MSAP Privacy Statement for Ireland, UK and EU

Introduction

By you registering for and/or sitting MSAP in the United Kingdom, Ireland or Europe The Australian Council for Educational Research Ltd (ABN 19 004 98 145) of 19 Prospect Hill Road Camberwell Australia 3124 (ACER) will collect your personal data to prepare for, administer, report on and finalise all activities, including:

  1. investigating any suspected misconduct and determining and administering any consequences for misconduct;
  2. disclosing to the Association of Universities and relevant universities for admission purposes and other persons or bodies connected with MSAP and them collecting, storing, using, disclosing your personal information in accordance with their policies from time to time; and
  3. disclosing to approved research bodies that have an interest in MSAP data. Any research report will include anonymised data only.

(the Purpose).

In respect of any act or omission of ACER concerning your personal information, in pursuit of the Purpose, ACER may be subject to the General Data Protection Regulation (EU) 2016/679 (GDPR).

The personal information ACER collects in pursuit of the Purpose:

The information ACER may collect in pursuit of the Purpose about you includes your:

  • names;
  • country of residence and birth, gender, birth date
  • contact details such as, telephone numbers, e-mail addresses;
  • test answers and results;
  • educational data such as relevant educational institutions, highest educational level application (if any) for  reasonable test adjustments including medical documentation regarding health information;
  • unique identification information and other educational indices; and
  • email or other written communications with ACER.

Definitions

The following terms are related to the following definition:

  • Data controller: the company, organisation or person that decides (jointly or alone) on the means and purpose of processing of personal data;
  • Processing: any action including storage, collection, usage, destruction, combining, publishing or otherwise constitute any form of operation on personal data; and
  • Personal Data: any information related to an identified or identifiable living natural person.

ACER roles and contact information

ACER:

  • is the Data Controller and Processor and is committed to protecting your rights in accordance with GDPR; and
  • has a Data Protection Officer who can be contacted at:
    • contact number :+44 7989305294
    • email address: dpo@acer.org

Legal basis for processing your information

1 By registering for MSAP will be required to collect, store, use and otherwise process information about you in pursuit of the Purpose and for other reasons deemed necessary for the performance of your contractual agreement with ACER.
2 ACER will obtain specific consent from you when collecting or handling special information in order to assist with health, disability or special assistance you need to undertake the MSAP  (e.g. special accommodation applications and services to candidates with disabilities.
3 Processing of your personal data may also be necessary for the pursuit of ACER’s legitimate interests:
  • investigating any suspected misconduct and determining and administering any consequences for misconduct;
  • publishing anonymised educational material; or
  • research and statistical analysis, for the public interest;

but only where it is not unwarranted and will not cause a prejudicial effect on your rights and freedoms, or legitimate by interests.

Legitimate interests

ACER has a legitimate interest in promoting the objectives and interests of ACER in regard to print and online assessment.

In addition, your Personal Data may be processed for the legitimate interests of others. For example:

  1. Banking or other financial institutions in respect of payment of fees, refunds or charge backs;
  2. Potential providers of education you have approached;
  3. Professional bodies responsible for the management of university admissions;
  4. Government agencies with duties relating to prevention and detection of crime, collection of a tax or duty or safeguarding national security;
  5. ACER may use information provided by you when investigating a complaint.

Disclosure of your Personal Data

Personal Data is protected by ACER and will not be disclosed to third parties without either specific consent, or, as is required by the MSAP contract process or as required by law. This section outlines the major organisations and the most common circumstances in which ACER discloses your Personal Data.

Where necessary in pursuit of the Purpose, your Personal Data may be:

  1. shared internally within ACER and its related companies directly related to MSAP processing requirements;
  2. disclosed to:
    • Banking or other financial institutions in respect of payment of fees, refunds or charge backs;
    • Potential providers of education you have approached;
    • Professional bodies responsible for the management of university admissions;
    • Government agencies with duties relating to prevention and detection of crime, collection of a tax or duty or safeguarding national security;
    • Your parents or guardians where consent has been obtained;
    • ACER contracted service providers assisting ACER in pursuing the Purpose.

Areas outside the EEA (data transfers)

Your Personal Data is transferred to Australia in pursuit of the Purpose. In that instance your personal information will be collected, used, stored and disclosed in accordance with the GDPR.

Retention periods

ACER may retain your Personal Data collected in pursuit of the Purpose for a period of up to ten years, for your assistance, so you or your relevant education provider can verify results and Personal Data.

Your rights

Under the GDPR you have a right of access to your Personal Data which ACER holds about you, subject to certain exemptions, by way of making a Data Subject Access Request (DSAR).

If you submit an access request to ACER, you are entitled to:

  • Be told whether ACER holds any Personal Data about you;
  • Be Given a description of the Personal Data, the reasons it is being processed, and whether it will be or could be provided to any other organisations or people;
  • Be given a copy of the information comprising the Personal Data and given details of the source of the data (where this is available);
  • Be told the recipients or categories of recipients to whom the Personal Data has been or will be disclosed, particularly 3rd countries or international organisations – where this is the case you are also entitled to be informed of appropriate safeguards relating to the transfer of information;
  • Be told the period data will be stored;
  • Be told the right to request rectification, erasure or restriction of processing;
  • Be told the right to lodge a complaint;
  • Be told the existence of automated decision making including profiling.

These rights apply to electronic Personal Data, and to Personal Data in "manual" organised filing systems.

Exemptions to your rights

The GDPR includes various exemptions in which a Data Controller can refuse to provide access to Personal Data. The most likely situations in which ACER could refuse to release information in response to a subject access request are where:

  • The release of the information would jeopardise the prevention or detection of crime, or the apprehension or prosecution of offenders;
  • The request relates to access to assessment material;
  • The request relates to Personal Data contained in confidential information;
  • The request relates to Personal Data which records ACER's intentions in relation to any negotiations with you, and the release of the Personal Data would prejudice the negotiations;
  • The Personal Data requested is covered by legal professional privilege;
  • The Personal Data requested relates to management forecasting or management planning, and its release to you would prejudice ACER's business or activities; or
  • The request relates to access to Personal Data which has been retained for the purposes of historical or statistical research, the conditions set out in the data protection laws for processing for research purposes have been met, and the results of the research have not been published in a way which identifies individuals.

If Personal Data is withheld from you as a result of an exemption under the GDPR, it will be explained why the Personal Data has been withheld and the relevant exemption, unless doing so would itself disclose information which would be subject to the exemption.

The GDPR allows ACER to refuse to act on your request, or to charge you a reasonable fee (taking into account the administrative costs of providing the information) where it’s considered your request to be manifestly unfounded or excessive, in particular because the request is repetitive in character.

ACER has to protect the data protection rights and other legal rights of other individuals when it responds to subject access requests. Information which does not relate to you may be 'blanked out' or redacted, particularly if it relates to other individuals. Sometimes it may not be possible to release Personal Data relating to you because doing so would also reveal information about other persons who have not consented to their data being released, and it would not be reasonable in the circumstances to release the data without their consent. In such cases, you will be informed that Personal Data about you have been withheld and the reasons for doing so.

If we consider that you have made a subject access request which is manifestly unfounded or excessive in nature (for example because a request is repetitive), it is possible for ACER to:

  • Charge a reasonable fee taking into account the administrative costs of providing the information; or
  • Refuse to act on the request.

If it is determined that a fee should be charged, you will be notified, in writing, of that fact, the level of the fee, and the reason for requesting the fee, without delay.

If it is determined that your request will be refused, you will be notified, in writing, of that fact and the reasons for the refusal to act on the request, without delay.

How do I submit a request?

You can make your subject access request by telephone or in person, by contacting the DPO at the contact details provided above.

When making your request please be as specific as possible about the Personal Data which you want access to, as this will assist in processing your request. For example, if you only want Personal Data relating to your academic record, you should indicate that. A general request such as "please send me all of the Personal Data which you hold about me" is likely to lead ACER to contact you for further information or clarification.

Proof of ID will be required to ensure that ACER is releasing Personal Data to the correct person. ACER will inform you if such is required and in what form up you making your access request.

What happens next?

You will be sent an acknowledgement of your request as soon as possible. This will indicate the deadline by when ACER will send you a response, usually within 28 days (unless there are adequate grounds to extend that timescale, and if so, you will be informed accordingly.

You may be asked for further information to assist.

The Personal Data will usually be provided in the format in which you make the access request e.g. digitally or by post.

If you request further copies of the Personal Data ACER may charge a reasonable fee based on administrative costs.

Can I appeal?

If you are dissatisfied with the response to your access request, you have the right to apply directly to the privacy regulator in your relevant country. Further information about how to enforce your rights under applicable data protection laws is available on the relevant privacy regulator’s website.