Personal information and data security

Personal information and data security (also referred to as data protection) is the relationship between the collection and dissemination of data, the public expectation of privacy, the technology used, and the legal issues surrounding them.

Download the white paper

Personal information and data security exist wherever personally identifiable information is collected, stored, used, and deleted, whether in digital form or otherwise.

The laws and regulations are constantly changing, so the challenge is to utilise data while still respecting the individual's privacy preferences and protecting personally identifiable information. Below, we outline the various controls that CyTrack have implemented to help ensure compliance with personal information and data security laws and regulations.


Collecting and protecting personally identifiable information

Privacy issues often stem from nonexistent or improper disclosure control and may arise in response to information collected from a wide range of sources, such as:

  • Web browsing behaviour or user preferences using persistent cookies
  • Healthcare records
  • Location-based service
  • Financial institutions and transactions
  • Privacy breach
  • Biological traits, such as genetic material
  • Residence & geographic records
  • Criminal justice investigations and proceedings
  • Academic research

CyTrack software and personal data

In CyTrack's products, personal data is stored primarily for improving customer experience through the review of statistics on performance. Data is collected for the purpose of delivering required functions of an omni-channel contact centre, including but not limited to:

  • Identification of customers (achieved by matching Caller ID to integration to customer CRM) for advanced customers services
  • Telephone numbers for creating outbound telemarketing campaigns
  • Identification of customers when in a Web Chat (by asking for email address and name) and optional storage of chat transcript after end of communication
  • Storage and retrieval of voice (and optionally screen) recordings for customer voice signature contracts and quality management of calls
  • Communication by SMS and content of the text flow
  • Twitter social media integration providing telephone callback to the Twitter user generates collection of the users screen name, full name, the id of the tweet, and the text flow of the tweet
  • Reporting of the call centre performance in both real time and historic form
  • Customer satisfaction surveys

EU General Data Protection Regulation (GDPR)

GDPR is enforceable from 25 May 2018 and replaces the 1995 Data Protection Directive.

The General Data Protection Regulation is a regulation in EU law on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the EU.


The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

What types of data does the GDPR protect?

  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

Personal data must be portable from one company to another, and companies must erase personal data upon request. That last item is also known as 'the right to be forgotten'.

Companies must report data breaches to supervisory authorities and individuals affected by a breach within 72 hours of when the breach was detected.

Performing impact assessments is another requirement, intended to help mitigate the risk of breaches by identifying vulnerabilities and how to address them.

Protecting data in motion

HTTPS

HTTPS is an internet communication protocol that protects the integrity and confidentiality of data between the CyTrack Web Client and the CyTrack Web Server. Personal information such as credit card numbers are encrypted and cannot be intercepted. HTTPS provides three key layers of protection:

  1. Encryption – encrypting the data during transport to keep it secure from anyone listening to the network traffic
  2. Data integrity – data cannot be changed or corrupted during transfer
  3. Authentication – proves that communication between the web client and the web server is intended and protects against altered communication from attacks

HTTPS is supported by all CyTrack web clients including CyDesk, CyReport, CyCoach and Security Manager.

TLS/SSL

The same security layer is used between the CyTrack applications and the Database Server. Communications are enhanced by using TLS (Transport Layer Security) which provides the following benefits:

  1. Encryption – encrypting the data during transport to keep is secure from anyone listening to the network traffic.
  2. Data integrity – data cannot be changed or corrupted during transfer.
  3. Authentication – proves that communication between the applications and the database server is intended and protects against altered communication from attacks.

HTTPS is supported by all CyTrack web clients including CyDesk, CyReport, CyCoach and Security Manager.

XML encryption

CyTrack encrypts personal information being transmitted between CyTrack Windows desktop applications running outside the web browser. This secures data in motion that has been classified as personal information.

Protecting data at rest

SQL Server Windows Authentication

CyTrack uses Windows Authentication for SQL Server Authentication. This ensures that only authorized users with valid credentials can access the database server. The benefits from this are:

  1. Enables centralized management of SQL Server principals via Active Directory
  2. Uses Kerberos security protocol to authenticate users
  3. Supports Windows password policy enforcement including complexity validation for strong passwords, password expiration, and account lockout

CyTrack services

CyTrack services run using one identity. The identity is a Windows authenticated user. This prevents services from running using an unauthorized identity.

Auto delete log files

CyTrack generated log files are automatically deleted after a period.

Additional database server security measures

CyTrack would encourage customers to look at securing access to their database servers and their server content. The Microsoft article provides information on securing a database server: https://msdn.microsoft.com/en-us/library/ff648664.aspx#c18618429_004

Transparent data encryption

This is a SQL Server encryption option for customers with SQL Server Enterprise edition. Its main purpose is to protect data by encrypting the physical files, both the data (mdf) and log (ldf) files (as opposed to the actual data stored within the database). TDE Encrypts SQL Server, Azure SQL Databases, and Azure SQL Data Warehouse data files.

The following link provides details on setting up TDE: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-2017

Personal information management

CyTrack personal information management tool

CyTrack provides an optional tool that performs searches for personal information and allows the administrator of the tool the ability to edit and/or anonymise the information. Voice recordings may also be optionally removed at the instruction of the administrator.

Download the white paper

CyTrack has identified data columns that may contain personal information. These data columns are flagged in the database as having personal information and used by the tool to search for personal information in these data columns.


Search, view & action window

The ability to allow the admin user to enter any known personal information on a specific data subject and optionally a date range. The Administrator may click to re-apply this action should it be required - for example to be actioned against a restored backup database.

The Compliance Manager searches and displays all associated personal information and populates it to the data subject 'window' within the Personal Compliance Manager App.

For transactional history items such as chat text flow, SMS text flows, the compliance window lists all of these and provides a redact button beside each item for the customer to manually select as required.

From this window the administrator will have actions to:

  1. Output all the associated personal information on the contact/subscriber to an output file.
  2. Edit any of the personal information – e.g. a contact may wish their email address to be updated and this is then replaced within the database.
  3. Redact any of the personal information.
  4. Redact any message stream associated with the user e.g. chat or SMS history.
  5. Delete associated voice recordings.

Compliance action history and database

Each Compliance Action taken is issued a transactional number against the name of the data subject. The system stores a history of compliance actions taken, the prime use for this in case a database needs to be restored and the customer may then re-apply past compliance actions taken.

The Compliance Action history is a transactional list that contains the name of the data subject that the compliance was acted upon and the list of actions taken. The Administrator may click to re-apply this action should it be required, for example to be actioned against a restored backup database.

The Compliance Action History database is stored in a separate log file and can be backed up so that it also can be restored in the event of the original being destroyed.


Data breach report and output

The system can output a CSV of all email addresses and/or telephone numbers found in the database so that this can be used to transfer to a CRM system and alert all contacts found of any data breach.

Offering customer consent functionality

Consent from your customer (the data subject) must now be granted by the customer to authorise the processing and storage of personal data. So its important for businesses to think about how they interact with customers and how the customer can provide or deny consent and the business be able to report on this capability.

CyTrack is assisting by building in functionality wherever possible within the technology to offer opt in/out controls and processes.

The following includes some examples and we will continue to review options and methods with our customers:


Voice/Screen Recording Opt in/Out*

CyTrack CyCC offers the option to include an announcement up front in your IVR or auto attendant that allows the customer to select whether a call can be voice recorded. According to the selection the caller will be put into a queue that allows calls recorded or not, also the agent can be alerted to whether this is an opt in or out call if required.


Web Chat

CyTrack CyChat offers the option that allows the customer to select whether a chat can be stored in the database and also whether the customer wishes a transcript of the conversation to be emailed back to them after the chat has ended.


Anonymising your customer's telephone caller ID in your records*

CyTrack CyCC offers the customer an option to have their caller ID made anonymous by replacing the last digits of their telephone number.


Other communication channels

CyTrack will continue to work with our customers and investigate and implement the means for opt in/out methods for different communication channels as those requirements are raised.


Personal information and data security (also referred to as data protection) is the relationship between the collection and dissemination of data, the public expectation of privacy, the technology used, and the legal issues surrounding them.

Technology helps but your processes are the solution

Technology can help you manage and understand your data but business policies and procedures need to be able to ensure the organisation complies with data protection principles and data subject rights. Make sure you seek independent legal representation for your compliance processes.

* These features are available with our CyCC Call Centre Suite. If you don't have CyCC:
1. CyDesk provides the ability for agents to manually stop voice recording.
2. CyReport offers a setting to anonymise all caller ID transactions.
3. If you don't deploy any of the above measures, we recommend you review our optional Personal Information Compliance Manager and you act on your customers' preferences on their personal information after notification to your customer service agents.


Enter your details below to download the CyTrack Personal information and data security white paper