Posted by John Kleeman
One of the key responsibilities of an assessment sponsor acting as data controller under European Law is to implement appropriate technical and organizational measures to protect personal data. But what does appropriate mean?
And when you contract with a data processor to deliver assessments, you must ensure that the processor implements appropriate measures. But again what does appropriate mean?
This is not just an academic question. A UK organization was fined £150,000 in 2013 for failing to protect personal data with the regulator commenting that a key reason for the fine was “… the data controller has failed to take appropriate technical measures against the loss of personal data”
The measures to use will depend on the risk to the data and to the assessment participant. But here are some measures to consider. They are all met by Questionmark if you delegate service delivery to Questionmark – though some also need action by you:
For more information, you can download a complimentary version of the white paper: Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities [requires registration]
| Measure | Questionmark OnDemand? | Your system? |
| Premises access control | ||
| Data center certified against ISO 27001 or SSAE 16 | ✔ | |
| Two-factor authentication for staff and visitors | ✔ | |
| 24/7/365 personnel intrusion alarms | ✔ | |
| 24/7/365 monitored digital surveillance cameras | ✔ | |
| 23/7/365 security team on site at all times | ✔ | |
| Strong physical security in nondescript building to aid anonymity | ✔ | |
| System controls | ||
| Well configured firewalls in each tier | ✔ | |
| Intrusion Detection System or Intrusion Prevention System | ✔ | |
| Secure software development approach following best practices | ✔ | |
| Comprehensive anti-virus measures | ✔ | |
| Regular third party penetration testing | ✔ | |
| Regularly updated system and application software | ✔ | |
| 24/7/365 network monitoring | ✔ | |
| Data access control (authentication and authorization) | ||
| Individual, unique high strength passwords for all users | ✔(you need to action) | |
| Users can easily be deleted when they leave an organization | ✔(you need to action) | |
| Store administrator passwords in encrypted form | ✔ | |
| Administrators can be given access to only functions/data needed | ✔(you need to configure) | |
| Participant login & identity can be confirmed by monitors/proctors | ✔(you need to configure) | |
| Data transmission control | ||
| All participant access via well configured SSL/TLS | ✔ | |
| All administrator access to results via well configured SSL/TLS | ✔ | |
| Any data copied for troubleshooting purposes strongly encrypted | ✔ | |
| No need to send data physically – all data transmitted electronically | ✔ | |
| Data entry control (keeping track of who does what) | ||
| Able to present participant with information & record consent | ✔(you need to action) | |
| Participant answers cannot be changed except with authority | ✔ | |
| Participant submissions recorded with time-stamp | ✔ | |
| Differential privileges for administrators, control over system functions | ✔(you need to configure) | |
| Log important activities by administrators and other users | ✔ | |
| Contractual control | ||
| Have data protection compliant contracts with processors | ✔ | |
| Processing only performed on instructions from Data Controller | ✔ | |
| Logical or physical separation of data from different customers | ✔ | |
| Availability controls (protecting against unauthorized destruction or loss) | ||
| Power supply redundancy, UPSs and onsite generators | ✔ | |
| N+1 or 2N redundancy on all hardware and Internet connections | ✔ | |
| Backup of all assessment data to offsite location | ✔ | |
| Backup assessment results frequently (e.g. hourly) to avoid losing data | ✔ | |
| Regular restore tests of such backups | ✔ | |
| Save participant answers “as you go” on server during test-taking | ✔ | |
| Tested, current service continuity plan in place in event of disasters | ✔ | |
| 24/7/365 environment monitoring | ✔ | |
| Organizational measures (These are all met by Questionmark; you will also have to follow these yourselves.) | ||
| Designate a data protection officer | ✔ | |
| Personnel have written commitment to confidentiality | ✔ | |
| Background checks on new employees | ✔ | |
| Regular training of employees on data security | ✔ | |
| Regular testing of personnel on data security to check understanding | ✔ | |
| Faulty or end of life disks degaussed or otherwise safely destroyed | ✔ |
I hope this helps you work out what measures might be appropriate for your needs. If you want to learn more, then please read our free-to-download white paper: Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities [requires registration].
If you are interested in seeing if Questionmark OnDemand could meet your needs, see here for more information.
