Contents

• Data Protection and Privacy Policy

• Membership Terms and Conditions

• Platform Terms and Conditions

• Privacy Notice

---

Data Protection and Privacy Policy

Last updated: October 2025

TABLE OF CONTENTS

1. OVERVIEW
2. ABOUT THIS POLICY
3. DEFINITIONS
4. THE EXAMS OFFICE STAFF’S GENERAL OBLIGATIONS
5. DATA PROTECTION PRINCIPLES
6. LAWFUL USE OF PERSONAL DATA
7. TRANSPARENT PROCESSING – PRIVACY NOTICES
8. DATA QUALITY – ENSURING THE USE OF ACCURATE, UP TO DATE AND RELEVANT PERSONAL DATA
9. PERSONAL DATA MUST NOT BE KEPT FOR LONGER THAN NEEDED
10. DATA SECURITY
11. DATA BREACH
12. APPOINTING CONTRACTORS WHO ACCESS THE EXAMS OFFICE’S PERSONAL DATA
13. INDIVIDUALS’ RIGHTS
14. MARKETING AND CONSENT
15. AUTOMATED DECISION MAKING AND PROFILING
16. DATA PROTECTION IMPACT ASSESSMENTS (DPIA)
17. TRANSFERRING PERSONAL DATA TO A COUNTRY OUTSIDE THE EEA

1. OVERVIEW

The Exams Office considers the way it collects, manages and protects Personal Data an utmost priority. Protecting the confidentiality and integrity of its member centres’ Personal Data is a key responsibility for The Exams Office and its Staff.

As an organisation that collects, uses and stores Personal Data about its member exam centres, The Exams Office recognises that having controls around the collection, use, retention and destruction of Personal Data is important in order to comply with its obligations under Data Protection Laws and, in particular, its obligations under Article 5 of GDPR.

The Exams Office has implemented this Policy to ensure that all The Exams Office Staff are aware of what they must do to ensure the correct and lawful treatment of Personal Data.

The Exams Office Staff receive a copy of this Policy when they start and may receive periodic revisions of this Policy. This Policy does not form part of any member of The Exams Office Staff’s contract of employment and The Exams Office reserves the right to change this Policy at any time. All members of The Exams Office Staff are obliged to comply with this Policy at all times.

If you have any queries concerning this Policy, please contact our Data Protection Officer, who is responsible for ensuring The Exams Office’s compliance with this Policy.

2. ABOUT THIS POLICY

This Policy (and the other policies and documents referred to in it) sets out the basis on which The Exams Office will collect and use Personal Data either where The Exams Office collects it from individuals itself, or where it is provided to The Exams Office by third parties. It also sets out rules on how The Exams Office handles uses, transfers and stores Personal Data.

It applies to all Personal Data stored electronically, in paper form, or otherwise.

3. DEFINITIONS

3.1. The Exams Office – Registered Office: The Exams Office, 44 Holly Walk, Leamington Spa, CV32 4HY

3.2. The Exams Office Staff – Any The Exams Office employee, worker or contractor who accesses any of The Exams Office’s Personal Data and will include employees, consultants, contractors, and temporary Staff hired to work on behalf of The Exams Office.

3.3. Controller – Any entity (e.g. company, organisation or person) that makes its own decisions about how it is going to collect and use Personal Data.

3.4. Data Protection Laws – The General Data Protection Regulation (Regulation (EU) 2016/679) and all applicable laws relating to the collection and use of Personal Data and privacy and any applicable codes of practice issued by a regulator including in the UK, the Data Protection Act 2018.

3.5. Data Protection Officer – Our Data Protection Officer is Jugjit Chima, and can be contacted at: dataprotection@theexamsoffice.com

3.6. EEA – Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK.

3.7. ICO – the Information Commissioner’s Office, the UK’s data protection regulator.

3.8. Individuals – Living individuals who can be identified, directly or indirectly, from information that The Exams Office has. For example, an individual could be identified directly by name, or indirectly by gender, job role and office location if you can use this information to work out who they are. Individuals include employees, students, parents, visitors and potential students. Individuals also include partnerships and sole traders.

3.9. Personal Data – Any information about an Individual (see definition above) which identifies them or allows them to be identified in conjunction with other information that is held. It includes information of this type, even if used in a business context.

3.10. Processor – Any entity (e.g. company, organisation or person) which accesses or uses Personal Data on the instruction of a Controller. A Processor is a third party that processes Personal Data on behalf of a Controller. This is usually as a result of the outsourcing of a service by the Controller or the provision of services by the Processor which involve access to or use of Personal Data. Examples include: where software support for a system, which contains Personal Data, is provided by someone outside the business; cloud arrangements; and mail fulfilment services.

3.11. Special Categories of Personal Data – Personal Data that reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data (i.e. information about their inherited or acquired genetic characteristics), biometric data (i.e. information about their physical, physiological or behavioural characteristics such as facial images and fingerprints), physical or mental health, sexual life or sexual orientation and criminal record. Special Categories of Personal Data are subject to additional controls in comparison to ordinary Personal Data.

4. THE EXAMS OFFICE STAFF’S GENERAL OBLIGATIONS

4.1. All The Exams Office Staff must comply with this Policy.

4.2. The Exams Office Staff must ensure that they keep confidential all Personal Data that they collect, store, use and come into contact with during the performance of their duties.

4.3. The Exams Office Staff must not release or disclose any Personal Data:

4.3.1. outside The Exams Office; or

4.3.2. inside The Exams Office to The Exams Office Staff not authorised to access the Personal Data, without specific authorisation from their manager or the Data Protection Officer; this includes by phone calls or in emails.

4.4. The Exams Office Staff must take all steps to ensure there is no unauthorised access to Personal Data whether by other The Exams Office Staff who are not authorised to see such Personal Data or by people outside The Exams Office.

5. DATA PROTECTION PRINCIPLES

5.1. When using Personal Data, Data Protection Laws require that The Exams Office complies with the following principles. These principles require Personal Data to be:

5.1.1. processed lawfully, fairly and in a transparent manner;

5.1.2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

5.1.3. adequate, relevant and limited to what is necessary for the purposes for which it is being processed;

5.1.4. accurate and kept up to date, meaning that every reasonable step must be taken to ensure that Personal Data that is inaccurate is erased or rectified as soon as possible;

5.1.5. kept for no longer than is necessary for the purposes for which it is being processed; and

5.1.6. processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

5.2. These principles are considered in more detail in the remainder of this Policy.

5.3. In addition to complying with the above requirements The Exams Office also has to demonstrate in writing that it complies with them. The Exams Office has a number of policies and procedures in place, including this Policy and the documentation referred to in it, to ensure that The Exams Office can demonstrate its compliance.

6. LAWFUL USE OF PERSONAL DATA

6.1. In order to collect and/or use Personal Data lawfully The Exams Office needs to be able to show that its use meets one of a number of legal grounds. See also https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing.

6.2. In addition, when The Exams Office collects and/or uses Special Categories of Personal Data, The Exams Office has to show that one of a number of additional conditions is met. See also https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/special-category-data.

6.3. The Exams Office has carefully assessed how it uses Personal Data and how it complies with the obligations set out in paragraphs 6.1 and 6.2. If The Exams Office changes how The Exams Office uses Personal Data, it needs to update this record and may also need to notify Individuals about the change. If The Exams Office Staff therefore intend to change how they use Personal Data at any point they must notify the Data Protection Officer who will decide whether their intended use requires amendments to be made and any other controls which need to apply.

7. TRANSPARENT PROCESSING – PRIVACY NOTICES

7.1. Where The Exams Office collects Personal Data directly from Individuals, The Exams Office will inform them about how The Exams Office uses their Personal Data. This is in the Privacy Notice.

7.2. If The Exams Office receives Personal Data about an Individual from other sources, The Exams Office will provide the Individual with a privacy notice about how The Exams Office will use their Personal Data. This will be provided as soon as reasonably possible.

7.3. If The Exams Office changes how it uses Personal Data, The Exams Office may need to notify Individuals about the change. If The Exams OfficeStaff therefore intend to change how they use Personal Data please notify the Data Protection Officer who will decide whether The Exams Office Staff’s intended use requires amendments to be made to the privacy notices and any other controls which need to apply.

8. DATA QUALITY – ENSURING THE USE OF ACCURATE, UP TO DATE AND RELEVANT PERSONAL DATA

8.1. Data Protection Laws require that The Exams Office only collects and processes Personal Data to the extent that it is required for the specific purpose(s) notified to the Individual in a privacy notice (see paragraph 7 above) and as set out in The Exams Office’s record of how it uses Personal Data. The Exams Office is also required to ensure that the Personal Data The Exams Office holds is accurate and kept up to date.

8.2. All The Exams Office Staff that collect and record Personal Data shall ensure that the Personal Data is recorded accurately, is kept up to date and shall also ensure that they limit the collection and recording of Personal Data to that which is adequate, relevant and limited to what is necessary in relation to the purpose for which it is collected and used.

8.3. All The Exams Office Staff that obtain Personal Data from sources outside The Exams Office shall take reasonable steps to ensure that the Personal Data is recorded accurately, is up to date and limited to that which is adequate, relevant and limited to what is necessary in relation to the purpose for which it is collected and used. This does not require The Exams Office Staff to independently check the Personal Data obtained.

8.4. In order to maintain the quality of Personal Data, all The Exams Office Staff that access Personal Data shall ensure that they review, maintain and update it to ensure that it remains accurate, up to date, adequate, relevant and limited to what is necessary in relation to the purpose for which it is collected and used. Please note that this does not apply to Personal Data which The Exams Office must keep in its original form (e.g. for legal reasons or that which is relevant to an investigation). .

8.5. The Exams Office recognises the importance of ensuring that Personal Data is amended, rectified, erased or its use restricted where this is appropriate under Data Protection Laws. The Exams Office has a Rights of Individuals Policy and a Rights of Individuals Procedure which set out how The Exams Office responds to requests relating to these issues. Any request from an individual for the amendment, rectification, erasure or restriction of the use of their Personal Data should be dealt with in accordance with those documents.

9. PERSONAL DATA MUST NOT BE KEPT FOR LONGER THAN NEEDED

9.1. Data Protection Laws require that The Exams Office does not keep Personal Data longer than is necessary for the purpose or purposes for which The Exams Office collected it.

9.2. The Exams Office has assessed the types of Personal Data that it holds and the purposes it uses it for and has set retention periods for the different types of Personal Data processed by The Exams Office, the reasons for those retention periods and how The Exams Office securely deletes Personal Data at the end of those periods. These are set out in the Data Retention Policy.

9.3. If The Exams Office Staff feel that a particular item of Personal Data needs to be kept for more or less time than the retention period set out in the Data Retention Policy, for example because there is a requirement of law, or if The Exams Office Staff have any questions about this Policy or The Exams Office’s Personal Data retention practices, they should contact the Data Protection Officer for guidance.

10. DATA SECURITY

The Exams Office takes information security very seriously and The Exams Office has security measures against unlawful or unauthorised processing of Personal Data and against the accidental loss of, or damage to, Personal Data. The Exams Office has in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction.

11. DATA BREACH

11.1. Whilst The Exams Office takes information security very seriously, unfortunately, in today’s environment, it is possible that a security breach could happen which may result in the unauthorised loss of, access to, deletion of or alteration of Personal Data. If this happens there will be a Personal Data breach and The Exams Office Staff must comply with The Exams Office’s Data Breach Notification Policy. Please see paragraphs 11.2 and 11.3 for examples of what can be a Personal Data breach. Please familiarise yourself with it as it contains important obligations which The Exams Office Staff need to comply with in the event of Personal Data breaches.

11.2. Personal Data breach is defined very broadly and is effectively any failure to keep Personal Data secure, which leads to the accidental or unlawful loss (including loss of access to), destruction, alteration or unauthorised disclosure of Personal Data. Whilst most Personal Data breaches happen as a result of action taken by a third party, they can also occur as a result of something someone internal does.

11.3. There are three main types of Personal Data breach which are as follows:

11.3.1. Confidentiality breach- where there is an unauthorised or accidental disclosure of, or access to, Personal Data e.g. hacking, accessing internal systems that a The Exams Office Staff member is not authorised to access, accessing Personal Data stored on a lost laptop, phone or other device, people gaining access to Personal Data they have no right to access, putting the wrong letter in the wrong envelope, sending an email to the wrong student, or disclosing information over the phone to the wrong person;

11.3.2. Availability breach- where there is an accidental or unauthorised loss of access to, or destruction of, Personal Data e.g. loss of a memory stick, laptop or device, denial of service attack, infection of systems by ransom ware, deleting Personal Data in error, loss of access to Personal Data stored on systems, inability to restore access to Personal Data from back up, or loss of an encryption key; and

11.3.3. Integrity breach- where there is an unauthorised or accidental alteration of Personal Data.

12. APPOINTING CONTRACTORS WHO ACCESS THE EXAMS OFFICE’S PERSONAL DATA

12.1. If The Exams Office appoints a contractor who is a Processor of The Exams Office’s Personal Data, Data Protection Laws require that The Exams Office only appoints them where The Exams Office has carried out sufficient due diligence and only where The Exams Office has appropriate contracts in place.

12.2. One requirement of GDPR is that a Controller must only use Processors who meet the requirements of the GDPR and protect the rights of individuals. This means that data protection due diligence should be undertaken on both new and existing suppliers. Once a Processor is appointed they should be audited periodically to ensure that they are meeting the requirements of their contract in relation to Data Protection.

12.3. Any contract where an organisation appoints a Processor must be in writing.

12.4. You are considered as having appointed a Processor where you engage someone to perform a service for you and as part of it they may get access to your Personal Data. Where you appoint a Processor you, as Controller remain responsible for what happens to the Personal Data.

12.5. GDPR requires the contract with a Processor to contain the following obligations as a minimum:

12.5.1. to only act on the written instructions of the Controller;

12.5.2. to not export Personal Data without the Controller’s instruction;

12.5.3. to ensure Staff are subject to confidentiality obligations;

12.5.4. to take appropriate security measures;

12.5.5. to only engage sub-processors with the prior consent (specific or general) of the Controller and under a written contract;

12.5.6. to keep the Personal Data secure and assist the Controller to do so;

12.5.7. to assist with the notification of Data Breaches and Data Protection Impact Assessments;

12.5.8. to assist with subject access/individuals rights;

12.5.9. to delete/return all Personal Data as requested at the end of the contract;

12.5.10. to submit to audits and provide information about the processing; and

12.5.11. to tell the Controller if any instruction is in breach of the GDPR or other EU or member state data protection law.

12.6. In addition the contract should set out:

12.6.1. The subject-matter and duration of the processing;

12.6.2. the nature and purpose of the processing;

12.6.3. the type of Personal Data and categories of individuals; and

12.6.4. the obligations and rights of the Controller.

13. INDIVIDUALS’ RIGHTS

13.1. GDPR gives individuals more control about how their data is collected and stored and what is done with it. Some existing rights of individuals have been expanded upon and some new rights have been introduced. It is extremely important that The Exams Office plan how they will handle these requests under GDPR.

13.2. The different types of rights of individuals are reflected in this paragraph.

13.3. Subject Access Requests

13.3.1. Individuals have the right under the GDPR to ask The Exams Office to confirm what Personal Data they hold in relation to them and provide them with the data. This is not a new right but additional information has to be provided and the timescale for providing it has been reduced from 40 days to one month (with a possible extension if it is a complex request). In addition, you will no longer be able to charge a fee for complying with the request.

13.3.2. Subject Access Requests are becoming more and more common and are often made in the context of a dispute which means that it is crucial that they are handled appropriately to avoid a complaint being made to the ICO.

13.4. Right of Erasure (Right to be Forgotten)

13.4.1. This is a limited right for individuals to request the erasure of Personal Data concerning them where:

13.4.1.1. the use of the Personal Data is no longer necessary;
13.4.1.2. their consent is withdrawn and there is no other legal ground for the processing;
13.4.1.3. the individual objects to the processing and there are no overriding legitimate grounds for the processing;
13.4.1.4. the Personal Data has been unlawfully processed; and
13.4.1.5. the Personal Data must be erased for compliance with a legal obligation.

13.4.2. In a marketing context, where Personal Data is collected and processed for direct marketing purposes, the individual has a right to object to processing at any time. Where the individual objects, the Personal Data must not be processed for such purposes.

13.5. Right of Data Portability

13.5.1. An individual has the right to request that data concerning them is provided to them in a structured, commonly used and machine readable format where:

13.5.1.1. the processing is based on consent or on a contract; and
13.5.1.2. the processing is carried out by automated means

13.5.2. This right is not the same as subject access and is intended to give individuals a subset of their data.

13.6. The Right of Rectification and Restriction

13.6.1. Finally, individuals are also given the right to request that any Personal Data is rectified if inaccurate and to have use of their Personal Data restricted to particular purposes in certain circumstances.

13.7. The Exams Office will use all Personal Data in accordance with the rights given to Individuals’ under Data Protection Laws, and will ensure that it allows Individuals to exercise their rights in accordance with The Exams Office’s Rights of Individuals Policy and Rights of Individuals Procedure. Please familiarise yourself with these documents as they contain important obligations which The Exams OfficeStaff need to comply with in relation to the rights of Individuals over their Personal Data.

14. MARKETING AND CONSENT

14.1. The Exams Office will sometimes contact Individuals to send them marketing or to promote The Exams Office. Where The Exams Office carries out any marketing, Data Protection Laws require that this is only done in a legally compliant manner.

14.2. Marketing consists of any advertising or marketing communication that is directed to particular individuals. GDPR will bring about a number of important changes for organisations that market to individuals, including:

14.2.1. providing more detail in their privacy notices, including for example whether profiling takes place; and
14.2.2. rules on obtaining consent will be stricter and will require an individual’s “clear affirmative action”. The ICO like consent to be used in a marketing context.

14.3. The Exams Office also need to be aware of the Privacy and Electronic Communications Regulations (PECR) that sit alongside data protection. PECR apply to direct marketing i.e. a communication directed to particular individuals and covers any advertising/marketing material. It applies to electronic communication i.e. calls, emails, texts, faxes. PECR rules apply even if you are not processing any personal data

14.4. Consent is central to electronic marketing. We would recommend that best practice is to provide an un-ticked opt-in box.

14.5. Alternatively, The Exams Office may be able to market using a “soft opt in” if the following conditions were met:

14.5.1. contact details have been obtained in the course of a sale (or negotiations for a sale);

14.5.2. The Exams Office is marketing its own similar services; and

14.5.3. The Exams Office gives the individual a simple opportunity to refuse to opt out of the marketing, both when first collecting the details and in every message after that.

15. AUTOMATED DECISION MAKING AND PROFILING

15.1. Under Data Protection Laws there are controls around profiling and automated decision making in relation to Individuals. Automated Decision Making happens where The Exams Office makes a decision about an Individual solely by automated means without any human involvement and the decision has legal or other significant effects; and Profiling happens where The Exams Office automatically uses Personal Data to evaluate certain things about an Individual.

15.2. Any Automated Decision Making or Profiling which The Exams Office carries out can only be done once The Exams Office is confident that it is complying with Data Protection Laws. If The Exams Office Staff therefore wish to carry out any Automated Decision Making or Profiling The Exams Office Staff must inform the Data Protection Officer.

15.3. The Exams Office Staff must not carry out Automated Decision Making or Profiling without the approval of the Data Protection Officer.

15.4. The Exams Office does not carry out Automated Decision Making or Profiling in relation to its employees.

16. DATA PROTECTION IMPACT ASSESSMENTS

16.1. The GDPR introduce a new requirement to carry out a risk assessment in relation to the use of Personal Data for a new service, product or process. This must be done prior to the processing via a Data Protection Impact Assessment (“DPIA”). A DPIA should be started as early as practical in the design of processing operations. A DPIA is not a prohibition on using Personal Data but is an assessment of issues affecting Personal Data which need to be considered before a new product/service/process is rolled out. The process is designed to:

16.1.1. describe the collection and use of Personal Data;

16.1.2. assess its necessity and its proportionality in relation to the purposes;

16.1.3. assess the risks to the rights and freedoms of individuals; and

16.1.4. the measures to address the risks.

16.2. A DPIA must be completed where the use of Personal Data is likely to result in a high risk to the rights and freedoms of individuals. The ICO’s standard DPIA template is available from www.ico.org.uk.

16.3. Where a DPIA reveals risks which are not appropriately mitigated the ICO must be consulted.

16.4. Where The Exams Office is launching or proposing to adopt a new process, product or service which involves Personal Data, The Exams Office needs to consider whether it needs to carry out a DPIA as part of the project initiation process. The Exams Office needs to carry out a DPIA at an early stage in the process so that The Exams Office can identify and fix problems with its proposed new process, product or service at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur.

16.5. Situations where The Exams Office may have to carry out a Data Protection Impact Assessment include the following (please note that this list is not exhaustive):

16.5.1. large scale and systematic use of Personal Data for the purposes of Automated Decision Making or Profiling (see definitions above) where legal or similarly significant decisions are made;

16.5.2. large scale use of Special Categories of Personal Data, or Personal Data relating to criminal convictions and offences e.g. the use of high volumes of health data; or

16.5.3. systematic monitoring of public areas on a large scale e.g. CCTV cameras.

16.6. All DPIAs must be reviewed and approved by the Data Protection Officer.

17. TRANSFERRING PERSONAL DATA TO A COUNTRY OUTSIDE THE EEA

17.1. Data Protection Laws impose strict controls on Personal Data being transferred outside the EEA. Transfer includes sending Personal Data outside the EEA but also includes storage of Personal Data or access to it outside the EEA. It needs to be thought about whenever The Exams Office appoints a supplier outside the EEA or The Exams Office appoints a supplier with group companies outside the EEA which may give access to the Personal Data to Staff outside the EEA.

17.2. So that The Exams Office can ensure it is compliant with Data Protection Laws The Exams Office Staff must not export Personal Data unless it has been approved by the Data Protection Officer.

17.3. The Exams Office Staff must not export any Personal Data outside the EEA without the approval of the Data Protection Officer.

---

Membership Terms and Conditions

See https://www.theexamsoffice.org/iump-tos-page/.

---

Platform Terms and Conditions

Last updated: October 2025

These Terms and Conditions explain The Exams Office’s terms of use for its platforms and any white-labelled equivalents, hereinafter referred to as “the Platforms”. You must agree to the Terms and Conditions to use the Platforms and their supporting resources.

The Platforms include, but are not limited to: The Exams Office Hub.

Who we are

The Exams Office is the trading name for The Exams Office Limited which is a registered UK company. Company Registration Number: 7293792

Using the Platforms

You agree to use the Platforms only for purposes as listed below and detailed in these Terms and Conditions.

By using, you are confirming:

• that the centre which allowed you to log in to the Platforms acquired your prior permission to use your details to create your user account
• you understand that any certificate you achieve belongs to the issuing centre
• you understand that it is at the discretion of the issuing centre whether a copy of any certificate you achieve is issued to you (or shared with another centre you may work with)
• the Platforms, their supporting resources and all intellectual property contained within cannot be used for commercial gain.

Legal action will be taken against any centre/anyone who uses the Platforms and/or its content for commercial gain.

The Platforms will be updated on an annual basis in line with the Joint Council for Qualifications (JCQ) regulation changes. However, we may change or remove content at any time without notice.

The content is subject to copyright – either from The Exams Office or the Joint Council for Qualifications (JCQ).

The invigilator training videos, training materials and user guides are also subject to copyright and must not be used outside the Platforms without the prior permission of The Exams Office.

Contact us if you want to reproduce a piece of content but are not sure if it’s covered by copyright.

We do not give any guarantees, conditions or warranties about the accuracy or completeness of any content. We’re not liable for any loss or damage that may come from your use of these products.

Disclaimer

While we make every effort to keep the Platforms content up to date, we do not provide any guarantees, conditions or warranties that the information will be:

• current
• secure
• accurate
• complete
• free from bugs or viruses

You should get professional or specialist advice before doing anything on the basis of the content within.

We are not liable for any loss or damage that may come from using the Platforms. This includes:

• any direct, indirect or consequential losses
• any loss or damage caused by civil wrongs (‘tort’, including negligence), breach of contract or otherwise
• the use of the content and any websites that are linked to or from it
• the inability to access the platform and/or use content and any websites that are linked to or from it

This applies if the loss or damage was foreseeable, arose in the normal course of things or you advised us that it might happen.

This includes (but is not limited to) the loss of your:

• income or revenue
• salary, benefits or other payments
• business
• profits or contracts
• opportunity
• anticipated savings
• data
• goodwill or reputation
• tangible property
• intangible property, including loss, corruption or damage to data or any computer system
• wasted management or office time

Requests to remove content

Contact us to ask for content to be removed. You’ll need to explain why you think it should be removed. We’ll reply to let you know whether we’ll remove it.

We remove content at our discretion in discussion with the Joint Council for Qualifications (JCQ) and its awarding bodies. You can still request information under the Freedom of Information Act and the Data Protection Act.

Information about you and your visits to the Platforms

We collect information about you in accordance with the guidelines on this page. By using the Platforms you agree to us collecting this information and confirm that any data you provide is accurate.

Virus protection

We make every effort to check and test all content in the Platforms for viruses at every stage of production. You must make sure that the way you use the Platforms does not expose you to the risk of viruses, malicious computer code or other forms of interference which can damage your computer system.

We’re not responsible for any loss, disruption or damage to your data or computer system that might happen when you use the Platforms.

Viruses, hacking and other offences

When using the Platforms, you must not introduce viruses, trojans, worms, logic bombs or any other material that’s malicious or technologically harmful.

You must not try to gain unauthorised access to the Platforms, the server on which it’s stored or any server, computer or database connected to it.

You must not attack the Platforms, and/or its content, in any way. This includes denial-of-service attacks.

We’ll report any attacks or attempts to gain unauthorised access to the relevant law enforcement authorities and share information about you with them.

Governing law

These Terms and Conditions are governed by and construed in accordance with the laws of England and Wales.

Any dispute you have which relates to these Terms and Conditions, or your use of the Platforms (whether it be contractual or non-contractual), will be subject to the exclusive jurisdiction of the courts of England and Wales.

General

We’re not liable if we fail to comply with these Terms and Conditions because of circumstances beyond our reasonable control.

We might decide not to exercise or enforce any right available to us under these Terms and Conditions. We can always decide to exercise or enforce that right at a later date.

Doing this once will not mean we automatically waive the right on any other occasion.

If any of these Terms and Conditions are held to be invalid, unenforceable or illegal for any reason, the remaining Terms and Conditions will still apply.

Changes to these Terms and Conditions

Please check these Terms and Conditions regularly. We can update them at any time without notice.

You’ll agree to any changes if you continue to access and use the Platforms after the Terms and Conditions have been updated.

---

Privacy Notice

Last updated: October 2025

The Exams Office and its associated brands, companies and trading names (“us”, “we” or “our”) are committed to respecting your privacy and to complying with all applicable data protection and privacy laws.

If you, or anyone on your behalf, submits personal information to us for any reason, for example, but not limited to, those outlined below you can be assured that we will use your personal information only for the reason you supplied it to us and to support your continuing relationship with our businesses as outlined here.

We have provided this Notice to help you understand how we collect, use and protect your information when you, or your representative, submit this to us and for the duration of the time you continue to use our products and services.

We wish to help you make informed decisions, so please take a few moments to read the sections below and learn how we may use your personal information.

Our contact details

Name: Jugjit Chima
Address: The Exams Office, 44 Holly Walk, Leamington Spa, CV32 4HY
Phone Number: 0333 7000 755
Email: dataprotection@theexamsoffice.com

The type of personal information we collect

We only collect and use your personal information with your knowledge and consent and typically when you, or your representative:

• Order and/or subsequently use our products and services
• Make general enquiries
• Register for information
• Request product or service details
• Submit online applications for any reason (e.g. job applications)
• When you respond to communications from us (such as questionnaires or surveys),
• Attend our training events or annual conferences
• Or, in any way requiring us to do so to serve you as a paid member of any of our membership businesses

The type of personal information we collect is kept to the absolute minimum for us to communicate and supply you with the information or services for which you allowed us your details.

We typically only collect your name, email, and professional telephone number as personal identifiable fields but it may be that we also need to capture further details such as, but not limited to:

• Educational establishment details, including, postal address, telephone number, email address
• and other key contact information to help us communicate with you or your representatives or organisation(s)

Any interactions with us, and our group of businesses, will always make clear the information we are collecting and the reason for which you, or your representatives, are being asked to submit this to us.

We understand that much of the data for which we are entrusted has a cross-over with personal and professional contact information, so we treat any, and all, data captured in the same way: as personally identifiable data.

If you, or your representative, choose to provide us with information it will only be used in support of the intended purposes stated at the time at which it was collected.

Non-personal identifying information

We may also, on occasion, collect non-personally identifying information about your interaction with our online access areas using digital cookies.

Some of this information is required for the functioning of the online elements of our business and these must be allowed to access the requested online service(s).

Other information may include the pages you browse, and products and services requested but, where possible, we keep non-essential data to an absolute minimum and entirely optional.

We may also use cookies to enhance your browsing experience and allow our website to function.

How we get the personal information and why we have it

We only use your information for the purpose in which you gave it to us which will be clear at the time this is supplied.

We never share your personal data with any third-party organisation(s) without your express permission.

Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:

• Your consent. You can remove your consent at any time. You can do this by contacting us at dataprotection@theexamsoffice.com or via the contact details outlined in this Notice
• We have a contractual obligation
• We have a legal obligation
• We have a vital interest
• We need it to perform a public task
• We have a legitimate interest

How we store your personal information

We recognise that it is important to protect personal information from misuse and abuse and about data privacy in general. We are constantly reviewing and enhancing our technical, physical, managerial, working procedures and rules to protect all personal data and keep it safe from unauthorised access, accidental loss and/or destruction.

We use industry standard practices throughout the business and secure encryption of data in transit and storage where possible and applicable. For example, all access to Platforms is covered by secure, encrypted connections.

Please be aware that communications over the Internet, especially as emails, are not always secure unless they have been encrypted in the way all our online communication channels are. Encryption to the point of data leaving your control is your responsibility and we can only accept responsibility for your data once it is in our control and is received by our secure channels (secure website access and secure email data for example).

We do not accept responsibility for any unauthorised access or loss of personal information at a point that is external to our business or systems and beyond our control, for example unencrypted emails sent or received by local devices before or after data has entered or left our secure network connections (unprotected Wi-Fi channels or potentially insecure email connections).

How long we keep your information for

To make sure we meet our legal data protection and privacy obligations, we only hold on to your information for as long as we need it for the purposes we acquired it, which will be/was made clear at the time this is/was submitted.

In most cases, this means we will keep your information for as long as you are an active member of one of our businesses and/or continue to use our services, and for a reasonable period afterwards.

When no longer required we delete all personal data, other than where we lawfully need to keep this (for example, seven years for accounting records and VAT reporting). This is all subject to an individual’s right to unsubscribe or be forgotten at any time.

Your data protection rights

Under data protection law, you have rights including:

• Your right of access – You have the right to ask us for copies of your personal information
• Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete
• Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances
• Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances
• Your right to object to processing – You have the the right to object to the processing of your personal information in certain circumstances
• Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you as outlined below.

Access to your information

You can write to us at any time to obtain details of the personal information we may hold about you, request amendments or remove data where we have no legal or contractual obligation to store such information.

Please write to, via recorded delivery: Data Protection Officer, The Exams Office, 44 Holly Walk, Leamington Spa, CV32 4HY or email dataprotection@theexamsoffice.com ensuring you receive a receipt of acknowledgement.

Please quote your full name and address together with a preferred contact method (e.g. telephone number or email).

With proof of delivery or acknowledgment of receipt we will respond to any requests no later than we are legally required to do so: This is the nearest subsequent business day on the equivalent date of the day after receiving the initial enquiry in the following Calender month or, where there isn’t such a date, the nearest subsequent business day according to the last day of the following month.

Any changes or deletions will also be handled within the same timescale of receiving and acknowledging the request.

This is usually within 28 days of receiving proof of delivery or acknowledgment of receipt of the initial request.

We will take all reasonable steps to confirm your identity before acting upon any reasonable request as outlined above.

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at:
The Exams Office, 44 Holly Walk, Leamington Spa, CV32 4HY or email dataprotection@theexamsoffice.com.

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address is: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk/

Privacy support

We reserve the right to amend or modify this Notice at any time and in response to changes in applicable data protection and privacy legislation.

If we decide to change our Privacy Notice, we will post the changes on our website, so you know what information we collect and how we use it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will tell you. You will always have a choice as to whether we are able to use your information in this new manner.

Further information

See our full Data Protection and Privacy Policy.