At Comms Multilingual, we are very interested in the latest developments within the assessment and certification industries. To that end, we are asking industry experts to provide guest contributions to our blog, which we hope will be of interest to our community.

This post on data security and test taker privacy has been kindly written by Gary Behrens, Director of Human Capital Sciences at General Dynamics IT.


Test services organizations have long been keenly attuned to the necessity of protecting tests from compromise, as much for safeguarding intellectual property rights as for upholding fairness in examinee and candidate outcomes. Protecting test taker privacy has also been an important consideration, which has received even greater attention in recent times due to the pervasive hacking of personally identifiable information (PII) and stepped-up regulatory efforts globally.

Consequently, the Association of Test Publishers (ATP) has broadened the focus of its Test Security Committee to include personal privacy and data security matters. The mandate for the Privacy Subcommittee of the Test Security Committee is to reinforce the essential importance and practical value of data security and privacy compliance through member communications, developing and conducting educational activities, and the publication of pertinent information to ATP members.

The rationale for data privacy compliance rests on three pillars: legal, technical, and ethical. The legal aspect reflects the reality that governmental bodies around the world are enacting laws, adopting policies, and implementing regulations to ensure accountability of any organizations that handle PII. Test services organizations are potentially subject to legal enforcement actions for non-compliance with applicable rules. Therefore, such organizations need to become familiar with all legal requirements, both national and international, surrounding the protection of test taker privacy in order to build documented practices and procedures to establish and enforce those protections. This is especially relevant in transferring test taker PII and assessment information to another country for processing.

The technical pillar recognizes that test services organizations typically have Information Technology (IT) security policies, practices, and procedures in place to prevent and manage unauthorized access to system data, including participant PII. Yet achieving and maintaining compliance with relevant legal requirements for data security and also protecting privacy may entail additional security measures and/or technical infrastructure and operational enhancements. Hence, a test services organization needs to identify all applicable technical requirements in order to develop documented practices and procedures that ensure the protection of test taker privacy.

The ethical facet accepts that test services providers generally are pledged to adhere to professional principles and guidelines of ethical conduct – at both the individual practitioner level and the organizational level – which specify that they must respect examinee rights and well-being, including privacy. Even so, some test security methods have drawn criticism as an invasion of privacy. Thus, a test services organization needs to evaluate its practices and procedures regarding test taker privacy to determine if there are any ethical issues, and take steps to modify them accordingly.

Although a strong foundation for privacy compliance exists in the testing services industry, supported by legal, technical and ethical pillars, there may be opportunities for an organization to further strengthen its compliance posture in protecting privacy. Individual organizations would do well to review present privacy policies and practices, then take any steps needed to reinforce a focus on test taker privacy.


The views expressed herein are solely those of the author and do not necessarily reflect the positions or policies of either General Dynamics IT or of the Association of Test Publishers.