Sensitive data

Learn more about how the application handles sensitive data.

Note: The sensitive data purge functionality does not purge Video Feedback responses. To request deletion of specific Video Feedback responses, please contact your Account Representative.

In joining the Community, your members may give you personally identifiable information or protected health information (for example, names, addresses, emails, birth dates, and so on). You are obligated to handle this data in a way that complies with the regulations and policies of your jurisdiction. This may include:

Flagging information as sensitive.
Periodically removing sensitive data that belongs to members with a status of Purged, Undeliverable, Unsubscribed, or Nonmember.
Restricting user access to sensitive data.

Purging sensitive data

Note: This feature is available by request. If you are interested in enabling this feature, contact your Account Representative.

To qualify for the data removal process, members must have an eligible member status for a period of time that exceeds a specific time frame. (Their prior member status is not relevant for the data removal process.) If a member does not qualify, their data will not be affected. You can configure the time frame, which can range from 30 to 365 days depending on your organization's data needs. You can also configure which member statuses qualify for data removal (Purged, Undeliverable, Unsubscribed, or Nonmember). For more information, see Configure sensitive data purge settings.

The sensitive data purge process runs every 8 hours and looks for any new members that qualify. Then, the application permanently overwrites their data for the profile variables and questions which have been flagged. Once the data is purged, you cannot recover it.

Note: Sensitive data purge starts purging the values for eligible members after you flag the profile variables and questions as sensitive. The application does not go back and retroactively overwrite values for members who were purged before the flagging. Therefore, there may be some cases where a member was purged and the profile variables and questions were flagged as sensitive, but some of the member's values still remain in the system. For this reason, we recommend flagging a profile variable or question as sensitive when you first create it, or as soon as you anticipate collecting sensitive data with it.

Restricting sensitive data access

Users with these permissions can work with sensitive data:

Admins
Power Users with Can access sensitive data enabled
Authors with Can access sensitive data enabled
Analysts with Can access sensitive data enabled

For more information, see Sensitive data permission tables.

Profile and system variables

You can flag profile variables of the following types as sensitive data:

Text
Date
Number
Identity

To do this, when you are creating or editing a profile variable, select Treat this profile variable as sensitive data. This setting controls whether the data is purged, as well as whether user access to the data is restricted. On the Profile Variables page, a shield icon appears beside profile variables flagged as sensitive data.

Additionally, if a Calculated Date profile variable references a Date profile variable flagged as sensitive data, the Calculated Date profile variable will also be flagged as sensitive data.

Note: Admins can change this setting. To change this setting as a Power User, you must have Can access sensitive data enabled.

Note:

By default, the following profile variables and system variables are flagged as sensitive data automatically:

email
name
username
firstname
lastname
pushaddress
bcmdevicetokens
signupfirstname
signuplastname
signupemail
unsubscribereasonother

Survey questions

The following survey questions and objects can be flagged as sensitive data:

Single Choice (other/specify responses only)
Multiple Choice (other/specify responses only)
Net Promoter Score℠¹ (follow-up responses only)
Image Upload
Short Answer
Long Answer
Number
Date
Email
Zip / Postal Code
Phone Number

To do this, when you are creating or editing the survey question or object, scroll to the Sensitive data area. This setting controls whether the data is purged, as well as whether user access to the data is restricted. Select Treat other/specify text response as sensitive data or Treat response as sensitive data.

Note:

This setting only appears in survey authoring if the Sensitive Data Purge feature has been enabled.
The sensitive data purge functionality does not purge Video Feedback responses. To request deletion of specific Video Feedback responses, please contact your Account Representative.
Admins can change this setting. To change this setting as a Power User or an Author, you must have Can access sensitive data enabled.

In the Table of Contents, a shield icon appears beside survey questions or objects flagged as containing sensitive data.

Power survey questions

In power surveys, there are two settings that control sensitive data behavior. These settings are visible to Admins only.

Treat other/specify text response as sensitive data and Treat response data as sensitive data control data purge behavior.

The following survey questions can be flagged as sensitive data:
- Open End
- Numeric
- Date
- Member Image Upload
- Choice (other/specify responses only)
- Buttons (other/specify responses only)
When you are creating or editing the question, scroll to the Sensitive Data area. Select Treat other/specify text response as sensitive data or Treat response data as sensitive data. This setting can be changed regardless of the status of the study.
Private and Is private control whether the data in exports and reports should be visible to Admins only. This setting cannot be changed after the study collects live data.

The following can be flagged as private:
- Open End questions
- Other-Specify responses in Choice questions

CSV exports

CSV export	How sensitive data is handled
Reasons members unsubscribed from the community	Users who do not have Can access sensitive data enabled cannot view this information.
Members or profile variables	Users who do not have Can access sensitive data enabled: Cannot select sensitive profile variables while creating the export Cannot download exports that contain sensitive data (at the time of export)
Power surveys data	Refer to the "Power surveys" section above.
Member participation data	Sensitive data values are redacted and replaced with `SENSITIVE`.
Community Profile report	Sensitive data values are redacted and replaced with `SENSITIVE`.
Report: Text analysis Uploaded images Report data	Users with these permissions can export data: Admins Power Users with Can access sensitive data enabled Authors with Can access sensitive data enabled Analysts with Can access sensitive data enabled Power Users, Authors, and Analysts without Can access sensitive data enabled can export data. However, sensitive data is redacted and replaced with `Sensitive`.
Forums: Posts and replies Participation information	Forum CSV exports do not contain sensitive data; therefore, there are no restrictions.
Purged sensitive data values	Purged sensitive data appears with the value `Purged` instead of displaying the actual value. The application replaces any purged email addresses with a false email address. This applies to all users regardless of user roles or permissions.

Member Hubs

Admins and Power Users who have Can access sensitive data enabled can access the Member Hub.

The following fields are automatically flagged as sensitive data in the Member Hubs:

Full Name
Username
Email Address
Title
Bio
Profile Background

When the Sensitive Data Purge feature is enabled, the Member Hub:

Replaces the member's username and full name with Purged
Obscures the member's email address (for example, 84fbb860-cded....@purged.disabled)
Leaves the member's Bio and Title blank
Replaces the member's avatar and background image with a default image

A purged member's posts, contributions and newsletters will remain. However, you cannot track a user to their posts, contributions or newsletters after they are purged.

Touchpoint

In Touchpoint, you can flag responses associated with certain screens as sensitive data. You can then use Touchpoint's data purge feature to remove flagged responses. For more information, see Flag a response as sensitive data in the Touchpoint documentation.

¹ Net Promoter, NPS, and the NPS-related emoticons are registered U.S. trademarks, and Net Promoter Score and Net Promoter System are service marks, of Bain & Company, Inc., NICE Systems, Inc. and Fred Reichheld.