I think this highlights that the rather lax procedures you used in the past aren’t really suitable anymore with the changes in GDPR.
The employer, one could argue, is a data processor as they are acting under your instructions and you failed to give them correct instructions and you also failed to put in place a contract as required.
On the other hand, the employer was entitled to know the data as they were carrying out the assessment (notwithstanding the above). The student has only been told information that they were going to get anyway.
The risk to the data subject is virtually nil, but it has highlighted that you need to tighten up your procedures.
Seth
Seth Speirs
Data Protection Officer
PPS
028 902 64621
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Greg Devereux-Cooke
Sent: 23 May 2019 09:11
To: [log in to unmask]
Subject: [data-protection] Sharing of exam grade
Hi
After some advice please.
We run hairdressing courses, and as part of the technical framework students have to complete practical exams, with an employer present and offering feedback. The employer does not have to be the student's employer, just a local employer.
I have a case where the employer present was indeed the employer of the student. Following completion of the exam, the employer was told that all students would be given their grade the following day, but was not specifically told not to share it with them. Unfortunately the employer has then jumped the gun and told the student their grade. The parent of the student has contacted the lecturer to complain and thrown “GDPR” into the conversation. This is not an apprentice where the employer has a right to know their employee's progress.
As controller I assume that I need to treat this as a breach and investigate as I would any other. What makes me question it is that the employer was invited in but was not “employed” by us, so does the responsibility sit with them?
Greg