Do your Candidates and Certificants Know What You’re Doing with their Data?
Introduction
When I began working as a certification director at IAPP (International Association of Privacy Professionals), I learned very quickly that IAPP members were particularly vigilant about how their personal data was being collected, used, and retained. So we made sure our team was up to date on policy and prepared to answer questions about how their personal data is used.
If your organization is accredited under ISO/IEC 17024:2012 Conformity assessment — General requirements for bodies operating certification of persons, you are familiar with its required record control plan. But that is merely a starting point. Taking it another step and creating a Privacy FAQs page on your website that clearly and comprehensively describes what happens to your candidates’ and certificants’ personal data throughout their certification journey will go a long way.
Other important steps, outlined below, will help ensure proper data handling and build trust in how you collect and use data.
Be a Responsible Data Steward
Building trust with your candidates and certificants begins by training your staff in the best practices for data management, which include:
- Compliance with data privacy regulations is crucial; be sure that whatever data is collected and stored is handled in accordance with any local, state, federal, or international regulations, such as Europe’s General Data Protection Regulation (GDPR)[1].
- Use the principle of “least privilege”: only access the data you need for your role, and do not share it with colleagues unless that sharing is permitted.
- Never store member data on personal devices, and always store sensitive data (e.g., health and biometric data) in authorized systems.
- Schedule specific days for staff to check their email and folders for any files that include the personal data of customers, members, contractors, sponsors, or employees, and delete them unless they are necessary for a specific business purpose.
Be Transparent about Data Policies
The testing process collects some of the most sensitive personal data a candidate will ever share with you. Whether candidates go to test centers or test remotely from their homes, your testing vendor will process their biometric data, recordings of their testing sessions (including images of their residence), driver’s license or passport images, and sensitive health data (for testing accommodations). Here are some things to address:
- Be prepared to tell your candidates exactly what is being collected and why.
- Tell your candidates if ID validation software is used to evaluate the legitimacy of their identification, if the vendor uses real-time facial comparison technology, and how long the vendor retains photographs of the candidate, copies of IDs, images of their room surroundings, and session recordings.
- Provide a way for those who refuse to participate in ID validation and facial comparison to have their identity verified by a person.
- Understand the process for providing candidates with all of their personal data. GDPR allows individuals to submit a data subject access request (DSAR). For a certification body, that might include exam results, communications, accommodation records, and even the actual options they chose on a multiple-choice exam.
- Do you provide digital credentials to your certificants? Some of them might not want their data shared with your credential provider. Give them the opportunity to opt out of receiving a digital credential.
Conclusion
Data protection is not a burden. It is a business enabler that sets you apart from less responsible organizations. Showing your candidates and certificants that you care about data stewardship and their privacy will foster goodwill and make them comfortable engaging with you. This will become even more critical as organizations begin to use, or increasingly rely on, large language models or agentic AI in their certification processes.
[1] See more information on GDPR at https://gdpr-info.eu/.
