MSAP Privacy Statement for Ireland, UK and other EU Countries

Introduction

By you registering for and/or sitting MSAP in the Republic of Ireland (or elsewhere), The Australian Council for Educational Research Ltd (ABN 19 004 98 145) of 19 Prospect Hill Road Camberwell Australia 3124 (“ACER”) will collect your required personal data to prepare for, allow access to, administer, report on and finalise all activities, including:

i.    Allowing you to enter into a supply contract with ACER for the MSAP entrance examination test.

ii.   Disclosing to Client Universities (or other institutions as required) for admission purposes the results of the test and other persons or bodies connected with MSAP and them collecting, storing, using, disclosing your personal information in accordance with their admission policies from time to time.

iii.  Disclosing to approved research bodies that have an interest in MSAP data. Note any research report will include anonymised data only.

iv.   Remote proctoring. MSAP conducted online will be remotely proctored. By registering to sit MSAP you will need to provide your Personal Data to a third party, ProctorU (ACER’s current provider of remote proctoring). ProctorU is a company based in the United States. Personal Information you provide to ProctorU will be stored outside of Australia. You may view ProctorU’s privacy policy at www.proctoru.com/privacy-policy. The data provided to enable this service is controlled by a Data Processing Agreement between ACER and ProctorU such that your rights and protections afforded under the GDPR or UK DPA 2018 are protected as if the data were stored within your locality.

v.    Investigating any suspected misconduct and determining and administering any consequences for misconduct.

vi.   The information provided may be used for the defence of legal claims, or the pursuit of fraud or other legal responsibilities applicable to ACER.

(Collectively the above represents the “Purpose”).

In respect of any act or omission of ACER concerning your personal information, in pursuit of the Purpose, ACER as controller are subject to the General Data Protection Regulation (EU) 2016/679 (GDPR) or associated legislation implementing this law.

The personal information ACER collects in pursuit of the Purpose:

The information ACER may collect in pursuit of the Purpose about you includes your:
  • names;
  • contact details such as addresses, post codes, telephone numbers, e-mail addresses;
  • official identification method chosen and authenticated photograph for remote proctoring verification purposes;
  • test answers and results;
  • educational data such as relevant previous educational institutions and qualifications gained;
  • details of application  for reasonable test adjustments (if applied for) including proof of medical documentation regarding health conditions;
  • unique identification information and other educational indices; and
  • email or other written communications with ACER;

relating to the Purpose. (Personal Data)

Definitions

The following terms are related to the following definition:
  • Data controller: the company, organisation or person that decides (jointly or alone) on the means and purpose of processing of personal data;
  • Processing: any action including storage, collection, usage, destruction, combining, publishing or otherwise constitute any form of operation on personal data; and
  • Personal Data: any information related to an identified or identifiable living natural person.

ACER roles and contact information

ACER:

  • is the Data Controller and is committed to protecting your rights in accordance with GDPR or other implementing legislation; and
  • has a Data Protection Officer who can be contacted at:
    • contact number :+44 7989305294
    • email address: dpo@acer.org

Legal basis for processing your information

1

By registering for MSAP we will be required to collect, store, use and otherwise process information about you in pursuit of the Purpose and for reasons deemed necessary for the performance of your contractual agreement with ACER.
2 ACER will obtain explicit consent from you when collecting or handling special information in order to assist with health, disability or special assistance you may have requested in order to undertake the MSAP test (e.g. special accommodation applications and services to candidates with disabilities.)
3

Processing of your personal data may also be necessary for the pursuit of ACER’s contractual requirements including:

  • investigating any suspected misconduct and determining and administering any consequences for misconduct;
  • the investigation of fraud or other legal requirements ACER are required to comply with;
  • publishing anonymised educational material; or
  • research and MSAP statistical analysis, for the public interest.

Legitimate interests

ACER has a legitimate interest in promoting the objectives and interests of ACER in regard to print and online assessment. However ACER will not use your personal data for any purpose not directly related to the Purpose, i.e., no marketing without explicit opt in.

In addition, your Personal Data may be processed for the contractual obligations of others. For example:

  1. Banking or other financial institutions in respect of payment of fees, refunds or charge backs;
  2. Potential providers of education you have approached;
  3. Professional bodies responsible for the management of university admissions;
  4. Government agencies with duties relating to prevention and detection of crime/fraud, collection of a tax or duty or safeguarding national security;
  5. ACER may use information provided by you when investigating a complaint or providing your rights as detailed in the legislation.

Disclosure of your Personal Data

Personal Data is protected by ACER and will not be disclosed to third parties without either your, specific consent, or, as is required by the MSAP contract process or as required by law. This section outlines the major organisations and the most common circumstances in which ACER discloses your Personal Data.

Where necessary in pursuit of the Purpose, your Personal Data may be:

  1. shared internally within ACER and its related companies directly related to MSAP processing requirements;
  2. disclosed to:
    • Banking or other financial institutions in respect of payment of fees, refunds or charge backs;
    • Potential providers of education you have approached;
    • Professional bodies responsible for the management of university admissions;
    • Government agencies with duties relating to prevention and detection of crime, collection of a tax or duty or safeguarding national security;
    • Your parents/guardians or power of attorney for an acting party where your explicit consent has been obtained;
    • ACER contracted service providers assisting ACER in pursuing the Purpose.

Areas outside the UK/EEA (data transfers)

Your Personal DATA IS transferred to Australia in pursuit of the Purpose. In that instance your personal information will be collected, used, stored and disclosed in accordance with the GDPR or UK DPA 2018. There is a UK Office for ACER and there are Standard Contractual Clauses between ACER and ACER UK confirming your rights are afforded as if the data resided within your own jurisdiction. All rights are afforded under the legislation, and the legal jurisdiction is that of your home country.

Remote proctoring

To sit MSAP Ireland by way of remote proctoring you will need to provide your personal information to ProctorU, ACER’s remote proctoring supplier so as to set up a user account. This account is required to undertake the test utilising ProctorU platform as the invigilator and verifier of authenticity of the candidate. Part of the account creation process involves the creation of a unique biometric profile using your face and tactile use of the keyboard. It is this profile along with username and password that authenticates and verifies the candidate and confirms the same person completed the test throughout its time period. ProctorU is a company based in the United States, however they are acting as a processor for ACER and thus are under a detailed data processing agreement including the standard contractual clauses and foreign transfer conditions, such that they are only allowed to collect your data for the purpose of the invigilation of the test and authentication of the candidate. They cannot share or utilise the data for any other purpose whatsoever. Your data is deleted within 30 days of the test completion unless specifically requested to be retained by ACER for the purpose of an investigation.

Retention periods

ACER may retain your Personal Data collected in pursuit of the Purpose for a period of up to two years, for your assistance, so you or your relevant education provider can verify results and Personal Data. Your specific medical information if provided for the purpose of reasonable test amendments will be deleted after two years of completion of the test (it may be requested from academic institutions you apply to enter).

Your rights

Under the GDPR/UK DPA 2018 you have a right of access to your Personal Data which ACER holds about you, subject to certain exemptions, by way of making a Data Subject Access Request (DSAR).

If you submit an access request to ACER, you are entitled to:

  • Be told whether ACER holds any Personal Data about you;
  • Be Given a description of the Personal Data, the reasons it is being processed, and whether it will be or could be provided to any other organisations or people;
  • Be given a copy of the information comprising the Personal Data and given details of the source of the data (where this is available);
  • Be told the recipients or categories of recipients to whom the Personal Data has been or will be disclosed, particularly 3rd countries or international organisations – where this is the case you are also entitled to be informed of appropriate safeguards relating to the transfer of information;
  • Be told the period data will be stored;
  • Be told the right to request rectification, erasure or restriction of processing;
  • Be told the right to lodge a complaint;
  • Be told the existence of automated decision making including profiling.

These rights apply to electronic Personal Data, and to Personal Data in "manual" organised filing systems.

Exemptions to your rights

The GDPR includes various exemptions in which a Data Controller can refuse to provide access to Personal Data. The most likely situations in which ACER could refuse to release information in response to a subject access request are where:

  • The release of the information would jeopardise the prevention or detection of crime, or the apprehension or prosecution of offenders;
  • The request relates to access to assessment material;
  • The request relates to Personal Data contained in confidential information;
  • The request relates to Personal Data which records ACER's intentions in relation to any negotiations with you, and the release of the Personal Data would prejudice the negotiations;
  • The Personal Data requested is covered by legal professional privilege;
  • The Personal Data requested relates to management forecasting or management planning, and its release to you would prejudice ACER's business or activities; or
  • The request relates to access to Personal Data which has been retained for the purposes of historical or MSAP statistical research, the conditions set out in the data protection laws for processing for research purposes have been met, and the results of the research have not been published in a way which identifies individuals.

If Personal Data is withheld from you as a result of an exemption under the GDPR, it will be explained why the Personal Data has been withheld and the relevant exemption, unless doing so would itself disclose information which would be subject to the exemption.

The GDPR allows ACER to refuse to act on your request, or to charge you a reasonable fee (taking into account the administrative costs of providing the information) where it’s considered your request to be manifestly unfounded or excessive, in particular because the request is repetitive in character.

ACER has to protect the data protection rights and other legal rights of other individuals when it responds to subject access requests. Information which does not relate to you may be 'blanked out' or redacted, particularly if it relates to other individuals. Sometimes it may not be possible to release Personal Data relating to you because doing so would also reveal information about other persons who have not consented to their data being released, and it would not be reasonable in the circumstances to release the data without their consent. In such cases, you will be informed that Personal Data about you have been withheld and the reasons for doing so.

If we consider that you have made a subject access request which is manifestly unfounded or excessive in nature (for example because a request is repetitive), it is possible for ACER to:

  • Charge a reasonable fee taking into account the administrative costs of providing the information; or
  • Refuse to act on the request.

If it is determined that a fee should be charged, you will be notified, in writing, of that fact, the level of the fee, and the reason for requesting the fee, without delay.

If it is determined that your request will be refused, you will be notified, in writing, of that fact and the reasons for the refusal to act on the request, without delay.

How do I submit a request?

You can make your subject access request by telephone or in person, by contacting the DPO at the contact details provided above.

When making your request please be as specific as possible about the Personal Data which you want access to, as this will assist in processing your request. For example, if you only want Personal Data relating to your academic record, you should indicate that. A general request such as "please send me all of the Personal Data which you hold about me" is likely to lead ACER to contact you for further information or clarification.

Proof of ID will be required to ensure that ACER is releasing Personal Data to the correct person. ACER will inform you if such is required and in what form up you making your access request

What happens next?

You will be sent an acknowledgement of your request as soon as possible. This will indicate the deadline by when ACER will send you a response, usually within 28 days (unless there are adequate grounds to extend that timescale, and if so, you will be informed accordingly).

You may be asked for further information to assist.

The Personal Data will usually be provided in the format in which you make the access request e.g. digitally or by post.

If you request further copies of the Personal Data ACER may charge a reasonable fee based on administrative costs.

Can I appeal?

If you are dissatisfied with the response to your access request, you have the right to apply directly to the privacy regulator in your relevant country. Further information about how to enforce your rights under applicable data protection laws is available on the relevant privacy regulator’s website.