Posted by John Kleeman
In my earlier post, Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities, I suggested there are 12 responsibilities of assessment sponsors acting as Data Controllers when delivering assessments in Europe.
Here is an outline of the first 6 of these:
1. Inform participants
A key principle of data protection is that you tell people what is being done with their data. At a minimum, you need to inform assessment participants of:
- your identify and contact details
- the purposes of the assessment and of any processing of its results
- who will see the assessment results
- the rights of the participant under data protection law to see data and correct inaccuracies
- use of Internet “cookies” in delivering assessments
2. Obtain informed consent
It’s usually recommended to get informed, explicit and recorded consent from everyone whose data you process. You can ask for consent on the first screen of an assessment or in a prior agreement with test-takers. Failure to gain informed consent can have consequences: Case in point: a Portuguese company was fined €20,000 for hiring a third party to assess the professional skills of its employees without notifying them or gaining consent.
3. Ensure that data held is accurate
You are required to ensure that data is accurate and up to date. In the assessment context, this might include ensuring that if you hold data about someone being certified or not certified, the data is accurate and up to date. It also likely means requiring your assessment itself to be accurate, i.e. created and delivered using appropriate procedures that ensure accuracy. See the Questionmark white papers, “Five Steps to Better Tests” and “Defensible Assessments: What You Need to Know”, for some guidance in this area. These papers are available from https://help.questionmark.com/content/white-papers.
Supervisory authorities can also issue penalties if you fail to maintain accurate data and this causes distress. For instance a UK company was fined UK£50,000 in 2012 for mixing up two individuals’ data and failing to correct it over a period of time.
4. Delete personal data when it is no longer needed
The regulations require that you must not keep data for longer than is necessary and to ensure data held is relevant and not excessive. How long to keep assessment data will depend on the purpose of the assessment. An organization that delivers a formal certification program trusted by the community might want to keep assessment records for decades if those records contribute to the issuing of certificates. Other organizations that deliver casual quizzes to employees or stakeholders would likely choose to delete much sooner.
5. Protect against unauthorized destruction, loss, alteration and disclosure
This is a critical responsibility and one which typically requires the most effort and care from a Data Controller. You need to share assessment results only with those who are entitled to know about them and safeguard assessment data from being disclosed inappropriately, tampered with, lost or destroyed.
You are required to have in place “appropriate” organizational and technical measures commensurate with risk. Failure to put the appropriate measures in place can result in financial penalties. One UK organization was fined £150,000 in 2013 for failing to take appropriate technical security measures. If you use Questionmark OnDemand to deliver your assessments, many technical and organizational measures are taken care of for you. You will of course need to take care of any data once it leaves the Questionmark system, e.g. is downloaded to your systems.
6. Contract with Data Processors responsibly
As Data Controller, you are responsible for all the processing that your Data Processors and their Sub-Processors do. You need to appropriately contract with Data Processors, ensure they only process data under your instructions and that they have appropriate technical and organizational measures. An organization was fined £250,000 in 2013 for failing to ensure that one of its processors safeguarded data properly. If you contract with Questionmark, we ensure that data centres and other Sub-Processors that comply with data protection law – and you should check that other suppliers you use also have this in place.
I hope this is helpful. I’ll write about the other 6 responsibilities next week. If you want more details or want to find out about the other 6 before my next post (!), you can download our white paper.