The notepad functionality within GoldSTAR has long been seen as a powerful method of helping customer-facing staff get the information they need at their fingertips. Whether this is to inform the customer that you've retrieved their lost property, a reminder to check the customer's details or a note of some interaction with customer services, notepads ensure that customer communication is the same across all your touch points. Maybe you use warning notepads - these are popped up 'in the face' of the GoldSTAR user, and require confirmation before they disappear. These are used to disseminate critical news about this customer.
Notepads allow completely free entry of text, so your users have maximum flexibility in the commentary they add. Like all GoldSTAR data, notepads are securely stored and delivered to your users - but what guidelines should you give to the people who are creating the notepads to ensure that you adhere to the GDPR principles, recording and storing only necessary data and making it available only to those who need to use it?
Firstly, it's handy to remember that there are two levels of notepad - general, which can be read by any authorised user of the system; and restricted, which can only be seen by users with the correct level of authority set in their profile. Consider using restricted notepads for information that's only needed by a certain number of users.
Before creating a notepad against a customer, the user should think about the following:
If the answer to either of these is 'No', then the notepad function may not be the best way to share the knowledge.
It's also important to keep the details shared to a minimum. If you want the customer to be referred to customer services, the notepad only needs to state that, not the reason behind it. This is particularly true if that reason is sensitive or likely to cause embarrassment. There is no need to say "This person is suspected of fraud and is being investigated by revenue protection, check his photocard and any credit card details carefully" if the action is only "Please ensure that a valid payment card is used and check ID".
When writing notepads, we recommend that users are advised never to include any special category data, which the Information Commissioner's Office describes as:
For example: "Her girlfriend called to ask if we can advise her that she's left her passport at home" could be better expressed as "Her partner called to ask if we can advise her that she's left her passport at home".
It's also tempting to think of notepads, and indeed all the GoldSTAR data, as being an internal system that's only used by your own organisation. However, authors of notepads should consider that this data would be covered in a Subject Access Request and would automatically be included in a SAR report from GoldSTAR. Notepads should never contain the personal opinion of the author or anyone else unless you are absolutely happy for the data subject to see that opinion. How would you view a comment such as "The ticket office said this bloke was being really bolshy when he reported he'd lost his glasses"?
In addition, it is very important not to enter any financial data, such as credit card details, into a notepad.
Finally, every notepad must be given an expiry date - this should be as soon as practical to avoid having the data shown for longer than may be necessary but allow it to be seen and acted on by the right people. If you're using the archiving module, you can set an archive date, too.
No! Notepads are quick and easy, and a very useful way to get customer-related particulars across to the people who need to know. They serve a valid business purpose, and can be useful in providing excellent service to the customer. You only need to be confident that they are being used by the right people, for the right purpose.
We're not GDPR experts but we do want to help you get the best out of your GoldSTAR system. Our strong recommendation is that you take a look at how you use the notepad function, and draw up some guidelines to be published to GoldSTAR users. Frame the guidelines around the Data Protection Principles:
and get your Data Protection Officer to sign them off.