To obtain further information about how we balance our legitimate interests against your rights and freedoms where applicable, please contact us using the contact details provided under the “Who we are” heading above.
Processing on behalf of institutional customers
Some of our Services are provided on behalf of third parties, for example on behalf of an educational institution or partner (for example your employer) with whom you are affiliated. Where that is the case, the institution in question will be the controller of your personal data it is their responsibility to inform you of the purpose and lawful basis of their processing activities. This will commonly be the case where an institutional customer has purchased access to our Services on your behalf.
Where this is the case, your personal data will only be used in accordance with the institutional customer's lawful instructions. This typically involves:
i. processing your personal data to provide the Services. For instance, processing email addresses for learners in order to issue passwords securely and to send out service messages where necessary;
iii. for a variety of services, including digital learning services:
a. providing schools (or other academic institutions) with access to the information we hold about their students;
b. analysis of users' use and progress across the service so that we can help learners make progress with their learning. For instance, to evaluate the educational efficacy and effectiveness of the services and to make appropriate recommendations to users and institutional customers based on this evaluation;
For more information, please visit the privacy notice on the website of your educational institution, employer or such other third party who provided you with access to our Services.
Notwithstanding the above, depending on the Service in question there may be instances when our customer (your employer or academic institution) accepts that we have [limited] rights to process your data as a controller in accordance with this Notice, for example to administer your account/relationship with us, and to use analytics to improve our Services. We will let you know when this is relevant using just in time notices.
Return to top
6. USE OF VIDEO AND RECORDINGS
Some of our Services, for example online assessments and examinations take images, and audio or video recordings of you. This can include your spoken responses and background noise taken during tests. We do this:
- to collect your responses so that you can receive a score;
- to simulate the test environment for you during practice tests;
- to verify that the correct person is taking the test;
- to proctor the test to check that you are not cheating.
This includes use of special category face and voice personal data, and matching technology provided by our service providers, using artificial intelligence to ensure that the test responses match the reference voice and photograph we have on file for you and that there are not any cheating “flags” raised during your test.
This technology does not involve real-time surveillance and flags do not track emotional behaviors like your facial movements during the test, but will track whether the recording matches against the data we hold on file for you based on objective pre-defined criteria.
Where a flag is raised, automated or otherwise Pearson’s human reviewers will review any mismatch in IDs and/or where potential cheating has been identified and in those cases, we will not release a test completion certificate and will either (i) issue a free retest; or (ii) where cheating has clearly taken place and this has been confirmed through human review, we may suspend your account. You have the right to appeal any account suspensions, see our websites for our security requirements and policies.
Note that during these practice tests, we will not be using the technology mentioned above to verify your identity or to identify cheating flags.
We will also process still or video images from your device during some of our online learning services for example to allow you to participate in virtual classrooms.
Please note in some instances we will use 3RD Parties to support facial recognition and ID services for matching during tests and assessments. Those third parties may use the data captured about you for the purposes of improving their technology. Where this activity takes place, it will be signposted, is subject to their own privacy notice and we will link to that privacy notice.
Return to top
7. ACCOUNT LINKING
Some of our Services provide you with the ability to connect your account to other platforms and services. For example, some of digital learning services allow learners to connect their accounts to Google Drive (and similar platforms) so they upload/download documents directly from or into it.
Before you connect to a third-party platform, you will receive a prompt asking you to click "Allow" to enable the Services to connect to the third-party service (e.g. Google Drive). In Google Drive, you may remove this connection in the My Account settings for your Google account at any time.
Return to top
8. AUTOMATED DECISION MAKING
In some instances, our use of your personal data will result in automated decisions being taken (including profiling) that legally affect you or similarly significantly affect you.
Automated decisions mean that a decision concerning you is made automatically based on a computer determination (using software algorithms), without our human review. For example, we use automated decisions as part of our scoring processes and as part of our language learning applications. This helps us to drive consistency and mitigate human bias. We have implemented measures to safeguard the rights and interests of individuals whose personal data is subject to automated decision-making, for example When we make an automated decision about you, you have the right to contest the decision, to express your point of view, and to require a human review of the decision. You can exercise this right by contacting us at firstname.lastname@example.org.
Return to top
9. MARKETING COMMUNICATIONS AND OPTING OUT
Depending on our relationship with you, and the service you use we will send you marketing communications where you have not told us that you wish to unsubscribe from marketing, or where you signed up to receive such updates. Contact details for teachers, learners who are 18 or over, and adult subscribers to the Services may be used for these purposes:
i. to contact the user with more information about our Services and those of our group companies, except where the user has told us not to;
ii. to invite the user to participate in surveys, discussions and prize draws and ask for the user's views on our Services via online surveys and discussion forums.
iii. participation in surveys and discussion forums is entirely voluntary. Users may unsubscribe from being contacted for these purposes at any time. Survey information will be used for market research with the aim of improving our Services.
Marketing will only be sent to any user aged under 18 registered to use the Services where permitted by law and subject to having obtained prior consent, which may include verified parental consent where appropriate. Such consent may be withdrawn at any time.
We will not send marketing emails to a user who has opted out of receiving them. Any marketing communications we send will include an unsubscribe link at the end of the email.
Return to top
10. HOW LONG WILL WE STORE YOUR PERSONAL DATA OR PERSONALLY-IDENTIFIABLE INFORMATION
We will keep your personal data only for as long as necessary to fulfil the purposes for which we are processing your personal data unless the law permits or requires longer. For example:
i. Pearson services. When you use our Services directly, or another creates a profile on your behalf. We will generally keep your personal data for the entire duration you use our Services and a reasonable period after. In general, after a year or so of inactivity Pearson reserves the right to email users that their account will be deleted after six months if there is no further activity.
ii. Information kept for longer periods. The nature of some of our Services for example Virtual Schools, Qualifications mean it is appropriate for us to keep your data for longer periods. We will always retain for longer if the law requires this. For example:
a. it is necessary to keep qualifications information (including candidate name, gender, address, examination result, qualification(s) awarded, grade information) for a minimum of forty years and sometimes indefinitely;
b. in relation to virtual schools certain safeguarding information for a longer period;
c. where a longer period is required by law for example we keep invoices and certain payment information for 6 years plus the relevant financial year in which the invoice was issued.
iii. Information kept for shorter periods. We store certain images and audios for six months after a test is complete.
The specific periods we keep your personal data differ depending on the nature of the Services or products you receive from the different parts of our business, so please see the FAQs that can be accessed within that product and service.
Return to top
11. DISCLOSURES AND TRANSFERS
Disclosures to Group Companies
- We may disclose personal data or personally-identifiable information to other companies within the Pearson family ([insert link]), so that we can analyze, test and develop new exciting features for our Services.
- With your consent (where required by law), we would share your personal data with the Pearson family so that they can inform you about the relevant Services that our group companies offer - these would only be products and services which we think you would be interested in. Please note information on individuals aged under 18 will not be shared with group companies for marketing purposes.
Disclosures to Businesses, Partners and Trusted Organizations
For certain Services, we work closely with employers and educational institutions who are making the service available to staff and learners. This can involve the sharing of personal data with those parties for purposes such as safeguarding, monitoring application usage/progress, and data relating to misconduct, cheating or misuse of systems. They may have their own privacy notices for their processing of your personal data as a controller, so please make sure you request this and read them.
We may disclose personal data in the following circumstances:
- when we share it with external providers and data processors such as data centers, web hosts, cloud storage and cloud software providers, customer support providers, payment processors, debt collectors, accountants, insurers and other providers which assist us with the delivery of our Services;
- when we share it with prospective sellers or buyers of our business or assets (and their professional advisors) to investors and our professional advisors, including in the event that we experience financial difficulties;
- for learners under 18, with the parent / guardian, where they have purchased access to the product or service on behalf of the learner;
- when you give us consent or request us to share your data (for example, to send certificates confirming completion of a test to an employer and/or institution or as part of a virtual classroom so they can provide feedback on assessments. This data sharing can be revoked by users at any time); and
We are part of a global organisation and use global service providers. Accordingly, data may be processed and shared outside of the country in which you live, however, we will only do this in compliance with local laws and where we have appropriate measures to ensure that the recipient of your data provides the same standard of protection as required by applicable data protection laws.
Where you are a resident of the European Union or the United Kingdom, we will only transfer your personal data: (a) to countries that have been deemed to provide an adequate level of protection by the European Commission for personal data listed here (or equivalent in the United Kingdom); and/or (b) where we have specific contracts approved by the European Commission and information Commissioner’s Office which give personal data the same protection. The safeguards we use include:
- the European Commission’s Standard Contractual Clauses as issued on 4 June 2021;
- the European Commission’s Standard Contractual Clauses together with the UK Addendum.
This is how transfers of personal data between our group companies will be safeguarded. All group companies are required to protect personal data that they process from Europe (and the UK) in accordance with European Union (and UK) data protection law.
Our Standard Contractual Clauses can be provided on request. Please note that some sensitive commercial information may be redacted from the Standard Contractual Clauses. We have also implemented Standard Contractual Clauses with our third-party service providers and partners and further details can be provided upon request.
Return to top
12. WHAT RIGHTS DO I HAVE?
Depending on the country you are in, you may have different rights in relation to your personal data.
Where you are a resident of the European Union or the United Kingdom:
- Right of access. You can ask us for copies of your personal data. There are some exemptions, which means you may not always receive all the information we process. These exemptions include situations where the information requested also includes personal data about somebody else.
- Right to rectification. You can ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Right to erasure. You can ask us to erase your personal data in certain circumstances.
- Right to object to processing. You can object to processing of your personal data, including profiling, where we are processing it on the basis of a legitimate interest.
- Rights related to automated decision making. In relation to decisions based solely on automated processing which produce legal or similarly significant effects, you have the right to obtain human intervention in the decision-making process, and to express your views about or contest such a decision. Please see section 8 (AUTOMATED DECISION MAKING) for more information.
- Right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. To opt-out of other forms of marketing (such as postal marketing or telemarketing), please contact us (using the contact details indicated above).
- Right to restriction of processing. You can ask us to restrict the processing of your information in certain circumstances.
- Right to withdraw consent. Where we are relying on consent to process your personal data, you can withdraw it at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent.
- Right to data portability. This only applies to information you have given us. You can ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on performance of a contract and/or your consent.
You are not required to pay any charge for exercising your rights, although we may charge a reasonable fee if your request is unfounded, repetitive or excessive. We have one month to respond to you (unless you have made a number of requests or your request is complex, in which case we may take up to an extra two months to respond but we will inform you where this is the case). Where we ask you for proof of identification, the one-month time limit does not begin until we have received this. If we require any clarification on the scope of the request, the one-month deadline is paused until we receive that information.
You also have the right to make a complaint at any time to a supervisory authority, including your local authority. Of course, we would appreciate the chance to deal with your concerns before you approach a supervisory authority.
Under UK and EU data protection laws it is the data controller's responsibility to respond to your data protection rights requests.
Please note the data controller for your personal data may not be a Pearson entity in all cases, as depending on the service you are accessing our role may be limited to handling data on behalf of another organisation (for example your employer or academic institution). Our role in relation to the personal data will be confirmed to you in the "just in time notices" and in the terms and conditions.
For Services in the United Kingdom and Europe, Pearson Education Limited or Pearson UK Limited are normally to be the controlling Pearson entity, but further specific details are available in the terms and conditions applicable to your Service.
Return to top
We may update this policy or our specific statements from time to time. We will always include the date of a new version so that you know when there has been a change. Where required by law, we will notify you of any material changes.
This policy was last updated June 2023.
Return to top
PRIVACY NOTICE SUMMARY