Fair processing notice: Students
16 February 2024
The data we collect about you
- Your name and contact details
- Personal details like your name, date of birth and, gender
- Sensitive personal details such as ethnic background and any disabilities
- Employment details like your organisation name and job title
- Details of your membership with us and other awarding bodies, such as your AAT membership ID and membership status
- Your education information, such as qualification records, level of education, association with a training provider, Unique Learner Number/Scottish Candidate Number, and English language ability
- Payment information, including your bank, card or direct debit details
- Certain health information you may disclose in respect of your personal circumstances, such as details of disabilities/learning difficulties requiring reasonable adjustments for assessments
- Basic student records covering your address history, member number, membership statuses and dates of initial registration, election and all status changes, qualification, work experience history, membership of other awarding bodies and practice management
- Any other relevant personal information contained in your application forms, supporting documents uploaded (such as your photo ID) with your application, or that you may provide to us with consent (eg responses to surveys and personal stories for marketing material).
You can view and update most of your personal details at any time in the Edit my details service. For a change of name please contact our customer services team providing a copy of your marriage certificate or deed poll certificate, along with your membership number to customersupport@aat.org.uk.
What we do with your data and on what grounds
We can only process your personal data if we have a basis to do so which is permitted by law. This may be that you have given your consent, or it may be one of the other lawful bases for data processing. These comprise situations where it is necessary:
- for our performance of a contract with you. We process your personal data where it’s necessary in order to fulfil a contract with you or to take steps, at your request, before entering into such a contract
- for our legitimate interests. We process your personal data as and when necessary to do so in order to conduct and manage our business to provide you with the best service and experience. We make sure we consider and balance any potential impact on you and your rights before we process your personal data for our legitimate interests. We don’t use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law)
- to meet our legal obligations. We process your personal data where it’s necessary for compliance with legal or regulatory obligations.
Purpose/activity | Lawful basis for processing including basis of legitimate interest |
---|---|
Managing our online e-learning resource provision and Continuing Professional Development (CPD) record service through the AAT Lifelong Learning Portal |
|
Assessment delivery and support, including to fulfil our legal obligations to ensure appropriate levels of assessment support for students who require reasonable adjustments or special consideration due to specific impairments |
|
To inform you and your employers of your assessment results on AAT qualifications (where your studies are funded by your employer) |
|
Customer support in relation to your application and membership, including:
|
|
Monitoring equality and accessibility to AAT courses and qualifications with regard to gender, ethnicity, and disability status |
|
Granting assistance, to offer support to students and members experiencing financial hardship |
|
Managing payment, including:
|
|
To make important communications relevant to your membership |
|
Marketing and promotional communications, including to:
|
|
Administering free prize draws and competitions. You can email aat.research@aat.org.uk to opt out at any time |
|
To meet our legal obligations, including:
|
|
Managing your student registration and membership applications, including to:
| Performance of a contract with you
|
Product development and quality control, including to:
|
|
IT system administration, to administer internal systems including maintaining access rights, troubleshooting issues and maintaining databases and backups |
|
To report Advanced (Level 3) achievement data to UCAS in order for students to claim credit/exemptions as part of their university studies | Your consent (if received) |
Archiving your collected data to support assessment queries, professional standards investigations and general customer queries |
|
Automated decision making
We do not currently, and do not envisage, that any decisions will be taken about you using solely automated means, however, we will notify you in writing if this position changes.
Who we share your personal data with
- Our third-party service providers of payment, user testing, IT, career management consultancy, benefits and rewards and mailing services
- The public, in relation to information regarding any disciplinary outcomes (which may include your name, membership number, alleged misconduct and sanctions)
- AAT Employer Scheme members, to provide your assessment results
- Training providers, to support you in managing your membership and studies
- External verifiers, for assessment quality management
- Journalists and magazine publishers, for marketing case studies
- Our pages on social media platforms, such as Facebook, Twitter and LinkedIn
- UCAS, if you wish to claim credit/exemptions as part of your university studies
- Supervisory/regulatory bodies, law enforcement and independent investigators relating to disciplinary investigations, complaints and regulatory reporting requirements (including the Financial Conduct Authority, Department for Education, and qualifications regulators).
- Relevant qualifications regulators, as applicable to your location, for example, the Office of Qualifications and Examinations Regulation (Ofqual - England), the Scottish Qualifications and Examinations Authority (SQA), Qualifications Wales, Council for the Curriculum, Examinations & Assessment (CCEA - Ireland) or Botswana Qualifications Authority.
- If you are based in England, Wales or Northern Ireland, some of the information provided as part of your registration will be used by the Education and Skills Funding Agency to fulfil its statutory functions, issue and/or verify your Unique Learner Number (ULN) and update and/or check your Personal Learning Record. The Education and Skills Funding Agency may share your ULN and Personal Learning Record with other education related organisations, such as the careers service, school, college, university, Government Departments and public bodies responsible for funding your education. Further details of how qualification data is processed and shared can be found at LRS: Privacy notice.
- Your assessment results details will be stored on our Centre assessment results and Centre statements of achievements services, which will be available to view by your current and any previous training providers.
Our use of data processors
We use a third-party supplier of an IT system (Jotform) to compete student, licensed, and member applications. This system is hosted in Europe.
We use a third-party supplier of a Customer Relationship Management (CRM) IT system, hosted within the UK by our IT service provider. We also use a second CRM system, Hubspot hosted in Europe.
We also use Microsoft Office 365 to process email and for file storage, hosted within the EU, and a third-party email archive system hosted within the UK.
We also use a third party service provider of our e-learning platform hosted in the UK and Europe.
Where a third-party data processor is used, we ensure that they operate under contractual restrictions with regard to confidentiality and security, in addition to their obligations under data protection legislation. This means that they cannot do anything with your personal data unless we have instructed them to do it. They will not share your personal data with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
Where we get your data from
Other than directly from you, we may also receive personal data from the following third-party sources:
- training providers
- employers
- markers and our computer based assessment marking software
- publicly available sources, such as returned post
- our payment providers, such as BACS
- our third-party service providers of IT, career management consultancy and benefits and rewards services.
How long we keep your data
- Your basic student records, such as name, address history, membership statuses, work experience history and other awarding bodies and practice management details will be retained for 70 years from the end of your membership to support other required reporting and professional queries
- If you’ve undertaken any AAT assessments, information on these will be retained for 70 years from the date of assessment as will information on qualifications awarded
- if you’ve submitted any medical evidence to support Reasonable Adjustment and Special Consideration requests, this will be retained for 7 years from the end of the adjustment period
- Direct Debit instructions will be retained for two years from the date your direct debit is cancelled
- Correspondence such as email is retained for a maximum of 3 years
- Your communication preferences will be retained for two years after the end of your membership
- Credit card details will be managed in line with the Payment Card Industry Data Security Standard (PCI DSS). We do not store or retain any credit card data and use third party payment provider services to process card payments.
Transferring your data overseas
We transfer your data to the European Economic Area (EEA), as detailed above with regards to data processors. These transfers are based on the UK adequacy decision with regard to EEA countries.