The Nineteen Responsibilities of an Assessment Data Controller under the GDPR

Posted by John Kleeman

Back in 2014,  Questionmark produced a white paper covering what at the time was a fairly specialist subject – what assessment organizations needed to do to ensure compliance with European data protection law. With the GDPR in place in 2018, with its extra-territorial reach and potential of large fines, the issue of data protection law compliance is one that all assessment users need to consider seriously.

Diagram: Data Controller with two Data Processors, one of which has a Sub-Processor

Questionmark Associate Legal Counsel Jamie Armstrong, Questionmark CEO Eric Shepherd and I have now rewritten the white paper to cover the GDPR and published it this week. The white paper is called “Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities”. I’m pleased to give you a summary in this blog article.

To remind you, a Data Controller is the organization responsible for making decisions about personal data, whereas a Data Processor is an organization who processes data on behalf of the Data Controller. As shown in the diagram, a Data Processor may have Sub-Processors. In the assessment context, examples of Data Controllers might be:

  • A company that tests its personnel for training or regulatory compliance purposes;
  • A university or college that tests its students;
  • An awarding body that gives certification exams.

Data Processors are typically companies like Questionmark that provide services to assessment sponsors. Data Processors have significant obligations under the GDPR, but the Data Controller has to take the lead.

The Nineteen Responsibilities of an Assessment Data Controller under the GDPR

1. Ensure you have a legitimate reason for processing personal data
2. Be transparent and provide full information to test-takers
3. Ensure that personal data held is accurate
4. Review and deal properly with any rectification requests
5. Respond to subject access requests
6. Respond to data portability requests
7. Delete personal data when it is no longer needed
8. Review and deal properly with any erasure requests
9. Put in place strong security measures
10. Use expert processors and contract with them wisely
11. Adopt privacy by design measures
12. Notify personal data breaches promptly
13. Consider whether you need to carry out a Data Protection Impact Assessment
14. Follow the rules if moving data out of Europe
15. If collecting “special” data, follow the particular rules carefully
16. Include meaningful human input as well as assessment results in making decisions
17. Respond to restriction and objection requests
18. Train your personnel effectively
19. Meet organisational requirements

Back in 2014, we considered there were typically 12 responsibilities for an assessment Data Controller. Our new white paper suggests there are now 19. The GDPR significantly expands the responsibilities Data Controllers have, and makes it clearer what needs to be done and the likely penalties if it is not done.

The 25 page white paper:

  • Gives a summary of European data protection law
  • Describes what we consider to be the 19 responsibilities of a Data Controller (see diagram)
  • Gives Data Controllers a checklist of the key measures they need from a Data Processor to be able to meet these responsibilities
  • Shares how Questionmark helps meet the responsibilities
  • Comments on how the GDPR by pushing for accuracy of personal data might encourage more use of valid, reliable and trustworthy assessments and benefit us all

The white paper is useful reading for anyone who delivers tests and exams to people in Europe – whether using Questionmark technology or not. Although we hope it will be helpful, like all our blog articles and white papers, this article and the white paper are not a substitute for legal advice specific to your organization’s circumstances. You can see and download all our white papers at www.questionmark.com/learningresources and you can directly download this white paper here.

Is Safe Harbor still safe for assessment data?

Posted by John Kleeman

A European legal authority last week advised that the Safe Harbor framework, which allows European organizations to send personal data to the US, should no longer be legal. I’d like to explain what this means and discuss the potential consequences for those delivering assessments and training in Europe.

What European data protection law says about transfers outside Europe

According to European data protection law, personal data such as assessment results or course completion data can only leave Europe if an adequate level of protection is guaranteed. All organizations with European participants must ensure that they follow strict rules if they allow personal data to be transferred outside Europe. Data controllers can be fined if they don’t comply.

Diagram: Data controller has data processors which have sub-processors

A few countries, including Canada, are considered to have an adequate level of protection. But in order to send information to the United States and most other countries outside Europe, it’s necessary to ensure that each data processor who has access to the data guarantees its protection. This includes every processor and sub-processor with access to the data, including data centers, backup storage vendors and any organization that accesses the data for support or troubleshooting purposes. Even if data is hosted in Europe, the rules must still be followed if there is any access to it, or any copy of it, in the US.

There are two main ways in which US organizations can bind themselves to follow data protection rules and so be legitimate processors of European data: the EU Model Clauses or Safe Harbor.

EU Model Clauses

The EU Model Clauses are a standard set of contractual clauses, several pages long, which a data processor can sign with each data controller. Signing signifies a commitment to following EU data protection law when processing data. These clauses cannot be changed or negotiated in any way. Questionmark uses these EU Model Clauses with all our sub-processors for Questionmark OnDemand data to ensure that our customers will be compliant with EU data protection law.

Safe Harbor

An alternative to the EU Model Clauses in the US is Safe Harbor. Safe Harbor (formal name – the US-EU Safe Harbor Framework) is run by the US Department of Commerce and allows US companies to certify that they will follow EU rules for EU data without needing to sign the EU Model Clauses. You can certify once, and then it applies to all your customers. It’s very widely used, and most large US organizations in assessment and learning are Safe Harbor certified, including Questionmark’s US company, Questionmark Corporation. You can see a full list at http://safeharbor.export.gov/list.aspx.

There is some concern, particularly in Germany, that Safe Harbor is not well enough enforced, so some organizations like Questionmark also use the EU Model Clauses. For example, Microsoft offer these for their cloud products. But Safe Harbor is widely used to ensure the legality and safety of European data sent to the US.

The legal threat to Safe Harbor

Last week, the advocate general of the Court of Justice of the European Union made a ruling that the Safe Harbor scheme should no longer be legal. He argues that the widespread government surveillance by the US is incompatible with the privacy rights set out in the EU Data Protection Directive, so the whole of Safe Harbor should be invalidated. His ruling is not yet binding, but rulings by advocates general are often confirmed and made binding by the court, so there is a genuine threat that Safe Harbor could be suspended.

Negotiations on data protection are underway between the US and Europe, and it is likely that this will be resolved in some way. But there are significant differences in attitude on data protection between Europe and the US. Much anger remains about Edward Snowden’s revelations about US surveillance, so the situation is hard to predict.

What can organizations do to protect themselves?

It’s likely that a deal will be found and that Safe Harbor will remain safe. And if it is ruled illegal, this is going to affect the whole technology sector, not just learning and assessment. But it’s a further argument to use a European vendor for assessment and learning needs and/or one who is familiar with and has their suppliers signed up to the EU Model Clauses.

For more information and background on data protection, see Questionmark’s white paper: Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities. John Kleeman will also be presenting at the Questionmark Conference 2016: Shaping the Future of Assessment in Miami, April 12-15. Click here to register and learn more about this important learning event.

Delivering exams in Europe? What must you do for Data Protection?

Posted by John Kleeman

Regulators in Europe are increasingly active in data protection, and most European organizations are reviewing their suppliers to ensure data protection and security. If you are an awarding body, multinational corporation or publisher delivering tests and exams in Europe, what do you need to do to stay comfortably within European Union data protection laws?

There is a fundamentally different approach to personal privacy between Europe and the USA. In the USA, there is often a cultural expectation that technology and market efficiency are pre-eminent, but in Europe, the law requires technology to ensure privacy.

We all remember that in the US, citizens have a right to “life, liberty and the pursuit of happiness” and that in France, people have a right to “Liberty, Equality and Fraternity”. But in the 21st century, privacy is probably one of the strongest discriminators between the continents. In a world being transformed by technology, the EU Data Protection Directive firmly says that computer systems are designed to serve man, and not man to serve the computer. Data processing systems must respect the fundamental rights and freedoms of people, and in particular the right to privacy. Whether you think this is right or not, this is the law in Europe.

Increasingly, European governments are strengthening their laws on data protection and the penalties for not complying. So if you are delivering your exams in Europe, what do you need to do? The key responsibilities for data protection are held by what EU law calls the “Data Controller”. Most sponsors of assessments – awarding bodies, corporations delivering tests, publishers and educational institutions – are Data Controllers, and they are responsible for protecting the data of the end user (the Data Subject) and ensuring that any processors and sub-processors follow the rules. The Data Controller will also be liable if anything goes wrong.

Diagram: Data Subject - Data Controller - Data Processor - Sub-processor

Here is a summary of the 12 responsibilities of a Data Controller under EU Law when delivering assessments:

1. Tell test takers what is being done with their data including how you are ensuring the assessment is fair.

2. Obtain informed consent from your test takers including relating to who will see their results.

3. Ensure that data is accurate, which in the assessment context likely means that assessments are reliable and valid.

4. Delete personal data when no longer needed.

5. Protect data against unauthorized destruction, loss, alteration and disclosure. If assessment results are lost, altered or disclosed without permission, you may be liable for penalties. You need to put in place technical and organizational measures, ensure that data is only disclosed appropriately, and ensure that any data processors follow the rules strictly.

7. Take care transferring data outside Europe. You need to ensure that if assessment results or other personal data are transferred outside Europe, the EU rules are followed. This is particularly important because not all organizations outside Europe understand data protection, and so they may inadvertently break the rules.

8. If your assessments collect “special” categories of data, including racial or ethnic origin and health information, there are additional rules; get advice on how to ensure there is explicit consent from test takers.

9. People have a right to request data that you hold on them, and in some countries this includes exam results and all the personal details you hold on them. Be prepared to receive such requests.

10. If the assessment is high stakes, ensure there is a human review of automated decision making. Under the EU directive, technology serves man, not the other way round and taking decisions without human review is not always allowed.

11. Appoint a data protection officer and train your personnel.

12. Work with supervisory authorities (you have to register in some countries) and have a process to deal with data protection complaints.

As a company established in both the EU and the US, Questionmark has a good understanding of data protection, and if you use Questionmark OnDemand, several of these responsibilities are aided and ameliorated.

I hope this introduction and summary has been helpful. For more information on the requirements of data protection when delivering assessments, download our white paper (free with registration): Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities.

Where do you deliver assessments from in a post-PRISM world?

Posted by John Kleeman

Like many of you, I have been watching with interest revelations about government Internet surveillance initiatives. Technologically and legally, none of it is surprising. Businesses and governmental organizations around the world have frequently expressed concerns about the data privacy implications of the US Patriot Act. Indeed, many of our customers cite data protection issues as factors in their decisions to opt for the Questionmark OnDemand service based at our European data centre.

Practically, I am torn between admiring our governments for defending us against terrorism and pondering Benjamin Franklin’s saying that if you give up liberty for security, you lose liberty.

Wherever you stand on this issue, there are still questions to address about the practical implications this data protection challenge poses for those delivering assessments. I thought it might be helpful to look at a couple of different scenarios and suggest data protection requirements you might look for when running assessments over the Internet.

Scenario 1. A US company looking for a safe place to deliver assessments from the Cloud

Suppose you are a US company seeking to test your employees via a SaaS vendor. Suppose most employees are in North America but a few are spread round the globe. Here are the likely key data protection requirements:

1. Contract with a US service provider with confidentiality clauses.

2. Data centre and assessment results located in the US.

3. Data centre certified and audited to SSAE 16, the expected standard for quality data centres in North America.

4. Service provider and data centre operator certified under the U.S. Department of Commerce’s Safe Harbor Framework. This means they promise to comply with European data protection rules for data coming from Europe. Without this, you will have HR challenges testing your employees in Europe. With a lot of testing in Europe, you may want to look for stronger measures than Safe Harbor – see the White Paper (complimentary with registration): Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities.

5. Vendors must have strong IT security including the latest SSL/TLS encryption and other technical measures.

Scenario 2. A European organization who wants to run assessments and keep data in Europe

Many European companies or universities have a legal need to follow European data protection law and keep their data in Europe, and some may have constitutional requirements to avoid US oversight. Here are some of the key things they would look for:

1. Contract with a European service provider with confidentiality and data protection clauses.

2. Data centre with assessment results and personal data located inside the European Union.

3. Data centre certified and audited under ISO 27001, the expected standard for quality data centres in Europe.

4. This alone is only part of the story. The service provider and the data centre operator must not just be located in Europe, they must be European owned and not a subsidiary of a US company. If a US company runs a data centre or service in Europe, even if they run a subsidiary in Europe, they are required to hand over data on request to the US government, even if that data is in Europe. So if you work with a European subsidiary of a US LMS, VLE or other SaaS company, your data may be obtained by US enforcement agencies. According to a recent report by Reuters, a US judge has ruled that:

Internet service providers such as Microsoft Corp or Google Inc cannot refuse to turn over customer information and emails stored in other countries when issued a valid search warrant from U.S. law enforcement agencies

5. Again, all the legal data protection needs to be accompanied with good IT security. See our security comparison document for some questions to ask.

White Paper (complimentary with registration): Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities.

Questionmark can meet both these needs. You can visit our website to learn how Questionmark OnDemand — US-based or EU-based — offers trustable solutions for either of these scenarios.

What organizational and technical measures are appropriate in assessment delivery?

Posted by John Kleeman

One of the key responsibilities of an assessment sponsor acting as data controller under European law is to implement appropriate technical and organizational measures to protect personal data. But what does appropriate mean?

And when you contract with a data processor to deliver assessments, you must ensure that the processor implements appropriate measures. But again, what does appropriate mean?

This is not just an academic question. A UK organization was fined £150,000 in 2013 for failing to protect personal data, with the regulator commenting that a key reason for the fine was “… the data controller has failed to take appropriate technical measures against the loss of personal data”.

The measures to use will depend on the risk to the data and to the assessment participant. But here are some measures to consider. They are all met by Questionmark if you delegate service delivery to Questionmark – though some also need action by you:

For more information, you can download a complimentary version of the white paper: Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities [requires registration]

Measures, to be checked against Questionmark OnDemand and against your own system:

Premises access control
  • Data center certified against ISO 27001 or SSAE 16
  • Two-factor authentication for staff and visitors
  • 24/7/365 personnel intrusion alarms
  • 24/7/365 monitored digital surveillance cameras
  • 24/7/365 security team on site at all times
  • Strong physical security in nondescript building to aid anonymity

System controls
  • Well configured firewalls in each tier
  • Intrusion Detection System or Intrusion Prevention System
  • Secure software development approach following best practices
  • Comprehensive anti-virus measures
  • Regular third party penetration testing
  • Regularly updated system and application software
  • 24/7/365 network monitoring

Data access control (authentication and authorization)
  • Individual, unique high strength passwords for all users (you need to action)
  • Users can easily be deleted when they leave an organization (you need to action)
  • Store administrator passwords in encrypted form
  • Administrators can be given access to only functions/data needed (you need to configure)
  • Participant login & identity can be confirmed by monitors/proctors (you need to configure)

Data transmission control
  • All participant access via well configured SSL/TLS
  • All administrator access to results via well configured SSL/TLS
  • Any data copied for troubleshooting purposes strongly encrypted
  • No need to send data physically – all data transmitted electronically

Data entry control (keeping track of who does what)
  • Able to present participant with information & record consent (you need to action)
  • Participant answers cannot be changed except with authority
  • Participant submissions recorded with time-stamp
  • Differential privileges for administrators, control over system functions (you need to configure)
  • Log important activities by administrators and other users

Contractual control
  • Have data protection compliant contracts with processors
  • Processing only performed on instructions from Data Controller
  • Logical or physical separation of data from different customers

Availability controls (protecting against unauthorized destruction or loss)
  • Power supply redundancy, UPSs and onsite generators
  • N+1 or 2N redundancy on all hardware and Internet connections
  • Backup of all assessment data to offsite location
  • Backup assessment results frequently (e.g. hourly) to avoid losing data
  • Regular restore tests of such backups
  • Save participant answers “as you go” on server during test-taking
  • Tested, current service continuity plan in place in event of disasters
  • 24/7/365 environment monitoring

Organizational measures (These are all met by Questionmark; you will also have to follow these yourselves.)
  • Designate a data protection officer
  • Personnel have written commitment to confidentiality
  • Background checks on new employees
  • Regular training of employees on data security
  • Regular testing of personnel on data security to check understanding
  • Faulty or end of life disks degaussed or otherwise safely destroyed

I hope this helps you work out what measures might be appropriate for your needs. If you want to learn more, then please read our free-to-download white paper: Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities [requires registration].

If you are interested in seeing if Questionmark OnDemand could meet your needs, see here for more information.

How to stay within European law when sub-contracting assessment services

Posted by John Kleeman

Questionmark has recently published a white paper on assessment and European data protection. I’ve shared some material from the white paper in earlier posts on the Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities and The 12 responsibilities of a data controller, part 1 and part 2.

Diagram: Data Controller to Data Processor

Here are some points to follow if you as an assessment sponsor (Data Controller) are contracting with a Data Processor to conduct assessment services that involve the Data Processor handling personal data. As always, this blog cannot give legal advice – please check with your lawyer on contractual issues.

For processors inside and outside Europe

1. You should have a contract with the Data Processor and if they use Sub-Processors (e.g. a data center), their contract with such Sub-Processors must follow data protection rules.

2. Processors should only process data under your direction.

3. You should define the nature and duration of the processing to be performed.

4. The Data Processor and its Sub-Processors must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. See the white paper for more guidance on what measures are required.

5. You should have some capability to review or monitor the security of the processing, for instance by viewing reports or information from the processor.

6. If you need to delete data, you must be able to make this happen.

7. If there is a data leakage or other failure, you need to be kept informed.

8. In some countries in Europe, e.g. Germany, data protection law also applies to encrypted personal data, even if the processor does not have access to the encryption key. If you are concerned about this, you need to ensure that any backup providers holding encrypted material are also signed up to data protection law.

9. When the contract is over, you need to ensure that data is returned or deleted.

10. Data protection law is likely to change in future (with some proposals in review at present), so your relationship with your Data Processors should allow the possibility of future updates.

For processors outside the European Economic Area

For any Data Processor or Sub-Processor who is outside the European Economic Area (and outside Canada and a few other countries), the safest procedure is to use a set of clauses called the EU Model Clauses, a set of contractual clauses which cannot be modified and which sign up the processor to follow EU data protection legislation.

Another potential route if using US processors is to rely on the US Government Safe Harbor list. However, particularly in Germany, there is concern about Safe Harbor, so you need to do additional checking. And many stakeholders will increasingly expect processors outside Europe to sign up to the EU Model Clauses. Microsoft have recently made their services compliant with these clauses, and we can expect other organizations to do so as well.

I hope this summary is interesting and helpful. If you want to learn more, please read our free-to-download white paper: Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities [requires registration].