The University’s Dynamics Online CRM system is governed by the CRM Acceptable Use Policy and access to the system is conditional upon adherence to this policy. This Acceptable Use Policy is available to download as part of the full CRM guidance document on policies, procedures and principles of engagement.
The Dynamics Online CRM system contains personal data relating to the University’s business and industry contacts, alumni, friends and donors. In signing up for access to Dynamics Online, users agree to abide by their responsibility to comply with the Data Protection Act 1998. The University’s Data Protection Policy, which describes the Data Protection Principles and how personal data should be handled and processed by University members, is available to consult here.
Data held on the CRM system may also be commercially sensitive and/or confidential. In signing up for access to Dynamics Online, users also agree to follow and regularly review the University’s best practice guidelines on information security, which can be viewed at the University’s Information Security pages. The three core principles of information security are:
- Confidentiality: ensuring that only those individuals who have a valid and authorised reason to access the information can do so.
- Integrity: ensuring that information is not altered, deleted or otherwise modified by individuals or processes unauthorised to do so.
- Availability: ensuring that the information can be accessed when it is required.
The purpose of this policy is to help University members understand their responsibilities with regard to data input and data editing, in the context of their obligations with regard to data protection and information security.
Acceptable Use of the System
All Dynamics Online licence holders are expected to abide by the following principles and parameters of acceptable use of the CRM system.
User Access Credentials
Following account creation, users will be able to gain access to the CRM system using their normal IT Services login and password. The University’s Information Security webpages contain guidance on the creation and management of passwords. Users should note that they should not divulge their password to anyone for any purpose and that it is their responsibility to create a strong password which meets the University’s minimum password standards.
Users are expected to ensure that their login credentials are kept secure and are not used to give access to non-authorised users.
Data Access Principles
- In signing up for access, all users commit to share with other University departments the customer data, intelligence and relationships that they hold or manage.
- As a general rule, all users will be able to access all data held on the CRM system, except under certain specified exceptions (e.g. sensitive personal data such as financial details; details of IP which are commercial in confidence; where confidentiality agreements may require restrictions to data access, etc.). These exceptions will be handled by security settings and access permissions within the system. The system design that will be undertaken for each department will, however, incorporate specific form design and personalisation such that only relevant data is displayed to each department.
- All users will be able to enter new and amend existing records, and be able to create and edit all data held in standard entity fields.
- Only system administrators will be able to delete records.
- All users must have received full training on the CRM system before full access will be given.
- All users must maintain the confidentiality of data and information stored on the CRM system. No data should be disclosed to individuals without a valid and authorised reason to have this data. Dynamics Online licence holders have a responsibility to ensure that any individuals or organisations which are given access to data held on the CRM system are aware of their obligations to protect the information and, if applicable, to process it in line with any University policies or stipulated conditions of access (see also section below on disclosure of personal data).
- No untargeted and/or unauthorised mass mails, either postal or electronic, should be made from the CRM system.
- Organisational and individual contact records are as a general rule owned by the University, although individual relationships with contacts will continue to be managed and stewarded by individual members of staff.
- The CRM system holds data on a number of organisations which the University or departments have identified as being of strategic importance. These strategic accounts are flagged on the system and any communication with the contacts associated with these accounts must be routed through the relevant strategic account manager so that a coordinated approach to engagement can be taken.
- Users will endeavour to engage with contacts on the CRM system in a consistent way and in coordination with other users. This applies to all accounts, not just the strategic accounts described above.
Data Input, Editing and Extracting
- A number of processes are being implemented to ensure the integrity of master data (e.g. organisational records) within the CRM system. These will incorporate both proactive measures to reduce the occurrence of master data issues at the point of data creation (e.g. duplicate detection rules which will, for example, present users with drop-down lists of master data values and display a warning if they are likely to be creating a duplicate value), as well as reactive measures to cleanse data after it has been entered into the system, which will include the daily review of new and existing data. Notwithstanding these measures, all users will have a role to play in ensuring data integrity within the system.
- In order to ensure that the CRM system is able to fulfil its purpose, all users will:
  - Actively and regularly input and update data so that information relating to the organisations and individuals held within the CRM system is kept current.
  - Ensure that all activities/opportunities/projects undertaken with an individual/organisation are entered onto the system.
  - Complete all mandatory fields and as many fields as possible.
  - Enable the tracking of emails, tasks and appointments in Dynamics CRM.
- All data entered on the system must be from a reliable source, relevant to the individual or organisation with whom the data is associated, timely and entered correctly to the best ability of the user.
- Processes for querying, extracting and analysing data held within Dynamics CRM will be developed in consultation with departments as part of the CRM project.
- Personal data on the CRM system should only be used for the purposes to which the individual has consented. All data held on the system relating to the University’s alumni and friends (as currently held on the Raiser’s Edge database) is covered by the DARO data protection statement.
- Personal data should only be disclosed to individuals or organisations with a valid and authorised reason to have this data. Licence holders have a responsibility to ensure that any individuals or organisations which are given such access are aware of their obligations to protect the information and to process it in line with University policies. This includes any third parties who may provide consultancy, system support or data processing services on behalf of the University, for whom a legal data sharing agreement or other contract with appropriate confidentiality and indemnity clauses should be in place.
- All users should note that under the Data Protection Act, individuals are able to make requests to the University to gain access to their personal data. This includes any information held on the CRM system that may relate to “any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual” (see http://ico.org.uk/for_organisations/data_protection/the_guide/key_definitions#para32). Whilst it is recognised that this kind of information can be invaluable in the context of CRM, care should be taken to record any such information in an objective, neutral and factual manner.