The Nineteen Responsibilities of an Assessment Data Controller under the GDPR

Posted by John Kleeman

Back in 2014, Questionmark produced a white paper covering what at the time was a fairly specialist subject – what assessment organizations needed to do to ensure compliance with European data protection law. With the GDPR in place in 2018, with its extra-territorial reach and potential of large fines, the issue of data protection law compliance is one that all assessment users need to consider seriously.

Data Controller with two Data Processors, one of which has a Sub-Processor

Myself, Questionmark Associate Legal Counsel Jamie Armstrong and Questionmark CEO Eric Shepherd have now rewritten the white paper to cover the GDPR and published it this week. The white paper is called “Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities”. I’m pleased to give you a summary in this blog article.

To remind you, a Data Controller is the organization responsible for making decisions about personal data, whereas a Data Processor is an organization who processes data on behalf of the Data Controller. As shown in the diagram, a Data Processor may have Sub-Processors. In the assessment context, examples of Data Controllers might be:

  • A company that tests its personnel for training or regulatory compliance purposes;
  • A university or college that tests its students;
  • An awarding body that gives certification exams.

Data Processors are typically companies like Questionmark that provide services to assessment sponsors. Data Processors have significant obligations under the GDPR, but the Data Controller has to take the lead.

The Nineteen Responsibilities of an Assessment Data Controller under the GDPR

1. Ensure you have a legitimate reason for processing personal data
2. Be transparent and provide full information to test-takers
3. Ensure that personal data held is accurate
4. Review and deal properly with any rectification requests
5. Respond to subject access requests
6. Respond to data portability requests
7. Delete personal data when it is no longer needed
8. Review and deal properly with any erasure requests
9. Put in place strong security measures
10. Use expert processors and contract with them wisely
11. Adopt privacy by design measures
12. Notify personal data breaches promptly
13. Consider whether you need to carry out a Data Protection Impact Assessment
14. Follow the rules if moving data out of Europe
15. If collecting “special” data, follow the particular rules carefully
16. Include meaningful human input as well as assessment results in making decisions
17. Respond to restriction and objection requests
18. Train your personnel effectively
19. Meet organisational requirements

Back in 2014, we considered there were typically 12 responsibilities for an assessment Data Controller. Our new white paper suggests there are now 19. The GDPR significantly expands the responsibilities Data Controllers have, as well as making it clearer what needs to be done and the likely penalties if it is not done.

The 25-page white paper:

  • Gives a summary of European data protection law
  • Describes what we consider to be the 19 responsibilities of a Data Controller (see diagram)
  • Gives Data Controllers a checklist of the key measures they need from a Data Processor to be able to meet these responsibilities
  • Shares how Questionmark helps meet the responsibilities
  • Comments on how the GDPR, by pushing for accuracy of personal data, might encourage more use of valid, reliable and trustworthy assessments and benefit us all

The white paper is useful reading for anyone who delivers tests and exams to people in Europe – whether using Questionmark technology or not. Although we hope it will be helpful, like all our blog articles and white papers, this article and the white paper are not a substitute for legal advice specific to your organization’s circumstances. You can see and download all our white papers at www.questionmark.com/learningresources and you can directly download this white paper here.

Delivering exams in Europe? What must you do for Data Protection?

Posted by John Kleeman

Regulators in Europe are increasingly active in data protection, and most European organizations are reviewing their suppliers to ensure data protection and security. If you are an awarding body, multinational corporation or publisher delivering tests and exams in Europe, what do you need to do to stay comfortably within European Union data protection laws?

There is a fundamentally different approach to personal privacy between Europe and the USA. In the USA, there is often a cultural expectation that technology and market efficiency are pre-eminent, but in Europe, the law requires technology to ensure privacy.

We all remember that in the US, citizens have a right to “life, liberty and the pursuit of happiness” and that in France, people have a right to “Liberty, Equality and Fraternity”. But in the 21st century, privacy is probably one of the strongest discriminators between the continents. In a world being transformed by technology, the EU data protection directive firmly says that computer systems are designed to serve man, and not man to serve the computer. Data processing systems must respect the fundamental rights and freedoms of people, and in particular the right to privacy. Whether you think this is right or not, this is the law in Europe.

Increasingly, European governments are strengthening their laws on data protection and the penalties for not complying. So if you are delivering your exams in Europe, what do you need to do? The key responsibilities for data protection are held by what EU law calls the “Data Controller”. Most sponsors of assessments – awarding bodies, corporations delivering tests, publishers and educational institutions – are Data Controllers, and they are responsible for protecting the data of the end user (the Data Subject) and for ensuring that any processors and sub-processors follow the rules. The Data Controller will also be liable if anything goes wrong.

Data Subject - Data Controller - Data Processor - Sub-processor

Here is a summary of the 12 responsibilities of a Data Controller under EU Law when delivering assessments:

1. Tell test takers what is being done with their data including how you are ensuring the assessment is fair.

2. Obtain informed consent from your test takers including relating to who will see their results.

3. Ensure that data is accurate, which in the assessment context likely means that assessments are reliable and valid.

4. Delete personal data when no longer needed.

5. Protect data against unauthorized destruction, loss, alteration and disclosure. If assessment results are lost, altered or disclosed without permission, you may be liable for penalties. You need to put in place technical and organizational measures and ensure that data is only disclosed appropriately and that any data processors follow the rules strictly.

7. Take care when transferring data outside Europe. If assessment results or other personal data are transferred outside Europe, you need to ensure that the EU rules are followed. This is particularly important because not all organizations outside Europe understand data protection, and so they may inadvertently break the rules.

8. If your assessments collect “special” categories of data, including racial or ethnic origin and health information, there are additional rules. Get advice on how to ensure there is explicit consent from test takers.

9. People have a right to request data that you hold on them, and in some countries this includes exam results and all the personal details you hold on them. Be prepared to receive such requests.

10. If the assessment is high stakes, ensure there is a human review of automated decision making. Under the EU directive, technology serves man, not the other way round and taking decisions without human review is not always allowed.

11. Appoint a data protection officer and train your personnel.

12. Work with supervisory authorities (you have to register in some countries) and have a process to deal with data protection complaints.

As a company established in both the EU and the US, Questionmark has a good understanding of data protection, and if you use Questionmark OnDemand, several of these responsibilities are made easier to meet.

I hope this introduction and summary has been helpful. For more information on the requirements of data protection when delivering assessments, download our white paper (free with registration): Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities.