We take care of your data
By now, you have probably heard a lot about the new data protection laws which came into effect on 25 May 2018. Here is a short summary, stating how ABRSM is becoming GDPR compliant.
ABRSM is a Data Controller in relation to our exams, and we are required by law to process data in accordance with GDPR. We have issued a statement about ABRSM’s role as a data controller and you can read about it on our website.
We have analysed our processes and executed an action plan which includes the following:
- A revision of the wording in our Exam Rules and Regulations to reflect the relationship between applicants, candidates and ABRSM.
- The implementation of updated data security and data protection policies.
- Training completed by all staff and representatives around the world.
- An updated code of conduct for examiners.
- An updated retention policy setting out the time and rationale for keeping customer records.
- Updated agreements with all organisations that support our business to ensure that they are also compliant with GDPR.
- Holding and maintaining National Cyber Security Centre’s Cyber Essentials Plus accreditation.
How does this affect you?
You may notice some small changes in our exam processes, especially regarding any personally sensitive data that we hold about you.
Want more information?
We are committed to keeping your data safe and secure and ensuring that you receive the best possible service from ABRSM.
Keeping your personal information safe is very important to us. We are committed to complying with privacy and data protection laws and being transparent about how we process personal data.
This policy applies to both ABRSM and ABRSM Publishing, which are two separate legal entities.
Both ABRSM and ABRSM Publishing are data controllers registered with the UK Information Commissioner’s Office (registration numbers Z6618494 for ABRSM and Z6329415 for ABRSM Publishing).
We have policies, procedures and training in place to help our employees and volunteers understand their data protection responsibilities and follow the data protection principles:
- We will process your personal information fairly, lawfully and transparently
- When we gather personal information from you, we will ensure what we collect is adequate, relevant and not excessive to our needs
- We take care to ensure your personal information is accurate and up to date
- We will only keep personal information for as long as necessary
- We will only use your personal information for the reasons for which it was collected
- We have put in place technical and organisational measures to protect your personal information from accidental loss or unlawful processing
We may collect your personal data in a number of ways, for example:
- when you, your parent or guardian, your tutor or your school communicate with us by post, telephone, SMS, email or via our websites (including the JOURNEYS platform made available at www.journeysguitar.com); for example, in order to book or make enquiries about a course or an exam, or when you participate in a discussion forum on the website
- when you sign up to, pay for and use the JOURNEYS platform
- from our exam centres – for example, in relation to exams that you have booked or taken at a particular centre;
- when you purchase products from our online shop;
- from the information you provide to us when you make an application to work for us, or from third parties such as your previous or current employers so we can verify details about you;
- from third parties who collect personal data on our behalf, such as international examination boards (e.g. the Hong Kong Examinations and Assessment Authority), or ticketing agencies and other contractors where, for example, they assist us in running events such as conferences;
- as you interact with us in other ways – either as a student, a contractor, or in any other capacity.
We collect and use personal information about our members, supporters, enquirers, job applicants and volunteers to:
- process exam entries and manage events and courses;
- provide products you have purchased from our online shop;
- provide and facilitate discussion forums;
- provide information of interest, including for marketing purposes;
- consider and award scholarships and funding;
- consider job applications;
- provide customer service and respond to enquiries.
- Provide the JOURNEYS service to JOURNEYS customers
The information that we collect may include:
- contact details such as name address, email address and phone numbers;
- your instrument and grade;
- your interests;
- credit card details and any purchases you have made;
- date of birth, gender and marital status;
- any Special Educational Needs (SEN) requirements for exams including relevant medical records;
- dietary requirements where this is required for catering;
- religious beliefs where this is relevant to exam dates and your availability;
- qualifications and school or organisation you belong to/work for;
- name of your parent or guardian (if you are under 18);
In respect of job applicants, we may also collect:
- your image and likeness where this is required for business or security purposes;
- information about your family, social circumstances and extra-curricular activities;
- your bank account details, tax and residency status;
- references from previous employers or educational institutions;
- contact details for your family members and next of kin;
- information concerning your health and medical conditions;
- information about your race, ethnicity and sexual orientation;
- details of criminal convictions.
We ask you for Special Educational Needs (SEN) requirements, which may require supporting health and medical evidence, in order to consider making reasonable adjustments for candidates taking exams. Exam candidates must actively give consent to ABRSM to retain any supporting evidence for reasonable adjustments for five years.
If candidates choose not to give permission to ABRSM to retain supporting evidence, or do not respond to the request for ongoing consent, ABRSM will retain the supporting evidence only for the duration of the current session (a maximum of six months from the closing date for examinations) and the candidate will need to resubmit supporting evidence for any future exams requiring reasonable adjustments.
We need to collect and use relevant information about young people so that they can enter exams and competitions, attend events, and sign up to receive or use some of our services. If you are aged 18 or under, please get your parent/guardian's permission before you provide any personal information to ABRSM.
Applicants from the UK, Singapore and Malaysia can enter exam candidates online. We also process paper entry forms.
Exam entries are stored on the ABRSM secure web server and a copy of this data is transferred daily onto our UK-based system. All online information is held purely for the purpose of exam entries and is retained on this secure server so that applicants can view their past entries.
We use the contact information provided in online and paper application forms to ensure that examination schedules, results and certificates are forwarded to the correct address. In the event of any problems or complications with exam entries, this information is also used to contact the applicant. We keep accurate records of applicant and candidate exam history, which allows us to provide a quicker and more effective service to our applicants.
We request financial information from online applicants (such as credit card number and expiry date). This information is used to process payments for examination entries and administration. The online entry form is held on a secure HTTPS site (demonstrated by the visible padlock logo).
Graded Music Exam payments for UK applicants and Music Medals are processed by and paid to ABRSM via Barclays Merchant Services.
Graded Music Exam payments for Malaysia applicants are processed via the HSBC/GlobalPay payment gateway and paid to the Malaysian Education Syndicate.
Graded Music Exam payments for Singapore applicants are processed via the HSBC/GlobalPay payment gateway and paid to Singapore Symphonia Company Limited via DBS Bank Limited.
Diploma Exam payments for UK applicants as well as administrative payments such as duplicate certificate requests are processed by ePDQ Lite and paid to ABRSM via Barclays Merchant Services. In accordance with the Payment Card Industries Data Security Standard (PCI DSS), ABRSM transmits this data via a secured, isolated terminal that only has access to ePDQ Lite over HTTPS. In accordance with the Payment Card Industries Data Security Standard (PCI DSS), ABRSM does not process, transmit or store this data. A truncated PAN (Primary Account Number) that consists of the first and last four digits of the card number is provided by the payment gateway provider for reporting and reconciliation purposes.
Payments to use the JOURNEYS platform are processed via Barclaycard or Paypal and paid to ABRSM Publishing Ltd via Barclays Merchant Services.
If you choose to register for and attend one of our courses or events, we will use the personal information that you provide to manage your attendance.
We will request your explicit consent to hold and use any medical or religious information that you may provide in relation to your attendance. This may include, for example, information about any disabilities you may have, any specific dietary requirements, or your availability around religious holidays.
If you contact ABRSM to make a general enquiry, your personal information will be used to respond to your enquiry.
If you choose to participate in an ABRSM discussion forum, apart from your username and the content you post, other personal information you provide will not be made available to those who also have access to that discussion forum. Each participant’s opinion on a discussion forum is their own and should not be considered as reflecting the opinion of ABRSM.
If you join the ABRSM mailing list, we will send you information that we hope will be of interest to you. If you choose to provide your email address (or address and postcode), interests and/or your instrument(s) of specific interest, we will provide you with information of direct relevance to your country, area and personal music interests.
You can opt-in to receive information by email (or by post in some cases), which may include copies of new syllabuses, new publications and other information on specific instruments and events that you have informed us would be relevant to your interests.
Aggregate information is collected from users using our own web tracker. This information includes users' Internet Protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, platform type, date/time of visit, number of clicks, error pages and number of unique visits. This information is not linked to personal profiles or to personally identifiable information provided by users. We use it to analyse visitor trends and use of our website, to administer the website, and to gather broad demographic information of our website users.
We award scholarships, awards and bursaries to outstanding students at the Royal Schools of Music and elsewhere. We process personal information of applicants provided to us by the Admissions Boards at the Schools in order to assess applications.
We retain personal information of successful applicants in order to manage scholarships. We process these awards using information captured during the exam process. The names of those students who have been awarded scholarships, bursaries or awards are published in the ABRSM Annual Review.
If you provide us with information about yourself such as a CV or resume in connection with a job application or enquiry, we may use this information to process your enquiry. We will not store this information for any purpose other than that relating to your application.
We communicate with our customers on a regular basis to provide requested services, and in regards to issues relating to their account we reply via email, post or phone in accordance with their wishes.
We will seek your consent to process your personal information when appropriate. We will normally ask for your consent to process any medical or religion-related information that you provide to us, for example in relation to an exam entry or attendance at an event. We will process your personal information without necessarily obtaining your consent where another legal basis exists.
We may process personal information because it is necessary for the performance of a contract to which you are a party (or to take steps at your request prior to entering a contract). For example, we may process your personal data (as is necessary for our exam regulations and related contracts):
- to provide you with an exam, course or other product that you have requested from us;
- to process enquiries and complaints.
- to provide JOURNEYS customers with the JOURNEYS services that the customer has paid for.
In this respect, we may provide your personal data to third-party service providers who we engage to provide these services to you – for example caterers, schools, conference and course providers, referees, tutors and examiners. We may also share your information with:
- our bank in order to process a payment;
- our professional advisers (such as our legal advisers) where it is necessary to obtain their advice;
- our IT support and data storage providers.
We may process personal information where it is in our legitimate interests to do so and where we are confident that such processing will not infringe on your rights and freedoms. Our 'legitimate interests' in this context include promoting musical achievement and education through examination and assessment, professional development of music teachers and the provision of published resources, for example:
- to train our staff and to improve our website and the services that we offer;
- to provide you with an exam, course or other product that has been arranged on your behalf by a third party – for example, if your parent, school or tutor has instructed us to deliver your exam or a course that you will attend;
- to analyse use of and to administer our website;
- to process your application, a scholarship or bursary;
- to research our market and to promote our goods, services and events by post, telephone and email, except in situations where it is required or appropriate to seek your specific consent.
In this respect, we may share your data with third-party organisations who will process personal information on our behalf – for example, a mailing house, our website administrator or printers.
ABRSM will also share personal information with ABRSM Publishing so that ABRSM Publishing can contact you about exam-related products and services – for example, printed sheet music or theory books.
Where required, we will process personal information in order to comply with our legal obligations. In this respect, we may use your personal data to comply with subject access requests, tax legislation, for the prevention and detection of crime, and to assist the police and other relevant authorities with investigations (including criminal and safeguarding investigations).
For more information about international transfers of personal data (or to request a copy of the standard contractual clauses), you can contact our Data Protection Lead, Sue Cambridge, by emailing [email protected] or writing to Sue Cambridge, ABRSM, 4 London Wall Place, London, EC2Y 5AU.
We take every precaution to protect our customers’ information. ABRSM holds and maintains the National Cyber Security Centre’s Cyber Essentials Plus accreditation that validates our commitment to secure configuration and action against cyber security threats.
When our online examination entry form asks users to enter sensitive information (such as credit card number and expiry date), that information is encrypted and protected with industry-standard Secure Socket Layer software. While on a secure page such as our online entry form, the lock icon on the bottom of web browsers such as Netscape Navigator and Microsoft Internet Explorer becomes locked, as opposed to unlocked or open when users are just ‘surfing’.
We use SSL encryption to protect sensitive information online and do everything in our power to protect user information offline. Personal information is restricted in our offices and made available only to the appropriate departments. All employees are provided with a unique username and password in order to gain access to this information.
Our servers that store personally identifiable information are password-protected and held in a secure environment in a locked facility. Regular backups are made of this data and these are securely stored off-site and managed by Iron Mountain, who ensure rigorous protocols and logistics for delivery and retrieval of media to and from designated ABRSM IT staff.
If you no longer wish to receive communications about products and services from us, please contact [email protected]. You can also unsubscribe at any time to emails that we may send to you about the products and services that we think will be of interest to you.
You also have the right to:
- request a copy of the information we hold about you (requests should be addressed to [email protected].ac.uk, and we will respond within one month);
- tell us to change or correct your personal information if it is incomplete or inaccurate;
- ask us to restrict our processing of your personal data or to delete your personal data if there is no compelling reason for us to continue using or holding this information (and, where our processing is based on your consent, you may withdraw that consent without affecting the lawfulness of our processing based on consent before its withdrawal);
- receive from us the personal information we hold about you that you have provided to us, in a reasonable format specified by you, including for the purpose of you sending that personal information to another data controller;
- object, on grounds relating to your specific situation, to any of our particular processing activities where you feel this has a disproportionate impact on you.
Please contact [email protected] or phone us on 0207 636 5400 if you think our records are inaccurate. If you wish us to update or delete your personal information, or if you wish to exercise your other rights under applicable data protection laws, please contact Sue Cambridge by emailing [email protected] or writing to Sue Cambridge, ABRSM, 4 London Wall Place, London, EC2Y 5AU.
We will retain your personal information in accordance with our retention policy, which follows the principle of retaining information for only as long as is necessary. You can request a copy of the retention policy by emailing Sue Cambridge at [email protected] or writing to her at ABRSM, 4 London Wall Place, London, EC2Y 5AU.
If you are not satisfied with our response to any query you raise with us, or you believe we are processing your personal data in a way that is inconsistent with the law, you can complain to the Information Commissioner’s Office through their helpline: 0303 123 1113.