Privacy Policy
Overview
PSI Services (UK) Limited, PSI Services LLC, and its US subsidiary, PSI Solutions LLC (collectively “PSI”, “us”, “we”, “our”) recognize that many of their customers, exam candidates, and PSI website (the “Site”) users value their privacy. As a result, PSI works to protect personal information collected through its business or generated through the Site, and maintained in PSI’s business files, records, databases, or the Site.
This Privacy Policy (the “Policy”) is aimed at informing such candidates as well as our Clients, contractors, partners, and users of our Site (collectively, “you”, “your”) as to how PSI collects, uses, shares, and otherwise processes information from our Clients, partners, candidates, and users of the PSI website (the “Site”) including any personal information or other information from which we can identify you (“Personal Data”) when you visit our Site or assessment platforms. This Policy applies in all regions across the globe in which PSI operates and covers the Personal Data of candidates, Clients, contractors, partners, and users of our Site.
PSI Privacy Policy
Welcome to PSI’s Privacy Policy.
Please read this Privacy Policy. PSI provides assessment and talent management solutions (“Services”) and products to private and public sector organizations (“Clients”). PSI has acquired leading testing technology and workforce assessment companies around the globe that now operate under the PSI brand.
PSI takes its obligation to protect your privacy and personal information very seriously. PSI provides services to Clients pursuant to a legally binding contract between the parties. Clients use our Services to administer assessments to candidates and anyone else that Clients may instruct us to assess for their own business purposes. This Privacy Policy (the “Policy”) is aimed at informing you as to how PSI collects, uses, shares, and otherwise processes information from our Clients, partners, candidates and users of the PSI website including any personal information or other information from which we can identify you (“Personal Data”) when you visit our Site or assessment platforms. This Policy applies in all regions across the globe in which PSI operates and covers the Personal Data of candidates, Clients, contractors, partners, and users of our Site.
Please note that this Privacy Policy applies to PSI’s data processing activities generally throughout the provision of our Services and products to candidates, Clients, and users of the PSI website. PSI provides a variety of Services across the globe. As such, certain sections of this Privacy Policy may not apply to you. For example, certain sections refer to data processing in relation to a category of data subjects, such as candidates, therefore that section shall only apply to candidates.
By visiting our Site, or using any of our Services and products, you agree that your Personal Data will be handled as described in this Policy unless agreed upon otherwise in your contract with PSI. If you do not agree to the terms in this Policy, you must not use our Sites. Your use of our Site or Services and products, and any dispute over privacy, is subject to this Policy and our Terms of Use and Terms & Conditions (as applicable), including applicable limitations on damages and the resolution of disputes or any service-specific terms made available to you when you sign up for the Services and products. Our Terms of Service are incorporated by reference into this Policy. If you have any questions or complaints in relation to this Policy, you may contact our Data Protection Officer here.
Information We Collect
Based on the Services provided, we may process the following categories of Personal Data about you as necessary to provide such Services. You can obtain details of the specific categories of information collected by contacting us. Please refer to the Your Legal Rights section below.
For candidates:
We collect Personal Data from candidates for the purposes of administering an assessment if instructed by and on behalf of Clients. The information we collect is generally categorized as follows:
Minimum Personal Data. The following information is the minimum information required to take an assessment and generally use our Services. All Minimum Personal Data is collected regardless of the assessment type taken by a candidate:
- Contact Information including, but not limited to: first name, last name, candidate ID (which may be candidate’s social security number or an assigned identifier by PSI or the Client), and email address.
- Assessment Information including your responses to assessments and the resulting reports.
Optional Personal Data. We offer many different types of assessments. As such, we may collect optional information in addition to the Minimum Personal Data described above. Whether Optional Personal Data is collected depends on the assessment and Services requested by the Client.
Please be aware that Optional Personal Data may not always be collected. We collect and retain Optional Personal Data solely at the Client’s discretion and utilize it exclusively to deliver our Services. It is important to note that the collection of Optional Personal Data may be restricted in certain jurisdictions; in such cases, we refrain from collecting such data in those specific regions. If you seek more information regarding Optional Personal Data and its collection in an assessment, we recommend reaching out to the relevant Client who directed you to take the assessment.
- Contact Information, including, but not limited to phone number, billing address and delivery address. We may also collect telephone number for the purposes of identity verification (e.g. for multi-factor authentication).
- Identity Information, including, but not limited to address, date of birth, age (range), nationality, identification number, social security number, digital photographs, job function, managerial responsibilities, organization, sector, industry, occupation level, video and audio recordings of assessments, and signatures.
- Remote Proctoring. We may collect Identity Information through remote proctoring. We provide a service whereby Clients who conduct examinations outside of our examination centres use our remote proctoring service. This service requires the users to log onto our Remote Proctoring platform. The user takes the examinations while being monitored through their webcam, microphone (audio) and through their computer’s desktop which are all accessible to a remote examiner. We collect Identity Information for identity verification, conducting the examination, fraud prevention, quality monitoring purposes, security and integrity, and as otherwise required by law.
Remote proctored examinations are always recorded, including video and audio, regardless of whether a proctor is monitoring in real-time. Additionally, assessments may be recorded in test centres if requested by Clients. The retention period for these recordings is customized by the Client. For more information, please contact the Client or organization who instructed you to take the assessment.
We may also use AI technology during remote proctoring to identify irregularities and ensure the integrity of the examination process. It’s important to note that the use of AI does not impact the assessment itself, nor is the information stored or used for any purposes other than identifying and highlighting potential irregularities. Any flagged irregularity is promptly reviewed and confirmed by human remote proctors to maintain accuracy and fairness in our examination procedures.
- When strictly required for the purposes of providing the Services, we may also collect Sensitive or Special Category Information, including but not limited to the following:
  - Sensitive Information, including age, race or ethnic origin, religion, creed, sex, gender identity and expression, sexual orientation, and criminal convictions and offences;
  - Biometric Information, including fingerprint and facial images; or
  - Medical Information, including exam results or examination candidates’ requests for examination accommodation.
Biometric information is collected with explicit consent from candidates or on another lawful basis permissible by law. This information is for identification and verification purposes to ensure the secure and efficient delivery of our Services to Clients. The duration for which biometric data is retained complies with the specifications provided by the Client.
- Financial Information, including, but not limited to bank account and payment card details.
- Professional or Employment-related Licensure Information, including, but not limited to: licence application information, licence activity, licence history, information relating to continuing education credits, public complaints, board actions taken against a licensee, or any public actions taken against a licensee by regulatory boards or agencies (“Licensee Updates”).
For Clients:
- Transaction Information, including, but not limited to details about payments to and from you by us and other details about Services and products you have purchased from us.
For PSI employees or PSI job applicants:
- Recruitment Information, including curriculum vitae, information on references and other information provided to us during the recruitment process, and results of any reference checks and background checks conducted as part of the recruitment process.
For Site visitors:
- Technical Information, including, but not limited to internet protocol (IP) addresses, your login information, browser type and version, and operating system and platform information. Information about our use of cookies can be found here.
- Usage Information, including information about how you use our Site and Services and products.
For anyone who has provided their consent in relation to:
- Marketing and Communications Information, including your preferences in receiving marketing information from us and our third parties along with your communication preferences.
Purposes of Processing
We may use your Personal Data for one of the following activities:
For candidates:
- Provide Services and products to you and our Client, as agreed in the contract.
- Upon authorization from a Client, for internal analysis and research to help us improve our Services and products.
- For other purposes for which we obtain your consent.
For Clients:
- Provide Services to you as agreed in the contract between Client and PSI.
For PSI employees or PSI job applicants:
- For recruitment purposes in cases where you have applied for a job with us.
- For internal analysis purposes related to recruitment and employment.
For all users or visitors of the Services or Site (as applicable):
- When you have opted-in, for marketing purposes.
- For internal analysis and research to help us improve our products and Services.
- Keeping accounts and financial records related to any business or other activity carried out by us.
- To send you information regarding the Services and products you have requested if you have opted-in to receive such information or if another legal basis permits the processing of your Personal Data.
Third Party Disclosures
We do not share your Personal Data with third parties for their own marketing purposes unless you have provided us with your consent. Before doing so, we will inform you about the purpose, the information shared, the third parties with whom we share the data, and your rights. You always have the right to opt out of such sharing at any time by visiting your account settings within the applicable online portal or contacting our Data Protection Officer here.
We may disclose your Personal Data internally, within entities of the PSI group, and externally, with the Client and other third parties as set forth below. When we disclose Personal Data, the recipient is required to keep that Personal Data confidential and secure, and to process the Personal Data only for the specific purpose for which they are engaged:
- Clients: We share your information, including results of your assessment, job demographics, and other information about you with the Client who engaged us to provide the Services.
- Government and Professional Licencing Agencies: We disclose Personal Data, exam information, Licensure Updates and other information relating to regulatory boards or state governments for inclusion in their files and records.
- Sub-Processors/Service Providers: We share information with our sub-processors, including PSI group companies and other third-party providers who provide Services to us. A list of our sub-processors can be found here.
- Law Enforcement/Public Authorities: We may be required to disclose information to public authorities, regulators or governmental bodies, as required by the applicable law or regulation, under a code of practice or conduct, where necessary to facilitate any investigation, or where we believe that disclosure is appropriate to protect our rights and interests or the rights and interests of third parties.
- Corporate Transactions: If we are acquired by, or merge with, another company, any of our assets are transferred to another company, or bankruptcy proceeding ensues, we may transfer the information we have collected from you to the other party.
Security Measures
We have put in place various electronic safeguards and managerial processes designed to prevent unauthorized access or disclosure, maintain data integrity, and ensure the appropriate use of Personal Data.
We use industry best practices and guidance from sources such as the National Institute of Standards and Technology (“NIST”), Payment Card Industry (“PCI”), standards promulgated by the Centre for Internet Security (“CIS”), and International Standards Organization (“ISO”), ISO/IEC 27001:2012 (Security techniques — Information security management systems — Requirements) to design and maintain our information security program.
We maintain Personal Data, exam data, and Licensee Updates on secured computers, and all Client, exam candidate, and employer accounts are password protected. No such security or safeguards are 100% effective, but we will take commercially reasonable efforts to employ security measures designed to protect the information. No Personal Data is knowingly disclosed to third parties except as described herein. Unfortunately, since data transmission over the internet cannot be completely secure, we cannot ensure or warrant the security of any information transmitted to us.
We limit access to your Personal Data to those employees, agents, contractors, sub-processors and other third parties who have a business need to know. They will only process your Personal Data on our instructions, and they are subject to a duty of confidentiality.
We have procedures put in place to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Location and Retention
The location of the servers where your Personal Data is stored will be dependent on the specific Services provided by us to the Client and governed by the contract between us and the Client. Please refer to our list of sub-processors for further information on the locations where your Personal Data may be processed by our sub-processors.
We will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you or our Client.
To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data, whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other retention requirements.
You have the right to request that we delete your information. Please see “Your Legal Rights” below for further information.
Unless agreed otherwise, we may use your Personal Data after anonymization (so that it can no longer be identified as your information) for research or statistical purposes, in which case we may use this information for a reasonable period of time without further notice to you. We may also use your Personal Data as part of statistical, aggregated data for research purposes in a pseudonymized form, if approved by our Client.
International Transfers
We may share your Personal Data within the PSI group for the purposes stated above. We primarily store your information in the United States and the European Economic Area (“EEA”). To provide our Services, we may transfer and access such information from around the world. Whenever PSI transfers personal information from one country to another, we will implement appropriate safeguards, consistent with the laws of the territory from which the data is exported. If you have any questions about or need further information concerning the safeguards PSI has in place to protect your personal information, please contact us at [email protected]
This may involve transferring your information outside the EEA, Switzerland, or the United Kingdom (“UK”). Whenever we transfer your Personal Data, we implement the following safeguards where applicable:
Data Privacy Framework. When PSI Services LLC and its US subsidiary (PSI Solutions LLC) transfer personal data from the EEA, Switzerland, or the UK to the United States, we rely on our certifications under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), and the UK Extension to the EU-U.S. DPF (UK-U.S. DPF).
Standard Contractual Clauses. We operate globally and may transfer your personal information to PSI group companies or third parties in locations around the world for the purposes described in this Policy. Therefore, your Personal Data may be processed outside your jurisdiction, including in countries and jurisdictions that are not subject to an adequacy decision by the European Commission or your local legislature or regulator, and that may not provide for the same level of data protection as your jurisdiction. Wherever your Personal Data is transferred, stored or processed by us, we will take reasonable steps to safeguard the privacy of your Personal Data. These steps may include implementing standard contractual clauses or an alternative mechanism for the transfer of data as approved by the European Commission or other applicable regulators or legislators. Where required by applicable law, we will only share, transfer or store your Personal Data outside of your jurisdiction with your prior consent or other lawful means of transfer.
Other International Transfers. Personal Data may be processed outside your jurisdiction by our sub-processors. Please refer to our list of sub-processors and the locations where Personal Data may be processed by the sub-processors. We ensure that our sub-processors offer an adequate level of protection to Personal Data by entering into appropriate agreements committing them to compliance with GDPR and other applicable laws.
Self-certification to the Data Privacy Framework
PSI’s participation in the Framework(s)
PSI Services LLC and PSI Solutions LLC comply with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. PSI Services LLC and PSI Solutions LLC have certified to the U.S. Department of Commerce that they adhere to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of Personal Data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. PSI has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
PSI Services LLC and PSI Solutions LLC have certified that they adhere to the DPF Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement, and liability with respect to all Personal Data received from the EU, UK, or Switzerland in reliance on the DPF. PSI Services LLC and PSI Solutions LLC are subject to the investigatory and enforcement powers of the US Federal Trade Commission (“FTC”), which has jurisdiction over PSI’s compliance with this Policy and the DPF.
Complaints, dispute resolution, data subject requests, and limiting the use and disclosure of Personal Data
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, PSI Services LLC and PSI Solutions LLC commit to resolve DPF Principles-related complaints about our collection and use of your Personal Data. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of Personal Data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact our DPO here.
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, PSI Services LLC and PSI Solutions LLC commit to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (“ICO”), the Gibraltar Regulatory Authority (“GRA”), and the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) with regard to unresolved complaints concerning our handling of Personal Data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.
Data subjects may contact the relevant independent recourse mechanism listed below:
- EU Data Protection Authorities (DPAs)
- Swiss Federal Data Protection and Information Commissioner
- UK Information Commissioner’s Office
The Federal Trade Commission has jurisdiction over PSI Services LLC’s and PSI Solutions LLC’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.
If a dispute or complaint cannot be resolved by PSI Services LLC and PSI Solutions LLC nor by the EU Data Protection authorities, the Swiss FDPIC, or the UK ICO, a data subject has the right to require that PSI enter into binding arbitration pursuant to the DPF’s Recourse, Enforcement and Liability Principle and Annex I of the DPF.
We will not share, sell or distribute any of the information you provide to us without your consent, except as described in the relevant privacy notice provided at or near the time of collection, or when acting on behalf of our Clients, at the direction of our Clients (the data controllers) on whose behalf we are processing Personal Data.
Accountability for onward transfer
PSI Services LLC and PSI Solutions LLC comply with the DPF Principles for all onward transfers of Personal Data from the EU, UK and Switzerland, including the onward transfer liability provisions. PSI Services LLC and PSI Solutions LLC will only transfer Personal Data about E.U., UK and Swiss individuals to third-parties where the third-party (a) has provided satisfactory assurances to PSI Services LLC and PSI Solutions LLC that it will protect the information consistently with this DPF Policy; or (b) is located in the E.U. or a country considered “adequate” for privacy by the European Commission or UK ICO, and therefore is required to comply with the E.U. or UK data protection laws or substantially equivalent privacy laws depending upon where the Personal Data originated. Where PSI Services LLC and PSI Solutions LLC have knowledge that a third-party to whom they have provided E.U., UK or Swiss Personal Data is processing that information in a manner contrary to this DPF section, PSI Services LLC and PSI Solutions LLC will take reasonable steps to prevent or stop the processing.
Legal Bases for Processing
We process your Personal Data in accordance with the contract, your instructions, the applicable contract with our Client, and applicable law. Based on the specific circumstances, the legal basis for our processing is one of the following:
- Performance of a Contract. We collect and process Personal Data for the purposes of the performance of a contract with you or our Client.
- Consent. In certain cases where required under the law, we process your Personal Data based on your specific and informed consent. For example, where you have opted-in to receive our marketing information, we may use your information to send you news and newsletters, special offers, and promotions, or to otherwise contact you about Services and products or information we think may interest you.
We may also process Personal Data considered special or sensitive under applicable laws based on your explicit consent. Your consent serves as the lawful basis for such processing, and you have the right to withdraw your consent at any time. Please note that if you choose not to provide consent or withdraw it, it may impact our ability to provide certain services. For further details or to withdraw your consent, please contact us through our Privacy Portal.
- Legitimate Interest. We process Personal Data where it is necessary for our legitimate interests (or those of a third party). This includes activities related to everyday business operations, such as invoice processing, business planning, and handling Client service-related queries and complaints, and other activities such as recruitment.
- Legal Obligation. We process your Personal Data when we need to comply with a legal obligation, meet our on-going regulatory and compliance obligations, including in relation to recording and monitoring communications, disclosures to tax authorities, financial service regulators and other regulatory and governmental bodies, and to investigate security incidents and prevent crime.
- Other bases. We may rely on other legal bases for processing as set out in the contract with the Client.
Your Legal Rights
Under applicable data protection laws, which may include the General Data Protection Regulation 2016/679 (“GDPR”), California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2023 (“CCPA”), and other applicable data protection laws (collectively, “Data Protection Laws”), PSI is generally a “Processor” or “Service Provider” (or reasonably equivalent term under Data Protection Laws) of candidates’ Personal Data with respect to the Services provided to our Clients.
Our Client, or the relevant organization in the supply chain, determines the purposes and means of the processing and is generally the “Controller” or “Business” (or reasonably equivalent term under Data Protection Laws). The contract with our Client sets out our mandate to process your Personal Data in such instances.
We may also act as a Controller/Business in instances where we process Clients’ business-related Transaction Information, provide Services and products directly to you and where we determine the purposes and means of processing your Personal Data. Depending on your jurisdiction, the following rights under Data Protection Laws may apply to you in relation to your Personal Data:
- The right of access
- The right of rectification
- The right of erasure
- The right to data portability
- The right to restrict processing
- The right to object
- The right to withdraw consent at any time when the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- The right to lodge a complaint with a supervisory authority
- The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her
- The right to opt-out of the sale of personal information
- The right to limit the use and disclosure of sensitive personal information.
If you are a candidate and seek to exercise an applicable right under Data Protection Laws, we encourage you to contact the Client, which is the relevant organization for whom you have taken an assessment, directly, to exercise your rights. As the Client is the Controller/Business, PSI, as a Processor/Service Provider, can only act on the instructions of the Client.
If you wish to contact us directly, we can only forward your request to the Client for instructions on how best to respond to your request. If you wish to exercise any applicable rights that you may have or to contact us, please submit a request to us by emailing our Data Protection Officer through our Privacy Portal.
We will not discriminate against you for exercising any of the foregoing rights under Data Protection Laws. You will not have to pay a fee to access your Personal Data or to exercise any of the other rights under Data Protection Laws. Only you, or someone legally authorized to act on your behalf, may make a verifiable request. Your request must provide sufficient information that allows us to reasonably verify that you are the person about whom we collected Personal Data. As a security measure, we may need to request specific information from you to help us confirm your identity.
We try to respond to all legitimate requests within the provided time period under Data Protection Laws. Occasionally it may take us longer than the provided time period if your request is particularly complex or you have made several requests. In this case, we will notify you.
Marketing Communications
We may engage in marketing campaigns in order to introduce new Services and products that may be of interest to our current or prospective Clients. Where required by applicable law, we will only engage in such marketing communications if the individual has opted into these communications.
Individuals may opt out of the processing of their Personal Data by exercising their right to withdraw consent and the right to object to the processing of their information. To opt-out of commercial emails, simply click the link labelled “unsubscribe” at the bottom of any email sent by us. Please note that even if you opt out of commercial emails, we may still need to contact you with important transactional information about your account or a scheduled exam to fulfil a contractual obligation. For example, we will still send assessment confirmations and reminders, information about centre changes and closures, and information about assessment results even if commercial emails have been opted-out (or not opted-in).