Posted by John Kleeman
Under data protection law in Europe and increasingly other jurisdictions, “sensitive” personal data has to be given special protection. What does this mean for assessments?
How is sensitive data defined?
The idea behind the concept of “sensitive” or “special” categories of data is that there are some sorts of personal data that if misused could have severe consequences on an individual’s rights or social environment. For instance, information on a living person’s health, racial origin, sexual orientation and political opinions is usually considered sensitive, and special care is needed in processing this information.
At present within Europe, there are minor national differences as to what information is considered sensitive but the forthcoming General Data Protection Regulation (GDPR) should make this more uniform. In the US, the HIPAA patient privacy law defines the concept of protected health information (PHI). Most PHI would likely also be sensitive under European rules, but HIPAA does not protect political or other non-health information, whereas Europe’s sensitive personal data rules can.
When is assessment data sensitive?
The results of most ordinary skill or knowledge assessments is not sensitive personal data, but here are some ways in which assessment data could or will be sensitive.
- Health diagnosis. The results of some assessments used in mental health clearly are sensitive. What about psychometric assessments that assess mental state and personality, arguably an aspect of health? This is a grey area, and results from such assessments might be sensitive.
- Sensitive surveys. If you ask surveys about someone’s health or political views or other sensitive subjects, the assessment results will be sensitive.
- Demographic data. Do you ask for racial or ethnic origin to accompany assessments, perhaps in order to gather information to prove your assessments are non-discriminatory? If so, that data is likely sensitive.
- Identity information gathered to prevent cheating. Depending what information you gather to identify someone or check he/she is not cheating, this might be sensitive. For example the GDPR clearly indicates that biometric information should be considered sensitive.
There will not always be a black and white definition – it may well be grey as to whether data is sensitive or not. For example, in some countries, photographs are considered sensitive due to the fact that you can usually identify race from a photo — but in other countries this is only the case for some photos. The GDPR (which becomes law in 2018) says photos they are only sensitive if used to allow unique identification or authentication.
What does it mean for assessment users if data is sensitive?
Here are three suggestions for what to do if you may be processing sensitive data in an assessment.
1. Get explicit participant consent. Although there are some other legal routes, for most assessment use cases, it’s probably wise to get explicit consent from the participant to process sensitive data. For example, include a question at the start of the assessment identifying what you are going to do with the data, and get the participant’s consent.
2. Since there are consequences including fines for misusing data and in general these will be more severe for sensitive data, it would be wise to take strong technical and organizational measures (e.g. encryption) for sensitive data.
3. It’s also wise to ensure that any processors including assessment vendors are knowledgeable about data protection and that you and they have appropriate legal measures in place to cover data protection.
There are some uncertainties around what data is sensitive and how you should deal with it in an assessment context, but I hope this article helps you understand the likely shades of grey to figure out what might be important in your context.
This blog does not give legal advice – please check with your lawyer for rules that apply to your organization and use case.