ACER and your personal information

This is our Privacy Notice which summarises for public view, the important aspects of some of our internal company privacy practices, and provides an overview of how ACER UK (and the ACER Group on occasions) processes personal data.

This notice sets out what personal information the Australian Council for Educational Research International Ltd (ACER UK) collects about you and how it complies with the UK Data Protection Act 2018 (DPA 2018) and in some cases other related legislation such as Privacy in Electronic Communications Regulation (PECR) for marketing activities.

ACER UK is part of the ACER Group (Australian Council for Educational Research) headquartered in Melbourne Australia. The ACER Group takes your privacy very seriously and thus this privacy notice explains what data practices are undertaken within the UK and how data is protected and may be shared within the group, and if so, how the Group complies with the DPA 2018 for UK/EEA citizens who interact directly with ACER Ltd.

ACER UK acts as the GDPR Article 27 representative for ACER Limited Australia and therefore is the primary contact for privacy matters relating to Data Subjects within the UK/EEA no matter what context you interact with the ACER Group.

This Notice will differ slightly from ACER Ltd.’s privacy notice in Australia, when processing data from non-UK/EEA citizens; their notice should be read separately if this applies to you and the application or applicability of Australian Law to you. It can be found at   https://acer.org/au/privacy

This Notice sets out how and why we collect your personal information: why we collect it; our legal basis; how we hold it; how we use it; how long we keep it for; who we disclose it to.  It explains what information we may collect from you when you use our website or an ACER product or service.  It also sets out how you may access and seek correction of your personal information or complain about a possible breach of your privacy.  This Privacy Notice may be amended from time to time if our practices change or the law is updated.

On our website, you may find links to other websites not operated by us.  This Privacy Notice does not apply to them – always check the Privacy Notice of any other website you enter; they are not all the same.

It is important to understand that how you interact with ACER UK defines a number of privacy parameters: the service you utilise; the professional contact point and/or purpose; whether you are a supplier or a consumer;  these will affect the way we collect data, it will define our status as controller or processor, our legal basis for collection and retention and thereby what data privacy obligations we are required to meet. Thus, to make this Notice as succinct as possible we have aggregated the information into sections which can be navigated to by using the shortcut links below.

Finally, whenever you interact with ACER UK you will probably fall into one or more of the following categories below; we have provided a very short comment (in italics) on the status ACER UK will play to assist with understanding the privacy implications and the access to rights afforded to you by using  ACER services:

ACER UK Contact Points

  1. As an educational provider or establishment wishing to participate in learning assessment services such as ELMS (Essential Learning Metrics), STA (Standard Testing Assessments), ISA (International School Assessments), PISA (Programme for International Students Assessments), SNSA (Scottish National Schools Assessments), SEW (Social-Emotional Wellbeing), SOFA (Scottish Online Formative Assessments) etc. ACER UK will be working under a data processing agreement in these contexts and thus will be a processor for the controller.
  2. As a graduate wishing to enter into higher education courses using GAMSAT (Graduate Medical School Admissions Test) or a mature student looking to enter into higher education programs MSAP (Mature Students Admissions Pathway). These projects are administered directly from Australia and thus ACER Ltd is the controller and thus is responsible for DPA 2018 compliance; ACER UK will act as DSAR provider and representative and this privacy notice is applicable for UK/EEA citizens.
  3. As a participant in professional education development programs or conferences. ACER UK is controller and therefor this notice applies.
  4. As an applicant for employment or current employee. ACER UK is the controller and UK Employment Law and DPA 2018 applies.
  5. As a web site visitor. ACER UK privacy notice and cookie notice applies.
  6. As a supplier or Contractor/Sub-Contractor. ACER UK Privacy Notice and DPA 2018 applies.

ACER UK Information

Acer UK is headquartered at 13-15 Canfield Place, London NW6 3BT. Our office telephone number is 020 3909 0659 and general email contact at unitedkingdon@acer.org. We are registered with the ICO (Information Commissioners Office) under Z1280311 as both a data controller and data processor. We have a registered DPO within the UK and can be contacted on dpo@acer.org

Privacy Notice Shortcuts:

  1. What kind of personal information do we collect and how?
  2. What is our approach to collecting personal information about children?
  3. When do we collect your personal information?
  4. Why do we collect the information and how do we use it?
  5. Can you choose to remain anonymous?
  6. How can you request to receive direct marketing and how is it cancelled?
  7. Who do we disclose your personal information to?
  8. Do we disclose your information outside the UK/EEA?
  9. How do we hold your personal information and keep it secure?
  10. How can you seek access to your rights under the DPA 2018?
  11. How can you seek further information or complain about a breach of your privacy?
  12. What is the data retention period?
  13. What is our legal basis for data collection?

1. What kind of personal information do we collect and how?

The personal information we collect depends on your relationship with us – whether you purchase a business service as a client; a candidate for an assessment service; a current or prospective employee; a supplying business or contractor – and the product or service we are delivering.  It may include but not limited to:

  1. your contact details, photographic ID, National Identity numbers and personal preferences (such as name, address, email address, phone number, dietary requirements, health, or physical disabilities), institution, country, education sector, professional development interests etc.;
  2. your website registration and login information; any forms submitted or enquiry details completed for seeking further contact;
  3. your payment details (such as credit card details, bank account details) if a supplier or purchaser;
  4. your employment history and qualifications; if an applicant or current employee;
  5. government-related identifiers and information (such as student number, Unique Pupil Identifier; qualified teacher status; working with children registrations details and police or criminal record checks, immigration status and UK visa type and status);
  6. your testimonials, feedback and complaints.

Sometimes we may also collect sensitive information about you.  This may happen, for example, through surveys we conduct or when you sit tests, and may include your race and religious beliefs and your health information (such as whether you have any disability or medical condition and require special testing accommodations).  We will only collect sensitive information from you or about you with your explicit consent unless otherwise required mandated or authorised by law (e.g. Employment or Immigration law).

By supplying sensitive information about yourself or on behalf of your child, you will be taken to have given your explicit consent to our collection of that information (confirmed valid by institution) or are required by law to provide it.  When we obtain such information from a third party (such as through a school or institution at which you or your child studies) or a government agency or authoritative body (Police, Home Office etc.), we will usually enlist that third party to obtain consent from you if that is required, or have the legislative power to search for access and provide it under current applicable law.

2. What is our approach to collecting personal information about children?

We collect information about children who, for example, sit assessments at schools or colleges to whom we provide our services and whom have previously correctly collected consent (under contract); or willingly participate in our surveys or participate in other research projects having properly provided valid consent.  Whether a child has the capacity to make his or her own privacy decisions is assessed by us on a case by case basis, having regard to factors such as their age and circumstances.  In general, a person over 15 years or age will be considered to have the capacity to make his or her own privacy decisions, unless jurisdictional law mandates a higher age threshold.

For children who are under 15 years old, or who otherwise do not have capacity to make these decisions for themselves, or where we cannot make an assessment of their capacity, ACER will refer or deal with requests for access, consent and notices in relation to personal information to the parent and/or guardian or relevant school or institution.  We will treat consent given by a parent and/or guardian as consent given on behalf of the child, and notices to the relevant school or other institution or parent and/or guardian will act as notice given to the child.

3. When do we collect your personal information?

We may collect your personal information when you contact us, purchase or use our products or services (including when you sit a test or participate in a survey or other research), register with us online, participate in our online discussion boards or enter our competitions, contribute to one of our social media pages (such as Twitter, LinkedIn, Vimeo and Facebook), attend an ACER event, apply for a job with us, provide services to us or make a donation through the ACER Foundation.

Given the nature of our products and services [Educational Research; On-line Assessments and Curriculum Development, Professional Development Training], we often collect personal information about you from third parties, such as the school or educational institution that you (or your child) attends.  We may also collect information through secure web-based application systems if you do certain assessments or higher education entry tests, and from other third parties where you have agreed with them that your information may be specifically disclosed to us.

4. Why do we collect the information and how do we use it?

We collect, hold, use and disclose your personal information based on the legal purpose for which it was originally collected:

  1. to deliver our educational research and learning products and services (including our consultancy services and professional development programs, such as testing, assessments, Higher Education access programmes, and training);
  2. to publish educational curriculum materials;
  3. to conduct our retail activities (including through our website);
  4. to operate and manage the ACER Foundation and ACER Cunningham Library [based in Australia];
  5. to develop and enhance our products and services;
  6. to conduct research and plan and develop our product strategies;
  7. to provide and operate our competitions, events and promotions;
  8. to market and promote our products and services; and
  9. to comply with our legal obligations.

5. Can you choose to remain anonymous?

If the situation or circumstance allows it, you may elect not to identify yourself or you may use a pseudonym in your dealings with us. However, given the nature of the business, there are many situations where it is impractical for us to deal with you on this basis (for example, we will need to identify you in order to provide most of our products and services).  You can always choose not to give us your information or remain anonymous, but if you do, we may not be able to provide you (or our client) with the products and services that you (or they) have asked for. In some cases, the relevant laws mandate we uniquely identify you e.g. Employment Law, Immigration Law and the conduct of other law enforcement activities such as fraud, or pursuit of criminal or civil proceedings.

6. How can you request to receive direct marketing and how is it cancelled?

For us to market to you in any way, we must have asked you explicitly to consent to such activities before we include you on marketing lists, be they email text phone or postal service. Consent must be gathered in accordance with the DPA 2018 or it is not valid. You may ask us at any time to stop sending you direct marketing information or to stop being contacted by or on our behalf, usually either directly by the opt out process for the contact protocol or by contacting us directly and requesting cancellation (see web site for contact details). Note: we do not rely on legitimate interest as a legal basis for any direct marketing activities.

7. Who do we disclose your personal information to?

How and why we disclose your personal information very much depends on how we collected it initially: in the first person as a data controller; in the third person as a data processor via a data processing agreement. Thus, disclosure and whom the third party receiving it varies depending on context:

  1. to schools, educational institutions, psychologists, HR practitioners and other third parties who have contracted with us for the provision of our products and services.  For example, if you are a candidate for an ACER scholarship test, or a pupil at a school undergoing assessments, we will supply your test results to those schools whom supplied your data initially, or to the institution to which you have applied for a scholarship;
  2. to entities who assist us in providing and administering our products and services and our events and promotions (including hosting, data storage, payment systems, printing and scanning providers and debt collectors);
  3. to companies that promote and market, or conduct research to help us improve and target, our products and services;
  4. to social media sites on which we have a presence;
  5. we may combine personal information we receive about you with other information we hold about you.  This includes information received from third parties, e.g. schools’ pupil personal information and our assessment test scores.  Where we use assessment data and research study data or generate statistics, we will de-identify or anonymise all personal information before we publish such studies, we have sought consent to utilise such data prior to utilising in this context.
  6. where we are required to do so by law, or to government agencies, or individuals appointed by government, responsible for investigating crime or fraud and resolving disputes or complaints concerning our products or services. If we are a processor only for the data we will redirect the official request to the data controller before releasing any personal data.
  7. When you enter into a competition we are running or participate in a sponsored event, we may seek, as a condition of entry, consent to pass your information to a promoter or sponsor of the competition or event.  If we do this, we will notify you at the time of entering into the competition or event with us and obtain your informed consent for this purpose.

Note: when we disclose data to a third-party assisting ACER or providing a service to us, they are required to have in place a data processing agreement such that they only process the shared data for the legal purpose agreed to beforehand.

8. Do we disclose your information outside the UK/EEA?

As per the Data Protection Act 2018 (incorporating the amended GDPR 2016) we are compelled to only allow data to reside in geographical areas considered adequate for privacy protection or if not adequate comply with the safe guarding mechanisms prior to export. ACER UK complies fully with these requirements; We have Standard Contractual Clause (SCC) agreements in place with ACER Ltd [Australia] such that they are fully accountable to UK DPA 2018; if we export to another third party, we utilise data processing agreements incorporating the SCC’s thus protection is afforded as if the third party was within the UK.

We may disclose your personal information in the following circumstances:

  1. to our related corporate bodies located overseas (including Asia and Australia) to assist us in delivering our products and services; and
  2. to overseas educational institutions (including schools and universities) and other organisations or bodies (including government agencies) who are our clients and to whom we need to provide your personal information in order to deliver our products and services.

9. How do we hold your personal information and keep it secure?

For the majority of data subjects, we hold your personal information usually in electronic form but in some cases (HR or Employment Records) we use hard copy files in conjunction with electronic records (All UK HR files are hard copy within the UK) and electronic records are in Australia.

We may store your personal information with one or more third party data centre storage providers under strict DPA’s and held to the highest monitored and audited security standards. These are within the EEA/UK or Australia. Unless expressly granted at inception of project no UK/EEA pupil/student data is allowed outside UK/EEA regions whatsoever. UK HR data is held within Australia.

We take all reasonable steps to ensure that the personal information we hold is protected from misuse, interference and loss, and unauthorised access, modification or disclosure by the use of various methods, including password protection, access control and secured storage.  Where we store your personal information with a third-party data storage providers, we require them to keep it secure and only use or disclose it for the purpose for which it was provided. In many cases it is mandated to be encrypted at rest and in flight (only use SSL transport).

Please contact us immediately if you become aware or have any reason to believe there has been any unauthorised use of your personal information that we hold.

10. How can you seek access to your rights under the DPA 2018?

As mandated within the DPA 2018 data subjects must be given access to a number of fundamental rights free of charge by data controllers or in some cases processors (if controllers are unable to comply) if they so wish to exercise these rights. These rights are extensive but in short allow:

Access to a copy of the/any information held on the individual, the legal basis of the collection and the purpose, who the controller is and their DPO, who the provider of data was if a third party;

Access to request corrections to errors and the right to be forgotten depending on legal basis for collection;

Access to explanation of profiling and objection to processing based on Legitimate Interests;

Access to the third parties to whom your data has been shared with and the safeguarding mechanism used if outside EEA/UK to enable the transfer of data.

The right to withdraw consent at any time if that was the basis for collection; right to suspend processing or request data portability;

Right of complaint to the supervisory authority if the subject access request has been ignored or failure to provide accurate responses within the required time frame. 

You may request access to your rights above by either using the web site and DSAR request forms; or by writing to us or contacting us at any time using the details displayed on the web site or from the information below.  We will need to verify your identity before we can give you access.  We will promptly acknowledge receipt, and we will endeavour to deal with and respond to your request within a reasonable time (usually within two weeks, but no later than 1 month). Remember it is the controller who is the primary contact point for DSAR requests e.g. if a school provided the pupils’ data to ACER UK, then the school is the controller and will provide the DSAR rights.

In certain circumstances, we are permitted by law to refuse access to your personal information (such as where providing access would have an unreasonable impact upon the privacy of other individuals, or would reveal our test scoring processes or other commercially sensitive information).
In such cases, we will give you a written explanation for our decision (including, where applicable, an alternative means of access to the information, such as supervised inspection), and how you can complain if you are not satisfied with our decision. Our Supervisory Authority is the Information Commissioners Office (ICO) and their complaints process can be accessed using the following link: https://ico.org.uk/make-a-complaint/

You will not be charged for making a request for your personal information.  However, we may charge a fee to provide your information to cover administrative costs (including for supervised inspection) if we feel your requests are repetitive in nature or unnecessarily onerous.  We will inform you of any fee at the time your request is made.

If you think that any personal information we hold about you is inaccurate, incomplete, out-of-date or irrelevant, you may ask us to correct it.  We will take reasonable steps to correct it unless we disagree with your reasons.  If we refuse to correct your personal information, we will give you a written explanation why.

11. How can you seek further information or complain about a breach of your privacy?

If you feel that your privacy has been breached or that you suspect that ACER has acted incorrectly with regard to your personal data, or should not be in possession of same, then please contact us immediately using any mechanism at your disposal (web site, phone, email, letter) or using the information below:
DPO
ACER UK
13-15 Canfield Place
London
NW6 3BT
United Kingdom

dpo@acer.org
unitedkingdom@acer.org

Tel: 020 3909 0659
Mobile: 07989305294

You can use the contact us form to submit requests electronically at https://acer.org/gb/about-us#contact

12. What is the data retention period?

The length of time we keep your data or retain it very much depends on the purpose and how it was originally collected.

Usually when you engage with us directly (ACER is are the controller), we will have a product explanation statement that defines the data collected and its respective retention period, e.g. say an application test script for University entrance will be retained for up to 10 years.

If your data was collected by means of a law applicable to ACER UK then the law will define the retention period; e.g. for UK employment, your details are retained for 7 years post leaving the establishment; for financial law we are required to retain payment details within our accounts for 7 years after transaction date; for pensions we are required to keep some information indefinitely.

If we have collected data under a processing agreement (ACER is the processor) then the agreement will define the retention period, usually 7-10 years after starting the project or service to allow for long term progress analysis. Sometimes the agreement will stipulate the data collected during the processing period must be deleted once project terminated and handed over to the controller.

In the case of marketing activities, we assume your consent is valid for a period no longer than two years, we will contact you to ask if you wish to continue your subscription on the list or you may ask for removal at any time in which case deletion is immediate.

In the case of DSAR requests we retain the fact you requested this service for 7 years post provision of the response, or if the DSAR was escalated to the ICO we retain the outcome of the ICO decision for 7 years after summary findings confirmed.

In the case of legal proceedings, we retain the data for 7 years after the two-year appeal period ends after judgement has been passed (i.e. 9 years).

In the case of anonymised research data and publications of research we retain the scientific data indefinitely, as there is no personal data contained within it thus exempt from DPA 2018.

13. What is the legal basis for data collection?

The legal basis for which we collect your personal data very much depends on the interaction with us as described above. Thus, for expediency we have listed the various legal basis’s as they apply to the business:

The legal basis that are applicable under the DPA 2018 are described within Article 6 on the GDPR 2016 as follows:

Article 6 1 (a) data subject has provided consent for a specified purpose…

We use this for things like consent to marketing activities; to appear on web site images or comments available on social media; for a child to take part in testing assessments or projects for schools or colleges or curriculum development; for special arrangements for testing should a pupil have health or physical disabilities they supply sensitive data with explicit consent . This consent can be removed/revoked at any time without explanation.

Article 6 1 (b) Processing is necessary for the performance of a contract…

We use this legal basis for customers entering into a supply contract for services or for contractors, suppliers who enter into a contract with us. A customer can be an individual or an institution. Where an institution enters into an educational service supply, they are responsible for obtaining consent from the parents/pupils for individual pupil inclusion into the project, but the data we hold on the institution itself is for the contract purpose.

Article 6 1 (c) processing is necessary for compliance with a legal obligation which the controller is subject

We use this legal basis for things like HR and PAYE obligations on ACER UK as an employer plus ancillary legislation for work permits and visa entitlement, anti-discrimination legislation and statistical employment obligations. We also are mandated to carry out checks on employees working with students/pupils directly and teaching qualifications. We are also mandated to comply with Police investigations regarding fraud, criminal activities and legal processes/proceedings.

Article 6 1(e) processing is necessary for the performance of a task carried out in the public interest

We use this legal basis for processing when we are carrying out a curriculum assessment programme or project initiated by an institution or local government body with a view at improving attainment. We work under a detailed data processing agreement and the pupil data we collect via the institution is processed and added to by the assessment data and this legal basis is the justification and purpose for the activity.

Article 6 1 (f) processing is necessary for the purpose of legitimate interest…

We at ACER do not utilise this legal basis for any of our data processing activities irrespective of controller or processor.

Article 6 1 (d) processing is necessary in order to protect the vital interests of the data subject

We very rarely use this legal basis as we are not involved in the protection of interests of data subjects in our daily business operations. However, we are asked very occasionally by legal representatives of the family to provide/release attainment test scores for mature students who have taken admission tests and subsequently have suffered critical life-threatening injuries prior to entering the higher educational institution of their choice. This data is used to allow insurance support costs to be calculated. This is the legal basis we use for these activities.

End of Document

26/8/2020