I think this highlights that the rather lax procedures you used in the past aren't really suitable anymore with the changes in GDPR.
The employer, one could argue, is a data processor as they are acting under your instructions and you failed to give them correct instructions and you also failed to put in place a contract as required.
On the other hand, the employer was entitled to know the data as they were carrying out the assessment (not withstanding the above). The student has only been told information that they were going to get anyway. The risk to the data subject is virtually nil, but it has highlighted that you need to tighten up your procedures.
Seth
Seth Speirs
Data Protection Officer
PPS
028 902 64621
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Greg Devereux-Cooke
Sent: 23 May 2019 09:11
To: [log in to unmask]
Subject: [data-protection] Sharing of exam grade
Hi
After some advice please.
We run hairdressing courses, and as part of the technical framework students have to complete practical exams, with an employer present and offering feedback. The employer does not have to be the students employer, just a local employer.
I have a case where the employer present was indeed the employer of the student. Following completion of the exam, the employer was told that all students would be given their grade the following day, but was not specifically told not to share it with them. Unfortunately the employer has then jumped the gun and told the student their grade. The parent of the student has contacted the lecturer to complain and thrown "GDPR" in to the conversation. This is not an apprentice where the employer has a right to know their employees progress.
As controller I assume that I need to treat this as a breach and investigate as I would any other. What makes me question it is that the employer was invited in but was not "employed" by us, so does the responsibility sit with them?
Greg
[Image removed by sender. BcoT on Facebook]<https://www.facebook.com/BasingstokeCollegeofTechnology>
[Image removed by sender. BCoT on Twitter]<https://twitter.com/bcot>
[Image removed by sender. BCoT on Instagram]<http://www.instagram.com/instabcot/>
[Image removed by sender. Add us on Snapchat]<https://www.snapchat.com/add/SnapBCoT>
[Image removed by sender. BCoT on LinkedIn]<https://www.linkedin.com/company/67269/>
[Image removed by sender. BCoT]<https://www.bcot.ac.uk>
[Image removed by sender. The Edtech 50 2018]<http://www.ednfoundation.org/wp-content/uploads/EDTECH50.pdf>
[Image removed by sender. TES FE Winner 2018]<https://www.tes.com/news/further-education/breaking-news/basingstoke-college-technology-win-outstanding-use-technology>
________________________________
Scanned by Trustwave SEG - Trustwave's comprehensive email content security solution. Download a free evaluation of Trustwave SEG at www.trustwave.com<http://www.trustwave.com>
________________________________
BCoT is Good with Outstanding features - Ofsted 2016
________________________________
This e-mail message (including attachments, if any) is confidential and may well also be legally privileged from disclosure. It is only for the person(s) to whom it is addressed. If you have received this e-mail message in error, please do not copy it or use it for any purposes, or disclose its contents to any other person. Please note that the opinions expressed do not necessarily reflect the official opinion or position of the College. Please notify us immediately of the error by reply e-mail and then delete this message from your systems. Thank you for your help in preserving the security of our documents.
________________________________
________________________________
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):
* Leaving this list: send leave data-protection to [log in to unmask]<mailto:[log in to unmask]&BODY=LEAVE%20data-protection>
* Suspending emails from all JISCMail lists: send SET * NOMAIL to [log in to unmask]<mailto:[log in to unmask]&BODY=SET%20*%20NOMAIL>
* To receive emails from this list in text format: send SET data-protection NOHTML to [log in to unmask]<mailto:[log in to unmask]&BODY=SET%20data-protection%20NOHTML>
* To receive emails from this list in HTML format: send SET data-protection HTML to [log in to unmask]<mailto:[log in to unmask]&BODY=SET%20data-protection%20HTML>
All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html and are sent in the body of an otherwise blank email to [log in to unmask]<mailto:[log in to unmask]>
Any queries about sending or receiving messages please send to the list owner [log in to unmask]<mailto:[log in to unmask]>
(Please send all commands to [log in to unmask]<mailto:[log in to unmask]> not the list or the moderators, and all requests for technical help to [log in to unmask]<mailto:[log in to unmask]>, the general office helpline)
________________________________
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
