Customer/Resident using shared email address


A bit of background:

We are a Borough Council and are using the CH Framework with Converse as a CRM for our customer services team as well as case creation and management across a number of different back office workstreams. We are also using a Master Data Manager to take person data from a number of back office systems, cleanse it and create a single person record each person that we have interactions with.

The dilemma:

What we have found, is that there are a significant number of person records that use shared email addresses. This presents the potential for inadvertently committing a data breach. We were wondering what other CH framework users have done to ensure that this doesn’t occur?

Additionally, I am also mindful of the potential need for some of our residents to have services, cases or actions requested on their behalf for a multitude of reasons and wondered if anyone has implemented a “family” account such as that which Spotify, Microsoft or Amazon provide?

Any suggestions or considerations will be gladly received!

Afternoon Richard,

I searched for an official line from the ICO and I was unable to find any relevant advice that might apply.

I think you could take the line that when the user shared the shared email address with yourselves, an address they chose to share with their partner, they gave implicit permission for you to share information regarding that request with that email address and in-turn anyone they chose to give access to it. The same rule would apply to subsequent cases / submissions from either party.

It is not dissimilar to you sending letters addressed to the homeowner or both named parties.

The onus must be on the user supplying the point of contact to ensure its safety and the suitability of any agreed communication with that of the other recipients.

I think it would be difficult, if not impossible currently to implement a family account style system in Create. All Create activity is logged against a given userid, one that is not subject to change. The ability to switch the contextual user-id post authentication is not there and as such you would not be able to escalate the user-id to that of a parent account id.

Please let us know what, if any, decisions you choose to make.