Where do you deliver assessments from in a post-PRISM world?
Posted by John Kleeman
Like many of you, I have been watching with interest revelations about government Internet surveillance initiatives. Technologically and legally, none of it is surprising. Businesses and governmental organizations around the world have frequently expressed concerns about the data privacy implications of the US Patriot Act. Indeed, many of our customers cite data protection issues as factors in their decisions to opt for the Questionmark OnDemand service based at our European data centre.
Practically, I am torn between admiring our governments defending us against terrorism and pondering Benjamin Franklin’s saying that if you give up liberty for security, you lose liberty.
Wherever you stand on this issue, there are still questions to address about the practical implications this data protection challenge poses for those delivering assessments. I thought it might be helpful to look at a couple of different scenarios and suggest data protection requirements you might look for when running assessments over the Internet.
Scenario 1. A US company looking for a safe place to deliver assessments from the Cloud
Suppose you are a US company seeking to test your employees via a SaaS vendor. Suppose most employees are in North America but a few are spread round the globe. Here are the likely key data protection requirements:
1. Contract with a US service provider with confidentiality clauses.
2. Data centre and assessment results located in the US.
3. Data centre certified and audited to SSAE 16, the expected standard for quality data centres in North America.
4. Service provider and data centre operator certified under the U.S. Department of Commerce’s Safe Harbor Framework. This means they promise to comply with European data protection rules for data coming from Europe. Without this, you will have HR challenges testing your employees in Europe. With a lot of testing in Europe, you may want to look for stronger measures than Safe Harbor – see the White Paper (complimentary with registration): Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities.
5. Vendors must have strong IT security including the latest SSL/TLS encryption and other technical measures.
Scenario 2. A European organization that wants to run assessments and keep data in Europe
Many European companies or universities have a legal need to follow European data protection law and keep their data in Europe, and some may have constitutional requirements to avoid US oversight. Here are some of the key things they would look for:
1. Contract with a European service provider with confidentiality and data protection clauses.
2. Data centre with assessment results and personal data located inside the European Union.
3. Data centre certified and audited under ISO 27001, the expected standard for quality data centres in Europe.
4. Location alone is only part of the story. The service provider and the data centre operator must not just be located in Europe; they must be European owned and not a subsidiary of a US company. If a US company runs a data centre or service in Europe, even through a European subsidiary, it is required to hand over data on request to the US government, even if that data is held in Europe. So if you work with a European subsidiary of a US LMS, VLE or other SaaS company, your data may be obtained by US enforcement agencies. According to a recent report by Reuters, a US judge has ruled that:
"Internet service providers such as Microsoft Corp or Google Inc cannot refuse to turn over customer information and emails stored in other countries when issued a valid search warrant from U.S. law enforcement agencies."
5. Again, all the legal data protection needs to be accompanied by good IT security. See our security comparison document for some questions to ask.
White Paper (complimentary with registration): Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities.