Pearson and GDPR

Pearson complies with GDPR

Last verified on June 29, 2023

There is currently a lot of discussion on social media suggesting that Pearson (the producer of WPPSI and WISC) may not comply with GDPR, as they allegedly store data from their Q-Interactive and Q-Global applications in a manner that does not align with legal requirements.

We have investigated this matter with both the Danish Data Protection Agency and Pearson themselves and can refute this claim.

To begin with, we would like to debunk a number of myths before describing what we do as a clinic to ensure compliance with GDPR.


MYTH: Pearson has moved their data to the USA


This is misinformation!

Pearson stores its data in data centers located in Canada and Ireland.

Verified via email with Pearson on June 28, 2023.

Data from Q-Interactive and Q-Global is hosted by their service provider, Amazon Web Services (AWS), which is a subsidiary of Amazon.

Pearson has entered into a data processing agreement with AWS, specifying that data is always stored in data centers located in Canada or Ireland. This is stated in Annexes 2 and 3 of the agreement:

“Q-global and Q-interactive data are hosted at Amazon Web Service (AWS) Canada Central region in Montreal, QC, Canada. Some data within Q-global are also hosted at AWS Europe West 1 region in Ireland.”

Pearson provided us with the data processing agreement on June 28, 2023, and confirmed that it is valid and current.

A data processing agreement is legally binding for the data processor, in this case AWS. Amazon has a lot at stake if it were to violate such an agreement: AWS serves very large European customers that handle far more sensitive data than Pearson, including SAP, BMW, and Siemens.


Pearson does not store its data in the USA!


MYTH: Sensitive data must not be located outside of Europe


This is misinformation!

A data controller may enter into data processing agreements with providers in certain third countries.

Verified via phone with the Danish Data Protection Agency on June 29, 2023.

According to the Danish Data Protection Agency’s website, data may be located in a number of third countries whose legal requirements are essentially equivalent to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, commonly known as GDPR.

Canada, where Pearson stores data from Q-Interactive and Q-Global, has been approved by the EU Commission as a safe third country for the transfer and storage of personal data when the data controller, in collaboration with its data processor, complies with PIPEDA (Personal Information Protection and Electronic Documents Act), which is Canada’s own data protection law.

Pearson explains (in Swedish) that they are subject to PIPEDA in an email dated June 28, 2023:

“Grunnen til at vi har valgt Canada er at landet har et omfattende lovverk (PIPEDA – Personal Information Protection and Electronic Documents Act) for håndtering og prosessering av persondata. Dette lovverket er godkjent av EU-kommisjonen som sikkert, når det gjelder beskyttelse av individuelle rettigheter og friheter av personer i Europa, herunder også Danmark.”

Which translates to:

“The reason we have chosen Canada is that the country has comprehensive legislation (PIPEDA – Personal Information Protection and Electronic Documents Act) for handling and processing personal data. This legislation has been approved by the EU Commission as secure, in terms of protecting individual rights and freedoms of people in Europe, including Denmark.”

While PIPEDA primarily outlines ethical rules for handling sensitive data, it is also our understanding that a technically responsible solution has been implemented:

  • AWS is ISO 27001 certified. ISO 27001 is an information security management standard whose requirements on data security are more comprehensive than those of GDPR. We have examined the certificate and can confirm that the AWS data centers in Canada and Ireland are covered by this certification.

  • Pearson sends its data to AWS over a TLS-encrypted connection using AES-128.

  • When data is stored at AWS in Canada, it is encrypted at rest with AES-256 using FIPS-validated cryptography.


This is a responsible and compliant solution!


MYTH: The Danish Data Protection Agency determines GDPR rules in Denmark


This is misinformation!

It is determined by the European Commission.

Verified via phone with the Danish Data Protection Agency on June 29, 2023.


While there are exceptions in Denmark for certain aspects of data protection regulations that apply under administrative law and archival law, the responsibility for planning, preparing, and proposing new European legislation lies with the EU Commission.


The Danish Data Protection Agency is a supervisory authority: it supervises compliance with the rules but has no authority to set the rules of the European General Data Protection Regulation (GDPR).


What is our responsibility in the clinic?

As a data controller, we have the following responsibilities towards our clients:

  • According to the Danish Data Protection Agency’s guidance on data controllers and processors, section 3.2.1, we must ensure that we have a data processing agreement in place with Pearson, as they act as our data processor when we use Q-Interactive and Q-Global (the electronic parts of WISC and WPPSI).

  • We are required to retain data related to our clients’ records for a minimum of 5 years, as stated in Article 14(2) of Regulation 567 of 2017 on authorised psychologists’ duty to keep orderly records. Therefore, we must not delete data from Q-Interactive before that period has elapsed, unless we store a copy of the data in our own journaling system.

  • While we have an obligation to retain a client’s records for at least 5 years, we ALSO have a duty to delete data when it is no longer necessary, in accordance with Article 5(1) of the General Data Protection Regulation (GDPR). Therefore, unless there is an ongoing case involving the client, we must delete their data from Q-Interactive/Q-Global, as well as our own journaling system, after 5 years.

  • If we were a public authority covered by the Danish Public Administration Act (e.g., a PPR office in a municipality), we would have an obligation to archive data in accordance with the Danish Archives Act as described in Order 128 of 2020. In such a case, we would not be allowed to delete data from systems like Kingo, WinPPR, or the municipality’s central ESDH system until the data had been transferred to the Danish National Archives or the municipality’s own §7-approved archive.

Stefan Franck


I am the technical expert at Psychologist Dea Franck. 

My professional experience includes many years as a digital archivist at the Municipality of Copenhagen and as a software developer at KMD A/S.

I have developed our own journaling system and ensure that we conduct ourselves digitally responsibly, while adhering to GDPR regulations, data retention periods, and fundamental principles of data discipline and security.

Feel free to ask me anything regarding the current article. You can contact me here.