We take care of your data
We are committed to keeping your data safe and secure and ensuring that you receive the best possible service from ABRSM.
ABRSM is a Data Controller in relation to our exams. You can read the advice we received about this here.
Want more information?
If you have any questions, please contact [email protected]
Keeping your personal information safe is very important to us. We are committed to complying with privacy and data protection laws and being transparent about how we process personal data.
This policy applies to both ABRSM and ABRSM Publishing, which are two separate legal entities.
Both ABRSM and ABRSM Publishing are data controllers registered with the UK Information Commissioner’s Office (registration numbers Z6618494 for ABRSM and Z6329415 for ABRSM Publishing).
We have policies, procedures and training in place to help our employees and volunteers understand their data protection responsibilities and follow the data protection principles:
- We will process your personal information fairly, lawfully and transparently
- When we gather personal information from you, we will ensure what we collect is adequate, relevant and not excessive to our needs
- We take care to ensure your personal information is accurate and up to date
- We will only keep personal information for as long as necessary
- We will only use your personal information for the reasons for which it was collected
- We have put in place technical and organisational measures to protect your personal information from accidental loss or unlawful processing
We have policies, procedures and training in place to ensure that everyone who works or volunteers for us understands their responsibilities to protect personal data, and we apply these data protection principles:
- Lawfulness, fairness and transparency – we will use personal data in a way that complies with the law, and in a way that our customers and staff expect and have been told about.
- Purpose limitation – we will only use personal data for the reasons we collect it for, and not for something extra or unrelated.
- Data minimisation – we will limit the amount of personal data we collect to what we need it for.
- Accuracy – we will ensure the personal details in our records are accurate and kept up to date.
- Storage limitation – we will only keep personal data for as long as we need it. When it is no longer needed, we will securely destroy or delete the personal data.
- Integrity and confidentiality (security) – we will ensure personal data is kept securely and that the details of our customers and staff are protected but accessible when it is needed.
- Accountability – we will take responsibility, have appropriate measures in place and keep records to demonstrate how we achieve data protection compliance.
Our Data Protection Lead is Rachael Casstles, Director of Legal and Compliance.
email: [email protected]sm.ac.uk
or write to Rachael Casstles, Data Protection Lead at the following address:
ABRSM, 4 London Wall Place, London, EC2Y 5AU
We may collect personal data in person or via post, email, SMS or the website, from you and from third parties for a number of purposes.
ABRSM will only use your personal data if we have a legal basis for doing so, and for the purposes for which it was collected. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do this.
We have set out below all the ways we use your personal data, and which of the legal bases we rely on to do so. We may process personal information where it is in our legitimate interests to do so and where we are confident that such processing will not infringe on your rights and freedoms. Our 'legitimate interests' in this context include supporting musical learning and progress, and supporting the professional development of music teachers. Where required, we will process personal information in order to comply with our legal obligations, to assist the prevention and detection of crime, and in order to assist the police and other competent authorities with investigations (including criminal and safeguarding investigations).
Lawful basis for processing
To process an exam, event, webinar booking, take payment and contact you in relation to our service
Performance of a contract
To inform you about changes to our service
Performance of a contract/Legitimate interests
To respond to a query and manage the complaint process
To perform credit checks
To process your order from our online shop
Performance of a contract
To process your subscription to an ABRSM app
Performance of a contract
To send marketing messages to you
You can change your mind on how you receive marketing messages or you can stop receiving them at any time.
To consider and award scholarships and funding grants
To consider applications to work or volunteer
To process special category information that we need to run events, courses, meetings and exams
To improve our website and our services to you
To administer our own discussion forum
We may use your anonymised information to identify trends and to design market research. Market research agencies acting on our behalf may get in touch with you to invite you to take part in research. Any responses you provide will be reported back to us anonymously unless you give us permission for your details to be shared.
We may share your information with relevant agencies, law enforcement and other third parties for the purpose of preventing or detecting crime, or where it is the public interest.
Legitimate interests/Legal obligation/Public interest
The information that we collect may include:
- Contact details such as name, address, email address and phone numbers
- Your instrument and grade
- Your musical interests
- Your relationship to a candidate
- Credit or debit card details and any purchases you have made
- Date of birth, gender and title
- Any access or Special Educational Needs (SEN) requirements for your exams and medical reports where relevant
- Dietary requirements where this is required for catering
- Qualifications and school or organisation you belong to/work for
- Name of your parent or guardian (if you are under 13 years old)
- Optional information about race and ethnicity for monitoring purposes
- Recordings or transcripts of exam submissions, meetings, telephone calls, webchat
- Emails, letters
In respect of job applicants, we may also collect:
- Your image and likeness where this is required for business or security purposes
- Information about your family, social circumstances and extra-curricular activities
- Your bank account details, tax and residency status
- References from previous employers or educational institutions
- Contact details for your family members and next of kin
- Information concerning your health and medical conditions
- Optional information about your race, ethnicity and sexual orientation
- Details of criminal convictions
We ask you for Special Educational Needs (SEN) requirements, which may require supporting evidence, in order to consider making reasonable adjustments for candidates taking exams. We will retain the supporting evidence only for a maximum of six months. We keep details of any access arrangements and reasonable adjustments, and brief details of the supporting evidence given, for compliance purposes indefinitely, but records are deleted if the candidate has not taken an exam for five years. Systems used to store supporting documents have restricted access.
We need to collect and use relevant information about young people so that they can enter exams and competitions, attend events, and sign up to some of our services. We consider a young person to be under 14 years old. If you are under 14 years old, please get your parent/guardian's permission before you provide any personal information to us.
Aggregate information is collected from users using our own web tracker. This information includes users' Internet Protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, platform type, date/time of visit, number of clicks, error pages and number of unique visits. This information is not linked to personal profiles or to personally identifiable information provided by users. We use it to analyse visitor trends and use of our website, administer the website and to gather broad demographic information of our website users.
We may provide your personal data to third parties who we engage to provide supplemental services such as caterers, schools, conference and course providers, referees, tutors and examiners. We may also share your information with our bank in order to process a payment; our professional advisers (such as our legal advisers) where it is necessary to obtain their advice; our IT support and data storage providers; mailing house; website administrator, and printers. We also share data with suppliers that provide key support to Online Theory. We are required to share personal data with the Department for Education and to share anonymised data with our regulators, Ofqual, CCEA and Qualifications Wales.
Payments in relation to exams are processed by Barclaycard, PayPal or Stripe.
Payments for events are processed by Eventbrite.
By completing the payment, you agree that these third parties may process your data in accordance with their Privacy Policies.
In accordance with the Payment Card Industries Data Security Standard (PCI DSS), ABRSM does not process, transmit or store credit card data. A truncated PAN (Primary Account Number) that consists of the first and last four digits of the card number is provided by the payment gateway provider for reporting and reconciliation purposes.
Aggregate information is collected from users using our own web tracker. This information includes users' Internet Protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, platform type, date/time of visit, number of clicks, error pages and number of unique visits. This information is not linked to personal profiles or to personally identifiable information provided by users. We use it to analyse visitor trends and use of our website, to administer the website, and to gather broad demographic information of our website users.
We take every precaution to protect our staff and customers’ information. ABRSM annually renews its National Cyber Security Centre’s Cyber Essentials Plus accreditation that validates our commitment to secure configuration and action against cyber security threats.
All exam entries for Grades 1 - 8 and Music Medals are made through our online booking portals. Paper entries forms are used for Choral Singing and Instrumental Ensembles. Diploma entries are submitted by PDF via a secure link.
Exam entries are stored on the ABRSM’s secure cloud database server in the UK and a copy of this data is transferred onto our UK-hosted Microsoft Dynamics 365 CRM system. All online information is held purely for the purpose of exam entries and is retained on this secure database server so that applicants can view their past entries.
When our online examination entry form asks users to enter sensitive information (such as credit card number and expiry date), that information is encrypted and is protected with industry-standard Secure Socket Layer (SSL) software. While on a secure page, such as our online portal(s) the lock icon on the bottom of web browsers such as Google Chrome, Microsoft Internet Explorer, Edge and Safari becomes locked, as opposed to un-locked, or open, when users are just ‘surfing.’
We use SSL encryption to protect sensitive information online and we also do everything in our power to protect user-information offline. Access by staff to personal information is restricted to only appropriate departments, minimising access privileges to certain individuals within them. All employees are provided with a unique username and password in order to gain access to this information. On premise, servers that store personally identifiable information are held in a secure environment and in a locked facility. Regular backups are made of this data, and these are securely stored off site and managed by Iron Mountain (http://www.ironmountain.co.uk/) who ensure rigorous protocols and logistics for delivery and retrieval of media to and from designated ABRSM IT staff.
If you no longer wish to receive communications about products and services from us, please contact [email protected]. You can also unsubscribe at any time to emails that we may send to you about the products and services that we think will be of interest to you.
You also have the right to:
- Request a copy of the information we hold about you.
- Tell us to change or correct your personal information if it is incomplete or inaccurate.
- Ask us to restrict our processing of your personal data or to delete your personal data if there is no compelling reason for us to continue using or holding this information (and, where our processing is based on your consent, you may withdraw that consent, without affecting the lawfulness of our processing based on consent before its withdrawal).
- Receive from us the personal information we hold about you which you have provided to us, in a reasonable format specified by you, including for the purpose of you sending that personal information to another data controller.
- Object, on grounds relating to your specific situation, to any of our particular processing activities where you feel this has a disproportionate impact on you.
We will retain your personal information in accordance with our Retention Policy which follows the principle of retaining information for only as long as is necessary. You can request a copy of the Retention Policy by contacting the Data Protection Lead, Rachael Casstles whose contact details are set out above.
For more information about international transfers of personal data (or to request a copy of the standard contractual clauses), you can contact our Data Protection Lead, Sue Cambridge, by emailing [email protected] or writing to Sue Cambridge, ABRSM, 4 London Wall Place, London, EC2Y 5AU.