Do privacy laws mean you have to delete a test result if a test-taker asks you to?

Posted by John Kleeman

We have all heard about the “right to be forgotten”, which allows individuals to ask search engines or other organizations to delete their personal data. This right was made stronger in Europe in 2018, when the General Data Protection Regulation (“GDPR”) entered into force, and is gradually becoming recognized in some form in other jurisdictions, for example in the new California privacy law, the California Consumer Privacy Act (“CCPA”).

I’m often asked by customers what the position is when a test-taker asks them to delete the results of a test or exam. Let’s take an example:

  • Your organization runs a global certification program for third party candidates;
  • One of your European candidates takes an exam in your program;
  • The candidate then reaches out to you and asks for all their personal data to be deleted.

What do you need to do? Do you verify his/her identity and delete the data? Or can you hold onto it and deny the request if you have reasons why you need to – for example, if you want to enforce retake policies or you are concerned about possible cheating? Here is an answer based on typical circumstances in Europe (but please get advice from your lawyer and/or privacy adviser regarding your specific circumstances).

Under the GDPR, the general principle is that you do need to delete personal data if retaining it for a longer period cannot be justified by the purposes for which it was initially collected or by another permitted lawful purpose. However, there are exemptions which may allow you to decline an erasure request.

For example, you may refuse to delete personal data in response to a request from an individual if retaining the data is necessary to establish, exercise or defend against legal claims. If you rely on this exemption, you must be satisfied that retention of the data is genuinely necessary, and you must use the data only for this purpose; but you do not then need to delete it.

Another, broader reason for refusing to delete data may arise if you state, in advance of the candidate taking the exam, that processing is performed based on the data controller’s (usually the test sponsor’s) legitimate interests. The GDPR permits processing based on legitimate interests provided you balance those interests against the interests, rights and freedoms of the individual. The GDPR also specifically says that such legitimate interests may include the prevention of fraud (and this obviously includes test fraud).

If you want to be able to refuse to delete information on this basis:

  • You should first conduct and document a legitimate interests assessment which justifies the purpose of the processing, considers whether the processing is really necessary, and balances this against the individual’s interests. (See this guidance from the UK Information Commissioner for more information);
  • You should communicate to candidates in advance, for example in your privacy policy or candidate agreement, that you are processing their data based on explained legitimate interests;
  • If you then later receive a deletion request, you should carefully analyse whether notwithstanding the request you have overriding legitimate interests to retain the data;
  • If you conclude that you do have such an interest, you should retain the data only for as long as that continues to be the case, and keep only the data to which the overriding legitimate interest applies. This might mean that you have to delete some data but can keep the rest;
  • You also need to let the individual know about your decision promptly, providing them with information including their right to complain to the appropriate supervisory authority if they are unhappy with your decision.

The CCPA also has some exceptions where you do not need to delete data, including where you need to retain the data to prevent fraudulent activity.

In general, you may well want to comply with deletion requests, but if you have good reason not to, you may not need to.

For further information, there is some useful background in the Association of Test Publishers (ATP) GDPR Compliance Guide, in other ATP publications and in Questionmark’s white paper “Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities” obtainable at https://www.questionmark.com/wc/WP-ENUS-Data-Controller.

I hope this article helps you if this issue arises for you.