Data Protection and Data Retention

bxp software (bxp) makes it easy for you to retain data securely and have it accessible through the Internet. It is, however, important to always remember that if you are storing information about a person (customer or potential customer, member, staff, student, patient), what data you're storing and why you're storing it fall under Data Protection, and you (not All n One) have to ensure you are compliant with local Data Protection laws.

That said, All n One and bxp can help greatly with your management responsibilities.


1 Summary Document Links

This section is for handy location of supporting documentation used throughout this article.

  • Data Protection Guidelines from the Irish Data Protection Commissioner - [1]
  • Whitepaper : Data Protection Compliance for bxp software clients - Whitepapers
  • Learning : CC-2-1 Security and Custom Interface configuration - Contact_Centre_Training


2 Understanding the law

Firstly you must understand your responsibilities under the law. The Data Protection Commissioner or equivalent for your country will help your understanding.


Ireland is one of the leading countries in setting data protection law. All n One is an Irish company with all of its operations and infrastructure based in Ireland. For location reasons we must be compliant with Irish law and as an organisation we want to comply with the strongest legislation available.


Within Irish law, a company who "owns" the data is called a Data Controller. Companies who store data and / or provide CRM capabilities are called Data Processors. All n One and bxp are Data Processors. bxp clients are Data Controllers.


All n One have written and supply an advisory document to outline where responsibilities lie.


All n One advise you to register your organisation with your local data protection commissioner.


Here are All n One's public registration details: https://www.dataprotection.ie/viewdoc.asp?fn=/documents/register/display.asp?ID=8759%2FA


3 Data Retention

All n One will never supply data to anyone who is not their client. System Champions are primary contacts for security gate keeping practices as well as organisational clarity and support. If a client needs to retrieve data from the system it is available through a number of reports, lookups / search facilities and data export tools, all of which have audit histories.


How long you retain data varies greatly with requirement. You will need to establish for your organisation how long you can retain data. It will be important to differentiate between active customers, former customers and prospect customers. Active, former and prospect can also be applied to any synonym for a person: member, staff, patient, student.


The easiest way to find out what your obligations are is to get in touch with your local data protection commissioner, who can advise you. Alternatively, you can contact data protection lawyers or data protection specialist consultants, though they will probably charge for their services.


As a result of those conversations you will need to develop a "data protection policy" for your organisation. This will spell out your data retention requirements.


As a best practice, it should:

  • Identify all sources of person data and be updated regularly (circa monthly)
  • State the physical location of the data
  • State the primary function of, reasons for retention and duration of retention of the data
  • State how access control to that data is maintained
  • State how security is managed on that data
  • Appoint a person internal to the organisation to be responsible for data protection matters (DPO : Data Protection Officer)
  • Ensure the DPO is trained formally according to jurisdictional laws and on an ongoing basis
  • Enable a clear request mechanism of the DPO for internal and external queries with a Service Level Agreement on responding to queries
  • Have an organisation statement on data retention and management, which is recognised by all staff and suppliers interacting with the data
  • Have operational policies and procedures on how the data is managed
  • Have quality control checks to ensure policies are being followed


4 The use of data and Marketing Permissions

Storing data requires management of the data. The simple question always boils down to "what do you want to do with the data".


Customer data of active customers is perfectly legitimate to retain. Just focus on what constitutes "active".

Data of former customers will have a retention period applied. Local law will dictate what is required and where.

Potential customers may ask for their data to be removed but there is no pressure on the organisation to remove data.


The primary use of retained data only becomes an issue when marketing or communications are to be performed operationally, i.e. we want to do a mail shot / bulk text message. When this need arises, a special record of "Marketing Permissions" must be retained with the data. The person's agreement ("I agree to be communicated with") must be explicitly granted and the permission recorded. Marketing permissions are a separate area of law to data protection laws.

http://en.wikipedia.org/wiki/Permission_marketing

In Ireland, direct marketing also falls to the Data Protection Commissioner. http://www.dataprotection.ie/docs/DIRECT-MARKETING-A-GENERAL-GUIDE-FOR-DATA-CONTROLLERS/905.htm


The basic rule that applies to direct marketing is that you need the consent of the individual to use their personal data for direct marketing purposes. As a minimum, an individual must be given a right to refuse such use of their personal data both at the time the data is collected (an "opt-out") and, in the case of direct marketing by electronic means, on every subsequent marketing message. The "opt-out" right must be free of charge. You must also make clear who you are and where you obtained the individual's personal data (where this is not obvious).


  • Active person - may be communicated freely with, if in relation to provision of the product or service.
  • Former person - may be communicated with, providing clear option of "opt-out"
  • Potential person - must be told up front about communication, with an explicit "opt-in" option. The default position must be considered to be "opting out".


If you have existing data that was captured when marketing permissions weren't required, e.g. in Ireland before 1990, explicit marketing permissions will need to be sought.


For former and potential persons, separate permissions must be sought for:

  • By Post
  • By Phone
  • By Email
  • By SMS


It is considered a courtesy to give current persons the option of how they would like to be communicated with at the start of the relationship, with the option to change during the relationship.


Currently social media allows for the person to block the organisation, so explicit social media permissions are not currently sought (as of July 2014).


For example: I have a bunch of mobile numbers and I'd like to text them all. You must first categorise them, ensure you have permission and then carefully word the message to allow opt-out. Failure to do so can result in a fine of €3,000 per contact, up to a maximum fine of €100,000.


Summary proceedings for an offence under the Data Protection Act may be brought and prosecuted by the Data Protection Commissioner. Under section 31 of the Acts, the maximum fine on summary conviction of such an offence is set at €3,000. On convictions on indictment, the maximum penalty is a fine of €100,000. http://www.dataprotection.ie/docs/Offences_and_Penalties_under_the_Data_Protection_Act/97.htm


This law is actively upheld. http://www.irishexaminer.com/ireland/phone-companies-fined-for-unsolicited-calls-and-texts-251440.html


5 Best practice approaches

All n One suggest that all person data be stored in bxp. Using the previous guidelines, here is how bxp can help.

  • Identify all sources of person data and be updated regularly (circa monthly)
    • bxp can provide reports stating what campaigns and data are retained.
  • State the physical location of the data
    • Easily done if the data is in bxp, it will be in our secure hosting facility in ParkWest in Dublin, Ireland.
  • State the primary function of, reasons for retention and duration of retention of the data
    • This is an internal once off exercise for each source of data.
    • bxp allows eCourses which permit procedure manuals to be easily built and updated. Audit trails of access and updates make this easy to manage.
  • State how access control to that data is maintained
    • bxp provides the "System Access Management" (SAM) module to control user access to functions and content. Please review our training document CC-2-1 Security and Custom Interface configuration on the page Contact_Centre_Training for more details on this.
    • SAM also provides the audit trail reports.
  • State how security is managed on that data
    • If stored in bxp that removes the need for you to store data locally.
    • bxp provides secure storage. Please review our white paper on Data Protection Compliance in our Whitepapers section for more details on our facilities and approaches to security of your data.
  • Appoint a person internal to the organisation to be responsible for data protection matters (DPO: Data Protection Officer)
  • Ensure the DPO is trained formally according to jurisdictional laws and on an ongoing basis
    • All n One are familiar with numerous organisations capable of providing proper support and would be happy to discuss your needs with you.
  • Enable a clear request mechanism of the DPO for internal and external queries with a Service Level Agreement on responding to queries
    • bxp provides a number of data capture, ticket management and case management tools which can be linked to forms, external websites and email boxes.
  • Have an organisation statement on data retention and management, which is recognised by all staff and suppliers interacting with the data
    • The "Information Centre" module allows you to post notices on the equivalent of an internal noticeboard and track who has confirmed reading the message.
    • The "eCourse" module allows for training courses to be built internally, and then provided to staff. The "Testing Centre" module allows for confirmation of the learning.
  • Have operational policies and procedures on how the data is managed
    • "eCourse" will allow for documentation of policy and procedures and audit access by staff to ensure reading and retention
    • The "MetaData" module allows for procedures to be built to clean and tidy data. When tied into the scheduling engine of bxp the data protection process can be automated.
  • Have quality control checks to ensure policies are being followed
    • bxp has a "Quality Assurance" module which allows for Quality Control forms to be built, used and reported on.


bxp has the ability to retain all data and provides an audit trail of all interactions with that data. Control of the data can be easily managed if it is centralised. Spreadsheets are easily loaded into bxp, removing risk from data stored on desktops, keys and other non-secure data storage media.


6 Tools for Data Protection automation

There are a number of tools in bxp which provide you with convenient options.


6.1 Form Deletion [On demand]

If you delete the data then you don't have to worry about it.

Main Menu > Form - Form and Data Deletion > Form Deletion - Delete (All Form and Data) > Choose the form

This is a permanent and irreversible action from the user side of bxp.

All n One maintain backups for 6 months, so it is possible for All n One to restore a form given an explicit charged request. This work takes 1 hour to restore your form.


6.2 Form Retirement [On demand]

Deletion is extreme. For tidiness it is possible to retire forms, rather than delete them. Retired forms can be restored later.

Main Menu > Form - Form and Data Deletion > Form Deletion - Form Retire > Choose the form

and conversely

Main Menu > Form - Form and Data Deletion > Form Deletion - Form Restore > Choose the form

More information can be found on the page Form_Retire_and_Restore.


6.3 Grouped Data Deletion [On demand]

If it is possible to identify groups of data within a form, then these groups can be deleted.

Main Menu > Form - Form and Data Deletion > Data Deletion - Grouped Data > Choose the form > Choose your criteria > Confirm the deletion

If no flag is easily identifiable on the data in the form there is a process which can be applied.

  • Add a flag field to the form, usually a text box will suffice.
  • Run a report to Excel of all the potential data. Ensure that the CDA Id is one of the columns in the report.
  • In the Excel file, update the flag field with a code or word to group / categorise the data to be deleted.
  • Remove all of the columns except the CDA Id column and the Flag column.
  • Sort the Excel spreadsheet on the flag column and remove any rows of data that do not need to be flagged.
  • Perform a SMART update loading of that Excel spreadsheet into the form.
  • You can now perform the grouped deletion on all the records flagged.


6.4 Old Data Deletion [On demand]

It is possible to remove older records. Records where there has been no interaction in whatever desired period can be deleted from within a form.

Main Menu > Form - Form and Data Deletion > Data Deletion - Data Protection - Remove records older than selected data > Choose the form > Choose the date

So if no email, sms or any type of contact (i.e. a CCL record) has been stored within the selected time window, the record and all contact with it will be removed.
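
Because this deletion removes both the record and its contact history, it helps to review what the rule would select before running it. The following is an added example, not bxp code: it models the rule as worded above over an exported list of records and contacts. The object shapes (`cdaId`, `at`) are assumptions, the data is constructed, and treating a record with no contact at all as removable follows the wording of the rule rather than confirmed bxp behaviour.

```javascript
// Added example: dry run of the "no contact inside the window" rule.
// Record and contact shapes are assumptions; all sample data is constructed.

// records:  [{ cdaId }]                    one row per form record
// contacts: [{ cdaId, at: "YYYY-MM-DD" }]  one row per stored contact (CCL)
// cutoff:   "YYYY-MM-DD"; a record is kept only if it has a contact on or after it
function planOldDataDeletion(records, contacts, cutoff) {
  const cutoffMs = Date.parse(cutoff);
  if (Number.isNaN(cutoffMs)) throw new Error("cutoff is not a valid date");

  // Latest contact time and contact count per CDA Id.
  const latest = new Map();
  const counts = new Map();
  for (const c of contacts) {
    const t = Date.parse(c.at);
    if (Number.isNaN(t)) throw new Error(`bad contact date for CDA Id ${c.cdaId}`);
    counts.set(c.cdaId, (counts.get(c.cdaId) || 0) + 1);
    if (!latest.has(c.cdaId) || t > latest.get(c.cdaId)) latest.set(c.cdaId, t);
  }

  const remove = [];
  const keep = [];
  let contactsRemoved = 0;
  for (const r of records) {
    const last = latest.get(r.cdaId); // undefined when the record has no contact at all
    if (last !== undefined && last >= cutoffMs) {
      keep.push(r.cdaId);
    } else {
      remove.push(r.cdaId);
      contactsRemoved += counts.get(r.cdaId) || 0; // contact history goes with the record
    }
  }
  return { remove, keep, contactsRemoved };
}

// Constructed sample data.
const records = [{ cdaId: 101 }, { cdaId: 102 }, { cdaId: 103 }];
const contacts = [
  { cdaId: 101, at: "2013-02-10" },
  { cdaId: 101, at: "2014-06-01" },
  { cdaId: 102, at: "2013-01-15" },
  { cdaId: 102, at: "2013-03-20" },
];
console.log(planOldDataDeletion(records, contacts, "2014-01-01"));
```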


6.5 Grouped Data overwriting [On demand]

Using the same SMART update process as in "Grouped Data Deletion" above, it is possible to keep all of the columns of data and just overwrite your data with whatever values you enter / change in the spreadsheet.

  • Run a report to Excel of all the potential data. Ensure that the CDA Id is one of the columns in the report.
  • Modify any / all of the data as needed, except the CDA Id column.
  • Remove any rows of data that do not need to be updated.
  • Perform a SMART update loading of that Excel spreadsheet into the form.


6.6 Single Field wiping [On demand]

It is possible to easily wipe / replace the contents of one field for every record in a form.

Main Menu > Form - Data Cleaning > Mass Update - Single Field Update - All records > Choose the form > Choose the field and enter the replacement contents


6.7 Data manipulation via Outcomes [Real-time]

With every outcome used in a form it is possible to modify data.

Main Menu > Form Management > Form - Outcome Manager > Outcome - Add > Choose the form > Data Management

The MetaData module allows for custom data manipulation routines to be built. These could be likened to macros in an Excel Spreadsheet. The rules can be built to perform any manner of data removal, modification or translation required.

This work is done server side, after the data is stored in bxp.


6.8 Data manipulation via JavaScript [Real-time]

Unlike "Data manipulation via Outcomes", JavaScript can be used in the client browser to manipulate data before it is ever sent to bxp. This level of manipulation usually allows for Credit Card details and the like to be wiped / modified before they are ever transmitted.

The JavaScript rules can be put in place at a form, field or outcome level.
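
As an illustration of the kind of rule described here, the following added example (not bxp code) masks card numbers in field values before they leave the browser. It checks each 13 to 19 digit candidate with the Luhn checksum so that order references and phone numbers are left alone. The field names are hypothetical, the sample values are constructed, and how such a function is attached at form, field or outcome level in bxp is not shown on this page.

```javascript
// Added example, not bxp code. Field names and sample values are constructed.

// Luhn checksum: true when the digit string is a plausible card number.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Candidate: 13-19 digits, optionally separated by single spaces or dashes.
const CARD_CANDIDATE = /\b\d(?:[ -]?\d){12,18}\b/g;

// Replace every Luhn-valid candidate with a mask that keeps the last four digits.
function maskCardNumbers(text) {
  return String(text).replace(CARD_CANDIDATE, (match) => {
    const digits = match.replace(/[ -]/g, "");
    if (!luhnValid(digits)) return match; // not a card number: leave untouched
    return "*".repeat(digits.length - 4) + digits.slice(-4);
  });
}

// Scrub a map of field name -> value; returns the cleaned copy and the names changed.
function scrubFields(fields) {
  const cleaned = {};
  const changed = [];
  for (const [name, value] of Object.entries(fields)) {
    const out = typeof value === "string" ? maskCardNumbers(value) : value;
    if (out !== value) changed.push(name);
    cleaned[name] = out;
  }
  return { cleaned, changed };
}

// Constructed sample: 4111 1111 1111 1111 is a widely used test card number.
const sample = {
  strNotes: "Customer read out 4111 1111 1111 1111 exp 12/30",
  strOrderRef: "1234567890123456",
  strPhone: "+353 1 555 0100",
};
console.log(scrubFields(sample));
```

Masking in the browser only covers data entered through that form's page; data arriving by other routes, such as a spreadsheet load, still needs a server-side rule like the Outcome data management described above.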


6.9 MetaData data manipulation [On demand or Scheduled]

Using the MetaData module it is possible to build a rule set to modify data which can be executed on a scheduled basis. For example: every day, wipe records that have not been interacted with in more than 6 months.


6.10 bxp Scheduling Engine Process [Scheduled]

It is possible for any form to have data wiping / record deleting capability applied on a scheduled basis. More details can be found on the page Form_-_Data_Protection_-_Scheduled.


7 Summary

All n One have been extremely careful to position the security and data protection compliance of bxp software in line with the strictest of laws and rules. All of our team are versed in Data Protection and its requirements. We would be happy to help you identify and navigate your data protection requirements and are completely confident that bxp software is a platform that can provide you with every tool required.