At Pearson, we respect and protect the rights of everyone who entrusts us with their information and take every possible step to secure it. We work diligently to ensure that the information and services upon which our learners and customers rely are always secure and resilient, so that we can better support them at every stage of their development.
Information Security and Data Privacy is inherent in everything we do. Seven principles guide Pearson employees in their roles in fulfilling our duty of care to our customers, learners and partners and ensuring that we meet our wider legal, regulatory and contractual requirements.
Pearson's Information Security and Data Privacy policies and procedures are based on these seven principles:
Learn – We ensure that all our people are trained in Security and Privacy.
Respect – We tell people what we do with their personal information, seek their consent where appropriate and encourage them to exercise their rights over their information.
Report – We report anything that does not seem right to the Security Operations Centre (SOC). Being vigilant is one of the most effective things we can do to keep our information safe and secure.
Consult – We consult the Chief Information Security Office (CISO) and the Data Privacy Office (DPO) at the earliest opportunity when acquiring, developing or revising services or products, and when engaging vendors, to ensure that risks are managed, and effective security & privacy controls are built in from the outset.
Protect – We ensure that the correct level of protection is in place for all information stored, transmitted and shared to prevent unauthorized access to, copying of, damage to or loss of data. We ensure the resilience of our services so that they are available to our learners, customers and staff as and when required and in accordance with our legal and contractual obligations.
Restrict – We use strong access controls to our information and buildings to ensure they are secure. We only share the minimum amount of information with the fewest people when there is a justified need in support of a legitimate business activity.
Retain – We only keep personal information for as long as it is needed to deliver the services that have been requested and securely delete, destroy or anonymize it as soon as it is no longer required by the business.