Posted by John Kleeman
If you are a European or multinational company delivering assessments in Europe or an awarding body providing certification in Europe, then you likely have responsibilities as a Data Controller of assessment results and data under European law.
The European Data Protection Directive imposes an obligation on European countries to create national laws about collecting and controlling personal data. The Directive defines the role of “Data Controller” as the organization responsible for personal data and imposes strong responsibilities on that organization to process data according to the rules in the Directive. An assessment sponsor must follow the laws of the country in which it is established, and in some cases may also need to follow the laws of other countries.
To help assessment sponsors, we have written a white paper which explains your responsibilities as a Data Controller when assessing knowledge skills and abilities. If you are testing around the world, this is material you need to pay attention to.
One concept the white paper explains is that if you sub-contract with other companies (“Data Processors”) to help deliver your assessments, then you as Data Controller are responsible for the actions of the Data Processors and their Sub-Processors under data protection law.
Regulators are increasingly active in enforcing data protection rules, so failing in one’s responsibilities can have significant financial and reputational consequences. For example, a UK company was fined UK£250,000 in 2013 after a leakage of data as a result of a failure by a Data Processor. Other companies have faced significant fines or other regulatory action as a result of losing data, failing to obtain informed consent or other data protection failures.
The white paper describes the twelve responsibilities of a Data Controller with regard to assessments, summarized as:
- Inform participants
- Obtain informed consent
- Ensure that data held is accurate
- Delete personal data when it is no longer needed
- Protect against unauthorized destruction, loss, alteration and disclosure
- Contract with Data Processors responsibly
- Take care transferring data out of Europe
- If you collect “special” categories of data, get specialist advice
- Deal with any subject access requests
- If the assessment is high stakes, ensure there is review of any automated decision making
- Appoint a data protection officer and train your staff
- Work with supervisory authorities and respond to complaints
If you use a third party to help deliver assessments, you need to ensure it will help you meet data protection rules. The white paper describes how Questionmark OnDemand can help in this respect.
As well as ensuring you follow the law and reduce the risk of regulatory action, there are benefits in being pro-active to follow your responsibilities as a Data Controller. You build confidence with your participants that the assessment is fair and that they can trust you as assessment sponsor, which increases take-up and in encourages an honest approach to taking assessments. You also increase data quality and data security, and you gain protection against inappropriate data leakage.
The white paper is free to download [requires registration].