Data Protection and Conditions of Recognition A1, A5, C3, D4 and B3

Wherever you look you cannot get away from data protection. Condition A1 doesn’t mince its words on how an AO can render itself unsuitable by breaching Data Protection Law, and B3 makes clear that Ofqual would expect to be notified if the AO were named, investigated or sanctioned in relation to its regulatory duties. A5 then talks about retention of data and adequate information being available at all times, along with appropriate systems of planning and internal control being in place. C3 covers arrangements with centres: we all know how data sharing makes things more complicated, and arrangements in this area need to be clear. Finally, D4 talks about disclosure of information that would breach confidentiality.

One thing worth highlighting from the Conditions mentioned above is that we need to address what ‘adequate information’ means. Obtaining more details from Learners and others than we need is an easy thing to happen. An example where I’ve seen it often occur is when questions in registration/application forms - that have been there forever but never questioned why - capture data that is not relevant to, or used in relation to, the purpose of the application. Sometimes the data could be deemed sensitive too, eg to do with marital status, religion, gender or race, and it is not being used for any purpose.

A5 also brings to mind what policies are in place in the AO in relation to data retention. If someone wants to obtain a copy of their results from 10 years ago, do you say somewhere that you only keep achievement data for a limited time? How long do you keep other types of data?

Internal controls and data protection is a huge area. For me, the controls around data protection include not only your data protection policy and procedures, but also:

• Staff induction and training on data protection, including refresher training

• Protocols or security checks for when someone rings or emails in with queries about their situation

• Whether system logins are required to be updated and passwords to be suitably strong

• How contractors, for example EQAs, access and keep centre/learner data remotely: on a personal laptop, on a memory stick, in emailed files, in hard copies? Is it secure, and what happens to it when they leave? These things are often forgotten or left out of data protection policies.

• When a well-meaning temp sends an email update and, in doing so, shares everyone’s email addresses with everyone else. Does your AO skip talking about data protection rules with temps?

• What happens to all those paper records that went to archive/storage years ago? Can anyone remember exactly what was in there?

There is also the question of how AOs manage their IT risks, and the potential for disclosure of personal information is part of the control environment of the AO. The recent ICO (Information Commissioner’s Office) newsletter mentions a small organisation that didn’t take adequate protection measures, leaving itself and its customers susceptible to a cyber-attack on its website; the attack happened and allowed the attacker to access personal customer files. Also, if you are using a third-party CRM, database or customer interface system, does the contract say anything about the security and ownership of the data stored in or passed through it?

There is quite a bit more to data protection compliance than the usual policy and basic procedures. 

Next year brings the GDPR (General Data Protection Regulation), which is heralded as ‘the biggest change to data protection law in a decade’. The ICO is encouraging early preparation and has some good information on its site.

