Anonymization of personal data
Right to Erasure ('Right to be forgotten')
The General Data Protection Regulation (GDPR) gave EU residents (and anyone who does business with EU organizations) the right to erasure ('right to be forgotten'). This entitles people to require that organizations, under specific circumstances, erase their personal data. Other privacy legislation around the world has started to establish similar rights.
One circumstance, often applicable to our Customers as Data Controller, is that the "personal data is no longer necessary for the purpose an organization originally collected or processed it".
Personal Data
In Article 4, the GDPR gives the following definition of "personal data":
'Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Relevant for Cirrus customers is that "identifier" includes User IDs and "Internet protocol (IP) addresses".
Policy Considerations
There is no specific retention period for personal data under the GDPR. Organizations must determine for themselves how long they store personal data. In doing so, they must consider how long the data is needed for the purpose for which it was collected or used. However, other laws contain concrete retention periods that must be observed, for example under tax legislation.
Data Controller in Control
Because an organisation's data retention policy has to strike this balance between data protection and legal obligations (see Policy Considerations), often based on data outside of Cirrus and on complex business rules, our design leaves the customer (Data Controller) in full control.
Most customers already have middleware to drive the full assessment process in Cirrus. For them, extending this middleware to cover data retention is a minor change. If not, data retention can either become an administrative process or a good business driver to explore our easy-to-implement REST API.
Anonymization of User Accounts
All users and candidates have an account on Cirrus that stores the login details and user profile.
Option 1. Rename user "ANONYMIZED" as Administrator
Your administrators can View and manage users and update all user profile fields with e.g. "ANONYMIZED".
Option 2. Rename user "ANONYMIZED" via API
Your systems can update all user profile fields using the /update-user API call.
Option 3. Delete user
Deleting a user is often not possible when certain information is linked to or "owned" by that user in Cirrus.
Before deleting candidates linked to exams, please first review Anonymization of candidate exam results (/docs/anonymization-of-personal-data#anonymization-of-candidate-exam-results) below.
For "author" users (roles other than candidate), please review Option 1 and/or Option 2.
Anonymization of candidate exam results
Background and Rationale
Though the Anonymization of User Accounts was already possible in Cirrus, a big drawback for some customers was that a candidate often needs to remain active while (some of) their past exam results should be removed.
In collaboration with a high-stakes customer with strong compliance requirements Cirrus has been developing this anonymization of candidate exam results functionality.
Anonymization Notification Period
As anonymization is an irreversible procedure, Cirrus adheres to a notice period of 90 days between marking a schedule for anonymization and the actual anonymization.
The anonymization (normally) only runs on Sundays (off-hours) so the notice period is not exact to the day.
Steps in Anonymization
At the moment the anonymization can only be controlled via the Cirrus REST API.
Cirrus has deprioritized a UI for this functionality (CR-17939) due to lack of demand.
# | Step | Details | Remarks |
---|---|---|---|
Pre-requisites | All results published | Nothing should be "Pending"... | |
Pre-requisites | Schedule archived | ...and these two steps ensure that. | |
1 | Get eligible schedules | /schedules | Suggested filters: MaxPublishDate = date, e.g. 120d ago; IsMarkedForAnonymization=false; IsArchived=true; IsAllPublished=true |
2 | Mark for anonymisation | /anonymize/mark | Sets the MarkedForAnonymizationDate |
3 | Get marked schedules | /schedules | |
4 | Undo "Mark for anonymisation" | /anonymize/unmark | In case of mistakes in step 2 or changes during the notice period. |
5 | | | |
6 | Await notice period | Anonymization Notification Period days | This will become a Global Setting |
7 | Anonymisation job | Sunday off-hour job | This job does the actual anonymisation of candidate exam results |
8 | Monitoring: Get recently anonymised schedules | /schedules | E.g. MinAnonymizationDate = date, e.g. 30d ago; IsAnonymized=true |
9 | Monitoring: Get eligible schedules not anonymised yet | /schedules | E.g. MaxPublishDate = date, e.g. 150d ago; IsMarkedForAnonymization=true; IsAnonymized=false; ... |
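The retention-middleware side of these steps, as an added example that is not Cirrus code: it re-checks the step 1 pre-requisites locally before anything is sent to /anonymize/mark, computes the Sunday on which the job described under "How the Anonymisation job works" is expected to pick a marked schedule up, and flags schedules for the step 9 monitoring check. The schedule dicts, their ISO-8601 date strings and the field name "Id" are assumptions about what /schedules returns.

```python
"""Retention-driver logic for the schedule anonymization steps on this page.

Added example, not Cirrus code. The field names mirror the /schedules
filters in the steps table; the JSON shape, ISO dates and "Id" are assumed.
"""
from datetime import date, timedelta

NOTICE_DAYS = 90       # Anonymization Notification Period
RETENTION_DAYS = 120   # example MaxPublishDate offset from step 1
SUNDAY = 6             # date.weekday() value for Sunday, the job's run day

# Constructed sample of what a /schedules response might contain.
TODAY = "2024-06-01"
SAMPLE_SCHEDULES = [
    {"Id": "A", "PublishDate": "2024-01-15", "IsArchived": True, "IsAllPublished": True,
     "IsMarkedForAnonymization": False, "MarkedForAnonymizationDate": None, "IsAnonymized": False},
    {"Id": "B", "PublishDate": "2024-04-20", "IsArchived": True, "IsAllPublished": True,
     "IsMarkedForAnonymization": False, "MarkedForAnonymizationDate": None, "IsAnonymized": False},
    {"Id": "C", "PublishDate": "2023-10-01", "IsArchived": True, "IsAllPublished": True,
     "IsMarkedForAnonymization": True, "MarkedForAnonymizationDate": "2024-01-01", "IsAnonymized": False},
    {"Id": "D", "PublishDate": "2023-12-01", "IsArchived": True, "IsAllPublished": True,
     "IsMarkedForAnonymization": True, "MarkedForAnonymizationDate": "2024-03-10", "IsAnonymized": False},
]


def eligible_ids(schedules, today: str, retention_days: int = RETENTION_DAYS) -> list:
    """Step 1 pre-requisites, re-checked locally before calling /anonymize/mark:
    archived, nothing pending, not yet marked or anonymized, published long enough ago."""
    cutoff = date.fromisoformat(today) - timedelta(days=retention_days)
    return [s["Id"] for s in schedules
            if s["IsArchived"] and s["IsAllPublished"]
            and not s["IsMarkedForAnonymization"] and not s["IsAnonymized"]
            and date.fromisoformat(s["PublishDate"]) <= cutoff]


def expected_run_date(marked_on: str, notice_days: int = NOTICE_DAYS) -> str:
    """First Sunday on which the schedule was marked more than notice_days ago.
    Rolling forward to Sunday is why the notice period is 'not exact to the day'."""
    earliest = date.fromisoformat(marked_on) + timedelta(days=notice_days + 1)
    return (earliest + timedelta(days=(SUNDAY - earliest.weekday()) % 7)).isoformat()


def overdue_ids(schedules, today: str, notice_days: int = NOTICE_DAYS) -> list:
    """Step 9 monitoring: marked, expected run Sunday has passed, still not anonymized."""
    return [s["Id"] for s in schedules
            if s["IsMarkedForAnonymization"] and not s["IsAnonymized"]
            and expected_run_date(s["MarkedForAnonymizationDate"], notice_days) < today]
```

Schedules marked on Monday 2024-01-01 and on Sunday 2024-01-07 both resolve to the same run Sunday, 2024-04-07, which is the effect the notice period text describes.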
How the Anonymisation job works
Every Sunday the Anonymisation job gets a list of all schedules marked for anonymization that were marked more than Anonymization Notification Period days ago.
During anonymization all candidates attached to the schedule are unlinked. This way the candidate can remain in Cirrus, and the answers remain available to generate statistics, while all of their exam-related personal data disappears.
For customers that also require all text answers by the candidate and feedback to the candidate to be anonymized, a "strict mode" is in development.
At the risk of stating the obvious, please be aware that schedule anonymization does NOT include the Anonymization of User Accounts.
Impact on Candidate
After anonymization a schedule will completely disappear from the candidate's dashboard (including a review session).
Impact on Author
The schedule remains visible to an author; however, all of the schedule's candidates show as a "Deleted User".
Note that the invigilation logs also remain available, though any "IP Address" will likewise have been "Deleted".
Impact on Statistics
The data to generate (by nature anonymous) statistics remains available. In "strict mode", certain statistics for certain question types, like Essay questions, may be affected.
From any report with personal data the candidate will show as a "Deleted User".