Do privacy laws mean you have to delete a test result if a test-taker asks you to?

Posted by John Kleeman

We have all heard about the “right to be forgotten”, which allows individuals to ask search engines or other organizations to delete their personal data. This right was made stronger in Europe in 2018, when the General Data Protection Regulation (“GDPR”) entered into force, and is gradually becoming recognized in some form in other jurisdictions, for example in the new California privacy law, the California Consumer Privacy Act (“CCPA”).

I’m often asked questions by customers about what the situation is if test-takers ask to delete the results for tests and exams. Let’s take an example:

  • Your organization runs a global certification program for third party candidates;
  • One of your European candidates takes an exam in your program;
  • The candidate then reaches out to you and asks for all their personal data to be deleted.

What do you need to do? Do you verify his/her identity and delete the data? Or can you hold onto it and deny the request if you have reasons why you need to – for example, if you want to enforce retake policies or you are concerned about possible cheating? Here is an answer based on typical circumstances in Europe (but please get advice from your lawyer and/or privacy adviser regarding your specific circumstances).

Under the GDPR, although as a general principle you do need to delete personal data if retaining it for a longer period cannot be justified for the purposes for which it was initially collected or another permitted lawful purpose, there are exemptions which may allow you to decline an erasure request.

For example, you may refuse to delete personal data in response to a request from an individual if retaining the data is necessary to establish, exercise or defend against legal claims. If you follow this exception, you must be comfortable that retention of the data is necessary, and you must only use the data for this purpose, but you do not need to fully delete it.

Another, broader reason for refusing to delete data may arise if you articulate, in advance of the candidate taking the exam, that processing is performed based on the data controller’s (usually the test sponsor’s) legitimate interests. The GDPR permits processing based on legitimate interests if you balance such interests against the interests, rights and freedoms of an individual. The GDPR also specifically says that such legitimate interests may be used to prevent fraud (and this obviously includes test fraud).

If you want to be able to refuse to delete information on this basis:

  • You should first conduct and document a legitimate interests assessment which justifies the purpose of the processing, considers whether the processing is really necessary, and balances this against the individual’s interests. (See this guidance from the UK Information Commissioner for more information);
  • You should communicate to candidates in advance, for example in your privacy policy or candidate agreement, that you are processing their data based on explained legitimate interests;
  • If you then later receive a deletion request, you should carefully analyse whether notwithstanding the request you have overriding legitimate interests to retain the data;
  • If you conclude that you do have such an interest, you should only retain the data for as long as that continues to be the case and only keep the data to which the overriding legitimate interest applies. This might mean that you have to delete some data, but can keep the rest;
  • You also need to let the individual know about your decision promptly, providing them with information including their right to complain to the appropriate supervisory authority if they are unhappy with your decision.

The CCPA also has some exceptions where you do not need to delete data, including where you need to retain the data to prevent fraudulent activity.

In general, you may well want to follow delete requests, but if you have good reason not to, you may not need to.

For further information, there is some useful background in the Association of Test Publishers (ATP) GDPR Compliance Guide, in other ATP publications and in Questionmark’s white paper “Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities” obtainable at https://www.questionmark.com/wc/WP-ENUS-Data-Controller.

I hope this article helps you if this issue arises for you.

Six predictions now the GDPR is in place

Posted by John Kleeman
So the European GDPR is in place now. Questionmark, like most other companies, has been working hard in the last two years to ensure we are compliant and that our customers in and outside Europe can be compliant with the GDPR. See our trust center or summary for information on Questionmark’s compliance.

Is it all done and dusted? My email inbox seems to have a few fewer promotional emails in it. But is this because of the holiday weekend, or have companies really taken my name off their mailing lists? Here are six predictions for what we’ll see going forwards with the GDPR.

1. The May 25th 2018 date will matter much less going forwards than backwards

[Image: a dog with a Christmas hat]

Companies have been rushing to meet the May 25th date, but GDPR and privacy is a destination not a journey. There is a famous slogan “a dog is for life not just for Christmas” encouraging people to look after their dog and not just buy it as a cute puppy. Similarly, the GDPR is not just something you get compliant with and then ignore. You need to include privacy and compliance in your processes forever.

No one will care much whether you were compliant on May 25th 2018. But everyone will care whether you are meeting their privacy needs and following the law when they interact with you.

2. History will judge the GDPR as a watershed moment where privacy became more real

Nevertheless, I do think that history will judge the GDPR as being a seminal moment for privacy. Back in the early 2000s, Microsoft popularized the concept of security by design and security by default when they delayed all their products for a year as they improved their security. Nowadays almost everyone builds security into their systems and makes it the default, because you have to in order to survive.

Similarly, the GDPR encourages us to think of privacy when we design products and to make privacy the default, not an afterthought. For example, when we collect data, we should plan how long to keep it and how to erase it later. I suspect that in ten years’ time, privacy by design will be as commonplace as security by design – and the GDPR will be the key reason it became popular.

3. Many other jurisdictions will adopt GDPR like laws

Although the GDPR is over-complex, it has some great concepts in it that I’m sure other countries will adopt. It is appropriate that organizations have to take care about processing people’s data. It is appropriate that when you pass people’s data on to a third party, there should be safeguards. And if you breach that data, it is appropriate that you should be held accountable.

We can expect lawmakers in other countries to make GDPR-like laws.

4. Supply chain management will become more important

[Diagram: one data controller with two data processors; one data processor has two sub-processors and the other has one sub-processor]

Under the GDPR, a Data Controller contracts with Data Processors, and those Data Processors must disclose their Sub-processors (sub-contractors). There is positive encouragement to choose expert Data Processors and Sub-processors, and there are consequences if processors fail their customers. This will encourage organizations to choose reputable suppliers and to review processors down the chain to make sure that everyone is following the rules. Choosing suppliers and Sub-processors that get themselves audited for security, e.g. under ISO 27001, is going to become more commonplace.

This will mean that some suppliers who do not have good enough processes in place for security, privacy and reliability will struggle to survive.

5. People will be the biggest cause of compliance failures

Organizations set up processes and procedures and put in place systems and technology to run their operations, but people are needed to design and run those processes and technology. Some GDPR compliance failures are going to be down to technology failures, but I predict the majority will be down to people. People will make mistakes or judgement errors and cause privacy and GDPR breaches.

If you are interested in this subject, Amanda Maguire of SAP and I gave a webinar last week entitled “GDPR is almost here – are your people ready?” which should shortly be available to view on the SAP website. The message we shared is that if you want to stay compliant with the GDPR, you need to check your people know what to do with personal data. Testing them regularly is a good way of checking their knowledge and understanding.

6. The GDPR and privacy concerns will encourage more accurate assessments

Last but not least, I think that the GDPR will encourage people to expect more accurate and trustworthy tests and exams. The GDPR requires that we pay attention to the accuracy of personal data: “every reasonable step must be taken to ensure that personal data that are inaccurate … are erased or rectified without delay”.

There is a strong argument that this means that if someone creates a test or exam to measure competence, the assessment should be accurate in what it claims to measure. So it needs to be authored using appropriate procedures to make it valid, reliable and trustworthy. If someone takes an assessment which is invalid or unfair, and fails it, they might reasonably argue that the results are not an accurate indication of their competence, and so that personal data is inaccurate and needs correcting.

For some help on how you can make more accurate assessments, check out Questionmark white papers at www.questionmark.com/learningresources including “Assessment Results You Can Trust”.


Data Protection and Privacy: Important developments

Posted by Jamie Armstrong

As Associate Legal Counsel at Questionmark, I spend a lot of time thinking about data protection and privacy law issues. There have been many important developments over recent months, and I thought it would be interesting for our readers if I summarized just three of these below. I may look at others and/or consider those mentioned here in more detail in a future blog post. With a dedicated in-house technical and legal team, Questionmark is continuously monitoring changes in this field and my role helps to ensure that Questionmark is ahead of the curve in protecting our customers.

1. For around fifteen years, organizations transferring personal data from the European Union to the United States were able to rely on the US-EU Safe Harbor Agreement as a legal basis for such transfers. The Safe Harbor Agreement allowed organizations to self-certify compliance with certain data protection standards. In October 2015, the Court of Justice of the EU invalidated the EU decision that underpinned this arrangement. This meant that organizations transferring relevant data had to review their arrangements to ensure such transfers remained legal by different means, such as the EU Standard Contractual Clauses or Binding Corporate Rules – Safe Harbor can no longer be relied on for transfers of EU personal data to the US.

2. The final text of the new General Data Protection Regulation (“GDPR”) was agreed in April this year, and the GDPR will have legal effect from May 2018. From that date, the GDPR will replace the current Data Protection Directive and will apply in all EU member states without any implementing national law required. This should help multinational organizations with compliance, as there will be more uniformity than there is now. The GDPR includes some new obligations, like requiring appointment of a data protection officer in certain cases, hence the two-year lead-in period to allow organizations time to prepare. The GDPR is relevant for organizations based outside the EU, as it has broader effect when EU personal data processing is involved.

3. After Safe Harbor was invalidated, the US and EU authorities worked together on a replacement, known as the Privacy Shield. The initial agreed text received a cool response in Europe and was subsequently revised to address concerns, including around possible continued surveillance in the US and the insufficiency of the Ombudsman role created to consider complaints. It is expected that the mechanics of the Privacy Shield will operate similarly to Safe Harbor (but with stricter requirements), with voluntary compliance certification to the US Department of Commerce possible from August 1 of this year. Unlike the EU Standard Contractual Clauses and Binding Corporate Rules, the Privacy Shield, as with Safe Harbor, will only apply to transfers of data from the EU to the US. The collective of EU data protection authorities has recently said it will not legally challenge the Privacy Shield for at least a year, to provide an opportunity to gauge how this operates in practice.

The above is a very simplified summary of just three important recent developments in the data protection and privacy law field, but it shows that organizations that control and process personal data clearly need to maintain a heightened level of vigilance to be positioned to respond to the shifting landscape. Check back here for updates on these and other relevant developments in future blog posts.

Disclaimer: This blog post is provided for general information purposes only and does not constitute legal advice. Any views included are personal to me.
