Anonymization of personal data
  • 19 Oct 2023

Right to Erasure ('Right to be forgotten')

The General Data Protection Regulation (GDPR) gave EU residents (and anyone who does business with EU organizations) the right to erasure ('right to be forgotten'). This entitles people to require that organizations, under specific circumstances, erase their personal data. Other privacy legislation around the world has started to establish similar rights.
One circumstance, often applicable to our Customers as Data Controller, is that the "personal data is no longer necessary for the purpose an organization originally collected or processed it".

Personal Data

In Article 4, the GDPR gives the following definition of "personal data":

'Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Relevant for Cirrus customers is that "identifier" includes User IDs and "Internet protocol (IP) addresses".

Policy Considerations

There is no specific retention period for personal data under the GDPR. Organizations must determine for themselves how long they store personal data. In doing so, they must consider how long the data is needed for the purpose for which it was collected or used. However, there are concrete retention periods in other laws that must be observed, for example on the basis of tax legislation.

Data Controller in Control

Because an organisation's data retention policy has to strike this balance between data protection and legal obligations (see Policy Considerations), and is often based on data outside of Cirrus and on complex business rules, our design leaves the customer (Data Controller) in full control.

Most customers already have middleware to drive the full assessment process in Cirrus. For them, it is a minor change to extend this middleware for data retention. If not, it can either become an administrative process or a good business driver to explore our easy-to-implement REST API.

Anonymization of User Accounts

All users and candidates have an account on Cirrus that stores the login details and user profile.

Option 1. Rename user "ANONYMIZED" as Administrator

Your administrators can use View and manage users to overwrite all user profile fields with, e.g., "ANONYMIZED".

Option 2. Rename user "ANONYMIZED" via API

Your systems can update all user profile fields using the /update-user API call.

Option 3. Delete user

Deleting a user is often not possible when certain information is linked to or "owned" by that user in Cirrus.
Before deleting candidates linked to exams, please first review Anonymization of candidate exam results (/docs/anonymization-of-personal-data#anonymization-of-candidate-exam-results) below.
For "author" users (roles other than candidate), please review Option 1 and/or Option 2.

Anonymization of candidate exam results

Background and Rationale

Though Anonymization of User Accounts was already possible in Cirrus, a big drawback for some customers was that a candidate often needs to remain active while (some of) their past exam results should be removed.

In collaboration with a high-stakes customer with strong compliance requirements, Cirrus has been developing this anonymization of candidate exam results functionality.

Anonymization Notification Period

As anonymization is an irreversible procedure, Cirrus adheres to a notice period of 90 days between marking a schedule for anonymization and the actual anonymization.

The anonymization (normally) only runs on Sundays (off-hours), so the notice period is not exact to the day.

Steps in Anonymization

Using the Cirrus REST API

At the moment the anonymization can only be controlled via the Cirrus REST API.
Cirrus has deprioritized a UI for this functionality (CR-17939) due to lack of demand.

| # | Step | Details | Remarks |
|---|------|---------|---------|
| Pre-requisites | All results published | Nothing should be "Pending"... | |
| | Schedule archived | ...and these two steps ensure that. | |
| 1 | Get eligible schedules | /schedules | Suggested filters: MaxPublishDate=date e.g. 120d ago, IsMarkedForAnonymization=false, IsArchived=true, IsAllPublished=true |
| 2 | Mark for anonymisation | /anonymize/mark | Sets the MarkedForAnonymizationDate |
| 3 | Get marked schedules | /schedules | |
| 4 | Undo "Mark for anonymisation" | /anonymize/unmark | In case of mistakes in step 2 or changes during the notice period. |
| 5 | | | |
| 6 | Await notice period | Anonymization Notification Period days | This will become a Global Setting |
| 7 | Anonymisation job | Sunday off-hour job | This job does the actual anonymisation of candidate exam results |
| 8 | Monitoring: Get recently anonymised schedules | /schedules | E.g. MinAnonymizationDate=date e.g. 30d ago, IsAnonymized=true |
| 9 | Monitoring: Get eligible schedules not anonymised yet | /schedules | E.g. MaxPublishDate=date e.g. 150d ago, IsMarkedForAnonymization=true, IsAnonymized=false, .. |

How the Anonymisation job works

Every Sunday, the Anonymisation job retrieves a list of all schedules marked for anonymization that were marked more than Anonymization Notification Period days ago.

During anonymization, all candidates attached to the schedule are unlinked. This way the candidate can remain in Cirrus, and the answers remain available to generate statistics, while all of the candidate's exam-related personal data disappears.
For customers that also require all text answers by the candidate and feedback to the candidate to be anonymized, a "strict mode" is in development.
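As an added example (not Cirrus's own code or client library), a small Python sketch of the retention middleware logic for the steps in the table and the Sunday job described above: the endpoint paths, filter names and the 90-day notice period come from this article, while the base URL, bearer-token authentication, the "id" field and the function names are assumptions.

```python
from datetime import date, timedelta
import json
import urllib.parse
import urllib.request

BASE_URL = "https://cirrus.example.invalid/api"  # placeholder base URL (assumption)
NOTICE_PERIOD_DAYS = 90                           # Anonymization Notification Period

def step1_filters(today, retention_days=120):
    """Step 1: query parameters for GET /schedules (the table's suggested filters)."""
    return {
        "MaxPublishDate": (today - timedelta(days=retention_days)).isoformat(),
        "IsMarkedForAnonymization": "false",
        "IsArchived": "true",
        "IsAllPublished": "true",
    }

def api_get(token, path, params):
    """GET BASE_URL/path?params with a bearer token (auth scheme assumed); real call."""
    url = BASE_URL + path + "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def earliest_anonymization(marked_on):
    """Steps 6/7: the Sunday job takes schedules marked more than NOTICE_PERIOD_DAYS
    ago, so the earliest run is the first Sunday (weekday 6) on or after day +91."""
    first_day = marked_on + timedelta(days=NOTICE_PERIOD_DAYS + 1)
    return first_day + timedelta(days=(6 - first_day.weekday()) % 7)

def overdue(schedules, today, slack_days=14):
    """Step 9 monitoring: ids of marked schedules past the notice period plus slack
    for the Sunday cadence that are still not anonymized ("id" field is assumed)."""
    late = []
    for s in schedules:
        marked = s.get("MarkedForAnonymizationDate")
        if not marked or s.get("IsAnonymized"):
            continue
        if (today - date.fromisoformat(marked)).days > NOTICE_PERIOD_DAYS + slack_days:
            late.append(s["id"])
    return late

# Constructed sample data standing in for a /schedules response (not real records).
SAMPLE = [
    {"id": "S-1", "MarkedForAnonymizationDate": "2023-12-01", "IsAnonymized": False},
    {"id": "S-2", "MarkedForAnonymizationDate": "2024-01-15", "IsAnonymized": False},
    {"id": "S-3", "MarkedForAnonymizationDate": "2023-12-01", "IsAnonymized": True},
    {"id": "S-4", "IsAnonymized": False},
]
```

Feeding `overdue()` the result of `api_get(token, "/schedules", {...})` with the step 9 filters gives the list a monitoring alert should raise; `earliest_anonymization()` tells a candidate-facing team the first Sunday a marked schedule can actually disappear.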

Candidate itself is not anonymized

At the risk of stating the obvious, please be aware that schedule anonymization does NOT include the Anonymization of User Accounts.

Impact on Candidate

After anonymization, a schedule will completely disappear from the candidate's dashboard (including any review session).

Impact on Author

The schedule will remain visible to an author; however, all of the schedule's candidates show as a "Deleted User".
Note that the invigilation logs also remain available, though any "IP Address" will likewise have been "Deleted".

Impact on Statistics

The data to generate (by nature anonymous) statistics will remain available. In "strict mode", certain statistics for certain question types, like Essay questions, may be impacted.
In any report with personal data, the candidate will show as a "Deleted User".
