The personal information you give us is important. Getting to learn about you means that we can give you products and services that best meet your needs.
Our privacy notice explains what information we collect, what we do with it, how we collect it and keep it secure.
- The data we collect
- Collecting your data
- What we do with it
- How we store and protect it
- How we share your data
- International transfers
- Your rights
- Making a complaint
- Opting out
- Legal basis for processing data
- Contact us
Last updated: Jan 2021
Who we are
The legal entities that make up AQA (eg “AQA”, “we”, “us” or “our”), responsible for your personal information are:
- AQA Education Ltd (registered office: Devas Street, Manchester, M15 6EX).
- Doublestruck Ltd (registered office: Devas Street, Manchester, M15 6EX).
- DRS Data Services Ltd (registered office: 1 Danbury Court, Linford Wood, Milton Keynes, Buckinghamshire, MK14 6LR).
- Oxford International AQA Examinations (registered address: Oxford University Press, Great Clarendon Street, Oxford, England, OX2 6DP).
The data we collect
The type and level of personal information we collect varies, for example:
- Identity - names, date of birth, gender, candidate number, passport, birth certificate.
- Contact - e-mail address, address, telephone number, marital status, next of kin.
- Assessment - examination history, subject, grade, type of qualification and centre.
- Pupil - Unique Candidate Identifier (UCI), centre number, admission number, year group, registration group, teacher name, class, supervisor name, ethnicity, eligibility for free school meals.
- Financial - bank account details.
- Transaction - details of software products and services you’ve got from us. Purchase order details, and payments made to/from us.
- Technical - internet protocol (IP) address, login data, operating system and platform.
- Marketing - preferences when you receive communications from us and our third parties. The technologies used, and any related correspondence.
- Usage - use of our website, performance and other communication data.
- Survey - comments and opinions provided in response to a survey.
- Recruitment - education, qualifications, occupation, work history, referees, training and skills development, nationality.
- Employment - the terms and conditions of your employment, salary or fee payments, benefits, work patterns, National Insurance number, attendance, holidays, sickness.
- Performance - reviews and rating, development plans and related correspondence; and timesheet information.
- Activity - the websites our employees visit while using an AQA computer or network. The activity logs held within our systems and databases.
- Communications - emails you send or receive via our email system.
- Disclosure and Barring Service (DBS) - a DBS check reduces the risk of fraud or other unlawful acts.
- Digital data - such as audio recording of calls to our contact centre and telephony system. CCTV imagery both inside and outside of our buildings, including images of vehicles.
Collecting your data
We may collect personal data from you if you:
- register at an approved centre
- take part in our examinations, training, surveys or related events
- use our website, app, products or services
- interact with us through social media, email, post, text or phone, or use one of our cookies
- are a job applicant, employee, ex-employee, associate, trustee, contractors and temporary employee.
We may also capture information by telephone or CCTV when you call or visit AQA.
There are 34 cameras on the Manchester site and 42 cameras at the Guildford site. You can find them in our reception areas, loading bays, entrances, blind spots and key points. The cameras are in operation 24 hours a day, 7 days a week. There are signs which tell you that CCTV cameras are in operation and who to contact for further information.
Our cameras don't capture images which aren’t relevant to the purposes of the monitoring. Surveillance systems aren’t used to record sound. Surveillance systems aren’t used to record sound.
There aren’t any cameras in areas where there’s an expectation of privacy (eg toilets or changing rooms).
Covert surveillance (where you’re unaware that the monitoring or surveillance is taking place), will only happen:
- in exceptional circumstances
- if we have grounds to believe that criminal activity or malpractice is taking place
- if after suitable consideration, there's no less intrusive way to tackle the issue.
Any covert monitoring or surveillance we have to do will take place for a reasonable period of time. It'll relate only to the suspected criminal activity or serious malpractice.
Analytics and targeted advertising
We use online tools to collect information from you. For example:
- Google Analytics improves our marketing campaigns, strategies and website content
- Third party tools help to keep our website updated and relevant to you
- Cookies help us give you a personalised service.
We'll get in touch if you haven't completed and/or abandoned data entered on our websites and/or other online forms.
What we do with your data
Your personal information supports a range of different purposes and activities. The types of data we use, the legal base(s) we rely on when processing them and our legitimate interests are:
Purpose / Activity
Type of Data
To set and mark tests and examination papers and maintain a permanent record of the examination results (this includes the security and integrity of the examination process, the delivery of accurate results to students; and our compliance with statutory regulations).
To develop, deliver and publicise educational products, standards, qualifications, resources and training (this includes the provision and funding of research to inform education policy and improve assessment practice).
To promote education for the public benefit (this includes the provision of dedicated support and mentoring to young people through the AQA Unlocking Potential programme).
To manage our relationship with you, including: providing you with any information, products or services that you request from us; notifying you about changes to our products, services, events, terms and conditions or privacy notice; statistical analysis, market research, marketing and support.
To create an account, register you as a new customer and administer your account.
To process and deliver your order including: delivery of products and product features, recording your order details; keeping you informed about the order status; issuing product renewal notices, taking and processing payments and refunds, collecting money owed to us; and assisting fraud prevention and detection.
To use data analytics to: improve our website, products, services, marketing, customer relationships and experiences; and for market research, statistical and survey purposes.
To register you for email updates, and recommend products and services and events that may be of interest to you.
To gather your opinions on our products and services, or on your experiences of education.
To improve our customer service, monitor quality, resolve complaints and ensure compliance with regulations through contact capture, webforms and call recording.
To prevent crime and protect buildings and assets (of AQA, occupants of the building and of their respective staff and visitors) from damage, disruption, vandalism and other crime.
For the personal safety of staff and visitors (of AQA and the occupants of the building) and other members of the public and to act as a deterrent against crime.
To support law enforcement bodies in the prevention, detection and prosecution of crime.
To assist in the day-to-day management, including ensuring the health and safety of staff and visitors (of AQA and occupants of the building).
To assist in the effective resolution of disputes which arise in the course of disciplinary or grievance proceedings with staff (of AQA or occupants of or visitors to the building).
To assist in the defence of any civil litigation, including employment tribunal proceedings (involving AQA or occupants of or visitors to the building).
For job applicants, employees, ex-employees, associates, contractors and temporary employees only:
Purpose / Activity
Type of Data
To recruit the right people for our business, and manage their working relationship with us, including job role and responsibilities, salary or fee payments, progression, training, performance management and disciplinary or grievance procedures.
To arrange travel for you on AQA business and making appropriate safety arrangements for this, including monitoring your travel.
|To enable us to provide an Occupational Health and wellbeing service to staff.|
We may process your personal data using more than one lawful basis, this depends on the activity.
We’ll use your personal data for the reason we collected it. Unless we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your information for an unrelated purpose, we’ll let you know and explain the legal basis for this.
We may process personal data without your consent, in compliance with the above rules. Where it's required or permitted by law.
We'll keep your personal data:
- for as long as necessary
- for the purpose(s) its provided for
- and to meet our accounting, reporting, legal obligations and public interest responsibilities.
How we store and protect it
We keep personal data confidential within a secure infrastructure protected by many firewalls.
Access to your personal data is only given to those who have a business need to know it. They can only access it on our instructions and they'll stay subject to a duty of confidentiality.
We keep CCTV data on secure hard drives located within our offices for 30 days. They are then overwritten. Sometimes we have to give data to law enforcement agencies, or data subjects under data protection law.
Any third party we work with must have security measures in place to process your personal data. They must treat protect your data and treat such data under the law.
We have procedures in place to deal with any suspected personal data breach. We'd let you and the UK Information Commissioner know of a breach where we’re required to do so.
How we share your information
We may share your personal information with the following:
- The AQA group of companies (AQA Education, Doublestruck, DRS Data Services and Oxford International AQA Examinations)
- Government agencies, their partners and other third parties such as Ofqual, DfE, HMRC, Student Loan Company, Magistrates Courts
- Associates, business partners, suppliers (including their sub-contractors) or other third parties that we use to support the operation of our business. Other exam bodies and the Joint Council for Qualifications where joint working is required to process results
- Our professional advisers including auditors, lawyers, bankers and insurers who provide professional advice, accounting, banking, legal, insurance, and pension services, or to meet our audit responsibilities.
- Employers of associates, for example, the payment of teacher release vouchers
- If you’ve given consent for us to share your data with a third party event, we may pass your data onto that third party.
- Authorised personnel watch our CCTV during working hours only. It's accessible remotely at other times if required.
- We can check live feeds from CCTV cameras, if for example we need to protect health and safety.
- Live feeds from cameras and recorded images are only viewed by approved members of staff.
- We can share images from our CCTV system. If for example someone's car has been broken into on our premises. We’re not responsible for the use these occupants or individuals make of those images.
- Law enforcement agencies can view or remove CCTV footage in the detection or prosecution of crime.
We respect your data and expect all third parties to do the same.
We don’t allow our third-party service providers to use your personal data for their own purposes. They can process your personal data for specific purposes and under our instructions.
We can save any information we get about you from third parties, such as:
- examination centres
- schools and colleges
- other exam bodies
- the Department for Education (DfE)
- search data providers
- public sources.
In each case we’ll do only what’s allowed by relevant laws.
We can share information about our websites or products publicly or with third parties. This will not include data that can identify you.
Information disclosed in connection with business transactions
Information that we collect from users, including personal data, is a business asset.
If we get a third party as a result of a transaction such as a merger or acquisition or if our assets are acquired by a third party in the event we go out of business or enter bankruptcy,
some or all of our assets, including your personal data, will be disclosed or transferred to the third party in connection with the transition.
We'll always make you aware of such business transactions and give you the option to opt-out.
From 1 January 2021, the UK is a ‘third country’ in General Data Protection Regulations (GDPR) terms.
International transfers have to be given additional safeguards. This is on top of the existing measures we have in place for international transfers outside of the European Economic Area (EEA).
Data transfers from AQA to countries within the EEA
We can still send personal data to the EU/EEA, Gibraltar and other countries deemed adequate by the EU. They have adequate protection by the UK Government under the new arrangements. We’ll always do so securely in line with the GDPR principles.
Data transfers to AQA from countries within the EEA
Because the UK is a ‘third country’ in data protection terms, the EEA will need extra protection when transferring data to the UK.
We use the Standard Contractual Clauses to make sure that data transfers are secure and lawful . These are EU approved terms to help the exchange of personal data.
This is the most appropriate safeguarding available to us. It ensures that we continue to protect personal data flowing into the UK from the EEA. These will be in place after a 4-6 month extension granted by the EU at the start of 2021.
Data transfers from AQA to countries outside the EEA (including USA)
Our applications, services and products use service providers outside of the EEA. We may have to transfer some of your data to these providers so you can use our website and products.
Appropriate measures and controls are in place to protect the transfer of your data.
Transfer of data is made in accordance with the requirements of Regulations (EU) 2016/679 (GDPR) and may be based on the use of the European Commission’s Standard Model Clauses for transfers of personal data outside the EEA.
By using our websites, products or by interacting with us in the ways described in this privacy notice, you consent to the transfer of your data outside the EEA in the circumstances set out in this privacy notice.
If you don’t want your data to be transferred outside the EEA you should not use our websites or products.
You have several rights under the data privacy legislation. This includes, under certain circumstances, the right to:
- Access your data - you can access your data at any time by completing the subject access request form (392.0 KB). Please be specific about what you want to know. We’ll need to confirm your identity before we release data to you.
- Correct your data - you can ask us to correct any data we hold about you that's inaccurate.
- Request erasure - you have the right to ‘be forgotten’, in certain circumstances. This doesn’t apply if it would prevent the performance of a contract with you. Or if there's another legal requirement for us to keep your data. If erasure is not possible, you may be able to ask us to restrict processing.
- Request the restriction of processing of your data - you can suspend the processing of your data under certain circumstances. For example pending a review of the accuracy of the data or after you have objected to our use of the data, and we need to establish whether we may lawfully continue processing it.
- Request the transfer of your data - in some cases, you can ask us to transfer the data you originally provided to us to yourself or to another company. This only applies to data you provided directly, or that we observed about you through automated means.
- Object to the processing of your data - you can object to our processing of your data for direct marketing purposes, based on our stated legitimate interests (defined in the table above). In some cases, we may have compelling lawful grounds to process your data which override your rights and freedoms.
- Object to automated decision-making - you can also object to the processing of your personal data where profiling is being used to make assumptions about your behaviours or preferences; for example, to target marketing communications. You have the right not to be subject to automated decision-making and can require that any such decisions are reviewed by a human.
Making a complaint
We take the handling of your personal data very seriously. But, if you feel your data is being handled in a way that breaches data protection legislation, you can make a complaint.
Please contact our Data Protection Office at GDPRenquiries@aqa.org.uk.
We may charge a reasonable fee if your request is unfounded, repetitive or excessive. We can refuse to follow your request in these circumstances.
We’ll always try to respond to any legitimate request within one month. It may take us longer if your request is complex or you've made many requests. In this case, we'll let you know and keep you updated.
As a security measure, we may ask you to confirm your identity. This ensures that:
- personal data isn't disclosed to any person who doesn't have a right to receive it
- your right to access your data or to exercise any of your other rights.
We may also contact you to ask you for further information in relation to your request to speed up our response.
You also have the right to complain to the UK Information Commissioner.
If you don't want to receive information from us, you can ‘opt-out’ at any time. Use the “Unsubscribe” link at the footer of our emails or by contacting us at GDPRenquiries@aqa.org.uk.
We’ll process all opt-out requests as soon as possible. But please note it may take a few days for any opt-out request to be processed.
Our website may include links to and from third party websites. These websites will have their own privacy policies. We don't accept any responsibility or liability for them. Please check these policies before you submit any personal data.
The legal basis for processing your personal data
The law requires us to inform you of the legal basis for collecting and processing your personal data.. These include:
- Performance of contract - ie when we have a contract to either provide a product or service to you, or to receive something from you. We’re also acting under the 'performance of contract' if we collect or process your data for the purposes of entering into a contract with us.
- Legitimate interests - ie processing personal data, which doesn't relate to the performance of a contract agreed with you. We’ll check the fairness of this; and will only undertake the processing if it’s reasonable to do so and will not cause undue risk to you.
- Legal obligation - we're legally bound to process certain data about you. In some cases, we’re obliged to share personal data with third parties, such as OFQUAL, JCQ, DfE and HMRC.
- Public Interest – we’re obliged to maintain a permanent record of your assessment data (eg examination history, subject, grade, and type of qualification) under the ‘Conditions of Recognition’ defined by Ofqual, underpinned by the Apprenticeships, Skills, Children and Learning Act (2009). This is both a legal obligation and necessary for the performance of a task carried out in the public interest.
- Consent - we don’t rely on consent as a legal basis for processing your personal data. Other than in relation to sending marketing communications via email or text message.
Where we’d like to be able to contact you about our products and services, we’ll seek your consent to keep and re-use your contact details for that purpose. You have the right to withdraw consent to marketing at any time by contacting us.
If you have any questions about the way in which we collect, hold or process your data. Or wish to exercise your rights, please contact us at GDPRenquiries@aqa.org.uk.