The European Union’s Court of Justice recently attracted a lot of attention with a new ruling that will affect Google’s business in this part of the world. Under this ruling, popularly termed the “right to be forgotten”, individuals living in the EU may ask the search engine to remove links to articles, court judgments and other documents in search results for their name. The news raised a lot of eyebrows, particularly in the U.S., and Google stated that it was disappointed by the decision – but to be honest, it didn’t surprise me all that much.
Both individuals and businesses are becoming increasingly concerned about their privacy protection on the web. Scepticism towards internet giants like Google is growing every day, in terms of where they store our data and who can access it. I think the feelings have always been strong in Europe, perhaps even more so in Germany. Following the revelations about Chancellor Merkel’s phone being tapped, the German government is now about to tighten national regulations affecting the IT industry. For example, the German government is considering having IT companies sign a no-spy agreement when bidding for public tenders. Providers that fall under the US Patriot Act might find this very hard and could even be barred from doing business in the German, and eventually the European, public administration IT market.
In case you’re based outside the EU, here’s a bit of background information: The European Data Protection Directive regulates the processing of personal data for all member nations of the European Union. It originates from the protection of personality rights and consumer rights. Every time a contract between two parties is signed within the EU, both must agree on the data protection terms that apply. There are very good reasons for this regulation, but actually, these terms often end up limiting the mutual benefits of a new partnership between organisations when it comes to L&D.
Data security issues for HR and L&D
Europe-based HR and L&D departments, as custodians of sensitive personal data, will be able to confirm this. Just think of what happens when a company in the EU decides to integrate an online learning solution by a third party provider. All student data, such as learning progress, support emails and training results, will need to be stored at a location which is accessible to both HR and the provider. With the rise of globally integrated talent and learning management systems, this type of data is increasingly made accessible through the cloud, which opens up a lot of new concerns.
“By the way, where is your learning data stored?” is a question the Speexx team regularly receives from customers and potential clients. One client actually sent two data privacy officers over to Speexx to ensure our servers were safely located within Germany. This was a prerequisite just for signing the contract. Furthermore, many of our clients ask that their employees’ data be “forgotten” completely after a six-month course period and some even demand that learner results be displayed anonymously, with no possibility of identifying the student whatsoever.
While I fully understand the need for data protection in businesses, I think this can sometimes be counterproductive. After all, keeping track of an online language student’s learning results for a longer period (more than six months) is crucial for recognising strengths and knowledge gaps – it simply takes longer than six months to learn a language. Only with a comprehensive and transparent set of learning data can we give our learners the full support they need and make well-founded recommendations for their further training. And let’s be honest, does it really hurt to know which students still need to work on their Spanish gerund forms and which have difficulties remembering their Business English vocabulary?
Alternatives to forgetting
To prevent data security issues from hampering your L&D strategy and to avoid having to ask your e-learning providers to “forget” your data, I recommend five simple steps.
1. Assume that all learning and development data is personal data and ensure you document where it is held and how it is processed. Make sure that all stakeholders including unions and IT professionals are involved from the start.
2. Multinational organisations with HR data centralised in one company but headquartered in another, perhaps for tax or legal reasons, will have to address where their home authority is in data protection terms.
3. Appoint a designated data protection controller. The new draft EC regulations call for a data protection officer to be appointed by law in any public body or any business with over 250 people.
4. Subject access requests, where people can ask to see data held on them, look likely to get easier and cheaper, so make sure the organisation is ready to handle these efficiently.
5. Consent is important in data protection law. Consider how you will be able to show that consent to storing personal data in the course of learning and development was obtained, possibly through including this in the initial contract of employment.