At the point of registering for a test, you agree that your Personal Data shall be handled as described in this Policy. If you do not agree to the terms in this Policy, you must request removal of your registration prior to taking a test via the Data Protection Officer. Any disputes related to the Test or use of our Site are subject to this Policy and our registration terms and conditions, including its applicable limitations on damages and the resolution of disputes or any service-specific terms made available to you when you sign up for the Test. Our registration terms and conditions are incorporated by reference into this Policy. If you have any questions or complaints in relation to this Policy, you may contact our Data Protection Officer at firstname.lastname@example.org.
PSI are Joint Data Controller with the relevant Programme Sponsor with regards to Test result data. Therefore, the Programme Sponsor may access your Personal Data via a secure online verification portal for their purposes, such as the UK Home Office accessing the results of UKVI (SELT) if a visa application is made. Any Personal Data provided to a Programme Sponsor will be processed and retained in accordance with their own privacy policies and PSI are not responsible for how the Programme Sponsor processes the Personal Data shared with them.
When you take the Test or visit our Site, we may process the following categories of Personal Data. You can obtain details of the specific categories of information collected by contacting us. Please refer to the Your Legal Rights section below.
Personal data will be processed to serve and support the:
We may use your Personal Data for one of the following activities:
We do not share your Personal Data with third parties for their own marketing purposes.
We disclose your Personal Data internally, within entities of the PSI Group, and externally, with the Programme Sponsors, and other third parties as set forth below. When we disclose Personal Data, the recipient is required to keep that Personal Data confidential, secure and process the Personal Data only for the specific purpose for which they are engaged:
We have put in place various electronic safeguards and managerial processes designed to prevent unauthorised access or disclosure, maintain data integrity, and ensure the appropriate use of Personal Data. We use industry best practices and guidance from sources such as the National Institute of Standards and Technology (“NIST”), National Cyber Security Centre (“NCSC”), Her Majesty’s Government (“HMG”), Government Digital Service (“GDS”), Payment Card Industry (“PCI”), standards from the Center for Internet Security (“CIS”), and International Standards Organization (“ISO”), ISO/IEC 27001:2013 to design and maintain our information security program. We maintain Personal Data, Test data, and licensee updates on secured computers and all Programme Sponsors, Test candidates, and all other accounts are password protected. No such security or safeguards are 100% effective, but we will take commercially reasonable efforts to employ security measures designed to protect the information. No Personal Data is knowingly disclosed to third parties except as described herein. Unfortunately, since data transmission over the internet cannot be completely secure, we cannot ensure or warrant the security of any information transmitted to us.
We limit access to your Personal Data to those employees, agents, contractors, processors and other third parties who have a business need to know and have been security cleared to the UK Home Office standard. They will only process your Personal Data on our instructions, and they are subject to a duty of confidentiality.
PSI conduct Risk Assessments and Data Privacy Impact Assessments service-wide, and these extend to the Processors that PSI use.
We have procedures put in place to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Personal data will be processed for as long as required:
Following the end of such bases for processing, processing of anonymised information will be limited to historical or statistical purposes.
PSI retains your Personal Data for a minimum of five (5) years.
The location of the servers where your Personal Data is stored will be dependent on the specific Services that PSI provide to you (where applicable) and governed by the service you register for with PSI. All Personal Data you shared with PSI will reside in the UK. Please refer to our list of processors for further information on the locations where your Personal Data may be processed by our processors.
We will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you or the Programme Sponsors. When Personal Data is no longer required, we carry out secure destruction in accordance with ISO27001 policies.
Unless agreed otherwise, we may use your Personal Data after anonymisation (so that it can no longer be identified as your information) for historical or statistical purposes, in which case we may use this information for a reasonable period of time without further notice to you. We may also use your Personal Data as part of statistical, aggregated data for research purposes in a pseudonymised form, if required and approved by the Programme Sponsors; such use shall only be for Personal Data in relation to Test data for candidates who took the Test approved or provided by the approving Programme Sponsor.
We may share your Personal Data within the PSI Group for the purposes stated above. This may involve transferring your information outside the European Economic Area (“EEA”). Whenever we transfer your Personal Data outside of the EEA, we ensure a similar degree of protection is afforded to it by implementing the following safeguards:
Intra-Group Data Sharing Agreement. All relevant PSI Group Companies across the globe have entered into an intra-group data sharing agreement adopting the European Commission’s standard contractual clauses and committing to compliance with the General Data Protection Regulation 2016/679 (“GDPR”).
Other International Transfers. Personal Data may be processed outside your jurisdiction by our processors. Please refer to our list of processors at the end of this Policy and the locations where Personal Data may be processed by our processors. We ensure that our processors offer an adequate level of protection to the Personal Data by entering into appropriate agreements committing them to compliance with GDPR and other applicable laws.
We process your Personal Data in accordance with the contract with our Client, the GDPR and the California Consumer Privacy Act (“CCPA”). Based on the specific circumstances, the legal basis for our processing is one of the following:
The GDPR sets forth certain rights for EU residents. PSI is committed to full compliance with the GDPR.
If you are a data subject under the GDPR, you have the following rights in relation to your Personal Data.
To exercise any of these rights, please submit a request to us by emailing our Data Protection Officer: email@example.com
PSI is committed to full compliance with the CCPA. Any terms defined in the CCPA have the same meaning when used in this section.
The CCPA provides California residents with specific rights regarding their Personal Data:
To exercise any of these rights, please submit a verifiable consumer request by either:
Calling us at: +800 8001 2900 or
Emailing us at: firstname.lastname@example.org
We will not discriminate against you for exercising any of the foregoing rights under CCPA. You will not have to pay a fee to access your Personal Data or to exercise any of the other rights under CCPA. Only you, or someone legally authorised to act on your behalf, may make a verifiable consumer request. You may only make such a request twice within any 12-month period. Your request must provide sufficient information that allows us to reasonably verify that you are the person about whom we collected Personal Data. As a security measure, we may need to request specific information from you to help us confirm your identity.
We try to respond to all legitimate requests under CCPA within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you.
We may engage in marketing campaigns in order to introduce new products or services. Where required by applicable law, we will only engage in such marketing communications if the individual has opted into these communications. Individuals may opt-out of the processing of their Personal Data by exercising their right to withdraw consent and the right to object to the processing of their information. To opt-out of commercial emails, simply click the link labelled “unsubscribe” at the bottom of any email sent by us. Please note that even if you opt-out of commercial emails, we may still need to contact you with important transactional information about your account or a scheduled exam in order to fulfil a contractual obligation. For example, we will still send assessment confirmations and reminders, information about centre changes and closures, and information about assessment results even if commercial emails have been opted-out (or not opted-in).
Our Site may provide links to third-party websites. We have no control over third parties and we assume no responsibility for the availability, content, accuracy or privacy practices of other websites, services or goods that may be linked to, or advertised on, such third-party websites. We suggest that you review the privacy policies and the terms and conditions of the third-party websites to get a better understanding of what, why and how they collect and use any personally identifiable information.
Our Site and Services are not designed to attract anyone under the age of 16 and children under the age of 16 are not permitted to access or use our Site or Services. Candidates between 16 and 18 years of age should refer to our Minors Testing Policy for Skills for English.
We reserve the right to amend or change this Policy from time to time. We encourage you to visit and review this Policy periodically. We will post our revised Policy on our website and update the revision date below to reflect the date of the changes. By continuing to use our website after we post any such changes or updates, you accept the Policy as modified.
|PSI Services||PSI, its affiliates and their partners (including test centre networks)||https://www.psionline.com/en-gb/privacy/privacy-policy/||https://www.psionline.com/engb/company/office-locations/|
|Web Services, Inc)||Cloud SaaS, PaaS and IaaS.||https://aws.amazon.com/privacy/||Located in the USA and affiliated companies are located globally. Depending on the scope of our interactions with AWS Offerings, personal data may be stored in or accessed from multiple countries, including the USA, EU and UK.|
|Amazon Web Services||Hosting of recorded videos and all video processing services||https://aws.amazon.com/privacy/?nc1=f_pr||EU, USA|
|Barracuda Networks||Barracuda Networks provide email filtering and quarantine services. Barracuda Networks is certified under both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.||https://www.barracuda.com/company/legal/trust-center/data-privacy/privacy-policy||USA|
|BrightLink||Used for certificant database||https://www.brightlink.com/privacy-policy/||EU, USA|
|CloudFlare||DDoS mitigation, reverse proxying, WAF, DNS and CDN.||https://www.cloudflare.com/privacypolicy/||EU, USA|
|Cyxtera||Hosting of website and webservices.||https://www.cyxtera.com/privacy-policy||USA|
|Datamatics||Business Process Operations services||https://www.datamatics.com/privacy-policy||Philippines|
|group of companies (Dynatrace LLC and its subsidiaries)||Logging, analytics and performance management.||https://www.dynatrace.com/company/trust-center/privacy/||Operates globally, as listed: Use of cloud applications hosted by third-party service providers, server locations listed: here:|
|Elastic.co||Provides monitoring and log aggregation for our cloud infrastructure which is integrated into our SIEM solution.||https://www.elastic.co/legal/privacy-statement||EU, UK, USA|
|Ledgeview||Customer Relationship Management service used for ticket and incident handling||https://ledgeviewpartners.com/privacy-policy/||EU, USA|
|Microsoft||Hosting services, IAAS, PAAS, O365, Data Analytics, Dynamics, Application Monitoring.||https://privacy.microsoft.com/en-gb/privacystatement||EU, UK, USA|
|MZDev||Provides a Manual Assessment marking solution that integrates with PSI Systems and Services. Human markers are used to mark assessments and upload results.||https://mzdevinc.com/wp-content/uploads/2018/02/MZD_P|
|NetSuite||Netsuite provides services related to business finances, operations and customer relations||https://www.oracle.com/legal/privacy/services-privacy-policy.html||USA|
|QPSoftware||Website hosting||https://qpsoftware.net/||Hong Kong|
|Educational Assessment and Services||https://www.sqa.org.uk/sqa/45396.html||UK|
|Trustwave||PENS Testing, Vulnerability Scanning.||https://www.trustwave.com/en-us/legal-documents/privacy-policy/||EU, USA|
|Veracode||Static and Dynamic Code Scanning.||https://www.veracode.com/legal-privacy||USA|
|Zendesk||Ticket Tracking system.||https://www.zendesk.com/company/customers-partners/privacy-policy/||EU, UK, USA|