Procedures for the Professional, Ethical and legal use of CRM data

Creation Date: January 2008

Author: Janette Pallas

Department of origin: Commercial Partnerships

Approval Authority:

Date of Approval:

Effective Date:

1. PURPOSE AND SCOPE

DMU has a professional, ethical and legal responsibility to process data collected from contacts in a lawful and professional manner. The Data Protection Act, Communications Act and others offer the data subject an opportunity to opt-in or out of receiving marketing data or calls.

For more information about the Data Protection Act, see Appendix A, and ensure you are fully aware of the DMU Data Protection policy.

The Corporate Telephone Preference Service (CTPS) enables companies (of whatever size) to opt-out of receiving unsolicited telephone calls. See

The implementation of a CRM system simplifies the management and usage of marketing data. The following procedures should be followed to ensure that DMU are not exposed to legal action and also to ensure that our business contacts are not exposed to inappropriate or excessive marketing information.

Please note that through these guidelines, the use of DMU applies to subsidiary companies including DMEL.

2. GENERAL PRINCIPLES

a) When a contact has been made, e.g. at an exhibition or network event, and information is sent out, it is important that we ask permission of the contact to send out further marketing materials.

There are a number of different laws and regulations that may apply to (a). What they have in common is that where an individual or company has specifically requested some information, materials etc. from either the University or De Montfort Expertise Limited, then that individual or company’s details can be used to fulfil that person’s request by the legal entity to whom the request was made (individual name and contact details are in law personal data and that term is used to refer to such details in this document).

Any further use beyond fulfilling the request, such as marketing use, must be authorised in accordance with the relevant laws and regulations, and these regulations differ significantly depending on what type of communication is used. Failure to comply will expose the University to a potential claim for damages, enforcement action by the Information Commissioner or in some cases criminal liability. It is possible to come up with a standard wording which is broad, but in each case where contact information will be used in future for a specific purpose, thought should be given to whether in the circumstances the standard wording covers that purpose.

A positive indication of agreement to proposed uses of personal data when material or information is sent out is the best practice. It is therefore recommended that when a written communication is made responding to a contact or request, the following should be included in that communication:

Please tick here if you would like us to contact you with event updates and other information relating to De Montfort University and subsidiary companies’ activities which may be of interest to you:

  • electronic means □
  • post □
  • telephone □

In a letter or fax, further wording should be included asking the recipient of the letter or fax to return a signed version of the letter with ticked box to the University. In an email a reply confirming agreement would suffice. This should be noted as an activity against the contact on the CRM system with their contact preferences updated.

It should be noted that personal data collected by DMEL cannot be used by DMU and vice versa unless the individual concerned is made aware of this. The standard wording above covers this if the subsidiary company statement is included.

If information is imparted by telephone, it is possible to obtain oral consent to the sending of further marketing materials which may be of interest. However, oral consent presents significant evidential difficulties in the event of a dispute regarding whether an individual consented and therefore ideally should be avoided, though it should be recorded as an activity on the CRM system.

If information is imparted by email or SMS or by a new technology that is a form of electronic communication via a public communications network, the email or SMS or new technology message must include a valid opt-out address where the individual recipient can opt out of further University marketing communications. An “UNSUBSCRIBE” option should always be offered, and the CRM system contact preferences changed immediately on receipt of this message.

Someone who has provided consent by any means can at any time withdraw consent and thereafter no further communications can be sent. The CRM system should be updated as soon as a contact withdraws consent.

b) Sensitive data

In certain instances such as funded projects, it may be necessary to collect sensitive personal data as defined under the Data Protection Act 1998. In simple terms, sensitive personal data is data which identifies a living individual and which comprises information as to—

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the [1992 c. 52.] Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

The University should also be aware that once personal data is collected it must be used and stored in accordance with the data protection principles under the Data Protection Act 1998.

If the data is to be shared with other project partners, then this information must be made clear to the data subject in any means of data collection that are used (e.g. forms, letters).

c) Sending SMS messages to remind people of event attendance that they have already booked on to.

The sending of such SMS messages in the circumstances of (c) does not require further permission because the SMS messages are being sent for the purpose for which the personal data has been provided to the University. It would be reasonable for attendees at an event to expect they will receive reminders from the University to attend the event.

d) Pro-active marketing - when you have obtained data by researching documentation or through bought-in databases.

In this case, the data will be loaded onto the CRM as leads and any marketing materials sent out will be recorded as an activity. If personal research has provided the data, then the first mail shot should contain a statement such as in (a) requesting permission and preferences to enable further materials to be sent.

On receipt of this permission, the lead should be converted to a contact on the CRM system and the permission recorded as an activity along with contact preferences.

Bought-in databases

The use of bought-in databases can be problematic: if prior consent has not been given by any individuals listed on such a database, or the consent given was too narrow, or if individuals have withdrawn consent prior to purchase, sending a communication asking for consent will itself be unlawful. The older a mailing list, the less likely individual consents will still be valid.

An example of the sort of consent an individual on a mailing list would have to provide to the compiler of the mailing list to allow the University to use individual details on such a mailing list is as follows:

“We would like to pass your details on to other organisations so that they can tell you about their activities and services. If you agree with this, please tick here”

It is prudent for the purchaser of a mailing list to require a warranty from the seller that the names on the list were collected lawfully and have not opted out or withdrawn consent prior to purchase of the list.

If the individuals on a mailing list have provided adequate consent, then the University may send information about its activities without obtaining further consent.

e) Corporate Telephone Preference Service

The CTPS allows a corporate subscriber to opt out of receiving unsolicited telephone marketing calls.

A corporate subscriber includes corporate bodies such as a limited company in the UK, a limited liability partnership in England, Wales and Northern Ireland or any partnership in Scotland. It also includes schools, government departments and agencies, hospitals, PLCs and other public bodies.

A body considering making an unsolicited telephone marketing call to a corporate subscriber needs to check the Corporate Telephone Preference Service list. If the Corporate Telephone Preference Service contains the number to be dialled, the call cannot lawfully be made.

Further information is available from the following site:

If a corporate subscriber has provided prior permission to the University to make calls, then the call is “solicited” and there is no need to check the CTPS.

DMU are currently investigating bureau services for cleansing the full database. In the interim period, if you wish to make unsolicited phone calls, please purchase a number of credits to check the phone numbers that you wish to use (a number of bureaux are available on the above site).

Appendix A

The Data Protection Act

What this means to you and the University

These notes provide a general introduction to the institution's responsibilities and those of employees and others who work within the De Montfort University environment. Separate advice has been generated for students. Staff will want to handle data in an ethical way and the Act provides a framework for reaching this objective.

To ensure the University meets its obligations under the Act the organisation provides information, a training environment and processes and sources for advice and assistance.

Staff should ensure that they are aware of University policy in this area and of the sources for further advice. Information relating to the DPA 1998, training materials, and sources of information are published on the University Intranet to which all students and staff have access. The Intranet site covers background to the Act, information and advice on areas of particular concern to the functions of the University, general information and processes.

The Act is designed to protect the personal data of living individuals.

The Act requires that all organisations:

  • Process personal information fairly
  • Process for only the purposes stated at the time of data capture
  • Ensure that data collected is adequate, relevant and not excessive
  • Ensure that information is accurate and up to date as necessary
  • Ensure that it is stored for defined periods and is disposed of in an appropriate manner
  • Ensure that data subjects are fully informed of the organisation's purposes for collecting and processing information about them, make personal data available to the data subjects themselves, and provide for correction of data if it is wrong
  • Ensure that data is held securely
  • Stop personal information being exported to countries that do not treat personal information appropriately

Sources of more detailed information, advice mechanisms, processes and training are provided at the end of this document but there are some key points that staff should always keep in mind when dealing with personal data.

You should:

  • Follow any Data Protection guidelines provided by the organisation and refer to these first if you are in any doubt about processing personal data
  • Refer any matters still in doubt to the data coordinator. (Referred to on this sheet).
  • Take care not to let personal information become available to anyone who may not be authorised to have it
  • Only access and process personal information to the extent required to undertake your job and no more.
  • Respond immediately to requests for information from the data coordinator.
  • Ensure that electronic data is regularly backed up and that other forms of stored data, such as data in paper form, are protected from destruction, corruption, loss or theft. Disaster recovery plans should be in place.
  • Take special care if you remove personal data from the University to work on; that it is for business purposes, is kept secure and that unauthorised persons have no access to it.
  • Have up to date virus scanners on systems carrying personal data, in compliance with University guidelines.
  • Take special care when handling references, examination scripts and examination results that the full implications of the Act are understood.
  • Take special care that sensitive information you may hold such as ethnicity, religious beliefs, disabilities and trade union membership are only passed to those who it is clear need to know and have authority to receive this type of information.

You should not:

  • Pass on personal information about a student or member of staff to anyone without checking with the individual unless this is part of an established process to support University processes.
  • Respond to telephone enquiries requesting personal data unless you are sure the requester is authorised to receive the information. At the very least you should telephone back to check the identity of the inquirer.
  • Respond to any query concerning data protection without first checking that you are certain of the processes that should be followed.
  • Give access to personal data to maintenance and support engineers or visitors from outside the University. They must not take copies of personal data or remove data from the premises.
  • Dispose of any personal data without first ensuring that the University guidelines on disposal of data are being complied with.
  • Export personal data outside the European Economic Area without checking the University policy and if necessary obtaining consent from the data subject.
  • Put anything about another person on a World Wide Web page without consulting them and getting clearance.

Further information

The Data coordinator is the Director of Information Services and Systems.

Go to the ISAS area of the Intranet, select Services for staff; Data protection.

Intranet: The site includes: The University data protection policy, The University Data Protection Notification, Data protection information for members of De Montfort University, A list of the main University Data Owners, Data protection processes in place, Quick guides to data protection - training materials.

Self Learning programme: There is a self-paced guide to the Data Protection Act on the University virtual learning system, Blackboard. See the Intranet Data Protection site front page for details on how to log onto this.

Staff should ensure that they follow guidelines provided and that they do nothing that may jeopardize the University's position or that could lead to loss of reputation or prosecution. If a member of staff believes that they detect any non-compliance they should report this to the responsible person in their department/faculty. A list of such staff is available on the Intranet.

ISAS October 2007.