Data protection in the Hogrefe Testsystem online portal
Hogrefe ensures the security of customer data through the latest technologies and in accordance with the requirements of the EU General Data Protection Regulation (GDPR).
The principle that "the best data protection is to avoid data worthy of protection" has been implemented within the Hogrefe Testsystem (HTS 4 and HTS 5). It is not essential to record personal data in the system; only age and gender are necessary for certain tests, and this data alone cannot be used to identify a person. The identification of a person (by the diagnostician) may be done via an individual code (e.g., a number in a separate spreadsheet) so that results can be linked back to individuals outside the HTS system.
It is the responsibility of the diagnostician to obtain consent for the collection and storage of data that could be used to identify an individual (e.g. name, date of birth and address) if that data is going to be collected and used during the diagnostic process.
Data on the servers will not be deleted automatically: this must be done by the diagnostician.
The data is automatically archived in a backup system in order to be able to recover it in the event of a disaster. Hogrefe recommends archiving test results on paper or electronically in order to show GDPR compliance.
Protection of personal data from misuse
Special emphasis is placed on the confidentiality of personal information and compliance with applicable privacy policies. Personal information stored in the Hogrefe Test System will only be processed according to the guidelines listed here.
The connections between client (online portal administration station) and server (hogrefe-online.com) on the one hand, as well as client (test area) and server (hogrefe-online.com) on the other hand, are made exclusively via encrypted SSL connections.
To ensure the accuracy and security of personal information and to prevent unauthorised access or misuse, modern safeguard procedures are used. These include:
- Use of form-based authentication
- Data transfer via an SSL-encrypted connection
- Securing the servers through firewall systems
- Restriction of access to the servers to port 443
The administration space (online portal) is secured by its own user administration, which ensures that only the data managed by a specific user can be viewed by that user. The Hogrefe support team cannot view personal data without the prior consent of the customer (password change).
EU General Data Protection Regulation (GDPR)
The Hogrefe Testsystem fulfils the data protection requirements of the GDPR, complying with the principles of "privacy by design" and "privacy by default" outlined in Article 25 of the GDPR. As a result, the system may be used without the collection of personal data.
All HTS-related processing activities and internal processes are documented and regularly reviewed. These records of data processing also assist diagnosticians in the fulfilment of their data protection obligations outlined in Article 30 of the GDPR.
All employees have been familiarised with the requirements of the GDPR and are committed to confidentiality.
Protection of electronic data against loss or alteration
To protect data from loss, damage, unauthorised access and misuse, the Hogrefe online portal is hosted in a data center and uses a fail-safe data link. Organisational measures include:
- Continuous monitoring of operation and access, 24/7
- Remote support during business hours
- Access to the data centre is granted to authorised personnel only via an access card and access code
- The entire data centre and grounds are monitored by video around the clock and the monitoring is continuously documented
- The data centre has an uninterruptible power supply and can therefore be operated even in the event of prolonged power outages of several hours
- The databases are continuously backed up on separate hardware
Upon request, Hogrefe will provide customers with a complete list of technical and organisational measures with regard to the provisions of the GDPR and other regulations relating to data protection (in accordance with Article 32 of the GDPR).
Please note that test protection is included in data protection and neither the items within a test nor the results should be made public.
Professional testing procedures should be used when administering tests, whether they are written tests (paper and pencil) or online tests. Tests should be administered under controlled conditions, which includes verification of the identity of the test-taker, supervision of the test procedure (by a trusted representative if the test is being held remotely) and prevention of unauthorised aids and communication.