sought (as of July 2014).


For example: I have a bunch of mobile numbers and I'd like to text them all. You must first categorise them, ensure you have permission and then carefully word the message to allow opt-out. Failure to do so can result in a fine of €3,000 per contact, up to a maximum fine of €100,000.


Summary proceedings for an offence under the Data Protection Act may be brought and prosecuted by the Data Protection Commissioner. Under section 31 of the Acts, the maximum fine on summary conviction of such an offence is set at €3,000. On conviction on indictment, the maximum penalty is a fine of €100,000. http://www.dataprotection.ie/docs/Offences_and_Penalties_under_the_Data_Protection_Act/97.htm


This law is actively upheld. http://www.irishexaminer.com/ireland/phone-companies-fined-for-unsolicited-calls-and-texts-251440.html


4 Best practice approaches

All n One suggest that all person data be stored in bxp. Using the previous guidelines, here is how bxp can help.

  • Identify all sources of person data and be updated regularly (circa monthly)
    • bxp can provide reports stating what campaigns and data are retained.
  • State the physical location of the data
    • Easily done if the data is in bxp: it will be in our secure hosting facility in ParkWest in Dublin, Ireland.
  • State the primary function of, reasons for retention and duration of retention of the data
    • This is an internal once-off exercise for each source of data.
    • bxp allows eCourses which permit procedure manuals to be easily built and updated. Audit trails of access and updates make this easy to manage.
  • State how access control to that data is maintained
    • bxp provides the "System Access Management" (SAM) module to control user access to functions and content. Please review X for more details on this.
    • SAM also provides the audit trail reports.
  • State how security is managed on that data
    • Storing the data in bxp removes the need for you to store data locally.
    • bxp provides secure storage. Please review X for more details on our facilities and approaches to security of your data.
  • Appoint a person internal to the organisation to be responsible for data protection matters (DPO : Data Protection Officer)
  • Ensure the DPO is trained formally according to jurisdictional laws and on an ongoing basis
    • All n One are familiar with numerous organisations capable of providing proper support and would be happy to discuss your needs with you.
  • Enable a clear request mechanism of the DPO for internal and external queries with a Service Level Agreement on responding to queries
    • bxp provides a number of data capture, ticket management and case management tools which can be linked to forms, external websites and email boxes.
  • Have an organisation statement on data retention and management, which is recognised by all staff and suppliers interacting with the data
    • The "Information Centre" module allows you to post notices on the equivalent of an internal noticeboard and track who has confirmed reading the message.
    • The "eCourse" module allows for training courses to be built internally and provided to staff. The "Testing Centre" module allows for confirmation of the learning.
  • Have operational policies and procedures on how the data is managed
    • "eCourse" will allow for documentation of policy and procedures, and will audit access by staff to ensure reading and retention.
    • The "MetaData" module allows for procedures to be built to clean and tidy data. When tied into the scheduling engine of bxp, data protection processes can be automated.
  • Have quality control checks to ensure policies are being followed
    • bxp has a "Quality Assurance" module which allows for Quality Control forms to be built, used and reported on.


bxp has the ability to retain all data and will provide an audit trail of all interactions with that data. Control of the data can be easily managed if it is centralised. Spreadsheets are easily loaded into bxp, removing the risk from data stored on desktops, keys and other non-secure data storage media.


5 Tool for Data Protection automation