Meeting the new GDPR requirements
24 May 2018
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. It replaces the Data Protection Act for all organisations who are collecting and processing the personal data of individuals located in the European Union.
Over the past year we have been preparing to meet the requirements of the GDPR and so we wanted to explain what we’ve done and provide some answers to the questions we’ve been receiving.
Personal data: OCR as data controller
Both OCR and the schools and colleges registered with us act as independent controllers of the personal data of the candidates entered for our qualifications. We hold entry information in order to provide candidates with the results of their qualifications. As such, we are not a ‘data processor’, which means you do not need to send us a data processing agreement to complete. For definitions of data controllers and processors, please see the Information Commissioner’s Office website.
Updated privacy policy
We have updated our privacy policy to comply with GDPR. We have also created a separate candidate privacy policy, explaining how we handle student data. We recommend you share this privacy policy with your students to help them better understand how we use their personal data. How you do this is up to you: for example, you could print out the policy and share it in hard copy, or share the privacy policy link through a newsletter or through your school portal.
Data sharing agreement
We have added a data sharing agreement to our terms of business. This sets out the respective responsibilities of OCR and our centres when handling candidate data. We are committing through these terms to comply with our obligations under the GDPR when we use any personal data in connection with our services. The agreement terms require you to make the same commitment. Please read through the data sharing agreement carefully and share it with the staff in your school or college responsible for the security and protection of candidate data.
Frequently asked questions
Do we have to send you a data processing agreement to sign?
No, as we are a data controller, we do not need you to send us an agreement. Instead, we have produced a data sharing agreement, which you will need to sign up to on an annual basis.
Do we have to sign a data sharing agreement?
We have produced a data sharing agreement. You will need to sign up to this on an annual basis. More information about this will be provided shortly.
When posting non-exam assessment on removable data, eg USBs, does this have to be encrypted?
We don’t require you to send encrypted data, eg USBs or memory sticks. In fact, we recommend you send unencrypted data wherever possible.
What if our policy is to only use encrypted removable data?
If you have no other option than to use encrypted data, please follow these instructions:
- Save the work as usual.
- Clearly label the removable data with your centre number and component number and send it to the OCR assessor.
- Print the password out together with your centre name, number and component details and send it to the assessor in a separate package.
- Email OCR at NEApasswords@ocr.org.uk with your centre number, the component number and the password.
Where can I get further information about GDPR?
Take a look at the information on the Information Commissioner’s Office website. The DfE have also produced a toolkit for schools, which you may find useful.
If you have any further questions, please get in touch with our Customer Contact Centre.