Privacy notice

See our Student privacy notice here

The personal information you give us is important. Getting to learn about you means that we can give you products and services that best meet your needs.

Our privacy notice explains what information we collect, what we do with it, how we collect it and keep it secure.

Last updated: November 2024

Who we are

The legal entities that make up AQA (eg “AQA”, “we”, “us” or “our”), responsible for your personal information are:

  • AQA Education (registered office: Devas Street, Manchester, M15 6EX).
  • AQA Commercial Services Ltd (registered office: Devas Street, Manchester, M15 6EX).
  • AQA Assessment Services Ltd (registered office: Devas Street, Manchester, M15 6EX).
  • AlphaPlus Consultancy Ltd (registered office: Devas Street, Manchester, M15 6EX).
  • Doublestruck Ltd (registered office: Devas Street, Manchester, M15 6EX).
  • Oxford International AQA Examinations (registered address: Oxford University Press, Great Clarendon Street, Oxford, England, OX2 6DP).
  • Training Qualifications UK Ltd (registered office: Crossgate House, Cross Street, Sale, M33 7FT).

The data we collect

The type and level of personal information we collect varies, for example:

  • Identity – names, date of birth, gender, candidate number, passport, birth certificate, driving license.
  • Contact – e-mail address, address, telephone number, marital status, next of kin, dependants, emergency contact details.
  • Assessment – examination history, subject, grade, type of qualification and centre.
  • On-screen assessment – biometric data such as audio, video of facial features, facial recognition by human or AI, identity documents, voice, images of home/working space, examination history, subject, grade, type of qualification and centre.
  • Pupil – Unique Candidate Identifier (UCI), centre number, admission number, year group, registration group, teacher name, class, supervisor name, ethnicity, eligibility for free school meals, FSM6, pupil premium indicator, SEN status, LEA care status.
  • Financial – bank account details.
  • Transaction – details of software products and services you’ve got from us. Purchase order details, and payments made to/from us.
  • Biometric data – such as your fingerprint if you visit and require access to our sites, and CCTV of your person if you attend one of our sites.
  • Technical – internet protocol (IP) address, login data, operating system and platform.
  • Marketing – preferences when you receive communications from us and our third parties. The technologies used, and any related correspondence.
  • Usage – use of our website, performance and other communication data.
  • Survey – comments and opinions provided in response to a survey.
  • Recruitment – education, qualifications, occupation, work history, referees, training and skills development, nationality, experience, right to work in the UK, criminal checks (if your role requires it) ad equal opportunity monitoring.
  • Employment – the terms and conditions of your employment, salary or fee payments, benefits, work patterns, National Insurance number, attendance, holidays, sickness, disciplinary or grievance issues, medical or health conditions, disabilities (for which AQA needs to make reasonable adjustments); and information about your vehicle, driving licence, MOT and insurance documents if you drive on company business.
  • Performance – reviews and rating, development plans and related correspondence; and timesheet information.
  • Activity – the websites our employees visit while using an AQA computer or network. The activity logs held within our systems and databases.
  • Communications – emails you send or receive via our email system.
  • Disclosure and Barring Service (DBS) – a DBS check reduces the risk of fraud or other unlawful acts.
  • Digital data – such as audio recording of calls and webchat data to our contact centre and telephony system. Video/Audio recordings of web-conference meetings and webinars. See also online assessment data listed, as it applies. CCTV imagery both inside and outside of our buildings, including images of vehicles. Analytics/Cookie data from our AQA website depending on the level of interaction with our cookie banner and preference centre. Interaction on social media with AQA or about AQA’s products and services.
  • Behaviour – how you may interact with certain sections of an event you attend where AQA are present, attend or host.
  • Safeguarding – information divulged to us by children, young adults and individuals at risk through use of our services, which we have a duty to investigate and act upon.

Online forms and electronic communications

All data that you provide in any of our online forms or through other electronic communications is done so at your own risk. This includes any sensitive, special category or potentially criminal data. Unless specifically requested or required, you should avoid providing these types of data to AQA.

Aggregated data

Aggregated data is data that is collected and combined from multiple individuals from a population, which is then used to create a statistical report that makes inferences about the population. Aggregated data is usually presented as an average, percentage, summary or proportion of some factor of interest.

AQA collects, uses and shares aggregated data such as statistical or demographic data for any purpose. For example, we may aggregate your website usage data to calculate the percentage of users accessing a specific feature. Or, we may aggregate student ethnic data to calculate how one ethnicity is performing against another to provide summarised statistical data to try to address potential bias in our products and services.

Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. However, if AQA combines or connects aggregated data with your personal data so that it can directly or indirectly identify you, it will treat the combined data as personal data which will be used in accordance with this privacy notice.

Special category data

As an employer and provider of assessment products and services, AQA has to collect and process special category data of employees, associates, contractors, trustees, and importantly students. We treat this data with the extra protections required as set out in the UK General Data Protection Regulation (GDPR) and Data Protection Act (DPA) 2018 and take these requirements very seriously. We have in place, as required by legislation, an appropriate policy document for the types of special category data processing conducted by AQA, the lawful basis, purposes, and the conditions to be able to process such data. The main purposes AQA process special category data are for: equality, diversity and inclusion; employment law; and the safeguarding of children and adults at risk. If you would like to know more and review this policy, please get in touch with the Data Protection Office. You can find contact details in our contact us section.

Collecting your data

We may collect personal data from you if you:

  • register at an approved centre
  • take part in our examinations, training, surveys or related events
  • use our website, app, products or services
  • interact with us through social media, email, post, text or phone, or use one of our cookies
  • are a job applicant, employee, ex-employee, associate, trustee, committee/advisory group member, contractor or temporary employee.

CCTV

We may capture information by telephone or CCTV when you call or visit AQA.

There are 65 cameras at the Manchester Devas Street site, 7 cameras at Manchester Synergy House, 63 cameras at the Guildford site, 40 cameras at Milton Keynes Optima Wymbush, 5 cameras at Milton Keynes Kiln Farm Potters Lane, 9 cameras at Milton Keynes Brunleys, and 5 cameras at the London site.

You can find them in our reception areas, loading bays, entrances, blind spots and key points. The cameras are in operation 24 hours a day, 7 days a week, 365 days a year. There are signs which tell you that CCTV cameras are in operation and who to contact for further information.

Our cameras don't capture images which aren’t relevant to the purposes of the monitoring. Surveillance systems aren’t used to record sound. CCTV Recordings are kept for 3 months then overwritten.

There aren’t any cameras in areas where there’s an expectation of privacy (e.g. toilets or changing rooms).

Covert surveillance (where you’re unaware that the monitoring or surveillance is taking place), will only happen:

  • in exceptional circumstances
  • if we have grounds to believe that criminal activity or malpractice is taking place
  • if after suitable consideration, there's no less intrusive way to tackle the issue.

Any covert monitoring or surveillance we have to do will take place for a reasonable period of time. It'll relate only to the suspected criminal activity or serious malpractice.

Cookies and similar technologies, analytics and targeted advertising

We use online tools to collect information from you. For example:

  • Google Analytics improves our marketing campaigns, strategies and website content (we use Google Analytics 4)
  • Third party tools help to keep our website updated and relevant to you
  • Cookies and other similar technologies (such as tracking pixels) help us give you a personalised service.

We'll get in touch if you haven't completed and/or abandoned data entered on our websites and/or other online forms.

Our cookie banner and preference centre allow you to opt-in or out of the various types of cookies and similar technologies we serve in terms of Strictly necessary, Performance, Functional and Targeting. Please check out our Cookie notice for a dynamic listing of the cookies and similar technologies we serve and other information. Non-essential cookies are not loaded on our website unless you click 'Accept all'. Clicking 'Reject all' or not interacting with the banner will ensure only strictly necessary cookies are loaded in order to view our website.

You can also opt-out of the Google Display Advertising Features using Ad Settings, the Google Analytics opt-out browser add on, or WebChoices.

Doing so, however, may restrict the functionality of the AQA website and a large proportion of other websites around the world as cookies are a common feature of most modern websites.

What we do with your data

Your personal information supports a range of different purposes and activities. The types of data we use, the legal base(s) we rely on when processing them and our legitimate interests are:

Purpose/activity

Type of data

Lawful basis

To set and mark tests and examination papers and maintain a permanent record of the examination results (this includes the security and integrity of the examination process, the delivery of accurate results to students; and our compliance with statutory regulations).

  • Identity
  • Contact
  • Assessment
  • Transaction
  • Performance of a contract with you.
  • Necessary for our legitimate interests (eg to maintain and develop our core products and services in a regulated environment).
  • Legal obligation.
  • Public interest.

To develop, deliver, inform and publicise educational: products, policy, standards, qualifications, on-screen assessment, questions, resources and training (including the provision and funding of research to inform education policy and improve assessment practice, which may include the use of personal and special category data for equality, diversity and inclusion (EDI) purposes).

  • Identity
  • Contact
  • Technical
  • Usage
  • Marketing
  • Survey
  • Assessment
  • On-screen assessment
  • Pupil
  • Digital data
  • Communications
  • Behaviour
  • Performance of a contract with you.
  • Necessary for our legitimate interests (eg to maintain and develop our core products and services in a regulated environment).
  • Public interest.
  • Processing necessary for reasons of substantial public interest.
  • Processing necessary for archiving purposes in the public interest for research purposes.

To promote education for the public benefit (this includes the provision of dedicated support and mentoring to young people through the AQA Unlocking Potential programme).

  • Identity
  • Contact
  • Technical
  • Usage
  • Marketing
  • Survey
  • Performance of a contract with you
  • Necessary for our legitimate interests (eg to promote education).
  • Consent.

Capturing your data for events you may attend/book where AQA present at, attend or host by collecting data electronically or otherwise (sign up, booking, verbal, or scanners for example).

This is to provide you with relevant resources and information to support you in what you may be interested in from AQA. You also consent to AQA providing your data to vetted third party suppliers to book and manage our events/venues.

  • Identity
  • Contact
  • Survey
  • Marketing
  • Communications
  • Behaviour at events

Consent.

To create an account, register you as a new customer and administer your account.

  • Identity
  • Contact

Performance of a contract with you.

To manage our relationship with you, including: providing you with any information, products or services that you request from us; notifying you about changes to our products, services, events, terms and conditions or privacy notice; statistical analysis, market research, marketing, social media advertisements, and support.

Based on your marketing preferences we may use publicly available information to serve social media advertisements to you.

  • Identity
  • Contact
  • Marketing
  • Digital data
  • Performance of a contract with you.
  • Necessary for our legitimate interests (eg to keep our records updated and to study how customers use our products and services).
  • Consent.

To process and deliver your order including: delivery of products and product features, recording your order details; keeping you informed about the order status; issuing product renewal notices, taking and processing payments and refunds, collecting money owed to us; and assisting fraud prevention and detection.

  • Identity
  • Contact
  • Financial
  • Transaction
  • Marketing
  • Performance of a contract with you.
  • Necessary for our legitimate interests (eg to recover debts due to us).

To use data analytics to: improve our website, products, services, marketing, social media advertisements, customer relationships and experiences; and for market research, statistical and survey purposes.

Based on your marketing preferences we may use publicly available information to serve social media advertisements to you.

We may track your interaction with our website (which includes cookies and tracking pixels), ad campaigns, other areas of the internet, and social media etc. This data is collected through your consent and settings whilst browsing the internet. The majority of this data is aggregated and anonymous which provides us with data on views, clicks, impressions etc.

  • Identity
  • Contact
  • Technical
  • Usage
  • Marketing
  • Survey
  • Digital data
  • Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy).
  • Consent.

To register you for email updates, recommend products and services, and events that may be of interest to you.

Based on your marketing preferences we may use publicly available information to serve social media advertisements to you.

  • Identity
  • Contact
  • Technical
  • Usage
  • Digital data
  • Marketing
  • Consent.
  • Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy).

To gather your opinions on our products and services, or on your experiences of education. This includes the creation of our Student Advisory Group, including EDI data collection required to ensure a complete cross section of society is represented.

  • Identity
  • Contact
  • Survey
  • Marketing
  • Pupil
  • Consent.
  • Legitimate interests (for EDI purposes).

To improve our customer service, monitor quality, resolve complaints and ensure compliance with regulations through contact capture, webforms and call recording.

  • Identity
  • Contact
  • Digital

Necessary for our legitimate interests (to monitor quality and performance, resolve complaints, improve call handling practice and train staff to improve customer service).

To prevent crime and protect buildings and assets (of AQA, occupants of the building and of their respective staff and visitors) from damage, disruption, vandalism and other crime.

  • Identity
  • Digital

The legitimate interest of protecting our buildings and assets which belong to our staff, visitors and other occupants.

For the personal safety of staff and visitors (of AQA and the occupants of the building) and other members of the public and to act as a deterrent against crime.

  • Identity
  • Digital

The legitimate interests of keeping our staff, visitors and other occupants of the building safe.

To support law enforcement bodies in the prevention, detection and prosecution of crime. This may include: social media and internet monitoring where AQA believe our products and services may be being illegally passed on or sold; and where we may be alerted to safeguarding issues/referrals which have been divulged to AQA by students through using our services.

  • Identity
  • Contact
  • Digital
  • Pupil
  • Safeguarding
  • Assessment
  • On-screen assessment
  • The legitimate interest of helping staff, visitors and other occupants to prevent, detect and prosecute crime.
  • Legal obligation (where a crime has been committed).
  • Public interest (to ensure AQA examinations are free from dishonesty and malpractice).
  • Article 9 (g) of the UK GDPR and Section 18 of Schedule 1 of the DPA 2018 – 'Safeguarding of children and of individuals at risk'.

To assist in the day-to-day management, including ensuring the health and safety of staff and visitors (of AQA and occupants of the building), and temporarily collecting dietary requirements if staff and visitors are provided food at any of our locations.

  • Identity
  • Digital
  • Behaviour (dietary requirements)
  • The legitimate interests of AQA and occupants of the building in managing their businesses and ensuring the health and safety of their staff and visitors.
  • Legal duty under health and safety legislation.
  • In some cases – vital interests, when processing and sharing personal data is necessary to protect someone’s life.
  • Explicit consent for dietary information voluntarily provided but is not linked back to you.

To assist in the effective processing of appeals from centres or students in relation to grades received from AQA’s assessment products and services.

  • Identity
  • Contact
  • Assessment
  • On-screen assessment
  • Pupil
  • Digital
  • Communications

The legitimate interests of AQA and our legal obligation to enable centres or students to submit an appeal against the grades received in order to ensure the integrity of assessment across the UK in AQA’s products and services. Also to ensure examinations are free from malpractice and maladministration.

To assist in the effective resolution of disputes which arise in the course of disciplinary or grievance proceedings with staff (of AQA or occupants of or visitors to the building).

  • Identity
  • Digital

The legitimate interests of AQA, staff, visitors and other occupants of the building in resolving disputes which arise in the course of disciplinary or grievance proceedings.

To assist in the defence of any civil litigation, including employment tribunal proceedings (involving AQA or occupants of or visitors to the building).

  • Identity
  • Digital

The legitimate interests of AQA, other occupants of the building and visitors to the building in bringing or defending any civil litigation proceedings.

Usage and recordings of web-conference meetings and webinars you may attend that are hosted or attended by AQA.

  • Identity
  • Digital data
  • Technical
  • Usage
  • Activity
  • Behaviour
  • Consent.
  • Necessary for our legitimate interests (eg to enable those who cannot attend live meetings/events to watch them back at a later date).

To protect the security of commercial, personal and special category data in AQA’s care by securing and monitoring activity within AQA’s network, internet and email.

  • Identity
  • Technical
  • Usage
  • Activity
  • Communications
  • Digital data
  • Biometric data

Necessary for our legitimate interests (protecting the data entrusted to AQA by customers and commercially sensitive data about its business)

AQA may deploy the use of AI in some products and services. For example, we may use AI to transcribe what is said in meetings.

  • Identity
  • Technical
  • Digital data
  • Activity
  • Usage
  • Communications

Necessary for our legitimate interests (use of technology to transcribe meetings quickly and easily from the audio of attendees, low-level personal data)

For job applicants, employees, ex-employees, associates, contractors and temporary employees only:

Purpose/activity

Type of data

Lawful basis

To recruit the right people for our business, and manage their working relationship with us, including job role and responsibilities, salary or fee payments, progression, training, time-keeping, access control, performance management and disciplinary or grievance procedures.

  • Identity
  • Contact
  • Recruitment
  • Financial
  • Transaction
  • Activity
  • Employment
  • Performance
  • Technical
  • Usage
  • Survey
  • Communications
  • Performance of a contract with you.
  • Necessary to comply with a legal obligation.
  • Necessary for our legitimate interests (eg to monitor equal opportunities, to gather employee feedback; to contact your next of kin in case of emergency, time-keeping, access control).

Voluntary disclosures of special category data such as race/ethnicity, religion, legal gender, gender identity, sexual orientation, disability status, marital status and nationality.

This is to support our diversity and inclusion monitoring across the organisation, which is utilised anonymously, not used in recruitment decisions and only shared with colleagues on a need to know basis.

  • Identity
  • Contact
  • Recruitment
  • Employment
  • Explicit consent.
  • Necessary for our legitimate interest (eg. to support our commitment to being a fair, diverse and inclusive employer).

To arrange travel for you on AQA business and making appropriate safety arrangements for this, including monitoring your travel.

  • Identity
  • Contact
  • Communications
  • Performance of a contract with you.
  • Necessary to comply with a legal obligation.
  • Necessary for our legitimate interests (eg to contact your next of kin in case of emergency).

To enable us to provide health benefits, Occupational Health, and wellbeing services to staff.

  • Identity
  • Contact
  • Recruitment Data
  • Employment Data
  • Performance
  • Performance of a contract with you.
  • Necessary for our legitimate interests (eg to carry out health screening prior to employment, to support with health and wellbeing at work, to provide health benefits, and promote a positive working environment).
  • For the purposes of preventive or occupational medicine / for the assessment of the working capacity of the employee.

To enable us to test new and BAU systems using your data, where using dummy data is absolutely not viable.

  • Identity
  • Contact
  • Recruitment
  • Financial
  • Transaction
  • Activity
  • Employment
  • Performance
  • Technical
  • Usage
  • Survey
  • Communications

Necessary for our legitimate interests (eg to implement new systems and technologies to streamline inefficient or manual processes. This decision will be taken only where absolutely necessary, will be documented, risk assessed, alternatives explored and data safeguarded).

To provide our associates and examiners with digital accreditation badges in recognition for working with AQA.

  • Identity
  • Contact
  • Employment
  • Performance
  • Communications

Necessary for our legitimate interests (eg to provide value to our associates and recognition for working with AQA)

To protect the security of commercial, personal, and special category data in AQA’s care by securing and monitoring activity within AQA’s network, internet and email. This may include monitoring occupancy levels in our offices for attendance. Also, how our employees utilise our equipment and systems in AQA's network, and how they access these with the use of biometrics (facial and fingerprint recognition), including the use of artificial intelligence (AI).

  • Identity
  • Technical
  • Usage
  • Activity
  • Communications
  • Digital data
  • Biometric data

Necessary for our legitimate interests (ensuring our networks and data are secure for our employees and ensuring the wellbeing and safety of employees)

We may process your personal data using more than one lawful basis, this depends on the activity.

We’ll use your personal data for the reason we collected it. Unless we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your information for an unrelated purpose, we’ll let you know and explain the legal basis for this.

We may process personal data without your consent, in compliance with the above rules. Where it's required or permitted by law.

We'll keep your personal data:

  • for as long as necessary
  • for the purpose(s) its provided for
  • and to meet our accounting, reporting, legal obligations and public interest responsibilities.

Disclosure and Barring Service (DBS) checks may be carried out on job applicants or employees hired for specific roles, with their consent. This is to guard against the risk of fraud or other unlawful acts being inflicted upon AQA customers, partners or employees. We encourage you to discuss any concerns you have regarding DBS checks with AQA directly.

How long we keep your data

We keep personal data for as long as necessary or mandated for the purposes it was intended for at the point of collection. Our retention periods have been developed from our records of processing activities (RoPA) documentation and are regularly reviewed, updated and audited within AQA.

In the table below, you'll find examples of the data we collect, how long we keep it and why. We cannot provide a full list of all our data and the retention periods here, but we have provided some examples that are relevant to our employees, website users, and customers, etc. Please note that these retention periods are minimum periods, not maximum.

If you'd like to know more about our retention periods or require further information, please contact us.

Type of data

How long we keep it

Reason

Grades, results and entries

These are retained permanently

Regulatory need

Website tracking data

Various retention periods

Please visit our cookie notice

Supplier/employee/contractor/associate contracts

Seven years after termination

Limitations act

Employment, pension, expenses and payments

Seven years after termination

HMRC, limitations act

Recruitment of unsuccessful applicants

Two years

Business need

CRM database contacts

Two and a half years to four years

Business need

Complaints cases

Three years

Business need

Malpractice cases

Six years

Regulatory need

Appeals cases

Five years

Regulatory need

Marketing lists

One year after deactivation

Business need

Safeguarding data

Until child is 25

Best practice

Moderation data

Two years

Regulatory need

Special consideration cases

Three years

Regulatory need

Conflict of interest

Two years

Regulatory need

Centre inspections

Six years

Contractual need

How we store and protect it

We keep personal data confidential within a secure infrastructure protected by many firewalls and other technical and organisational measures. We are committed to keeping the security of our systems up to date.

Access to your personal data is only given to those who have a business need to know it. They can only access it on our instructions and they'll stay subject to a duty of confidentiality.

Any third party we work with must have security measures in place to process your personal data. AQA ensure their third parties protect your data under the law.

We have procedures in place to deal with any suspected personal data breach. We'd let you and the UK Information Commissioner know of a breach where we're required to do so.

We keep CCTV data on secure hard drives located within our offices. Sometimes we have to give data to law enforcement agencies, or data subjects under data protection law.

We follow a range of different governance processes. For example, we use the ISO27001 information security standard. We are currently ISO27001 certified.

How we share your information

We may share your personal information with the following, where we are the controller or joint controller of the information with other bodies and where we have a lawful basis to do so:

  • The AQA group of companies (AQA Education, AQA Commercial Services, AQA Assessment Services, AlphaPlus Consultancy, Doublestruck, Oxford International AQA Examinations, and Training Qualifications UK).
  • Government agencies, their partners and other third parties such as Ofqual, DfE, HMRC, Companies House, The Charity Commission, UCAS, Student Loan Company, Magistrates Courts, Centres/Schools/Academies, Employment Tribunals and Local Authorities.
  • Affiliates, associates, business partners, suppliers (including their sub-contractors) or other third parties that we use to support the operation of our business. For example, to: carry out criminal or credit checks; support the logistics involved in the secure keying, scanning, storage and transportation of exam papers; provide IT systems and software, internet access, website or hosting solutions; organise events or provide marketing and advertising services; provide training and development services; deliver employee benefits, run payroll, perform occupational health checks and referrals, and provide employee assistance. Oxford University Press (OUP) for delivery of international products and services, other exam bodies and the Joint Council for Qualifications (JCQ) where joint working is required to process results.
  • Our professional advisers including auditors, lawyers, bankers and insurers who provide professional advice, accounting, banking, legal, insurance, and pension services or to meet our audit responsibilities.
  • Employers of associates, for example, the payment of teacher release vouchers.
  • If you’ve given consent for us to share your data with a third party event, we may pass your data onto that third party.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. AQA does not allow its third-party service providers to use your personal data for their own purposes and only permits them to process your personal data for specified purposes and in accordance with our instructions.

AQA may add to your personal data any information it obtains from third parties that are allowed to share your data with AQA. This may include data from its examination centres, schools and colleges, the Department for Education, search data providers or public sources. In each case, AQA will do only what is allowed by relevant laws.

AQA may share non-personally identifiable information about the use of its websites or products publicly or with third parties; however, this will not include data that can be used to identify you.

CCTV

  • Authorised personnel watch our CCTV during working hours only. It's accessible remotely at other times if required.
  • We can check live feeds from CCTV cameras, if for example we need to protect health and safety.
  • Live feeds from cameras and recorded images are only viewed by approved members of staff.
  • We can share images from our CCTV system. If for example someone's car has been broken into on our premises. We’re not responsible for the use these occupants or individuals make of those images.
  • Law enforcement agencies can view or remove CCTV footage in the detection or prosecution of crime.

Data sharing

Data sharing with UCAS

UCAS will be provided with a copy of your candidate record for the relevant year, irrespective of whether you have made any applications to higher education institutions. This is so that there is no delay in processing your application should you decide to make a late application through the clearing system.

UCAS holds this information under strict instruction from AQA, and the other awarding bodies, and is strictly prohibited from using the information (even consulting it) except as instructed.

UCAS is instructed to search the records to find candidates who have applied to UCAS, and to access the records of applicants. UCAS can use this information to process your application (please see the privacy notice that UCAS provides to you for more details about the information, how UCAS uses it, and how long it keeps it). If you do not apply to UCAS, however, it is instructed not to access your information.

Once clearing has finished, UCAS is instructed to permanently delete all of the records provided by AQA and the other awarding bodies. UCAS can only keep the information it extracted from these records if you applied to UCAS, and will let AQA know whether or not it accessed your records. AQA relies on legitimate interest in facilitating the UCAS clearing process to make sure students have a seamless integration into the admissions services.

Data sharing with the Joint Council for Qualifications (JCQ)

JCQ exam boards collectively share and process candidate-level data for the following purposes:

  • To build the annual GCSE National Candidates Results Archive (NCRA), for use in research on standard-setting and to calculate prior attainment measures and prediction matrices used in GCE standard-setting.
  • To create the annual candidate-level Key Stage 2 Prior Attainment data set, to match learners to collated GCSE results and to produce prediction matrices used in GCSE standard setting.
  • To calculate ‘screening’ statistics after the completion of an examination series and to check that standards are aligned statistically between exam boards.
  • Entries and grade data for:
    • awarding endorsement grades in Ofqual-accredited GCSE English Language Spoken Language and A-level sciences
    • identification of students entered for the same subject with multiple exam boards in the same examination series
    • preparation of JCQ results statistics for publication
    • research into standards in general, vocational and technical qualifications
    • inter-board statistics and specification data
    • preparation of examination timetables and key dates for publication
    • preparation and use of national prediction matrices for standard setting
    • preparation of JCQ advanced entries analysis
    • summer results for GCSE Maths and English to feed into the November crosstabs.

Third parties

We respect your data and expect all third parties to do the same.

We don’t allow our third-party service providers to use your personal data for their own purposes. They can process your personal data for specific purposes and under our instructions.

We can save any information we get about you from third parties, such as:

  • examination centres
  • schools and colleges
  • other exam bodies
  • the Department for Education (DfE)
  • search data providers
  • public sources.

In each case we’ll do only what’s allowed by relevant laws.

We can share information about our websites or products publicly or with third parties. This will not include data that can identify you.

Information disclosed in connection with business transactions

Information that we collect from users, including personal data, is a business asset.

If we get a third party as a result of a transaction such as a merger or acquisition or if our assets are acquired by a third party in the event we go out of business or enter bankruptcy,

some or all of our assets, including your personal data, will be disclosed or transferred to the third party in connection with the transition.

We'll always make you aware of such business transactions and give you the option to opt-out.

International transfers

On the 28 June 2021, the UK was granted ‘adequacy’ by the European Commission in GDPR terms.

International transfers to the UK and AQA from the European Economic Area (EEA) and other adequate countries can continue to take place with no additional safeguards. This is alongside existing measures we have in place for international transfers outside of the EEA.

Data transfers from AQA to countries within the EEA

We can still send personal data to the EU/EEA, Gibraltar and other countries deemed adequate by the EU. They have adequate protection by the UK Government under the new arrangements. We’ll always do so securely in line with the GDPR principles.

Data transfers to AQA from countries within the EEA

Because the UK is now an ‘adequate country’ in data protection terms, the EEA do not require additional safeguards for transferring data to the UK.

Data transfers from AQA to countries outside the EEA (incl. USA and the rest of the world)

Our applications, services and products use service providers outside of the EEA. We may have to transfer some of your data to these providers so you can use our websites, services, and products. Also, low-level student personal data may be accessed from outside of the EEA for international associates (examiners) to mark AQA assessments or qualifications.

Appropriate measures and controls are in place to protect the transfer of your data.

Transfer of data is made in accordance with the requirements of the UK GDPR and DPA 2018 and are based on the use of the European Commission’s Standard Contractual Clauses (SCC) for transfers of personal data outside the EEA. AQA also utilise the Information Commissioners Office’s (ICO) International Data Transfer Agreement (IDTA) addendum for transfers to none adequate third countries outside of the UK and EEA. For transfers to the USA, we are able to send data to some companies without additional safeguards, as long as they are certified to the new UK-US Data Privacy Framework data bridge, which came into force in October 2023.

These are examples of the types of data we transfer to third countries outside of the UK and EEA using additional safeguards:

  • Identity, Contact, Assessment, On-screen assessment, Pupil – this may be sent to our partners who process our physical or digital exam scripts. They are based in the Philippines, Indonesia, Mauritius, and India. We may also provide this type of data internationally in order for you to use our products and services from outside the UK. You may provide this data to us so that we can enrich it with assessment data and return to you as a reverse transfer – this is low-level personal data.
  • Recruitment, Employment, Performance, Financial, Transaction – this may be accessed by our supplier partners who support our software products. They are based in the US and India.
  • Technical, Marketing, Usage, Survey, Activity, Communications, Digital, Behaviour, Safeguarding, Biometric – this may be accessed by our supplier partners who support our software products. They are based in the US, India, and Norway.

By using our websites, services and products or by interacting with us in the ways described in this privacy notice, you agree to and are informed of the transfer of your data outside the EEA in the circumstances set out in this privacy notice. If you don’t want your data to be transferred outside the EEA, you should not use our websites or products.

If you'd like to discuss the additional safeguards outlined above, access documents, review our processes, or receive further information on our international data transfers, please contact us.

Automated decision making

In certain situations AQA may have to make semi-automated decisions on the grading of exams/exam units, mainly when exams cannot take place or if a candidate is absent and unable to take an exam or set of exams.

Provided that students were entered for the units at the time, results will be generated based on results in the exams which students actually sat. This will be done by using statistical analysis processing for estimating missing marks, which is in line with JCQ guidance. The calculation takes into account any differences in assessment performance that exist across different units. This is called mark estimation or back calculated mark.

This process has been documented in the legitimate interests of AQA, and in the interests of the student and centre, to remove the possibility of the candidate receiving a grade of zero, and in some cases having to repeat a whole year of schooling. In other circumstances candidates will have the option to resit exams which are mark estimations or back calculated, if they're not happy with the grade applied.

Also, as per data protection legislation, candidates who may be affected by this process have the right to obtain human review into the grade applied, express their opinion or point of view, and to contest the decision. Visit the contact us page to find out more, or go to the contact us section at the bottom of this page.

Artificial Intelligence (AI)

Within certain products, services, suppliers, systems, and software AQA may utilise Artificial Intelligence (AI). We have developed a robust ethical framework to review any AI we implement at AQA to ensure there are no negative outcomes, bias, or discrimination, as a charitable organisation serving teachers and students across the world.

Each use case is established based upon its value to our customers, stakeholders, and organisation as a whole. Within our internal governance processes, we review the equality, impact, and risk of each AI use case to ensure there is accountability for transparency, documentation, training data, human oversight (human in the loop), explainability, audit logs, accuracy, cyber security robustness, and more intense AI Data Protection Impact Assessment (DPIA) processes.

Below are some of the AI use cases that AQA currently deploy within our organisation.

Use Case

Brief Description

Determine candidate response to a Multiple-Choice Question (MCQ)

Uses a set of pre-defined Neural Net Models built, and trained, internally. These models use Predictive AI computer vision to determine candidate responses.

Extract candidate details from front page of a script for use in Candidate Matching Process

Uses a mixture of Microsoft Optical Character Recognition (OCR) technology and own built AI models to determine the candidate details as written on the page.

Use of OpenAI

We may use OpenAI to create basic, generic internal or external policies.

Copilot features in our CRM tool

We use Copilot to summarise cases, generate timelines of events and assist in querying our knowledge base.

Quality Assure (QA) exam marking (Pilot)

We may use AI to check a human’s marking is correct or within tolerance and if not will be sent for further human review.

To deliver training via an AI avatar

We may use AI to deliver training in a more engaging and ‘human’ way using an AI avatar rather than use lots of text.

To check coding in our software debugging processes

We may use AI tools to check our computer code or create code for us to reduce errors in our software.

To translate our products into other languages

We may use AI tools to help translate some of our products and services into other languages for inclusivity and to reduce the likelihood of errors.

To transcribe speech of participants in meetings

We may sometimes want to record a meeting and part of that might be the use of AI to transcribe what is being said for use after the meeting.

If you wish to find out more about AQA’s use of AI please visit the contact us page to find out more, or go to the contact us section at the bottom of this page.

Your rights

You have several rights under the data privacy legislation. To learn more, see the table below.

Under certain circumstances you have the right to:

For example:

Access your data – you can access your data at any time by completing the subject access request form. Please be specific about what you want to know. We’ll need to confirm your identity before we release data to you.

You can request access to your exam results, exam scripts, marks provided by examiners, or general information on how we process your data.

Correct your data – you can ask us to correct any data we hold about you that's inaccurate.

We can update your:

  • name
  • date of birth
  • gender
  • email address
  • phone number
  • address that we use to contact you.

Request erasure – you have the right to ‘be forgotten’, in certain circumstances. This doesn’t apply if it would prevent the performance of a contract with you. Or if there's another legal requirement for us to keep your data. If erasure is not possible, you may be able to ask us to restrict processing.

You can request that we remove your email address from a marketing list or remove your contact details from our CRM database. You can also ask us to delete your CV if your job application is unsuccessful. This does not apply to erasing results data.

Request the restriction of processing of your data – you can suspend the processing of your data under certain circumstances. For example, pending a review of the accuracy of the data or after you have objected to our use of the data, and we need to establish whether we may lawfully continue processing it.

We can temporarily remove your data from our website or stop the processing of your data in our CRM system whilst we investigate any claims. This is an unlikely rights request for AQA but it is an option for you.

Request the transfer of your data – in some cases, you can ask us to transfer the data you originally provided to us to yourself or to another company. This only applies to data you provided directly, or that we observed about you through automated means.

You can request a copy of your contact account on our CRM database in a machine-readable format which you can use with other companies. This is an unlikely rights request for AQA but it is an option for you.

Object to the processing of your data – you can object to our processing of your data for direct marketing purposes, based on our stated legitimate interests (defined in the table above). In some cases, we may have compelling lawful grounds to process your data which override your rights and freedoms.

You can request that we stop:

  • sending you marketing data by email
  • tracking you on our website via our consent banner
  • contacting you by phone.

Object to automated decision-making – you can also object to the processing of your personal data where profiling is being used to make assumptions about your behaviours or preferences. You have the right not to be subject to automated decision-making and can request that any such decisions are reviewed by a human.

You can ask us not to:

  • target you for marketing purposes
  • give you estimated calculated grades.

(See our section on automated decision making)

Making a complaint

We take the handling of your personal data very seriously. But, if you feel your data is being handled in a way that breaches data protection legislation, you can make a complaint.

Please contact our Data Protection Office at GDPRenquiries@aqa.org.uk.

We may charge a reasonable fee if your request is unfounded, repetitive or excessive. We can refuse to follow your request in these circumstances.

We’ll always try to respond to any legitimate request within one month. It may take us longer if your request is complex or you've made many requests. In this case, we'll let you know and keep you updated.

As a security measure, we may ask you to confirm your identity. This ensures that:

  • personal data isn't disclosed to any person who doesn't have a right to receive it
  • your right to access your data or to exercise any of your other rights.

We may also contact you to ask you for further information in relation to your request to speed up our response.

You also have the right to complain to the UK Information Commissioner.

AQA Education’s Information Commissioner’s Office registration number is Z6944888.

Opting out

If you don't want to receive information from us, you can ‘opt-out’ at any time. Use the “Unsubscribe” link at the footer of our emails or by contacting us at GDPRenquiries@aqa.org.uk.

We’ll process all opt-out requests as soon as possible. But please note it may take a few days for any opt-out request to be processed.

Our website may include links to and from third party websites. These websites will have their own privacy policies. We don't accept any responsibility or liability for them. Please check these policies before you submit any personal data.

The legal basis for processing your personal data

The law requires us to inform you of the legal basis for collecting and processing your personal data, where we are the Data Controller, or Joint Data Controller. These include:

  • Performance of contract – ie when we have a contract to either provide a product or service to you, or to receive something from you. We're also acting under the 'performance of contract' if we collect or process your data for the purposes of entering into a contract with us.
  • Legitimate interests – ie processing personal data, which doesn't relate to the performance of a contract agreed with you. We'll check the fairness of this; and will only undertake the processing if it's reasonable to do so and will not cause undue risk to you.
  • Legal obligation – we're legally bound to process certain data about you. In some cases, we're obliged to share personal data with third parties, such as Ofqual, JCQ, DfE and HMRC.
  • Public interest – we're obliged to maintain a permanent record of your assessment data (eg examination history, subject, grade, and type of qualification) under the 'Conditions of Recognition' defined by Ofqual, underpinned by the Apprenticeships, Skills, Children and Learning Act (2009). This is both a legal obligation and necessary for the performance of a task carried out in the public interest. We may also share data with Ofqual, JCQ and the DfE under this lawful basis.
  • Consent – we don't rely on consent as a legal basis for processing your personal data. Other than in relation to sending marketing communications via email or text message.

Where we'd like to be able to contact you about our products and services, we’ll seek your consent to keep and re-use your contact details for that purpose. You have the right to withdraw consent to marketing at any time by contacting us.

Contact us

We have an established Data Protection Office that oversees AQA’s activities to ensure that your personal data is handled ethically and in line with our legal obligations. If you have any questions about the way in which we collect, hold or process your data, or wish to exercise your rights, please contact us at GDPRenquiries@aqa.org.uk. Our Data Protection Officer is Graham Dwyer.