Odia Kagan of FoxRothschild writes:
Are test questions and answers personal data that needs to be provided pursuant to an access request?
A German court recently weighed in, providing some good insight regarding both GDPR and U.S. state data privacy laws.
Some key takeaways:
- Answers given by a student in a test could be considered personal data. Test questions, however, cannot be considered personal data.
- The argument the test questions are strictly linked to the answers given by the plaintiff was also not accepted by the court, which held that the questions do not reveal anything about the level of knowledge of the plaintiff and thus do not constitute personal data.
- Access requests under Article 15 GDPR serve the purpose of making data subjects aware of the processing of their personal data and to verify the legality of processing. It is therefore irrelevant that the plaintiff needed access to the test questions for the purpose of interpreting the test result because he does not have a right to access under the GDPR for such purpose.
- Test questions may constitute trade secrets.
That ruling makes sense. Entities have a legitimate interest in protecting the security of test questions. But could there come at time when — or has it come already — when test questions might contain personal information on a student?