Earner Personal Data, Consent and GDPR for Issuing Digital Badges

Find out more about data processing involved with issuing digital badges.

Issuing digital badges via online platforms requires processing earner personal data. The information below is a quick guide to the basics of issuing under GDPR, including some platform-specific information, to the best of our knowledge.

We always recommend examining any required data processing before you commence issuing badges on any issuing platform. If you would like to discuss any elements of data in more detail, don’t hesitate to get in touch.

Jargon Buster

PII

Personally Identifiable Information (first name, last name, email address)

Issuer

An organisation that is issuing a badge

Earner

An individual that has earnt a badge

Assertion

A unique record of a badge being issued to an earner.

ICO

Information Commissioner’s Office

GDPR

General Data Protection Regulation (Data Protection Act 2018)

Data Controller

A party that exercises overall control over the purposes and means of processing personal data.

Data Processor

A party that acts on behalf of, and only on the instructions of, a relevant Data Controller.


The Basics of Issuing Badges

To issue a digital badge, an issuer inputs earner PII to an issuing platform. This data then becomes an assertion, and the earner receives a notification via email.

Issuing badges should take place using an email address belonging to the earner. If it is not possible to issue badges directly to your earners, please see this guide for more information.


Badge Nation and Earner Data

By purchasing a Badge Nation membership package, the issuer consents to Badge Nation having admin access to their issuing platform account for the purposes of publishing new badges and delivering customer support.

As an account admin, Badge Nation is a Data Processor for any earner PII an issuer inputs to an issuing platform but will not download or process any earner data relating to Badge Nation issuers unless:

  • An issuer expressly requests it to be carried out on their behalf.
  • It is required for the delivery and/or monitoring of an issuer’s membership package.

If Badge Nation is required or requested to process earner PII, the data will never be saved, stored, or recorded in any way.


Lawful Basis to Issue Badges

Issuers are always responsible for ensuring they comply with GDPR. To issue digital badges an issuer must:

  • Be a Data Controller or Data Processor of earner PII.
  • Have a lawful basis to process earner PII.

Issuers are responsible for obtaining and demonstrating their own lawful basis for processing the PII of any earners they wish to issue badges to. More information on lawful basis for data processing can be found here on the ICO website.

Consent and legitimate interest are the most commonly used lawful bases for issuing digital badges.


Consent

If the issuing activity is not covered by another lawful basis, the issuer must gain an earner’s consent before issuing them with badges.

Under GDPR, all individuals aged 13 and upwards can consent to their own data sharing.

For issuing to earners younger than this, consent must be gathered from a parent / guardian, and how this is done depends on the issuing platform you intend to issue badges with. Please see this guide for further reading on issuing badges to children under the age of 13.

More information on the sharing of children's data can be found here on the ICO website.

Some issuers, despite working with individuals over the age of 13, may not be able to allow children to exercise their rights to consent to sharing their own data. In these cases, the issuer may still choose to gather written consent from a parent / guardian.

Summaries of specific information for Credly, Navigatr, and Open Badge Factory can be found below.

Credly

Badge Acceptance Method:
Earners must create an individual account on the platform to accept and share a badge.

Earners:
Must be 13+ years old to provide their own consent.
Written consent from a parent or guardian must be obtained for issuing to children aged 11 - 12.
Credly does not support issuing badges to children under the age of 11.

In-platform methods to gather consent:
No

Useful information:
Credly uses US servers to host the platform.

Issuing badges via Credly represents an international data transfer and is covered by the Standard Contractual Clauses contained in Annex 2 of Credly’s GDPR Data Processing Addendum.

Documentation:
GDPR Compliance – Issuer & Earner Data
Data Security Brief
Privacy Policy

Navigatr

Badge Acceptance Method:
Earners must create an individual account on the platform to accept and share a badge.

Earners:
Must be 13+ years old to create an account on the platform.
Navigatr does not support issuing badges to children under the age of 13.

In-platform methods to gather consent:
Issue badge via Activity
1. Issuer creates activity.
2. Earner creates a Navigatr account and clicks ‘Attend’ on activity to be added to an attendee list.
3. Issuer uses attendee list to issue the badge. For in-person activities, earner can also present their personal QR code to the issuer, who scans it to issue the badge.

Useful information:
Navigatr uses UK servers to host the platform.

Documentation:
Privacy Policy

Open Badge Factory (OBF)

Badge Acceptance Method:
Via email, no account required to accept and share a badge.
Earners can optionally create a passport (digital badge wallet) account to collect and store their badges.

Earners:
Must be 13+ years old to provide their own consent.
Consent from a parent or guardian must be obtained when issuing to children under the age of 13.
If it is not possible to issue badges directly to the earner, badges can be issued to a parent / guardian on an earner's behalf. Please see this guide for more information.

In-platform methods to gather consent:
Issue badge via Badge Application.
1. Issuer creates badge application.
2. Earner volunteers their name and email address when completing the application, either to request a badge or to be issued with a badge automatically (depending on the application type chosen by the issuer).

Useful information:
OBF uses EU servers to host the platform.

Documentation:
Privacy Notice