Confidentiality and Privacy
Introduction
When you register for and/or sit HPAT-Ireland, The Australian Council for Educational Research Ltd (ABN 19 004 98 145) of 19 Prospect Hill Road Camberwell Australia 3124 (collectively, ACER, we or us) will collect your personal information to prepare for, administer and finalise all activities to satisfy the purposes for which you may sit HPAT-Ireland, including:
- investigating any suspected misconduct and determining and administering any consequences for misconduct;
- disclosing to the universities that require HPAT-Ireland scores, via the Central Applications Office (CAO), together with their collecting, storing, using and disclosing your personal information in accordance with their University application policies from time to time;
- disclosing anonymised data only to approved research bodies that have an interest in HPAT-Ireland data. Any research report will include anonymised data only;
- online proctoring, through ACER's contracted online proctoring supplier, for HPAT-Ireland conducted online. By registering to sit HPAT-Ireland you may need to, or ACER may, provide your Personal Information to the contracted online proctoring supplier. These may include ProctorU (current vendor) or others who supply such services. ProctorU is a company based in the United States; however, all data gathered during HPAT testing are stored within their EU “instance” (Germany). Personal Information you/we provide to ProctorU will be stored outside of Australia. You may view ProctorU's privacy policy at www.proctoru.com/privacy-policy. All privacy statements will be updated in the event the supplier changes; and
- plagiarism review. ACER discloses your de-identified HPAT responses to its current contracted plagiarism review contractor, TURNITIN, LLC, a Californian limited liability company which is based in the USA. It processes HPAT test taker responses in the USA to ascertain instances of plagiarism. You may view its privacy policy HERE. This privacy statement will be amended in the event the supplier changes.
("The Purpose").
In respect of any act or omission of ACER concerning your personal information, in pursuit of the Purpose, ACER may be subject to the:
- Privacy Act 1988 (Cth) (Australian Privacy Act); and/or
- Applicable European or UK data law (i.e., EU/UK GDPR).
The Personal Information ACER collects in pursuit of the Purpose:
The information ACER may collect in pursuit of the Purpose about you includes:
Within the Application Process:
- Name;
- Address;
- Postcode;
- Country;
- Phone Number;
- Residency
- Test Centre
- Education (current highest course/qualification)
- Course applied for;
- ID document type & Expiry date (check valid for test date),
- CAO Registration number (required for CAO data distribution purposes)
- Ethnicity (required by CAO for application bias statistics)
- Country of birth;
- HPAT-Ireland Preparation details;
- Absent from sitting; (if you missed the sitting for any reason)
- Results block (whether to allow result to be distributed)
- OARS Test link (where to access the HPAT test online)
- OARS User Account: Name; email address; DOB; Gender
- Language;
- Registration information;
The following information will be generated/stored as part of the HPAT application and completion of the test:
- Payment details (only the transaction id, date and time, value retained);
- Application (if any) for Reasonable Adjustments including health information; additional time allowed (if granted);
- Test answers (correct responses) and results (psychometric skill scores);
- Communications with ACER relating to the Purpose;
- Communications with Proctoring Service and Actual Test participation recording including: chat data; machine application issues; video authentication; keystroke analysis; any proctor interventions; test T&C’s acknowledged by test taker; verification, authentication and invigilation details.
The information listed above, if applicable, is referred to collectively as "Personal Information/Data".
Applicable Privacy Law
Depending on the jurisdiction of the HPAT test taker, the applicable law may be either: the law that applies directly to ACER in Australia, by virtue of the head office location; or privacy law that extends to any processor by virtue of the jurisdiction of the test taker, examples are EU and UK GDPR legislation. Consequently, the applicability of the relevant privacy legislation is set out below.
The Australian Privacy Act (1988)
To the extent of the applicability of the Australian Privacy Act to your Personal Information collected in pursuit of the Purpose:
You CONSENT to ACER:
- collecting and using any sensitive (such as health) information, for example, in case you need reasonable adjustments in sitting HPAT-Ireland;
- collecting, storing, using, disclosing and transferring OUTSIDE OF AUSTRALIA (please see the ‘Introduction’ above for the relevant countries), for purposes related to your registration, your personal information in accordance with its privacy policy specified at the end of this statement. YOU ARE NOTIFIED that the persons to whom the information is disclosed outside of Australia have no obligation to abide by the Australian Privacy Principles contained in the Privacy Act. The consequences of this may be, the:
- country of the person may not have similar privacy laws or measures by which you may pursue any of your rights in respect of privacy as that of Australia; and
- person may not handle your personal information in the manner designated under the Australian Privacy Principles and you may not have any mechanism by which to seek redress.
- May provide additional rights not afforded under the Australian Act.
Please note the online proctoring service advice above concerning storage of your Personal Information in the European Union (Germany) where GDPR law applies.
Should you not wish to provide the above consents or wish to access and/or amend your personal information or wish to make a complaint related to privacy, please contact the HPAT-Ireland Office at hpat-ireland@acer.org.
For further information concerning how ACER handles your personal information or what privacy rights you have and how to exercise them, please see: https://www.acer.org/privacy.
GDPR and other applicable European or UK Privacy Law
To the extent that the General Data Protection Regulation (GDPR, which term includes both applicable European and UK versions of the law) applies to your Personal Data collected in pursuit of the Purpose, this section of the notice tells you how we collect and process your personal data in connection with the HPAT-Ireland test, including what we use it for and who we share it with, and why. It also explains your rights in relation to the processing of your personal data, and how to apply for these rights.
This Privacy Notice may be amended from time to time if our practices change.
Definitions
The following items used or referred to in this document are defined below:
- Data controller: the company, organisation or person that decides (jointly or alone) on the means and purpose of processing of personal data;
- Processor: the company, organisation or person that processes the data for the controller under a processing agreement/contract for a specific purpose, and defines their uses of the data;
- Processing: any action, including storage, collection, usage, destruction, combining, publishing or anything that otherwise constitutes any form of operation on personal data; and
- Personal data: any information related to an identified or identifiable natural living person.
Contact us
Please contact us if you have any questions or comments about this Notice or if you wish to exercise your rights under applicable privacy laws, which are explained further below.
You can contact us by:
- sending an email to dpo@acer.org or hpat-ireland@acer.org; or
- calling UK +44 (0) 20 3909 0659
Data Protection Officer and ACER's compliance with the GDPR
Our registered Data Protection Officer (DPO) monitors and advises on compliance with the GDPR which applies to ACER's processing of personal data of individuals (known as data subjects) in the context of its UK/EU operations or in relation to ACER offering data subjects ACER's products or services within the European Economic Area (EEA).
Our DPO can be contacted by email at dpo@acer.org.
Acer International United Kingdom Ltd ("ACER UK") is the authorised EU Representative for ACER and can be contacted as follows:
13-15 Canfield Place
London NW6 3BT
UNITED KINGDOM
Telephone: +44 20 3909 0659
Email: unitedkingdom@acer.org
ACER UK is registered with the UK's Information Commissioner's Office ("ICO") under Z1280311 as both a data controller and data processor.
ACER is the data controller for our website and services provided through our website at the address shown above. However, ACER is acting as a processor when supplying HPAT-Ireland services to test takers applying for entry into universities via the CAO registrations system, by virtue of relevant agreements between the parties.
On our website, you may find links to other third-party websites not operated by us. This Privacy Notice does not apply to them - always read the Privacy Notice of any other third-party website you enter.
What personal data do we collect and how?
The personal data we collect when you register to sit the HPAT-Ireland includes that specified above (some applications from Australia or New Zealand will capture additional data).
Sometimes we may be required to collect special categories of data about you, such as your health information, but only if you apply for reasonable adjustments. We will only collect special categories of data from you or about you with your explicit consent, unless otherwise required or permitted by law.
By supplying special categories information about yourself, either directly or via another authorised third party, you or the providing party will be taken to have given your explicit consent to our collection of that information to be used only for the specified purpose (application for adjusted exam conditions). When we obtain such information from a third party, we will insist that the third party must obtain explicit consent from you before transfer occurs.
We will only collect your personal data when you register to sit the HPAT-Ireland or contact us in connection with your test booking, sitting voucher or results.
Given the nature of our services to universities, we may also collect personal data about you from the university to which you are applying. We may also collect information through secure web-based application systems if you undertake certain assessments, and from other third parties where you have agreed with them that your information may be disclosed.
How do we use and process the personal data we collect about you?
The various legal bases for us collecting data from you, either directly or indirectly as a result of your participation in HPAT, are set out below, together with the relevant purpose for processing.
Basis for collecting personal data
To perform our contract with you and respond to your related requests
Purpose for processing
We may use and process personal information under a contract with you to administer and provide the HPAT-Ireland to you.
Basis for collecting personal data
With your consent
Purpose for processing
We may use your personal data for the purposes for which you have given your consent, which we will ensure has been obtained by us or a relevant third-party prior to processing your information. For example, with your consent, we may communicate with you (through the consented communication channels, including email, or social networking forums) for the specific purposes of:
- advising you of key dates and deadlines for submission of required information from you;
- inviting you to the test events at requested venues; and
- advising of any reasonable adjustments you have requested.
Consent can be withdrawn at any time without detriment. You can withdraw your consent for a specific communication channel by clicking on the 'unsubscribe' link in our communications or contacting us directly using the details above.
Basis for collecting personal data
In connection with our legitimate interests in carrying on our business services
Purpose for processing
We may use your information for our legitimate interests (where we have considered these are not overridden by your rights to privacy) by:
- investigating any suspected misconduct and determining and administering any consequences for misconduct;
- publishing anonymised educational material;
- research and statistical analysis, for the public interest;
- operating and managing the ACER Foundation (public charities);
- verifying identity or preventing or investigating any fraud or crime or suspected fraud or crime.
Basis for collecting personal data
Under a legal obligation
Purpose for processing
We may use and process your personal data where we are required to do so by applicable laws, regulations or codes that apply to us.
What happens if you don't provide your personal data to us?
If you don't provide your personal data to us, we will not be able to:
- permit you to sit the HPAT-Ireland;
- respond to your requests;
- manage or administer our HPAT-Ireland services; or
- personalise your experience with us via the website.
Who do we share your personal data with?
We may share your personal data only with other organisations consistent with the purposes for which we use and process your personal data as described above. These include:
- universities that require HPAT-Ireland scores, and the Central Applications Office (we provide the results of the test taker tests to the CAO, they then distribute these data to your specific university choices);
- entities that assist us in providing and administering our services (including hosting and data storage and online proctoring suppliers); and
- where we are required to do so by law, government agencies (or individuals appointed by government agencies) responsible for investigating and resolving breaches of law, fraud, criminal activities, disputes or complaints concerning our products or services.
Sharing personal data outside of the EEA
The main administrative office of ACER is in Australia with satellite offices overseas (see website for details). If we need, for the purpose detailed above, to share some of the personal data we collect about you with organisations inside or outside Australia, we will take steps to ensure the transfer of personal data is lawful and complies with one of the safeguarding mechanisms as mandated by GDPR law; for example, through the use of Standard Contractual Clauses, International Transfer Agreements and data processing agreements. All enquiries pertaining to the transfer of personal data outside the EEA and the specific safeguards can be directed to our EU representative, as outlined above.
How do we hold your personal data and keep it secure?
We hold your personal data in a combination of electronic and hard copy files depending on the service. We may store your personal data with one or more third party secure data storage providers.
We may combine personal data we receive about you with other information we hold about you. This includes information received from third parties. We will anonymise (de-identify) personal data we collect from studies we carry out as part of our research activities.
We take all reasonable steps to protect the security of your personal data by the use of various methods, including password protection, multifactor authentication, encryption and secure storage. Where we store your personal data with a third party data storage provider, we require them to agree to keep it secure and only use or disclose it for the purpose for which the service was provided.
Please contact us immediately if you become aware of, or have reason to believe there has been, any unauthorised use of your personal data that we hold.
What happens when we no longer need your personal data?
We generally keep your personal data for up to two years after you have taken the HPAT-Ireland, or otherwise as required for our business operations or by applicable laws.
We may need to retain certain personal data after we cease providing you with services to enforce our terms, for fraud prevention, to identify issues or resolve legal claims, and for proper record-keeping. When we no longer require your personal data, we'll ensure that your personal data is destroyed or de-identified.
We also retain a record of any stated objection by you to receiving ACER marketing for the purpose of ensuring we can continue to respect your wishes and not contact you further.
Your personal data rights
Under the GDPR or applicable law incorporating this legislation, you are afforded several rights, as detailed below.
How to access your personal data
Subject to applicable laws, you may request to know if ACER is processing your personal data and, if so, you may request access to your personal data (including in a structured, commonly used and machine-readable format). We will need to verify your identity before we can give you access. We will acknowledge receipt, and we will endeavour to deal with and respond to your request within one calendar month.
In certain circumstances, we are permitted by law to refuse access to your personal data. In such cases, we will give you a written explanation for our decision and information about how you can complain to the appropriate supervisory authority (e.g., ICO in the UK; DPC within Ireland), if you are not satisfied with our decision.
You will not be charged for making a request for your personal data. However, we may charge a fee to provide your personal data if the request is repetitive, to cover administrative costs. We will inform you of any fee at the time your request is made.
How to correct your personal data
If you think that any personal data we hold about you is inaccurate, you may ask us to correct it, but you do have direct edit access via the web portal. We will take reasonable steps to correct it unless we disagree with your reasons. If we refuse to correct your personal data, we will give you a written explanation of our decision.
Additional rights and choices
In certain circumstances, you can:
- obtain information about the processing of your personal data;
- ask us to erase your personal data, such as if you withdraw your consent and we are not otherwise legally entitled to retain it;
- object to, and ask us to restrict, our processing of your personal data, if the legal basis is legitimate interest or public interest or we are applying profiling to your data, although we may continue to process your personal data while we verify your assertion or complaint;
- withdraw your consent or object to processing for direct marketing or profiling purposes; and
- raise a complaint with your supervisory authority about our handling of your personal data.
How do you make a complaint?
If you believe that we have not processed your personal data in compliance with the GDPR and have failed to provide your rights as detailed above, please contact us initially using the contact details above for our EU representative. We will investigate any complaint and notify you of our decision in relation to the complaint as soon as practicable after it is received and within 28 days.
If we are unable to satisfactorily resolve your concerns about our handling of your personal data, you have the right to make a complaint to the relevant European data protection authority; for example, in the place you reside or where you believe we have breached your rights. The Supervisory Authority of our EU representative is the ICO, which will be able to investigate your complaint. The ICO can make use of the 'One Stop Shop' mechanism to address complaints from residents within the EEA and refer the complaint to the DPC within Ireland and outside the UK if that benefits the complainant and their home location.
Legal basis for processing your information
- When you register for HPAT-Ireland, ACER will be required to collect, store, use and share information about you in pursuit of the Purpose and for reasons deemed necessary for the performance of your contractual agreement with ACER.
- ACER will obtain explicit consent from you when collecting or handling special information in order to assist with health, disability or special assistance you need to undertake the HPAT-Ireland (e.g. reasonable adjustment applications and services to test takers with disabilities).
- Processing of your personal data may also be necessary for the pursuit of ACER's legitimate interests (see below) or by a third party's legitimate interests - but only where it is not unwarranted and will not cause a prejudicial effect on your rights and freedoms, or legitimate interest or public interest or we are applying profiling to your data, although we may continue to process your personal data while we verify your assertion or complaint
- Processing of your personal data may also be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University User Group's instigating HPAT-Ireland.
- Processing of Special Categories data is necessary for the statistical and research purposes in accordance with article 89(1) based on the duties in any relevant equality or discrimination laws.
Legitimate interests
ACER has a legitimate interest in:
- Providing you with HPAT-Ireland to assist you in pursuing University education
- Safeguarding and promoting your welfare and the welfare of other students;
- Promoting the objects and interests of ACER;
- Facilitating the efficient operation of ACER;
- Ensuring that all relevant legal obligations of ACER are complied with; and
- Defence of legal claims
Third party legitimate interests
In addition your Personal Data may be processed for the legitimate interests of others. For example:
- Banking or other financial institutions in respect of payment of fees, refunds, or charge-backs;
- Potential providers of tertiary education you have approached;
- Professional or statutory bodies responsible for the management of university admissions (CAO);
- Government agencies with duties relating to prevention and detection of crime, collection of a tax or duty or safeguarding national security; or
- When investigating a complaint.
Disclosure of your Personal Data
Personal Data is protected by ACER and will not be disclosed to third parties without consent, or as is permitted by law. This section outlines the major organisations and the most common circumstances in which ACER discloses your Personal Data.
Where necessary in pursuit of the Purpose, your Personal Data may be:
- shared internally within ACER and/or its related contracted service provider companies for the Purpose; and
- disclosed to:
  - Banking or other financial institutions in respect of payment of fees, refunds or charge-backs;
  - Potential providers of education you have approached;
  - Professional or statutory bodies responsible for the management of university admissions (CAO);
  - Government agencies with duties relating to prevention and detection of crime, collection of a tax or duty or safeguarding national security; and
  - Your parents or guardians where consent has been obtained.
Cross-border data transfers
ACER is based in Australia and any activity in respect of your Personal Data mainly occurs in Australia and exclusively in pursuit of the Purpose. Some of the recipients of your Personal Data detailed above may be located outside the EEA, but store your data within the EU.
If your personal information is collected from within the EEA/UK, you acknowledge that you understand that your data will be transferred to Australia in pursuit of the Purpose. In that instance your personal information will be collected, used, stored and disclosed in accordance with the GDPR and the EEA representative under GDPR legislation is ACER UK (Company No 5572704), 13-15 Canfield Place, London NW6 3BT UK.
Please note the online proctoring advice above concerning storage of your Personal Information in the EU by the US-based ProctorU.
Retention periods
ACER may retain your Personal Data collected in pursuit of the Purpose for a period of up to 10 years, for your assistance, so you or your relevant education provider can verify results and Personal Data.
Medical reports and other supporting documentation for reasonable adjustment applications may be retained for the two-year results validity period.
Your rights
Under the GDPR you have a right of access to your Personal Data which ACER holds about you, subject to certain exemptions, by way of making an access request.
If you submit an access request to ACER, you are entitled to:
- Be told whether ACER holds any Personal Data about you;
- Be given a description of the Personal Data, the reasons it is being processed, and whether it will be or has been given to any other organisations or people;
- Be given a copy of the information comprising the Personal Data and given details of the source of the data (where this is available);
- Be told the purpose of processing;
- Be told the categories of Personal Data concerned;
- Be told the recipients or categories of recipients to whom the Personal Data has been or will be disclosed, particularly third countries or international organisations - where this is the case, you are also entitled to be informed of appropriate safeguards relating to the transfer of information;
- Be told the period data will be stored;
- Be told the right to request rectification, erasure or restriction of processing;
- Be told the right to lodge a complaint; and
- Be told the existence of automated decision making including profiling.
These rights apply to electronic Personal Data and to Personal Data in "manual" (i.e. non-electronic) formats subject to certain exemptions.
Exemptions to your rights
The GDPR includes various exemptions in which a Data Controller or Processor can refuse to provide access to Personal Data. The most likely situations in which ACER could refuse to release information in response to a subject access request are where:
- The release of the information would jeopardise the prevention or detection of crime, or the apprehension or prosecution of offenders;
- The request relates specifically to access to assessment material;
- The request relates to Personal Data contained in ACER's or the HPAT-Ireland University User Group's confidential information;
- The request relates to Personal Data which records ACER's intentions in relation to any negotiations with you, and the release of the Personal Data would prejudice the negotiations;
- The Personal Data requested is covered by legal professional privilege;
- The Personal Data requested relates to management forecasting or management planning, and its release to you would prejudice ACER's business or activities; or
- The request relates to access to Personal Data which has been retained for the purposes of historical or statistical research, the conditions set out in the data protection laws for processing for research purposes have been met, and the results of the research have not been published in a way which identifies individuals.
If Personal Data is withheld from you as a result of an exemption under the GDPR, it will be explained why the Personal Data has been withheld and the relevant exemption, unless doing so would itself disclose information which would be subject to the exemption.
The GDPR allows ACER to refuse to act on your request, or to charge you a reasonable fee (taking into account the administrative costs of providing the information) where your request is considered to be manifestly unfounded or excessive, in particular because the request is repetitive or unduly onerous in character.
ACER has to protect the data protection rights and other legal rights of other individuals when it responds to subject access requests. Information which does not relate to you may be 'blanked out' or redacted, particularly if it relates to other individuals. Sometimes it may not be possible to release Personal Data relating to you because doing so would also reveal information about other persons who have not consented to their data being released, and it would not be reasonable in the circumstances to release the data without their consent. In such cases, you will be informed that Personal Data about you has been withheld and the reasons for doing so.
If we consider that you have made a subject access request which is manifestly unfounded or excessive in nature (for example, because a request is repetitive), it is possible for ACER to:
- Charge a reasonable fee taking into account the administrative costs of providing the information; or
- Refuse to act on the request.
If it is determined that a fee should be charged, you will be notified in writing of that fact, the level of the fee, and the reason for requesting the fee, without delay.
If it is determined that your request will be refused, you will be notified in writing of that fact and the reasons for the refusal to act on the request, without delay.
How do I submit a request?
You can make your subject access request by telephone or in person, by contacting the DPO at the contact details provided above.
When making your request please be as specific as possible about the Personal Data to which you want access, as this will assist in processing your request; for example, if you only want Personal Data relating to your academic record, you should indicate that. A general request such as 'please send me all of the Personal Data which you hold about me' is likely to lead ACER to contact you for further information or clarification.
Proof of ID will be required to ensure that ACER is releasing Personal Data to the correct person. ACER will inform you of what is required and in what form it is required. It will usually involve photographic and authoritative documentation such as passport and driving license documents.
What happens next?
You will be sent an acknowledgement of your request as soon as possible. This will indicate the deadline by when ACER will send you a response (usually within 28 days).
You may be asked for further information to assist.
Your request will be responded to as soon as possible, and within 28 days of receipt of your request (unless there are grounds to extend that timescale).
The Personal Data will usually be provided in the format in which you make the access request e.g. digitally or by post.
If you request further copies of the Personal Data, ACER may charge a reasonable fee based on administrative costs.
Can I appeal?
If you are dissatisfied with the response to your access request, you have the right to apply directly to the privacy regulator in your relevant country. Further information about how to enforce your rights under applicable data protection laws is available on the relevant privacy regulator's website.
Effective date: 20-07-2024