AQA is committed to protecting and respecting the privacy of your personal data. This privacy notice explains how your data is collected, used, transferred and disclosed by us. It applies to data collected when you participate in our examinations, training or events; use our website, products or services; interact with us through social media, email, post, text or phone; apply for employment with us; or are employed by us.
This privacy notice explains:
Who is AQA?
The Data Protection Office
What is personal data?
How we keep your data secure
The data we collect about you
How we collect your data
The legal basis for processing your personal data
How we use your data
Analytics and targeted advertising
How we share your data
How to contact us
Who is AQA?
AQA is an independent educational charity and the largest provider of academic qualifications taught in schools and colleges in the UK and our qualifications are taught in over 30 countries around the world. We set and mark a range of examination papers including GCSEs, AS and A-levels, the Extended Project Qualification, the AQA Baccalaureate, Tech-levels and Technical Awards. We collect personal data for the purposes of administering examinations, supporting teachers, providing services to exam centres, recruiting and managing AQA employees and contractors, processing and validating payments, carrying out market research, and recommending products and services that might interest you.
The separate and distinct legal entities that make up the AQA family (referred to collectively as “AQA”, “we”, “us” or “our” in this privacy notice) that are responsible for your personal data include:
- AQA Education Ltd (registered office: Devas Street, Manchester, M15 6EX)
- Doublestruck Ltd (registered office: Devas Street, Manchester, M15 6EX)
- DRS Data Services Ltd (registered office: 1 Danbury Court, Linford Wood, Milton Keynes, Buckinghamshire, MK14 6LR)
- Oxford International AQA Examinations (registered address: Oxford University Press, Great Clarendon Street, Oxford, England, OX2 6DP)
This also includes any other businesses we may add to this group in the future. If you would like more information about which company you’re dealing with, please refer to the terms and conditions of the product or service you’re using.
The Data Protection Office
AQA has established a Data Protection Office to oversee the activities we undertake to ensure that your personal data is handed ethically and in line with our legal obligations. If you have any questions about the way in which we collect, hold or process your data please send them to our Data Protection Office at GDPRenquiries@aqa.org.uk.
What is personal data?
“Personal data” is any information about a living individual, which allows them to be identified from that data (for example a name, photographs, videos, email address, or address).
Identification can be by directly using the data itself or by combining it with other information, which helps to identify a living individual.
The processing of personal data is governed by legislation relating to personal data, which applies in the United Kingdom including the General Data Protection Regulation (the “GDPR) and other legislation relating to personal data and rights such as the Human Rights Act.
How we keep your data secure
We have put appropriate organisational safeguards and security measures in place to protect your data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We keep your data confidential within a secure infrastructure protected by multiple firewalls and we are committed to keeping the security of these systems as up-to-date and as secure as possible. We already encrypt special category data within some of our products. We also limit access to your personal data to those employees, associates, contractors and other third parties who have a business need to know it. They will only be permitted to process your data on our instructions and will always be subject to a duty of confidentiality.
CCTV data will be stored on secure hard drives located within AQA offices. Images will generally only be retained for 30 days before being overwritten, unless we are required to extract information for the purposes of providing the data to law enforcement agencies, or data subjects under data protection law.
We require any third party who is contracted to process your personal data on our behalf to have security measures in place to protect your data and to treat such data in accordance with the law. We have put in place procedures to deal with any suspected personal data breach and will notify you and the UK Information Commissioner of a breach where we are legally required to do so.
The data we collect about you
The following groups of personal data may be collected and processed by AQA:
- Identity Data such as your first name, last name, title, date of birth, gender, candidate number;
- Contact Data such as your e-mail address, address, and telephone number;
- Assessment Data such as your examination history, subject, grade, type of qualification and centre;
- Pupil Data such as UPN, centre number, admission number, year group, registration group, teacher name, class, supervisor name, ethnicity, eligibility for free school meals, FSM6, pupil premium indicator, SEN status, LEA care status.
- Financial Data such as your bank account details;
- Transaction Data such as details of the software products and services you have obtained from us, purchase order details, and payments made to/from us;
- Technical Data such as your internet protocol (IP) address, login data, operating system and platform;
- Marketing Data such as your marketing and communication preferences in receiving communications from us and our third parties, the technologies used, and any related correspondence;
- Usage Data such as your use of our website, performance and other communication data;
- Survey Data such as your comments and opinions provided in response to a survey.
- Digital data such as audio recording of calls to our contact centre and telephony system, and CCTV images of individuals and their vehicles on and around the Manchester and Guildford offices, and images of individuals inside these buildings.
In addition, we may collect the following additional groups of data with respect to job applicants, employees or ex-employees, associates, contractors, and temporary employees:
- Identity Data such as proof of your identity (e.g. passport, valid driving licence or birth certificate);
- Contact Data such as information about your marital status, next of kin, dependants, personal and emergency contacts details to be used in the event of an emergency;
- Recruitment Data such as details of your education, qualifications, occupation, work history, experience, referees, training and skills development; nationality, entitlement to work in the UK, criminal record (if your role requires this) and equal opportunities monitoring information;
- Employment Data such as the terms and conditions of your employment, salary or fee payments, benefits, work patterns, NI number, attendance, holidays, sickness, disciplinary or grievance issues, medical or health conditions, disabilities (for which AQA needs to make reasonable adjustments); and information about your vehicle, driving licence, MOT and insurance documents if you drive on company business;
- Performance Data such as performance reviews and ratings, performance development plans and related correspondence; and timesheet information;
- Activity Data such as the websites our employees visit while using an AQA computer or AQA network, and the activity logs held within AQA systems and databases;
- Communications Data such asthe emails you send or receive via the AQA email system.
We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
How we collect your data
We may collect personal data from you when you: register at an approved centre; participate in our examinations, training, surveys or related events; use our website, app, products or services; interact with us through social media, email, post, text or phone, or use one of our cookies. In addition, we will also collect personal data from job applicants, employees, ex-employees, associates, trustees, contractors and temporary employees during their recruitment screening and throughout the tenure of their employment with us.
We may also capture information by telephone or CCTV when you call or visit AQA. Our CCTV monitors the reception area, loading bays, remote entrances, blind spots and key points within the buildings and externally at both the Guildford and Manchester sites. There are 34 cameras on the Manchester site and 42 cameras at the Guildford site. The cameras are in operation 24 hours a day, 7 days a week
Signs are displayed prominently to inform staff and visitors that CCTV cameras are in operation and who to contact for further information.
Camera locations are chosen to minimise the capture of images which are not relevant to the legitimate purposes of the monitoring. Surveillance systems are not used to record sound.
No surveillance cameras will be placed in areas where there is an expectation of privacy (for example, in toilets or changing rooms).
AQA does not carry out covert monitoring or surveillance (that is, where you are unaware that the monitoring or surveillance is taking place) unless, in highly exceptional circumstances, there are reasonable grounds to suspect that criminal activity or extremely serious malpractice is taking place and, after suitable consideration, AQA reasonably believes there is no less intrusive way to tackle the issue.
Any covert monitoring or surveillance will be carried out for a limited and reasonable period of time consistent with the objectives of the monitoring or surveillance and will relate only to the specific suspected criminal activity or extremely serious malpractice.
The legal basis for processing your personal data
The law requires us to inform you of the legal basis for collecting and processing your personal data, where we are the Data Controller, or Joint Data Controller. These include:
- Performance of contract: In most cases, this occurs when we have a contract with you to either provide a product or service to you, or to receive something from you. Examples include: employment contracts; associate contracts; agreements for the provision of our products or services; and procurement contracts. We are also acting under the performance of contract if we collect or process your data for the purposes of entering into a contract, if you have expressed an interest in working with us.
- Legitimate interests: We may have a legitimate interest in processing certain personal data, which does not relate to the performance of a contract agreed with you. If we rely on our legitimate interests to justify processing your data, we will have conducted an assessment to evaluate the fairness of this; and will only undertake the processing if it is reasonable to do so and will not cause undue risk to you.
- Legal obligation: We may be legally obliged to process certain data about you, for example to report the results of our examinations, or protect employee safety while travelling on AQA business. In some cases, we are obliged to share personal data with third parties, such as OFQUAL, JCQ, DfE and HMRC.
- Public Interest: We are obliged to maintain a permanent record of your assessment data (e.g.examination history, subject, grade, and type of qualification) under the ‘Conditions of Recognition’ defined by Ofqual, underpinned by the Apprenticeships, Skills, Children and Learning Act (2009). This is both a legal obligation and necessary for the performance of a task carried out in the public interest.
- Consent: In general, we do not rely on consent as a legal basis for processing your personal data other than in relation to sending direct marketing communications to individuals via email or text message. Where we would like to be able to contact you about our products and services, and no other legal basis applies, we will seek your consent to retain and re-use your contact details for that purpose. You have the right to withdraw consent to marketing at any time by contacting our Data Protection Office at GDPRenquiries@aqa.org.uk.
How we use your data
The types of personal data we collect and use, the purposes for which we use your personal data, and the lawful bases we rely on to allow us to use your personal data in that way are set out in the table below.
Where the lawful basis is our legitimate interests or the legitimate interests of a third party, we have also indicated what those interests are.
We may have more than one lawful basis for using your personal data.
Purpose / Activity
Type of Data
To set and mark tests and examination papers and maintain a permanent record of the examination results (this includes the security and integrity of the examination process, the timely delivery of accurate results to students; and our compliance with statutory regulations).
To develop, deliver and publicise educational products, standards, qualifications, resources and training (this includes the provision and funding of research to inform education policy and improve assessment practice).
To promote education for the public benefit (this includes the provision of dedicated support and mentoring to young people through the AQA Unlocking Potential programme).
To manage our relationship with you, including: providing you with any information, products or services that you request from us; notifying you about changes to our products, services, events, terms and conditions or privacy notice; statistical analysis, market research, marketing and support.
To create an account, register you as a new customer and administer your account.
To process and deliver your order including: delivery of products and product features, recording your order details; keeping you informed about the order status; issuing product renewal notices, taking and processing payments and refunds, collecting money owed to us; and assisting fraud prevention and detection.
To use data analytics to: improve our website, products, services, marketing, customer relationships and experiences; and for market research, statistical and survey purposes.
To register you for email updates, and recommend products and services and events that may be of interest to you
To gather your opinions on our products and services, or on your experiences of education.
To protect the security of commercial and personal and special category data in our care by securing and monitoring activity within our network, internet and email.
|To improve our customer service, monitor quality, resolve complaints and ensure compliance with regulations through contact capture, webforms and call recording.|
To prevent crime and protect buildings and assets (of AQA, occupants of the building and of their respective staff and visitors) from damage, disruption, vandalism and other crime
For the personal safety of staff and visitors (of AQA and the occupants of the building) and other members of the public and to act as a deterrent against crime
To support law enforcement bodies in the prevention, detection and prosecution of crime
To assist in the day-to-day management, including ensuring the health and safety of staff and visitors (of AQA and occupants of the building)
To assist in the effective resolution of disputes which arise in the course of disciplinary or grievance proceedings with staff (of AQA or occupants of or visitors to the building)
To assist in the defence of any civil litigation, including employment tribunal proceedings (involving AQA or occupants of or visitors to the building)
For job applicants, employees, ex-employees, associates, contractors and temporary employees only:
Purpose / Activity
Type of Data
To recruit the right people for our business, and manage their working relationship with us, including job role and responsibilities, salary or fee payments, progression, training, performance management and disciplinary or grievance procedures.
To arrange travel for you on AQA business and making appropriate safety arrangements for this, including monitoring your travel.
|To enable us to provide an Occupational Health and wellbeing service to staff.|
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we wish to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. We may process personal data without your consent, in compliance with the above rules, where this is required or permitted by law.
Disclosure and Barring Service (DBS) checks may be carried out on job applicants or employees employed for specific roles, with their consent, to guard against the risk of fraud or other unlawful acts being inflicted upon our candidates, customers, partners or employees. We would encourage you to discuss any concerns you have regarding DBS checks with us directly.
We will keep your personal data for no longer than is necessary for the purpose(s) it was provided for and to meet our accounting, reporting, legal obligations and public interest responsibilities. Further details of the retention periods we apply to your data are available on request from GDPRenquiries@aqa.org.uk.
If you have any questions about how AQA use any of your personal data, please contact our Data Protection Office at GDPRenquiries@aqa.org.uk.
We may send you information about our examinations, products, services, activities and forthcoming events: by email if you have signed up to our email newsletters; or in accordance with your communication preferences if you have provided us with your details when you registered with us or consented to receiving such communications.If you do not wish to continue receiving information from us, you can ‘opt-out’ at any time by using the “Unsubscribe” link included in the footer of an email sent by us or by contacting us directly at GDPRenquiries@aqa.org.uk.
We will process all opt-out requests as soon as possible, but please note that due to the nature of our IT systems it may take a few days for any opt-out request to be implemented.
Our website may include links to and from the websites of our partners and other relevant organisations. If you follow a link to any of these websites, please note that these websites will have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to their websites.
Analytics and targeted advertising
We use a range of analytics and targeted advertising tools to deliver relevant website content and information to you.For example, we use tools such as Google Analytics to target and improve our marketing campaigns, marketing strategies and Website content. We may also use tools provided by other third parties such as Mouseflow to perform similar tasks that help to keep our website updated and relevant to you.
We may also collect your data where you partially complete and/or abandon data entered on our websites and/or other online forms and may use this data to contact you to remind you to complete any outstanding information and/or for marketing purposes.
Please note: you can opt-out of the Google Display Advertising Features using Ad Settings or the Google Analytics opt-out browser add on. In addition, the Digital Advertising Alliance (which includes companies such as Google and Facebook) provides a tool called WebChoices that can perform a quick scan of your computer or mobile device(s) and adjust your browser preferences accordingly. Doing so, however, may restrict the functionality of our website and a large proportion of other websites around the world as cookies are a common feature of most modern websites.
How we share your data
We may disclose and share your personal data with the parties set out below, for the purposes outlined in the tables above:
- The AQA group of companies (AQA Education, Doublestruck, DRS Data Services and Oxford International AQA Examinations);
- government agencies, their partners and other third parties to comply with our legal obligation or public interest responsibilities (such as Ofqual, DfE, HMRC, Student Loan Company, UCAS, Magistrates Courts, Employment Tribunals, Local Authorities and Academy Chains);
- associates, business partners, suppliers (including their sub-contractors) or other third parties that we use to support the operation of our business. For example, to: carry out criminal or credit checks; support the logistics involved in the secure storage and transportation of exam papers; provide IT systems and software, internet access, website or hosting solutions; organise events or provide marketing and advertising services; provide training and development services; deliver employee benefits, run our payroll, perform occupational health checks and referrals, and provide employee assistance;
- our professional advisers including auditors, lawyers, bankers and insurers who provide professional advice, accounting, banking, legal, insurance, and pension services, or to meet our audit responsibilities;
- where you have consented for us to do so. For example, if you have given your consent for us to share your data with a third party in respect of an event, we may pass your data on to the relevant third party administering the event;
- employers of associates. For example, the payment of teacher release vouchers
- Images are monitored by AQA authorised personnel during working hours only and can be accessed remotely at other times if required. Live feeds from CCTV cameras are monitored only where this is reasonably necessary, for example to protect health and safety.
- AQA will ensure that live feeds from cameras and recorded images are only viewed by approved members of its staff whose role requires them to have access to such data. This may include AQA’s People Services staff involved in disciplinary or grievance matters.
- Where images from our CCTV system are relevant to occupants of the buildings or any individual (for instance if they show that their car has been broken into), AQA may share them with those other occupants/individuals if it considers that this is reasonably necessary for any of the purposes set out above.
- AQA is not responsible for the use these occupants or individuals make of those images.
- AQA may allow law enforcement agencies to view or remove CCTV footage where this is required in the detection or prosecution of crime.
AQA will keep a record of all disclosures of CCTV footage.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We may add to your personal data any information we obtain from third parties that are allowed to share your data with us. This may include data from our examination centres, schools and colleges, the Department for Education, search data providers or public sources. In each case we will do only what is allowed by relevant laws.
We may share non-personally identifiable information about the use of our websites or products publicly or with third parties, however, this will not include data that can be used to identify you.
Information disclosed in connection with business transactions: Information that AQA collects from users, including personal data, is a business asset. If AQA or any part of AQA is acquired by a third party as a result of a transaction such as a merger, acquisition or asset sale; or if our assets are acquired by a third party in the event we go out of business or enter bankruptcy, some or all of our assets, including your personal data, will be disclosed or transferred to a third party acquirer in connection with the transition. We'll always make individuals aware of such business transactions and give them the option to opt-out and how to manage the handling of their personal information.
From 1 January 2021, the UK is a ‘third country’ in GDPR terms and therefore international transfers have to be given additional safeguards; in addition to the existing measures we have in place for international transfers outside of the EEA.
Data transfers from AQA to countries within the EEA
In line with Government guidance, there are currently no changes to the way AQA can send personal data to the EU/EEA, Gibraltar and other countries deemed adequate by the EU. Therefore we’ll continue to be able to transfer personal information to countries within the EEA, as they’ve been deemed to have adequate protection by the UK Government under the new arrangements. We’ll always do so securely in line with the GDPR principles.
Data transfers to AQA from countries within the EEA
Because the UK is a ‘third country’ in data protection terms; until an adequacy decision is received from the European Commission, organisations based in the EEA require additional protection when transferring data to the UK. To ensure that all data transfers are secure and lawful; we’ll ensure that we use the Standard Contractual Clauses, which are EU approved terms to facilitate the exchange of personal data. We’ve assessed these to be the most appropriate safeguarding available to us to ensure that we continue to protect personal data flowing into the UK from the EEA.
Data transfers from AQA to countries outside the EEA (including USA)
We may use service providers based outside of the EEA to help us provide our websites and products (for example, marketing service providers). This means that we may transfer some of your data to service providers outside the EEA for the purpose of providing our applications, services and advertising to you. We also administer exams outside the EEA in conjunction with Oxford International AQA Examinations, and may transfer information to Centres and government agencies outside the EEA for the purpose of administering and verifying exam results.
Where data is transferred outside of the EEA to our service providers, we take steps to ensure that appropriate measures and controls are in place to protect that data in accordance with relevant data protection laws and regulations. In each case, such transfers are made in accordance with the requirements of Regulations (EU) 2016/679 (the General Data Protection Regulations or “GDPR”) and may be based on the use of the European Commission’s Standard Model Clauses for transfers of personal data outside the EEA.
By using our websites or products or by interacting with us in the ways described in this Privacy Notice, you consent to the transfer of your data outside the EEA in the circumstances set out in this Privacy Notice. If you do not want your data to be transferred outside the EEA you should not use our websites or products.
You have several rights under the data privacy legislation - details of each of these rights are set out below. If you wish to contact us regarding any of these – please complete the subject access request form by following the instructions in the form and returning this with the required identification. This will help us to process your request more promptly.
You have the right to:
- Access your data: You can access the data we hold on you at any time, by making a subject access request using the above form. The more specific you can be about what you want to know, the better. We will need to confirm your identity before we release data to you.
- Rectify your data: You can ask us to correct any data we hold about you that is inaccurate.
- Request erasure:You have the right to ‘be forgotten’, in certain circumstances. This right does not apply if it would prevent the performance of a contract with you or if there is another legal requirement for us to retain your data. If erasure is not possible, you may be able to ask us to restrict processing.
- Request the restriction of processing of your data: You may ask us to suspend the processing of your data under certain circumstances, for example pending a review of the accuracy of the data or after you have objected to our use of the data, and we need to establish whether we may lawfully continue processing it.
- Request the transfer of your data: In some cases, you can ask us to transfer the data you originally provided to us to yourself or to another company. This only applies to data you provided directly, or that we observed about you through automated means.
- Object to the processing of your data: You can object to our processing of your data for direct marketing purposes, or on the basis of our stated legitimate interests (defined in the table above). In some cases, we may have compelling lawful grounds to process your data which override your rights and freedoms.
- Object to automated decision-making: You can also object to the processing of your personal data where profiling is being used to make assumptions about your behaviours or preferences; for example, to target marketing communications. You have the right not to be subject to automated decision-making and can require that any such decisions are reviewed by a human.
- You can lodge a complaint: If you believe your data is being handled in a way that breaches data protection legislation, you can lodge a complaint with us directly. You also have the right to complain to the UK Information Commissioner. Please be aware that we take the handling of your personal data very seriously. As such, we would always appreciate the opportunity to address any concerns you may have directly with you.
If you wish to exercise any of these rights, or lodge a complaint please contact our Data Protection Office at GDPRenquiries@aqa.org.uk. You will not normally have to pay a fee, however, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.We will always try to respond to any legitimate request within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
How to contact us
If you have any questions or concerns about the way in which we collect, hold or process your data, or simply wish to exercise your rights (as identified in the previous section) please contact us directly.
You can contact the Data Protection Officer and team at GDPRenquiries@aqa.org.uk.
Version 4.0 – Last Updated 8 December 2020.