Posted by Jamie Armstrong, Group Legal Counsel
Questionmark’s Group Legal Counsel and Data Protection Officer, Jamie Armstrong, was recently made a Fellow of Information Privacy by the International Association of Privacy Professionals (IAPP). Jamie is a US and UK qualified lawyer and holds IAPP CIPP/E/US/C and CIPM credentials. In this short article, Jamie shares some brief thoughts on five key privacy considerations for testing and assessments.
Privacy is certainly not a new consideration for organizations operating in the field of testing and assessments, although its importance has been heightened by legal developments over the past five years and more recently by the ongoing global health crisis. Whether operating a large-scale global certification program or running a smaller in-house testing function, all participants in this space should think carefully about privacy issues in the design and operation of their assessment activities. As with everything, no one size fits all; however, here are five key privacy considerations for testing and assessments that all entities should address:
1. Know Your Data.
Understanding the nature and extent of the data that is being collected and used in the assessment process is critical. What, if any, personal data (in some places called personal information or personally identifiable information) are you going to collect and use? Most testing programs involve the processing of at least some personal data and you should check what does and does not fall within the scope of this concept according to the applicable privacy laws. This is because particular rules apply to personal data and you need to ensure these are followed. For example, in many parts of the world it is either a legal requirement or recognized good practice to follow the principle of data minimization – i.e. only collect personal data that is really needed for your purposes;
2. Be Transparent.
For privacy compliance and other reasons, such as to ensure assessment candidates are fairly prepared for the testing process, you should provide full, clear and early information on what personal data will be collected, why it is needed and how it will be used. This can be done by providing test participants with a notice when they sign up for the exam and providing that information again on the day of the assessment. We all understand that candidates frequently overlook privacy notices, so it is important that the information is provided on multiple occasions and in a prominent fashion. This means do not bury it within or at the end of other documentation – instead present a dedicated notice or other communication to minimize the risk that this information is inadvertently overlooked;
3. Facilitate Test Taker Rights.
Privacy laws across the globe are increasingly framed from the perspective of data subject rights. This means that assessment participants have rights that they can enforce against testing organizations and those organizations need to be prepared to respond when those rights are asserted. For example, the EU General Data Protection Regulation (GDPR) includes, amongst others, rights to information, rectification, erasure and access, and laws elsewhere (such as the California Consumer Privacy Act) include some of these rights and others. Assessment sponsoring organizations need to understand what rights their candidates have, who will be responsible for responding to the assertion of these rights, the timescale within which a response must be given and what the appropriate response should be in each case;
4. Privilege Security.
It always bears repeating that you can have security without privacy, but you cannot have privacy without security. It is therefore important that organizations that collect and use personal data for assessments are satisfied that they can provide sufficient security for that data. Omnibus privacy laws and regulators have so far refrained from stipulating particular measures or standards for security that should apply across the board – for example the GDPR famously requires “appropriate technical and organizational measures” commensurate to the level of risk involved. There are a number of well-recognized independent security standards that organizations may use to design their information security frameworks, and obtain independent third party audit against (as Questionmark has now done for many years with respect to the ISO 27001 standard). Having good security and undertaking proper risk assessment is key to achieving proper privacy protections and safeguarding against personal data breaches;
5. Use Good Vendors.
If you rely on third parties for your assessment program, for example to provide assessment management services, proctoring solutions or for credentialing, you should complete appropriate due diligence to ensure those third parties can be relied upon. Are these organizations well-established in their market, with demonstrated experience in delivering the services you require? Do they understand privacy and can they prove this to you? Will they enter into appropriate contracts that provide for legally required or otherwise reasonable allocation of obligations and risk? And related to security above, if they claim they can provide appropriate security measures to safeguard the privacy of personal data through third party audit to a security standard, like ISO 27001 or SSAE 18, is this applicable to their own information security management system (as for Questionmark’s ISO 27001 certification) or only to the external data center they use to host their services? These and others are good questions to ask when evaluating vendors to be entrusted with personal data.
This is general information only, does not constitute legal advice and is not an adequate substitute for legal advice.