
Right to be forgotten in Service Manager


Jeremy


We have been asked what happens in regards to this and more generally about the GDPR provisions that are in place in Service Manager.

We have a lot of students, both current, alumni and prospective students, that we deal with, and we have to remove all references to students if they do not become students, but they may have requests in the system that need to be removed. Obviously the request number can stay, but we are wondering how we go about removing the data from the requests.

Also we have obligations to remove any data about the students 6 years after they leave our institution unless it is regarding their marks, transcripts etc., so again we need to have a robust plan of how we can deal with the data that is in Service Manager that is relating to these people.

Would it be possible to arrange a chat with someone or if someone could let us know how this process works in Service Manager?


Jeremy
Thanks for the post. We are putting together a doc on GDPR and managing requests in Hornbill, but as you can imagine every customer, depending on their business, is different, and as we are not the data controller we do not have visibility of what people store and where, so can only talk in generics. One thing that would be required as a first step is that you have a Policy in place for GDPR and PII which covers where you store PII and in what form. This should list all the fields\application areas where you permit your analysts or customers to store PII, the assessment of this against the 3 criteria and how you enforce this (this should exist regardless of whether the data is in Hornbill or not):
 

  1. Purpose test: are you pursuing a legitimate interest?
  2. Necessity test: is the processing necessary for that purpose?
  3. Balancing test: do the individual’s interests override the legitimate interest?


Once you have that, you then know what is valid to keep regardless of any request (it may be that keeping details of Requests and the user is a legitimate business reason to provide "audit trail" etc later on as long as the information is minimised) and only then can you decide on what needs to be removed\kept. But this is all depending on what you store and why.

Then you\we can look at how to comply with the request, for example, deleting the emails (may be safe to assume that emails on their own and not associated to calls have no purpose), removing calls (some calls may not be required, others may be required for future audit or evidence) or replacing PII (for example, it may be that if you store FirstName Surname you can get away with replacing this with FirstName, as that may not identify an individual, or with just the generic word USER), and the document will explain how to find all emails, posts, calls for a given user, how to delete bulk emails for a given user, how to delete a set of calls etc.


The guide\document we are producing should help with the later stages but the fundamentals of process and how you manage\decide what PII to keep in the first instance is internal to your organisation and that's where any process must start (it's far easier to manage GDPR if you don't store PII {or just the bare minimum} and for that you need policies in place, awareness training conducted and enforced to prevent analysts from adding it).

Will post the document as soon as it's ready.

Kind Regards

Keith Stevenson


@Keith Stevenson we keep track of what information is where in the system, e.g. custom fields etc. Our 'concern' is how we cleanse these records in Service Manager.

Are Hornbill producing a tool to allow us to input a name or reference number to remove all/certain fields or to blank out names, or is this something that we would have to develop ourselves via the API to look up a request and then overwrite the relevant bits in the requests?


Jeremy,
Thanks for the reply. Finding the information will be via reports (which will give a list of IDs, references). Deletion will be done (and can be for Calls) via the Hornbill Clean Utility already available, which we should be able to expand to include emails. The harder bit is the find\replace (on Custom fields or Diary entries) and we are looking at the best solution. Will post back soon.

Kind Regards

Keith Stevenson 

