ACER regularly assesses the information privacy impact of our school assessment services. This article contains a summary of privacy impact related questions frequently asked by schools and education authorities:
Policies, processes, and certifications
- ACER’s privacy policy
- Online Assessment and Reporting System terms and conditions
- ISO/IEC 27001:2013 standard certification
Data storage, technology, and security
- Where are the Online Assessment and Reporting System data stored?
- How long are data retained in ACER’s Online Assessment and Reporting System?
- Are data stored on devices?
Collection of information
- What student personal information is collected?
- Can students remain anonymous in ACER’s Online Assessment and Reporting System?
- Is it necessary to provide a date of birth for each student?
- Are unique student identifiers required in the system?
- Does ACER’s Online Assessment and Reporting System create a unique student identifier?
- Are other demographic data or potentially sensitive information collected?
Access and use of information
- Who can view data in the Online Assessment and Reporting System?
- Are data provided to third parties?
- Are students’ data transferred between schools?
- Is access to the Online Assessment and Reporting System role-based?
- How does ACER handle unsolicited personal information sent via unsecured channels, such as email?
Policies, processes, and certifications
ACER’s privacy policy
Online Assessment and Reporting System terms and conditions
https://oars.acer.edu.au/terms-conditions
ISO/IEC 27001:2013 standard certification
ACER has developed an Information Security Management System (ISMS) that ensures Information Security initiatives are directed by the senior executive.
The ISMS consists of a suite of policies, standards, specifications, and procedures in accordance with, and certified against, the ISO/IEC 27001:2013 standard and defines the security activities required for this service.
Data storage, technology, and security
Where are the Online Assessment and Reporting System data stored?
All system data are stored on the Amazon Web Services (AWS) cloud in Sydney.
How long are data retained in ACER’s Online Assessment and Reporting System?
Data are retained for 13 years unless a client requests data to be erased earlier.
Are data stored on devices?
Data are only stored on devices when downloaded from ACER's Online Assessment and Reporting System and saved by users.
Collection of information
What student personal information is collected in ACER’s Online Assessment and Report System?
The following personal student information may be collected:
- Given name
- Family name
- Middle names
- Username
- Password
- Gender (M, F, X)
- Date of birth
- Year Level
Can students remain anonymous in ACER’s Online Assessment and Reporting System?
Yes, you may opt to enter a pseudonym for a student or choose not to create a student record.
Is it necessary to provide a date of birth for each student?
The system requires a date of birth for each student, but it is possible to enter a false date (e.g. 1/1/2024) in lieu of the student’s actual date of birth.
Are unique student identifiers required in the system?
No, but schools have the option of recording a Unique ID that may be used to align data across different school databases.
Does ACER’s Online Assessment and Reporting System create a unique student identifier?
Yes, when a student account is created in a school’s account a System ID is created. In the case of a student’s data being transferred to another school, a new System ID will be created in the new school’s account.
Are other demographic data or potentially sensitive information captured in ACER’s Online Assessment and Reporting System?
System users have the option of creating tags for each student that may be based on demographic or sensitive information. The creation of tags is optional.
Access and use of information
Who can view data in the Online Assessment and Reporting System?
Each school is provided with a unique account and URL to prevent unauthorised access to data. These accounts may be viewable by a ‘system super user’ where a school’s licence agreement is managed by an education authority. ACER technical support staff may also have access to view a school’s data.
Are data provided to third parties?
Not unless there is an explicit agreement between ACER and an education authority.
Are students’ data transferred between schools?
Not unless there is an explicit agreement between ACER and an education authority or schools.
Is access to the Online Assessment and Reporting System role-based?
Yes, access to data and the system is role-based and the user's role within the system (for example ‘Teacher’ or ‘Student’) defines what account functionality they have access to once they are logged in. School staff can be assigned one of three roles:
Client Administrators have the rights to:
- Complete purchases in the Store
- Edit the school’s account details (contact, enrolments, school hours etc.)
- View, add and edit student information
- Assign tests to students
- View, create, edit and delete staff logins
- Generate reports
Candidate Managers have the rights to:
- View, add and edit student information
- Assign tests to students
Report Generators have the rights to:
How does ACER handle unsolicited personal information sent via unsecured channels, such as email?
Senders are asked to only supply personal information necessary for the use of ACER’s services and to do so by secure means. If the ACER support team receives more personal information than they need to perform their job, or if they receive information via an inappropriate channel, such as email, the data are deleted and the sender is notified.