The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. It replaces the Data Protection Act for all organisations that collect and process the personal data of individuals located in the European Union.
Over the past year we have been preparing to meet the requirements of the GDPR and so we wanted to explain what we’ve done and provide some answers to the questions we’ve been receiving.
Both OCR and the schools and colleges registered with us act as independent controllers of the personal data of the candidates entered for our qualifications. We hold entry information in order to provide candidates with the results of their qualifications. As such, we are not a ‘data processor’, which means you do not need to send us a data processing agreement to complete. For definitions of data controllers and processors, please see the Information Commissioner’s Office website.
We have added a data sharing agreement to our terms of business. This sets out the respective responsibilities of OCR and our centres when handling candidate data. We are committing through these terms to comply with our obligations under the GDPR when we use any personal data in connection with our services. The agreement terms require you to make the same commitment. Please read through the data sharing agreement carefully and share it with the staff in your school or college responsible for the security and protection of candidate data.
Do we have to send you a data processing agreement to sign?
No, as we are a data controller, we do not need you to send us an agreement. Instead, we have produced a data sharing agreement, which you will need to sign up to on an annual basis.
Do we have to sign a data sharing agreement?
We have produced a data sharing agreement. You will need to sign up to this on an annual basis. More information about this will be provided shortly.
When posting non-exam assessment on removable media, eg USBs, does this have to be encrypted?
We don’t require you to send encrypted data, eg USBs or memory sticks. In fact, we recommend you send unencrypted data wherever possible.
What if our policy is to only use encrypted removable media?
If you have no other option than to use encrypted data, please follow these instructions:
Where can I get further information about GDPR?
Take a look at the information on the Information Commissioner’s Office website. The DfE have also produced a toolkit for schools, which you may find useful.
If you have any further questions, please get in touch with our Customer Contact Centre.