Privacy statement

Introduction

By you registering for and/or sitting HPAT-Ulster, The Australian Council for Educational Research Ltd (ABN 19 004 98 145) of 19 Prospect Hill Road, Camberwell, Australia 3124 (collectively, ACER, we or us) will collect your personal information to prepare for, administer and finalise all activities to satisfy the purposes for which you may sit HPAT-Ulster, including:

  1. investigating any suspected misconduct and determining and administering any consequences for misconduct;
  2. disclosing your personal information to the University of Ulster courses that require HPAT-Ulster scores and to UCAS, and them collecting, storing, using and disclosing your personal information in accordance with their policies from time to time;
  3. disclosing anonymised data only to approved research bodies that have an interest in HPAT-Ulster data. Any research report will include anonymised data only;
  4. ACER’s contracted remote proctoring supplier for HPAT-Ulster conducted online. By registering to sit HPAT-Ulster you may need to, or ACER may, provide your Personal Information to the contracted remote proctoring supplier. These may include Examity or ProctorU who supply such services. Examity and ProctorU are companies based in the United States. Personal Information you provide to Examity or ProctorU will be stored outside of Australia. You may view Examity’s privacy policy at https://www.examity.com/product-privacy-policy/ or ProctorU’s privacy policy at www.proctoru.com/privacy-policy. All privacy statements will be updated in the event the supplier changes.

("The Purpose").

In respect of any act or omission of ACER concerning your personal information, in pursuit of the Purpose, ACER may be subject to the:

  1. Privacy Act 1988 (Cth) (Privacy Act); and/or
  2. Applicable European data law.

The personal information ACER collects in pursuit of the Purpose:

The information ACER may collect in pursuit of the Purpose about you includes:

  1. Name;
  2. DOB;
  3. Sex;
  4. Address;
  5. Postcode;
  6. Country;
  7. Phone;
  8. Email;
  9. ID document type & Expiry;
  10. If you are a registered health professional;
  11. Preferred test centre;
  12. Country of birth;
  13. Citizen/PR of AU, citizen of NZ;
  14. Status as an Indigenous Australian;
  15. Language;
  16. If you reside in ASGC-RA area (remote/regional Med entry);
  17. Secondary schooling completed;
  18. Secondary schooling type;
  19. Highest qualification completed;
  20. Year first degree completed;
  21. Major subject area;
  22. University attended;
  23. Registration information;
  24. Payment details;
  25. Test answers and results;
  26. Application (if any) for special testing conditions including health information;
  27. Identification information; and
  28. Communications with ACER relating to the Purpose.

(The information listed above is referred to as "Personal Information/Data")

The Privacy Act:

To the extent of the applicability of the Australian Privacy Act to your Personal Information collected in pursuit of the Purpose:

You CONSENT to ACER:

  • collecting and using any sensitive (such as health) information, for example, in case you need special consideration in sitting HPAT-Ulster;
  • collecting, storing, using, disclosing and transferring OUTSIDE OF AUSTRALIA, for purposes related to your registration, your personal information in accordance with its privacy policy specified at the end of this statement. YOU ARE NOTIFIED that the persons to whom the information is disclosed outside of Australia have no obligation to abide by the Australian Privacy Principles contained in the Privacy Act. The consequences of this may be that the:
    • country of the person may not have similar privacy laws or measures by which you may pursue any of your rights in respect of privacy as that of Australia; and
    • person may not handle your personal information in the manner designated under the Australian Privacy Principles and you may not have any mechanism by which to seek redress.

Please note the remote proctoring advice above concerning storage of your Personal Information in the United States of America.

Should you not wish to provide the above consents or wish to access and/or amend your personal information or wish to make a complaint related to privacy, please contact the HPAT-Ulster Office at hpat-ulster@acer.org.

For further information concerning how ACER handles your personal information or what privacy rights you have, please see: https://www.acer.org/privacy.

GDPR and other applicable European data law

To the extent of the applicability of the General Data Protection Regulation (GDPR, which term includes other applicable European law) to your Personal Data collected in pursuit of the Purpose, this notice tells you how we collect and process your personal data in connection with the HPAT-Ulster test, including what we use it for and who we share it with. It also explains your rights in relation to the processing of your personal data. This Privacy Notice may be amended from time to time if our practices change.

Definitions

The following items used or referred to in this document are defined below:

  • Data controller: the company, organisation or person that decides (jointly or alone) on the means and purpose of processing of personal data;
  • Processing: any action, including storage, collection, usage, destruction, combining or publishing, or anything that otherwise constitutes any form of operation on personal data; and
  • Personal data: any information related to an identified or identifiable natural living person.

Contact us

Please contact us if you have any questions or comments about this Notice or if you wish to exercise your rights under applicable privacy laws, which are explained further below.

You can contact us by:

  • sending an email to dpo@acer.org; or
  • calling +44 (0) 20 3909 0659

Data Protection Officer and ACER's compliance with the GDPR

Our registered Data Protection Officer (DPO) monitors and advises on compliance with the GDPR which applies to ACER's processing of personal data of individuals (known as data subjects) in the context of its UK operations or in relation to ACER offering data subjects ACER's products or services within the European Economic Area (EEA).

Our DPO can be contacted by email at dpo@acer.org.

Acer International United Kingdom Ltd (ACER UK) is the authorised EU Representative for ACER and can be contacted as follows:

13-15 Canfield Place
London NW6 3BT
UNITED KINGDOM

Telephone: +44 20 3909 0659
Email: unitedkingdom@acer.org

ACER UK is registered with the UK's Information Commissioner's Office (ICO) under Z1280311 as both a data controller and data processor.

ACER UK is the data controller for our website and services provided through our website at the address shown above. However, ACER is a processor when supplying HPAT-Ulster services to universities.

On our website, you may find links to other third party websites not operated by us. This Privacy Notice does not apply to them – always check the Privacy Notice of any other third party website you enter.

What personal data do we collect and how?

The personal data we collect when you register to sit the HPAT-Ulster includes that specified above.

Sometimes we may be required to collect special categories of data about you, such as your health information, if you apply for special testing conditions.  We will only collect special categories of data from you or about you with your explicit consent, unless otherwise required or permitted by law.

By supplying special categories information about yourself, either directly or through another authorised third party, you or the providing party will be taken to have given your explicit consent to our collection of that information to be used only for the specified purpose. When we obtain such information from a third party, we will insist that the third party must obtain explicit consent from you before transfer occurs.

We will collect your personal data when you register to sit the HPAT-Ulster or contact us in connection with your test.

Given the nature of our services to universities, we also collect personal data about you from the university to which you are applying. We may also collect information through secure web-based application systems if you undertake certain assessments, and from other third parties where you have agreed with them that your information may be disclosed.

How do we use and process the personal data we collect about you?

Basis for processing personal data

Purpose for processing

To perform our contract with you and respond to your related requests

We may use and process personal information under a contract with you to administer and provide the HPAT-Ulster to you.

With your consent

We may use your personal data for the purpose for which you have given your consent, which we will ensure we or a third party have obtained prior to processing your information. For example, with your consent, we may communicate with you (through the consented communication channels, including email, mail or social networking forums) for the specific purposes of:

  • telling you about other ACER products, services and offers that may be of interest to you;
  • inviting you to events; or
  • running competitions and other promotions.

Consent can be withdrawn at any time without detriment. You can withdraw your consent for a specific communication channel by clicking on the 'unsubscribe' link in our communications or contacting us directly using the details above.

In connection with our legitimate interests in carrying on our business

We may use your information for our legitimate interests (where we have considered these are not overridden by your rights to privacy) by:

  • investigating any suspected misconduct and determining and administering any consequences for misconduct;
  • publishing anonymised educational material;
  • research and statistical analysis, for the public interest;
  • operating and managing the ACER Foundation (public charities);
  • verifying identity or preventing or investigating any fraud or crime or suspected fraud or crime.

Under a legal obligation

We may use and process your personal data where we are required to do so by applicable laws, regulations or codes that apply to us.

What happens if you don’t provide your personal data to us?

If you don’t provide your personal data to us, we may not be able to:

  • permit you to sit the HPAT-Ulster;
  • respond to your requests;
  • manage or administer our HPAT-Ulster services; or
  • personalise your experience with us via the website.

Who do we share your personal data with?

We may share your personal data with other organisations consistent with the purposes for which we use and process your personal data as described above. This includes:

  • University of Ulster courses that require HPAT-Ulster scores, and UCAS;
  • entities that assist us in providing and administering our services (including hosting and data storage and remote proctoring suppliers); and
  • where we are required to do so by law, government agencies (or individuals appointed by government agencies) responsible for investigating and resolving breaches of law, fraud, criminal activities, disputes or complaints concerning our products or services.

Sharing personal data outside of the EEA

The main administrative office of ACER is in Australia with satellite offices overseas (see website for details). If we need to share some of the personal data we collect about you with organisations inside or outside Australia, we will take steps to ensure the transfer of personal data is lawful and complies with one of the safeguarding mechanisms as mandated by GDPR law; for example, through the use of Standard Contractual Clauses. All enquiries pertaining to the transfer of personal data outside the EEA and the specific safeguards can be directed to our EU representative, as outlined above.

How do we hold your personal data and keep it secure?

We hold your personal data in a combination of electronic and hard copy files depending on the service. We may store your personal data with one or more third party secure data storage providers. 

We may combine personal data we receive about you with other information we hold about you. This includes information received from third parties. Where possible, we will anonymise (de-identify) personal data we collect from studies we carry out as part of our research activities. 

We take all reasonable steps to protect the security of your personal data by the use of various methods, including password protection and secure storage.  Where we store your personal data with a third party data storage provider, we require them to agree to keep it secure and only use or disclose it for the purpose for which the service was provided.

Please contact us immediately if you become aware of, or have reason to believe there has been, any unauthorised use of your personal data that we hold.

What happens when we no longer need your personal data?

We generally keep your personal data for up to two years after you have taken the HPAT-Ulster, or otherwise as required for our business operations or by applicable laws. 

We may need to retain certain personal data after we cease providing you with services to enforce our terms, for fraud prevention, to identify issues or resolve legal claims, and for proper record-keeping. When we no longer require your personal data, we’ll ensure that your personal data is destroyed or de-identified.

We also retain a record of any stated objection by you to receiving ACER marketing for the purpose of ensuring we can continue to respect your wishes and not contact you further.

Your personal data rights

Under the GDPR or applicable law incorporating this legislation, you are afforded a number of rights, as detailed below.

How to access your personal data

Subject to applicable laws, you may request to know if ACER is processing your personal data and, if so, you may request access to your personal data (including in a structured, commonly used and machine-readable format). We will need to verify your identity before we can give you access. We will acknowledge receipt, and we will endeavour to deal with and respond to your request within one calendar month.

In certain circumstances, we are permitted by law to refuse access to your personal data. In such cases, we will give you a written explanation for our decision and information about how you can complain to the appropriate supervisory authority (e.g. ICO in the UK) if you are not satisfied with our decision.

You will not be charged for making a request for your personal data. However, we may charge a fee to provide your personal data if the request is repetitive, to cover administrative costs. We will inform you of any fee at the time your request is made.

How to correct your personal data

If you think that any personal data we hold about you is inaccurate, you may ask us to correct it. We will take reasonable steps to correct it unless we disagree with your reasons. If we refuse to correct your personal data, we will give you a written explanation of our decision.

Additional rights and choices

In certain circumstances, you can:

  • obtain information about the processing of your personal data;
  • ask us to erase your personal data, such as if you withdraw your consent and we are not otherwise legally entitled to retain it;
  • object to, and ask us to restrict, our processing of your personal data, if the legal basis is legitimate interest or public interest or we are applying profiling to your data, although we may continue to process your personal data while we verify your assertion or complaint;
  • withdraw your consent or object to processing for direct marketing or profiling purposes;
  • raise a complaint with your supervisory authority about our handling of your personal data.

How do you make a complaint?

If you believe that we have not processed your personal data in compliance with the GDPR and have failed to provide your rights as detailed above, please contact us initially using the contact details above for our EU representative. We will investigate any complaint and notify you of our decision in relation to the complaint as soon as practicable after it is received and within 28 days.  

If we are unable to satisfactorily resolve your concerns about our handling of your personal data, you have the right to make a complaint to the relevant European data protection authority; for example, in the place you reside or where you believe we have breached your rights. The Supervisory Authority of our EU representative is the ICO, which will be able to investigate your complaint. The ICO can make use of the 'One Stop Shop' mechanism to address complaints from residents within the EEA and outside the UK if that benefits the complainant and their home location.

Legal basis for processing your information

(1)

By registering for HPAT-Ulster, ACER will be required to collect, store, use and share information about you in pursuit of the Purpose and for reasons deemed necessary for the performance of your contractual agreement with ACER.

(2)

ACER will obtain explicit consent from you when collecting or handling special information in order to assist with health, disability or special assistance you need to undertake the HPAT-Ulster (e.g. special accommodation applications and services to candidates with disabilities).

(3)

Processing of your personal data may also be necessary for the pursuit of ACER’s legitimate interests (see below) or a third party’s legitimate interests - but only where it is not unwarranted and will not cause a prejudicial effect on your rights and freedoms, or legitimate interest or public interest or we are applying profiling to your data, although we may continue to process your personal data while we verify your assertion or complaint.

(4)

Processing of your personal data may also be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University of Ulster instigating HPAT-Ulster.

(5)

Processing of Special Categories data is necessary for the statistical and research purposes in accordance with article 89(1) based on the duties in any relevant equality or discrimination laws.

Legitimate interests

ACER has a legitimate interest in:

  1. Providing you with HPAT-Ulster to assist you in pursuing higher education;
  2. Safeguarding and promoting your welfare and the welfare of other students;
  3. Promoting the objects and interests of ACER;
  4. Facilitating the efficient operation of ACER;
  5. Ensuring that all relevant legal obligations of ACER are complied with; and
  6. Defence of legal claims.

Third party legitimate interests

In addition, your Personal Data may be processed for the legitimate interests of others. For example:

  1. Banking or other financial institutions in respect of payment of fees, refunds or charge-backs;
  2. Potential providers of tertiary education you have approached;
  3. Professional or statutory bodies responsible for the management of university admissions;
  4. Government agencies with duties relating to prevention and detection of crime, collection of a tax or duty or safeguarding national security; or
  5. When investigating a complaint.

Disclosure of your Personal Data

Personal Data is protected by ACER and will not be disclosed to third parties without consent, or as is permitted by law. This section outlines the major organisations and the most common circumstances in which ACER discloses your Personal Data.

Where necessary in pursuit of the Purpose, your Personal Data may be:

  • shared internally within ACER and/or its related contracted service provider companies for the Purpose; and
  • disclosed to:
    • Banking or other financial institutions in respect of payment of fees, refunds or charge-backs;
    • Potential providers of education you have approached;
    • Professional or statutory bodies responsible for the management of university admissions;
    • Government agencies with duties relating to prevention and detection of crime, collection of a tax or duty or safeguarding national security; and
    • Your parents or guardians where consent has been obtained.

Cross-border data transfers

ACER is based in Australia and any activity in respect of your Personal Data mainly occurs in Australia and exclusively in pursuit of the Purpose. Some of the recipients of your Personal Data detailed above may be located outside the EEA.

If your personal information is collected from within the EEA, you acknowledge that you understand that your data will be transferred to Australia in pursuit of the Purpose. In that instance, your personal information will be collected, used, stored and disclosed in accordance with the GDPR. The EEA representative under GDPR legislation is ACER UK (Company No 5572704), 13-15 Canfield Place, London NW6 3BT UK.

Please note the remote proctoring advice above concerning storage of your Personal Information in the United States of America.

Retention periods

ACER may retain your Personal Data collected in pursuit of the Purpose for a period of up to 10 years, for your assistance, so you or your relevant education provider can verify results and Personal Data.

Medical reports and other supporting documentation for reasonable adjustment applications may be retained for the two-year results validity period.

Your rights

Under the GDPR you have a right of access to your Personal Data which ACER holds about you, subject to certain exemptions, by way of making an access request.

If you submit an access request to ACER, you are entitled to:

  • Be told whether ACER holds any Personal Data about you;
  • Be given a description of the Personal Data, the reasons it is being processed, and whether it will be or has been given to any other organisations or people;
  • Be given a copy of the information comprising the Personal Data and given details of the source of the data (where this is available);
  • Be told the purpose of processing;
  • Be told the categories of Personal Data concerned;
  • Be told the recipients or categories of recipients to whom the Personal Data has been or will be disclosed, particularly third countries or international organisations – where this is the case, you are also entitled to be informed of appropriate safeguards relating to the transfer of information;
  • Be told the period data will be stored;
  • Be told the right to request rectification, erasure or restriction of processing;
  • Be told the right to lodge a complaint; and
  • Be told the existence of automated decision making including profiling.

These rights apply to electronic Personal Data and to Personal Data in "manual" (i.e. non-electronic) formats subject to certain exemptions.

Exemptions to your rights

The GDPR includes various exemptions in which a Data Controller can refuse to provide access to Personal Data. The most likely situations in which ACER could refuse to release information in response to a subject access request are where:

  • The release of the information would jeopardise the prevention or detection of crime, or the apprehension or prosecution of offenders;
  • The request relates specifically to access to assessment material;
  • The request relates to Personal Data contained in ACER’s or the University of Ulster’s confidential information;
  • The request relates to Personal Data which records ACER's intentions in relation to any negotiations with you, and the release of the Personal Data would prejudice the negotiations;
  • The Personal Data requested is covered by legal professional privilege;
  • The Personal Data requested relates to management forecasting or management planning, and its release to you would prejudice ACER's business or activities; or
  • The request relates to access to Personal Data which has been retained for the purposes of historical or statistical research, the conditions set out in the data protection laws for processing for research purposes have been met, and the results of the research have not been published in a way which identifies individuals.

If Personal Data is withheld from you as a result of an exemption under the GDPR, it will be explained why the Personal Data has been withheld and the relevant exemption, unless doing so would itself disclose information which would be subject to the exemption.

The GDPR allows ACER to refuse to act on your request, or to charge you a reasonable fee (taking into account the administrative costs of providing the information) where your request is considered to be manifestly unfounded or excessive, in particular because the request is repetitive or unduly onerous in character.

ACER has to protect the data protection rights and other legal rights of other individuals when it responds to subject access requests. Information which does not relate to you may be 'blanked out' or redacted, particularly if it relates to other individuals. Sometimes it may not be possible to release Personal Data relating to you because doing so would also reveal information about other persons who have not consented to their data being released, and it would not be reasonable in the circumstances to release the data without their consent. In such cases, you will be informed that Personal Data about you has been withheld and the reasons for doing so.

If we consider that you have made a subject access request which is manifestly unfounded or excessive in nature (for example, because a request is repetitive), it is possible for ACER to:

  • Charge a reasonable fee taking into account the administrative costs of providing the information; or
  • Refuse to act on the request.

If it is determined that a fee should be charged, you will be notified in writing of that fact, the level of the fee, and the reason for requesting the fee, without delay.

If it is determined that your request will be refused, you will be notified in writing of that fact and the reasons for the refusal to act on the request, without delay.

How do I submit a request?

You can make your subject access request by telephone or in person, by contacting the DPO at the contact details provided above.

When making your request please be as specific as possible about the Personal Data to which you want access, as this will assist in processing your request; for example, if you only want Personal Data relating to your academic record, you should indicate that. A general request such as 'please send me all of the Personal Data which you hold about me' is likely to lead ACER to contact you for further information or clarification.

Proof of ID will be required to ensure that ACER is releasing Personal Data to the correct person. ACER will inform you of what is required and in what form it is required. It will usually involve photographic and authoritative documentation such as passport and driving licence documents.

What happens next?

You will be sent an acknowledgement of your request as soon as possible. This will indicate the deadline by when ACER will send you a response (usually within 28 days).

You may be asked for further information to assist.

Your request will be responded to as soon as possible, and within 28 days of receipt of your request (unless there are grounds to extend that timescale).

The Personal Data will usually be provided in the format in which you make the access request e.g. digitally or by post.

If you request further copies of the Personal Data, ACER may charge a reasonable fee based on administrative costs.

Can I appeal?

If you are dissatisfied with the response to your access request, you have the right to apply directly to the privacy regulator in your relevant country. Further information about how to enforce your rights under applicable data protection laws is available on the relevant privacy regulator’s website.

Effective date: 7 April 2020