Data privacy opt out

AD
DM
DS

Health care providers can request that their personal data be restricted or blocked from processing. To support these requests, records can be flagged as opted-out so the data is hidden from users and can no longer be updated.

Opted-out records can be managed by Veeva OpenData or can be managed locally for your Network instance. When records are flagged, the opt-out behavior occurs when records are exported to downstream systems. For Veeva OpenData records, this occurs when records are downloaded to your Network instance. For local records, the opt-out behavior occurs when you export the records to your downstream systems.

Summary of behavior for opted out records

This table summarizes opt-out behavior for records in your Network instance.

Note: Except for where it's noted, this behavior does not apply to OpenData records that have not been downloaded to your Network instance; those records cannot be downloaded after they are opted-out.

Behavior OpenData Record -
Master Opt-Out

(data_privacy_opt_out__v)

OpenData Record -
Customer Opt-Out

(data_privacy_opt_out__c)

Local Record -
Customer Opt-Out

(data_privacy_opt_out__c)

Visibility in Network

No access

Controlled using data visibility profile permissions. Controlled using data visibility profile permissions
Record updates

The records can't be updated through the Network UI.

Records can be updated through your OpenData country subscription or a source subscription that uses the VID as a custom key.

Data stewards can update the data_privacy_opt_out__c field only. Data stewards can update the data_privacy_opt_out__c field only.
Download from OpenData Can be downloaded using Ad Hoc Download or if it's included in the working set. Not applicable Not applicable
Export from search No access Can be exported. Fields are not masked. Can be exported. Fields are not masked.
Export behavior "Data Privacy" replaces most field values. "Customer Data Privacy" replaces most field values.

Custom field values are preserved.

"Customer Data Privacy" replaces most field values.
Reports

"Data Privacy" replaces most field values.

Report masks or blanks field values. Report masks or blanks field values.
US Compliance Reports Report displays all field values.
Ad Hoc Match Not included Included in match jobs. Included in match jobs.
Matching (source subscriptions / add requests) Excluded by default, but can be included. Excluded by default, but can be included. Excluded by default, but can be included.
Suspect Match Not applicable Not applicable Records can be included in the task, but an opted-out record cannot be merged with another record.
Merge Not applicable

Opted-out records cannot be merged.

Candidate records are the exception to this merge behavior. A candidate record can be merged into an opted-out record if the opted-out record is the merge winner. If the candidate record itself is opted-out, it cannot be merged because opted-out records cannot be merge losers.

Data Deduplication The record won't be considered for matching by the job. The record won't be considered for matching by the job. If the opted-out record is included, the job will find matches (to records that aren't opted-out).

Opted-out records won't be considered as a match to records that are in the job.

Data change requests Requests are auto-rejected.

If there was a local task for the record, it will also be auto-rejected.

Requests are auto-rejected. Requests are auto-rejected.

For more details about each type of opted-out records, see the sections below.

Impact of opted out records on CRM

See the Network blog article for details: GDPR Compliance with Veeva Network - Part 3: Managing HCPs that opt out from your organization.

Veeva OpenData opt-out

Data privacy is regulated by Veeva OpenData teams for opted-outClosed Direction from an HCP that their personal attributes should not be visible to those who use Veeva OpenData. Capture of opt-out requests is required by law in some countries. HCPs for countries that require it. This functionality ensures data privacy for opted-out HCPs to satisfy regional regulatory requirements.

When an HCP requests to block or restrict their personal data, Veeva OpenData stewards set the data_privacy_opt_out__v field to Yes/True. The opt-out date is captured in the data_privacy_opt_out_date__v field. These fields are read-only in your Network instance.

Converting opted-out records

Th data_privacy_opt_out__v field cannot be updated by OpenData after it has been set to Yes/True because you can convert an opted-out record into a locally managed record. This ensures that the OpenData record stays opted out permanently and cannot be downloaded again into your Network instance in the future. If you convert an opted-out record into a local record for your Network instance, you have taken over the record and its Network entity ID as a customer managed record.

For more information, see Converting opted out records.

Opt-out behavior

When records are opted-out by Veeva OpenData and updated in your Network instance, they can no longer be accessed in downstream systems, including your Network instance, Veeva CRM, or by API calls (see the "API considerations" section below).

Impact to records in your Network instance

  • Updates - Records that you have previously downloaded remain in your Network instance and are no longer updated. The last update is the opting out by OpenData which includes the opt-out date. This update will be exported to your downstream systems.

    Fields on the records are updated in various ways. To see the field behavior for opted-out records when they are sent to downstream systems, export the data model and review the HCP Opt-Out Behavior column for each field.

  • Visibility - Records are no longer visible in the UI. They do not display on the profile page or in search results.

    If users search for a record by appending the Network entity ID (VID) to the URL of their Network instance, a locked profile screen displays with a message advising users that the HCP has opted out.

  • Record information - Revision history and data lineage information is hidden.
  • Downloading - Records can be downloaded using Ad Hoc Download or if the Network entity ID (VID) is listed in the country subscription's working set. The record will not be visible in the UI.
  • Reports - Records can be included in reports, but fields are masked (set to "Data Privacy") or blanked in the results.
  • Ad Hoc Match - Already downloaded opted-out records are not included in ad hoc match jobs. Not yet downloaded recorded are excluded when the Match Against OpenData option is selected.
  • Match - Already downloaded opted-out records are excluded from the matching process by default in all add requests and source subscriptions. Not yet downloaded records are excluded when the Match & Download from OpenData option is selected.

    To include opted-out records in the matching process, see Opt out matching settings.

  • Merge - Records cannot be merged if one of the records is an opted-out HCP. An HCP record cannot be merged into an opted-out record, and an opted-out record cannot be merged into an HCP record.

    Candidate records are the exception to this merge behavior. A candidate record can be merged into an opted-out record if the opted-out record is the merge winner. If the candidate record itself is opted-out, it cannot be merged because opted-out records cannot be merge losers.

  • Data deduplication - Opted-out records that are included in the list or the query itself it will find matches (to records that aren't opted out but the subsequent actions are limited because the record isn't visible in your Network instance). Opted-out records won't be considered by the job when looking for a match.
  • Data change requests - Records cannot be updated or otherwise managed through the data change request process.

    If users submit a change request for an opted-out HCP, Network rejects the DCR with the following localized message:

    System rejected - The requested HCP has opted-out. If this is an OpenData record and you wish to see this HCP again in OpenData, please ask the HCP to send an email to opendata.optin@veeva.com with "Cancellation of opt-out" in the subject line. Otherwise, please create the HCP in your local instance."

    If a DCR is pending for a record and then the record is opted out, the task will be automatically rejected when it is opened. The user that submitted the change will no longer be able to view the HCP's name in the task; it will be masked with "Data  Privacy". The "System rejected" resolution note advises that the HCP has opted out.

    If there was a local DCR for the HCP, the rejection of the OpenData task will automatically reject the local task.

Country support for data privacy opt-out

Veeva OpenData manages HCPs who have opted out of these countries. When records are opted out, they can no longer be accessed.

Opt out from marketing

A separate opt-out flag (opt_out__v) is informational; downstream systems can still view records that have been opted out using this field. The field is used to guide marketing usage of records in these countries.

Locally managed opt-out

The data privacy opt-out functionality can be used locally in any country by using the custom opt-out field, data_privacy_opt_out__c. To support an HCP's request, you can opt out any records in your Network instance, whether they are locally managed, thirty party managed, or managed by Veeva OpenData. The opt-out date is captured in the data_privacy_opt_out_date__c field.

Opt out behavior

When you flag HCP records as opted-out, the opt out behavior occurs when you export the records to downstream systems, but it also impacts the record in your Network instance.

Impact in downstream systems

Appropriate fields are blanked or masked when the record is exported in any manner; for example, when they are exported to reporting or exported to downstream systems using target subscriptions. This ensures that the HCP cannot be identified.

Name related fields are replaced with "Customer Data Privacy" and the values in many of the other fields are removed. To see the opt-out behavior for fields, export the data model and review the HCP Opt Out Behavior column for each field.

Impact in your Network instance

Access to opted-out records is controlled by the HCP Opt Out Visibility permission in your data visibility profile (DVP).

For example, you might restrict standard users from viewing opted-out records but allow specific data stewards and data managers to view records in case they need to investigate previous changes.

For information about specifying opted-out HCP visibility in data visibility profiles, see Working with data visibility profiles.

HCP Opt Out Visibility permission enabled

The following behavior occurs for opted-out records when your HCP Opt Out Visibility DVP permission is set to True:

  • Visibility - Opted-out records can be viewed in your Network instance. The records are identified by the Lock overlay on the HCP icon.
  • Records are locked - They cannot be updated through the data change request process or on the profile page; all of the fields on the record display a Lock icon.

    Only the Customer Data Privacy Opt Out? field can be updated by data stewards or by jobs. If the value is changed from Yes/True to No/False, the record is no longer opted out and can be updated again.

  • Search results - Opted-out records display in the search results. Opted-out records can be exported from search results: they are not masked in the exported file.
  • Ad hoc match - Opted-out records are included in ad hoc match jobs.
  • Match - Records are excluded from the matching process by default in all add requests and source subscriptions. To include opted-out records in the matching process, see Opt out matching settings.
  • Suspect Match -You can create suspect match tasks that include an opted-out record but the record cannot be merged with another record.
  • Merge - Records cannot be merged if one of the records is an opted-out HCP.

    Candidate records are the exception to this merge behavior. A candidate record can be merged into an opted-out record if the opted-out record is the merge winner. If the candidate record itself is opted-out, it cannot be merged because opted-out records cannot be merge losers.

    Suspect match tasks cannot merge a record that is opted-out.

  • Data deduplication - Opted-out records that are included in the list or the query itself it will find matches (to records that aren't opted-out). Opted-out records won't be considered by the job when looking for a match.
  • Revision History and Data Lineage - The opted-out HCP record be viewed.
  • Network Explorer - The opted-out HCP record can be viewed.
  • Pending tasks - Data Stewards can see the HCP's name in the inbox list and on the task, but the task cannot be actioned. When the task is opened, it is formally rejected.

HCP Opt Out Visibility permission disabled

The following behavior occurs for opted-out records when your HCP Opt Out Visibility DVP permission is set to False:

  • Visibility - Opted out records do not return in search results and cannot be viewed by users (for example, if they try to be accessed from Recent Items).

  • Pending tasks If a record has a pending task and then is opted out, Data Stewards cannot see the record name in their inbox.

    • Click Inadequate Access Permission - Opens the Profile page that displays the Lock icon.

    • No action - The task remains in Pending state in the inbox and on the submitter's My Requests page.

    • Open the task - The task is rejected.

      The task submitter sees the following message on their My Requests page:

      The data steward sees the following Resolution Note in the rejected task:

Enabling the opt-out field for a country

Administrators can enable the Customer Data Privacy Opt Out? field. When the field is enabled, it displays in HCP record profiles. Data Stewards can use the field to opt out HCPs in the profile.

Tip: Before opting out a record, Data Stewards should search the inbox for tasks involving that record and process them first. Otherwise, tasks for records that have been opted out cannot be processed unless the record is opted in again.

  1. In the Admin console, click Data Model > Data Domains > Customer Master.
  2. Click the Health Care Professional object.
  3. In the Fields section, select the data_privacy_opt_out__c field.
  4. On the Edit Field page, in the Visibility in Countries section, click Add Country Group.
  5. Select a country from the Countries list.
  6. In the Network Objects list, select HCP.

  7. Click Done and Save your changes.

Updating the opt-out field

On HCP profiles, any user can edit the Customer Data Privacy Opt Out? field. A data change request will be sent to local data stewards.

API considerations

Search API

The Search API will not return opted-out records, even if the Integration User has the HCP Opt Out Visibility permission set to True in their data visibility profile.

This applies to both OpenData opt-out and local opt-outs.

Veeva CRM

Users in CRM can't search for an opted-out record, even if the Integration User has the HCP Opt Out Visibility permission set to True in their data visibility profile in Network. This type of search uses the Search API.

Retrieve API

If the Retrieve API includes the Network entity ID (VID) of an opted-out HCP, the user can see the full record but the fields are masked. Masked fields say "Client Data Privacy" if the record was opted-out in your Network instance or “Data Privacy” if the record was opted-out by OpenData. The user can see opted-out records in the Network UI if their data visibility profile allows them to do so. (Regular CRM users do not use the Retrieve API.)