The e-Competence Framework (e-CF)1 is an accepted and common framework developed in Europe (http://www.ecompetences.eu/). EXIN supports the e-CF, because EXIN believes in professionals showing their competences and growing towards their full potential by helping them make their competences transparent. The certificate EXIN Privacy and Data Protection Practitioner is based on the e-CF.
The practical assignments are used to demonstrate practical skills and experience which cannot be tested in a multiple choice exam. Making the practical assignments part of the certification scheme helps to test the entire competence.
1.4 Assessment
Practical assignments can be assessed by an accredited trainer from the accredited training provider. It is the trainer’s responsibility to familiarize themselves with the assessment criteria.
Each assignment has assessment criteria that are based on the exam specifications and linked to the e-CF. The criteria are found in the Checklists. The trainer fills in the checklist for each individual candidate, stating whether or not the criteria have been observed.
The ATO should have evidence that practical assignments have been done in a particular training, this can be requested in an EXIN audit.
2. Assignment 1: Construct a Data privacy breach response plan and handle a personal data breach
Background
Quazle is a European multinational technology company specializing in internet-related services and products. These include online advertising technologies, search, cloud computing, software, and hardware. The company has a database of just over half a million customers and 500 staff. You work in the multinational privacy team that is based at various office locations and you have a position at the European office which is located in Strasbourg.
Your assignment
The privacy team has just implemented a privacy and data protection program. The next step is now to develop a set up for a data privacy breach response plan. Divide the roles of the data protection officer (DPO) and two employees in charge of privacy tasks among a privacy team of three candidates.
Divide the below elements among the three of you and construct a data privacy breach response plan that contains at least the following elements:
1. A definition of what constitutes a data privacy breach
2. Categories of data privacy breaches (based on impact and severity)
3. Detailed scenarios & instructions for each category
4. Contact information:
a. Departments and internal stakeholders that should be involved in a data breach response.
b. Supervisory authority
c. Third parties providing services for remediation
5. A set of draft documents to be used for notifying the supervisory authority and the affected individuals and for informing the media
6. Metrics on data privacy breaches
In addition to this the following documents should be available:
7. Logs that prove that the data privacy breach response plan is tested periodically
8. Reports of data privacy breaches that have previously occurred, incl. root cause analyses
9. Each of the team members thinks of a personal data breach that could occur to the personal data processed by Quazle.
The personal data breaches should be:
-considered as such by the General Data Protection Regulation (GDPR) and the applicable Literature
-plausible in this case scenario
10. Imagine you discover that one of the three personal data breaches the team members have proposed has indeed happened. Apply the newly elaborated data privacy breach response plan in this specific case. Divide the tasks according to the legal requirements for the roles of the DPO on the one side and the other roles on the other side.
11. Describe what you should do to contain the data breach and subsequently investigate it.
12. Motivate why you should or should not notify the supervisory authorities and the individuals affected.
Recommended time
3 hours
Expected results
A group presentation of approximately 15 minutes including:
• A data privacy breach response plan for the above company including the above mentioned elements
• A list detailing 3 possible personal data breaches
• A report of how you would deal with one of the personal data breaches
Assessment criteria for the assignment
The candidate is able to……
1. cooperate in a team to construct a data privacy breach response plan and respond adequately to a data breach
2. construct a data privacy breach response plan containing the essential elements listed above
3. sketch a plausible personal data breach applicable to the case scenario
4. apply the data privacy breach response plan and:
• act appropriately by taking into account his or her specific role
• act according to the requirements presented in the Literature
• provide sufficient depth of details
• clearly express details of the plan
• clearly explain reasons for notification/or reasons for no notification and explain to whom to address the notification
Assignment 1 Checklist
The trainer can assess each candidate on each exam specification.
3. Assignment 2: Controller, Processor and Data Protection Officer
Background
In an EU member state two hospitals decide to merge their organization. Physically the two hospitals will remain on their current locations. Staff services and specialized medical departments will be merged and (re)located at either one of the two premises. The idea behind this merger is to generate cost effectiveness and to enable the modernization of the current IT systems and network. This generates more capacity to better serve patients. In addition to this, the merger provides the opportunity to monitor patients at home or in facilities such as retirement homes, nursing homes and rehabilitation centers.
To mitigate the risks of possible privacy data breaches the boards of directors of the two hospitals designate the data center of former hospital A as main data center and the data center of former hospital B as backup center. The two data centers are serviced by different companies.
You are currently working as the data protection officer (DPO) for both hospital organizations. After the merger you will be the DPO for the new organization. To help prepare for the merger, the boards of the two hospitals request that you provide an overview of the processing flows of personal data in the future organization as well as an indication of the data protection risks arising from the merger.
Your assignment