How to Navigate Assessments through the GDPR Automated Decision-Making Rules

Posted by John Kleeman

The GDPR has got a lot of publicity for its onerous consent requirements, large fines and the need to inform of data breaches. But there are other aspects of GDPR which have implications for assessment users. To protect human rights, the GDPR imposes restrictions on letting machines make decisions about people, and these limitations can apply when using computerized assessments. Here is how one of the recitals to the GDPR describes the principle:

“The data subject should have the right not to be subject to a decision … evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention.”

In some cases, it is actually illegal in the European Union to use a computerized test or exam to make a significant decision about a person. In other cases, it is permissible but you need to put in place specific measures.  The assessment industry has always been very careful about reliability, validity and fairness of tests and exams, so these measures are navigable, but you need to follow the rules. The diagram below shows what is allowed, with or without protection measures in place, and what is forbidden.

Flowchart describing rules on automated decision-making in the GDPR


When you are free from restriction

For many assessments, the GDPR rules will not impose any prohibitions, as shown by the green “Allowed” box in the diagram:

  • If you are only making minor decisions from an assessment, you do not need to worry. For example, if you are delivering e-learning and decide which path the learner takes next depending on an assessment, that is unlikely to significantly affect the assessment participant. But if the assessment affects significant things, like jobs, promotions or access to education, or has a legal effect, the restrictions will apply.
  • Even if the decisions made do have legal or significant effects, the GDPR only restricts solely automated decision-making. If humans are genuinely part of the decision process, for example with the ability to change the decision, this is not solely automated decision-making. This doesn’t mean that an assessment is okay simply because humans wrote the questions or set the pass score; it means that humans must review the results before making a decision about a person based on the test. For example, if a recruitment test screens someone out of a job application process automatically, without a person intervening, the GDPR considers this to be solely automated decision-making. But if an employee fails a compliance test, and this is referred to a person who reviews the test results and other information and genuinely decides what action to take, that is not solely automated decision-making.

What to do if the restrictions apply

If the GDPR restrictions do apply, you have to go through some logic as shown in the diagram to see if you are permitted to do this at all. If you do not fall into the permitted cases, it will be illegal to make the decision according to the GDPR (the red boxes). In other cases, it is permitted to use automated decision-making, but you have to put measures in place (the yellow boxes). Here are some of the key measures a data controller (usually the assessment sponsor) may take if the yellow boxes apply, for example when using assessments in screening candidates for recruiting:

  1. Provide a route by which test takers can appeal the assessment result and the decision and obtain a human review.
  2. Inform test takers that you are using automated decision-making and what the consequences for them will be.
  3. Provide meaningful information about the logic involved. I suggest this might include publishing an explanation of how questions are created and reviewed, how the scoring works and, in a pass/fail test, how the pass score is arrived at fairly.
  4. Have mechanisms in place to ensure the ongoing quality and fairness of the test. The regulators aren’t precise about what you need to do, but one logically important thing would be to ensure that the question and test authoring process results in a demonstrably valid and reliable test. To maintain validity and reliability, it’s important to conduct regular item analysis and other reviews to ensure quality is maintained.
  5. Perform and document a Data Protection Impact Assessment (DPIA) to check that test takers’ rights and interests are being respected, if the assessment will involve a systematic and extensive evaluation of personal aspects relating to the test taker or otherwise poses a high risk to their rights. Questionmark has produced a template for DPIAs which might help here – see www.questionmark.com/go/eu-od-dpiatemplate.

Although these measures might appear threatening at first sight, in fact they could be helpful for the quality of assessments. As I describe in my blog post What is the best way to reduce cheating?, providing information to test-takers about how the test is created and scored, and why this is fair, can help reduce cheating by making the test-taker less likely to rationalize that cheating is fair. It is also generally good practice to use an assessment as one piece of data alongside other criteria when making a decision about someone. The increased visibility and transparency of the assessment process that comes from following the requirements above could also encourage better practice in assessment, and so more reliable, valid and trustworthy assessments for all.

If you want to find out more about the rules, there is guidance available from the European Data Protection Board and from the UK Information Commissioner. Questionmark customers who have questions in this area are also welcome to contact me. You might also like to read Questionmark’s white paper “Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities” which you can download here.

This blog post includes my personal views only and is based on guidance currently available on the GDPR. This is a fluid area that is likely to develop over time, including through publication of additional regulator guidance and court decisions. This blog does not constitute legal advice.

Six predictions now the GDPR is in place

Posted by John Kleeman

So the European GDPR is in place now. Questionmark, like most other companies, has been working hard over the last two years to ensure that we are compliant and that our customers in and outside Europe can be compliant with the GDPR. See our trust center or summary for information on Questionmark’s compliance.

Is it all done and dusted? My email inbox seems to have a few fewer promotional emails in it. But is this because of the holiday weekend, or have companies really taken my name off their mailing lists? Here are six predictions for what we’ll see going forward with the GDPR.

1. The May 25th 2018 date will matter much less going forward than it did beforehand

Companies have been rushing to meet the May 25th date, but GDPR and privacy are a journey, not a destination. There is a famous slogan, “a dog is for life, not just for Christmas”, encouraging people to look after their dog and not just buy it as a cute puppy. Similarly, the GDPR is not something you get compliant with and then ignore. You need to include privacy and compliance in your processes permanently.

No one will care much whether you were compliant on May 25th 2018. But everyone will care whether you are meeting their privacy needs and following the law when they interact with you.

2. History will judge the GDPR as a watershed moment where privacy became more real

Nevertheless, I do think that history will judge the GDPR as a seminal moment for privacy. Back in the early 2000s, Microsoft popularized the concepts of security by design and security by default when they delayed all their products for a year while they improved their security. Nowadays almost everyone builds security into their systems and makes it the default, because you have to in order to survive.

Similarly, the GDPR encourages us to think of privacy when we design products and to make privacy the default, not an afterthought. For example, when we collect data, we should plan how long to keep it and how to erase it later. I suspect that in ten years’ time privacy by design will be as commonplace as security by design – and the GDPR will be the key reason it became popular.

3. Many other jurisdictions will adopt GDPR like laws

Although the GDPR is over-complex, it has some great concepts in it that I’m sure other countries will adopt. It is appropriate that organizations have to take care when processing people’s data. It is appropriate that when you pass people’s data on to a third party, there should be safeguards. And if you breach that data, it is appropriate that you should be held accountable.

We can expect lawmakers in other countries to make GDPR-like laws.

4. Supply chain management will become more important

Diagram showing one data controller with two data processors; one data processor has two sub-processors and the other has one sub-processor.

Under the GDPR, a Data Controller contracts with Data Processors, and those Data Processors must disclose their Sub-processors (sub-contractors). There is positive encouragement to choose expert Data Processors and Sub-processors, and there are consequences if processors fail their customers. This will encourage organizations to choose reputable suppliers and to review processors down the chain to make sure that everyone is following the rules. Choosing suppliers and Sub-processors that get themselves audited for security, e.g. under ISO 27001, is going to become more commonplace.

This will mean that some suppliers who do not have good enough processes in place for security, privacy and reliability will struggle to survive.

5. People will be the biggest cause of compliance failures

Organizations set up processes and procedures and put in place systems and technology to run their operations, but people are needed to design and run those processes and technology. Some GDPR compliance failures are going to be down to technology failures, but I predict the majority will be down to people. People will make mistakes or judgement errors and cause privacy and GDPR breaches.

If you are interested in this subject, Amanda Maguire of SAP and I gave a webinar last week entitled “GDPR is almost here – are your people ready?” which should shortly be available to view on the SAP website. The message we shared is that if you want to stay compliant with the GDPR, you need to check your people know what to do with personal data. Testing them regularly is a good way of checking their knowledge and understanding.

6. The GDPR and privacy concerns will encourage more accurate assessments

Last but not least, I think that the GDPR will encourage people to expect more accurate and trustworthy tests and exams. The GDPR requires that we pay attention to the accuracy of personal data: “every reasonable step must be taken to ensure that personal data that are inaccurate … are erased or rectified without delay”.

There is a strong argument that this means that if someone creates a test or exam to measure competence, the assessment should be accurate in what it claims to measure. So it needs to be authored using appropriate procedures to make it valid, reliable and trustworthy. If someone takes an assessment which is invalid or unfair, and fails it, they might reasonably argue that the results are not an accurate indication of their competence, and so that personal data is inaccurate and needs correcting.

For some help on how you can make more accurate assessments, check out Questionmark white papers at www.questionmark.com/learningresources including “Assessment Results You Can Trust”.


Delivering exams in Europe? What must you do for Data Protection?

Posted by John Kleeman

Regulators in Europe are increasingly active in data protection, and most European organizations are reviewing their suppliers to ensure data protection and security. If you are an awarding body, multinational corporation or publisher delivering tests and exams in Europe, what do you need to do to stay comfortably within European Union data protection laws?

There is a fundamentally different approach to personal privacy between Europe and the USA. In the USA, there is often a cultural expectation that technology and market efficiency are pre-eminent, but in Europe the law requires technology to ensure privacy.

We all remember that in the US, citizens have a right to “life, liberty and the pursuit of happiness” and that in France, people have a right to “Liberty, Equality and Fraternity”. But in the 21st century, privacy is probably one of the strongest discriminators between the continents. In a world being transformed by technology, the EU data protection directive firmly says that computer systems are designed to serve man, and not man to serve the computer. Data processing systems must respect the fundamental rights and freedoms of people, and in particular the right to privacy. Whether you think this is right or not, this is the law in Europe.

Increasingly, European governments are strengthening their laws on data protection and the penalties for not complying. So if you are delivering your exams in Europe, what do you need to do? The key responsibilities for data protection are held by what EU law calls the “Data Controller”. Most sponsors of assessments – awarding bodies, corporations delivering tests, publishers and educational institutions – are Data Controllers, and they are responsible for protecting the data of the end user (the Data Subject) and ensuring that any processors and sub-processors follow the rules. The Data Controller will also be liable if anything goes wrong.

Data Subject - Data Controller - Data Processor - Sub-processor

Here is a summary of the 12 responsibilities of a Data Controller under EU law when delivering assessments:

1. Tell test takers what is being done with their data including how you are ensuring the assessment is fair.

2. Obtain informed consent from your test takers including relating to who will see their results.

3. Ensure that data is accurate, which in the assessment context likely means that assessments are reliable and valid.

4. Delete personal data when no longer needed.

5. Protect data against unauthorized destruction, loss, alteration and disclosure. If assessment results are lost, altered or disclosed without permission, you may be liable for penalties. You need to put in place technical and organizational measures, ensure that data is only disclosed appropriately, and ensure that any data processors follow the rules strictly.

7. Take care when transferring data outside Europe. You need to ensure that if assessment results or other personal data are transferred outside Europe, the EU rules are followed. This is particularly important because not all organizations outside Europe understand data protection, and so they may inadvertently break the rules.

8. If your assessments collect “special” categories of data, including racial or ethnic origin and health information, there are additional rules; get advice on how to ensure there is explicit consent from test takers.

9. People have a right to request data that you hold on them, and in some countries this includes exam results and all the personal details you hold on them. Be prepared to receive such requests.

10. If the assessment is high stakes, ensure there is a human review of automated decision-making. Under the EU directive, technology serves man, not the other way round, and taking decisions without human review is not always allowed.

11. Appoint a data protection officer and train your personnel.

12. Work with supervisory authorities (you have to register in some countries) and have a process to deal with data protection complaints.

As a company established in both the EU and the US, Questionmark has a good understanding of data protection, and if you use Questionmark OnDemand, several of these responsibilities are made easier to meet.

I hope this introduction and summary has been helpful. For more information on the requirements of data protection when delivering assessments, download our white paper (free with registration) Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities.