GDPR & Ecordia
We are sure everyone has been hearing a lot about GDPR recently and may have some questions regarding the data that training providers and assessment centres store and process on Ecordia. The General Data Protection Regulation can seem complex, so we have provided some information and guidance in this article for your centre.
“The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect, it will replace the 1995 Data Protection Directive. It was adopted on 27 April 2016. It becomes enforceable from 25 May 2018, after a two-year transition period”.
GDPR is without doubt a great step forward in data protection for individuals, but how does it affect your assessment centre with the data that’s stored and processed on Ecordia?
We need to look at which personal data stored on Ecordia GDPR applies to. This depends very much on what your assessment centre requires and decides to place on Ecordia. The data usually includes individuals’ details such as name, address, date of birth, national insurance number, email address, telephone number etc.
This data is your responsibility, but Ecordia provides all the functionality you need to ensure GDPR compliance (with this particular data). If you store and process personal data digitally on other systems, computers or hard drives, or on paper, then this will need to be assessed and addressed separately.
GDPR is about organisations becoming more responsible and accountable for the data they store on individuals. It covers issues such as an individual’s rights to be informed, of access, to rectification of data, to erasure and to portability of their data. Your centre will need to create a document showing your understanding of these requirements and your policies towards them.
The following are specific GDPR requirements for the data you store and process on Ecordia. You will need to address and include these in your data protection policy document:
Consent to store data – (from May 2018) on first login, all users and learners are asked for explicit consent for their personal data, such as name, address, email address, date of birth and national insurance number, to be held on Ecordia and accessed by the parties, people and organisations involved in their qualification/course, such as the assessment centre, training provider, college and workplace.
Right of access – the Ecordia system has functionality to enable data controllers to respond to individuals’ requests for access to their personal information.
Right to rectification and data quality – the Ecordia system has functionality to enable data controllers to edit personal data held on the system to ensure it remains accurate and up-to-date.
Right to erasure – (from May 2018) the Ecordia system will have functionality for data controllers to securely dispose of personal data that is no longer required. Ecordia also has processes to routinely and securely dispose of personal data that is no longer required or is beyond the time limit specified with the data controller (maximum of 7 years).
Right to restrict processing – the Ecordia system has functionality to enable data controllers to suppress processing of specific data.
Right of data portability – the Ecordia system has functionality for the data controller to supply the personal data they process in electronic format (exported portfolio, which will also include user data).
Other information, such as where the data is stored, may need to be included in your data protection policy document. You can find more details within Ecordia’s data protection policy document, which has been updated in line with GDPR. Currently the document is in draft until GDPR officially becomes enforceable on the 25th May 2018.
Ecordia’s Data Protection Policy – download here
When looking up information on compliance for GDPR, be sure to look at your responsibilities as the data controller and data processor. It is important to understand that Ecordia is a web-based application to store your data, for you to manage and process; therefore your centre is responsible for the data placed on Ecordia.
We would recommend looking at the following guidance from the Information Commissioner’s Office (ICO): https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
The ICO have also provided some handy self-assessment checklists: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
Please contact us if you have any queries about GDPR and the data you store on Ecordia. firstname.lastname@example.org
“The biggest change is that institutions will be held far more accountable for the data they hold. As well as records of what personal data exist within the organisation, the GDPR requires a documented understanding of why information is held, how it is collected, when it will be deleted or anonymised, and who may gain access to it”. – JISC 2017