Fair processing notice: Students

Last updated: 16 February 2024

The data we collect about you

  • Your name and contact details
  • Personal details like your name, date of birth and, gender
  • Sensitive personal details such as ethnic background and any disabilities 
  • Employment details like your organisation name and job title
  • Details of your membership with us and other awarding bodies, such as your AAT membership ID and membership status
  • Your education information, such as qualification records, level of education, association with a training provider, Unique Learner Number/Scottish Candidate Number, and English language ability
  • Payment information, including your bank, card or direct debit details
  • Certain health information you may disclose in respect of your personal circumstances, such as details of disabilities/learning difficulties requiring reasonable adjustments for assessments
  • Basic student records covering your address history, member number, membership statuses and dates of initial registration, election and all status changes, qualification, work experience history, membership of other awarding bodies and practice management
  • Any other relevant personal information contained in your application forms, supporting documents uploaded (such as your photo ID) with your application, or that you may provide to us with consent (eg responses to surveys and personal stories for marketing material).

You can view and update most of your personal details at any time in the Edit my details service. For a change of name please contact our customer services team providing a copy of your marriage certificate or deed poll certificate, along with your membership number to customersupport@aat.org.uk.

What we do with your data and on what grounds

We can only process your personal data if we have a basis to do so which is permitted by law. This may be that you have given your consent, or it may be one of the other lawful bases for data processing. These comprise situations where it is necessary:

  • for our performance of a contract with you. We process your personal data where it’s necessary in order to fulfil a contract with you or to take steps, at your request, before entering into such a contract
  • for our legitimate interests. We process your personal data as and when necessary to do so in order to conduct and manage our business to provide you with the best service and experience. We make sure we consider and balance any potential impact on you and your rights before we process your personal data for our legitimate interests. We don’t use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law)
  • to meet our legal obligations. We process your personal data where it’s necessary for compliance with legal or regulatory obligations.
Purpose/activityLawful basis for processing including basis of legitimate interest
Managing our online e-learning resource provision and Continuing Professional Development (CPD) record service through the AAT Lifelong Learning Portal
  • Performance of a contract with you
Assessment delivery and support, including to fulfil our legal obligations to ensure appropriate levels of assessment support for students who require reasonable adjustments or special consideration due to specific impairments
  • Performance of a contract with you
  • Compliance with our legal obligations
  • Your consent (in respect of sensitive personal data)
To inform you and your employers of your assessment results on AAT qualifications (where your studies are funded by your employer)
  • Legitimate interests (for running our business)
  • Performance of a contract with you

Customer support in relation to your application and membership, including:

  • addressing enquiries and resolving issues
  • enabling access to third-party services made available as a benefit of membership
  • Performance of a contract with you
  • Supporting activities performed under your consent and in the substantial public interest (in respect of sensitive personal data)
Monitoring equality and accessibility to AAT courses and qualifications with regard to gender, ethnicity, and disability status
  • Your explicit consent
Granting assistance, to offer support to students and members experiencing financial hardship
  • Performance of a contract with you
  • Your consent (in respect of sensitive personal data)

Managing payment, including:

  • processing invoices and payments, including card and direct debit payments
  • enabling employers and training providers to pay students' fees
  • Performance of a contract with you
  • Legitimate interests (recovering sums owed to us)
To make important communications relevant to your membership
  • Legitimate interests (for running our business)
  • Performance of a contract with you

Marketing and promotional communications, including to:

  • have a bank of case studies available to contact for inclusion in marketing and promotional material
  • market to existing students via social media
  • market to existing students on behalf of third parties
  • invite people to participate in surveys, research interviews, and focus groups to provide feedback about an AAT product or service, and process feedback received, and follow up with responses if appropriate. Research conducted by AAT and/or a chosen third party
  • communicate third-party campaigns to AAT members
  • communicate non-essential information and send relevant promotional information
  • Your consent (if received)
  • Legitimate interests (to improve our business offerings)
Administering free prize draws and competitions. You can email aat.research@aat.org.uk to opt out at any time
  • Our legitimate interest to incentivise participation in surveys, interviews and focus groups

To meet our legal obligations, including:

  • data management, including to assess and maintain the quality of data stored, and deal with returned mail and bounced emails, whilst performing analysis on the completeness and correctness of data
  • to meet our regulatory reporting obligations
  • To meet our legal obligations
  • Supporting activities performed under your consent and the substantial public interest (in respect of sensitive personal data)

Managing your student registration and membership applications, including to:

  • register, reinstate and renew membership and to ensure data held is up to date and accurate
  • send essential communications about renewals, lapses and direct debit collections
  • enable training providers to renew their students’ memberships
  • produce your statement of achievement
  • collect and manage your annual declarations
  • verify your work experience credentials

Performance of a contract with you

 

Product development and quality control, including to:

  • recruit end users to test the website and other services
  • maintain internal quality levels by conducting call, email and CRM audits
  • identify trends and gather insight relating to AAT products and services
  • monitor engagement with third party services
  • pre-test exams to develop suitable assessments
  • ensure that an appropriate level of quality and consistency is provided by training providers, and maintained throughout assessments and marking, and that qualifications are fair and accessible to a diverse range of students
  • Legitimate interests (to improve our business offerings)
  • Supporting activities performed in the substantial public interest (in respect of sensitive personal data)
  • Necessary to meet our legal obligations
IT system administration, to administer internal systems including maintaining access rights, troubleshooting issues and maintaining databases and backups
  • Performance of a contract with you
  • Legitimate interests (for running our business)
To report Advanced (Level 3) achievement data to UCAS in order for students to claim credit/exemptions as part of their university studiesYour consent (if received)
Archiving your collected data to support assessment queries, professional standards investigations and general customer queries
  • Performance of a contract with you
  • To meet our legal obligations

Automated decision making

We do not currently, and do not envisage, that any decisions will be taken about you using solely automated means, however, we will notify you in writing if this position changes.

Who we share your personal data with

  • Our third-party service providers of payment, user testing, IT, career management consultancy, benefits and rewards and mailing services
  • The public, in relation to information regarding any disciplinary outcomes (which may include your name, membership number, alleged misconduct and sanctions)
  • AAT Employer Scheme members, to provide your assessment results
  • Training providers, to support you in managing your membership and studies
  • External verifiers, for assessment quality management
  • Journalists and magazine publishers, for marketing case studies
  • Our pages on social media platforms, such as Facebook, Twitter and LinkedIn
  • UCAS, if you wish to claim credit/exemptions as part of your university studies
  • Supervisory/regulatory bodies, law enforcement and independent investigators relating to disciplinary investigations, complaints and regulatory reporting requirements (including the Financial Conduct Authority, Department for Education, and qualifications regulators). 
  • Relevant qualifications regulators, as applicable to your location, for example, the Office of Qualifications and Examinations Regulation (Ofqual - England), the Scottish Qualifications and Examinations Authority (SQA), Qualifications Wales, Council for the Curriculum, Examinations & Assessment (CCEA - Ireland) or Botswana Qualifications Authority. 
  • If you are based in England, Wales or Northern Ireland, some of the information provided as part of your registration will be used by the Education and Skills Funding Agency to fulfil its statutory functions, issue and/or verify your Unique Learner Number (ULN) and update and/or check your Personal Learning Record. The Education and Skills Funding Agency may share your ULN and Personal Learning Record with other education related organisations, such as the careers service, school, college, university, Government Departments and public bodies responsible for funding your education. Further details of how qualification data is processed and shared can be found at LRS: Privacy notice.
  • Your assessment results details will be stored on our Centre assessment results and Centre statements of achievements services, which will be available to view by your current and any previous training providers.

Our use of data processors 

We use a third-party supplier of an IT system (Jotform) to compete student, licensed, and member applications. This system is hosted in Europe. 

We use a third-party supplier of a Customer Relationship Management (CRM) IT system, hosted within the UK by our IT service provider. We also use a second CRM system, Hubspot hosted in Europe. 

We also use Microsoft Office 365 to process email and for file storage, hosted within the EU, and a third-party email archive system hosted within the UK. 

We also use a third party service provider of our e-learning platform hosted in the UK and Europe.

Where a third-party data processor is used, we ensure that they operate under contractual restrictions with regard to confidentiality and security, in addition to their obligations under data protection legislation. This means that they cannot do anything with your personal data unless we have instructed them to do it. They will not share your personal data with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

Where we get your data from

Other than directly from you, we may also receive personal data from the following third-party sources:

  • training providers
  • employers
  • markers and our computer based assessment marking software
  • publicly available sources, such as returned post
  • our payment providers, such as BACS
  • our third-party service providers of IT, career management consultancy and benefits and rewards services.

How long we keep your data

  • Your basic student records, such as name, address history, membership statuses, work experience history and other awarding bodies and practice management details will be retained for 70 years from the end of your membership to support other required reporting and professional queries
  • If you’ve undertaken any AAT assessments, information on these will be retained for 70 years from the date of assessment as will information on qualifications awarded
  • if you’ve submitted any medical evidence to support Reasonable Adjustment and Special Consideration requests, this will be retained for 7 years from the end of the adjustment period
  • Direct Debit instructions will be retained for two years from the date your direct debit is cancelled
  • Correspondence such as email is retained for a maximum of 3 years
  • Your communication preferences will be retained for two years after the end of your membership
  • Credit card details will be managed in line with the Payment Card Industry Data Security Standard (PCI DSS). We do not store or retain any credit card data and use third party payment provider services to process card payments.

Transferring your data overseas

We transfer your data to the European Economic Area (EEA), as detailed above with regards to data processors. These transfers are based on the UK adequacy decision with regard to EEA countries.

Related content