SAR Process in CIS v19
1st Draft Consolidating Oral History
CS - Added additional sections on 2 key agencies. Sterling and Mosaic
CS – Updated 30/09/2020 as waiting for confirmation from Mosaic
Added ICO links to introduction.
Added contact details for Mosaic Response Handling (Membership/Donations)
Updating Contact Details and changes post 19r2 Upgrade
Updating Sterling Details
Updated engaging networks
Added Details for Mosaic Trading
(Purchases via the Online Shop)
Added Just Giving information
Aim is to document how to:
Put a contact beyond use in CIS, based on formal request from Information Governance.
Lock down details from daily visibility and prevent them from being picked up by database marketing for selections.
Identify additional teams to consult, e.g. Safeguarding, and teams who own specific relationships, e.g. Philanthropy.
It is assumed that all requests received will have an accompanying Redmine ticket from Information Governance to process the request.
Updating Contact Details in CIS (CareNG)
A status is the highest form of locking a contact down in CIS. This needs updating using the following steps:
If the status = DE for deceased, do not update.
If the status = REF for referral, do not update. Report back to Information Governance and Safeguarding for further advice. Do this via a meeting in the first instance.
If the contact has a status = ITMM for IT mismerged, do not update. Report back to Information Governance and Fundraising Compliance for further advice on the Redmine ticket.
If the status is NULL, or has a different status it must be updated to ITDQ for IT Data Quality. This will prevent the contact being selected for communications by the
Set the status reason to include the Redmine ticket number, e.g. http://camdukcppv01:8080/redmine/issues/98765
Contact Ownership Group and Department
An Ownership Group controls the read and view access levels given to users. An Ownership Group can have a principal Department, which gives higher levels of access to groups of users. The procedure for updating the contact is detailed below:
If the Department = RC for restricted contact, do not update. Report back to Information Governance and Safeguarding for further advice. Do this via a meeting in the first instance.
If the Department has any other value, update to GDPR, following guidelines provided by Advanced 365.
If the Ownership Group = SAF for safeguarding, do not update. Report back to Information Governance and Safeguarding for further advice. Do this via a meeting in the first instance.
If the Ownership Group has any other value, update to GDPR, following guidelines provided by Advanced 365.
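The status, Department and Ownership Group rules above can be checked together before any record is touched. The following is an added example, not part of the original procedure or of CIS itself: the function, field and type names are hypothetical, the codes are the ones listed above, and each field is evaluated on its own rule because the procedure does not state whether a hold on one field blocks updates to the others.

```python
# Added illustration; triage(), Decision and the field names are hypothetical.
# The codes (DE, REF, ITMM, ITDQ, RC, SAF, GDPR) are those in the procedure.
from dataclasses import dataclass, field

IG = "Information Governance"
SAFEGUARDING = "Safeguarding"
COMPLIANCE = "Fundraising Compliance"

# code -> teams to report back to (empty tuple = do not update, nothing to report)
STATUS_HOLDS = {"DE": (), "REF": (IG, SAFEGUARDING), "ITMM": (IG, COMPLIANCE)}
DEPARTMENT_HOLDS = {"RC": (IG, SAFEGUARDING)}
OWNERSHIP_HOLDS = {"SAF": (IG, SAFEGUARDING)}


@dataclass
class Decision:
    updates: dict = field(default_factory=dict)    # field name -> new value
    untouched: list = field(default_factory=list)  # fields that must not change
    report_to: list = field(default_factory=list)  # teams to consult first


def _apply(decision, name, current, holds, target):
    # Assumption: NULL/blank and lower-case input are normalised before matching.
    code = (current or "").strip().upper()
    if code in holds:
        decision.untouched.append(name)
        for team in holds[code]:
            if team not in decision.report_to:
                decision.report_to.append(team)
    elif code != target:
        decision.updates[name] = target


def triage(status, department, ownership_group):
    """Return which fields to update and which teams to consult beforehand."""
    d = Decision()
    _apply(d, "status", status, STATUS_HOLDS, "ITDQ")
    _apply(d, "department", department, DEPARTMENT_HOLDS, "GDPR")
    _apply(d, "ownership_group", ownership_group, OWNERSHIP_HOLDS, "GDPR")
    return d
```

A non-empty report_to list means the Redmine ticket should go back for advice before the remaining updates are made.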
Consent to be contacted needs to be removed for all channels, following the guidance produced post GDPR. This will prevent selection for any new unsolicited marketing.
Guidance can be found in CIS on any contact or in iknow.
Use the new telephone call function in CIS.
Source code to use is 0XSZAXX00, for CIS Admin.
Set the precis to include the Redmine ticket number, e.g. http://camdukcppv01:8080/redmine/issues/98765
Anonymizing the contact address is required to change how a contact is viewed on the CIS front screen.
If the contact has any positions linking them to an organisation group, this must be reported before making any updates. This includes Local Groups, Communities and Committees.
If the contact has any positions linking them to any other type of organisation, this must be ended using the leave function.
Add a new address with Address Line 1 = Unknown Address and Town = UNKNOWN, all other fields blank. Make this address the default and mailing communications address.
Make all other addresses historic.
If the contact has active declarations, these must be cancelled. As the address has been anonymised, it will not be possible to claim monies.
The appropriate manager in Business Support must be informed.
The cancellation reason to use is ITDQ, along with source code 0XSZAXX00, for CIS Admin.
Contact Networks and Paid for Benefits
All memberships of any networks that Diabetes UK promotes need updating.
Check for any current orders, be they membership or not. Cancel with a reason = RC for complaint.
Check mailing suppressions for older networks, opting contacts into them. If in doubt consult the CIS Product Expert.
Check contact categories for any networks or volunteering roles that need ending. Principal codes are BL, ECAM, NTDV, VT. If in doubt consult the CIS Product Expert.
Check Gift aid. Set cancelation reason = RC and use source code = 0XSZAXX00.
Contact Communications & Bronto
Very few date fields are configured on the communications table for the storing of phone numbers, email addresses. For each and every device you will need to do the following to put it beyond use.
Make a note of the amended_on date.
Update the device setting the valid_from = amended_on, up until -2 days from date of update.
Update the device setting the valid_to = -1 day from date of update.
Uncheck the box that says [] mail.
If there are any email addresses, make a note of them.
Check for email sharing. If there are any instances of the same email on another contact, report back to Information Governance.
Use the CIS login to Bronto and check if the email exists in Bronto and has not been marked as Unsubscribe.
If the email exists in Bronto, report to the Technical Architect in the Digital Team, part of the E&F directorate. They have the power to delete from that system.
If not already done so, update all activity/values in contact categories where the activity = BL. This is the code to opt the contact and their email addresses into Bronto Lists.
Contact External References
External references store 3rd party URNs, where data has been collected from.
Check for references which refer to universal fundraising platforms that all charities obtain data from, such as Everydayhero, JustGiving, VirginMoney.
Check for references that indicate that data is held at 3rd parties on our behalf. Check with Fundraising Compliance for the full list at time of processing. Examples include Mosaic for fulfillment & trading, Shopify for trading, Sterling for gambling products, Aerian for learning zone.
Check for other internal systems that may prevent anonymizing. At time of writing, all references relating to FirstClass, the legacy administration database, are relevant.
Report back any references that raise concerns/questions to Information Governance. If in doubt consult the CIS Product Expert.
Contacting external suppliers
Recommendations to be added by Clive Sherman
Sterling (Raffle and Lottery Supplier)
Sterling require a formal document completing.
Extract all relevant external references from CIS. For Raffle we code the name of the Raffle to the Reference; for a raffle customer, remove the details before the _ and the _ itself so you only have numeric data left. For weekly Lottery we do add anything to the Reference.
Inform the Senior Supporter Acquisition/Development Manager in the Individual Giving team via email, cc the Fundraising Compliance Manager in Business Support. Send the Surname and the Sterling Membership ID number.
The Senior Supporter Development Manager will contact the Supplier and feedback.
Mosaic (Membership, Donation supplier and Fulfillment House)
Mosaic usually require the contact number and also the postcode to check they have the correct person before anonymizing.
Contact the current Mosaic contacts, give them the required information and ask them to anonymize the data on their systems.
Inform the mobilisation manager in Operations via email.
They can then delete based on the external reference and the email address provided
Current contacts as at 20/10/2020 are
Current contacts 26/04/2021: Go via Supplier Management internal contact, Niall Durdin
Supporters have a relationship with JustGiving; each time they fundraise for Diabetes UK they can commit to future contact with the charity.
The consent method has not been reviewed since 2014. If a supporter ticks yes, then email consent is added to CIS (old method via a suppression of EOI). If they tick no, then a global unsubscribe from all marketing is added to CIS (old method via a suppression of DPA).
No way of deleting the data held in diabetesdwh.justgiving.dbo.dl_pages. Currently stores all fundraising pages ever.
Appendix 1 – Standard Redmine Text
I have followed the standard process we were given by the vendor and method developed by Information Systems Management Team.
Ownership Group = GDPR
Department = GDPR
I have removed all consent, to all channels.
I have added a new postal address = "UNKNOWN"
I have made the as is address historic.
Then any other details as appropriate.
Appendix 2 – Screenshot some examples in a test fashion