Data Protection & GDPR

Test Partnership is fully compliant with GDPR, and we can help you follow a compliant process in your candidate testing.

Clients: we're your trusted partner

Test Partnership has always been focused on data protection and security, and we welcome the tightening of data controls brought about by the GDPR. We have consulted legal and security professionals to make sure all our processes are fully compliant. We've thought carefully about how our assessments & business need to operate, in order to ensure your candidates' data is safe.

Candidates: we protect your data

When a company invites you to take one of our tests, we might be given your name and email address. When you answer questions, you'll be sharing your data with us in the form of how you interact with our website. We take great care to protect your data against loss, exposure, and unauthorised access. We are transparent about what data you share with us, where it is stored, and how it is used.

Clients (Data Controllers)

Learn more about our approach to the GDPR.

  • Overview

    When you use our assessments, you will be in control of your candidates' data, and you will be trusting us to process that data safely and securely.

     

    When you invite candidates to take one of our assessments, in the context of the DPA and GDPR, you will be the data Controller, and we will be the data Processor.

     

    When you assess candidates through our platform, you will probably send us personal data belonging to your candidates (for example, name and email address). This means you have to look after that data, and make sure that we (as processors) look after it too. We have lots of security measures in place, and we will process personal data only in accordance with your prior written instructions (as detailed in our Terms).

     

    It's up to you as data Controller, but we recommend that, rather than entering real candidate names and email addresses in our system, you use anonymous IDs; this means that only you know who is who on our system. If you do use Personally Identifiable Information (PII) such as candidate names or email addresses, our standard terms should provide the necessary instructions to make sure we process your candidates' data securely and lawfully.

     

    When your candidates take one of our assessments, we collect personal data about how they interact with our website (such as referral URLs, time on site, mouse movements, and browser), in order to accurately assess candidates' performance, and to provide technical support. To see a full list of the data we collect, see our Privacy notice. We have a legitimate business interest in processing this data, and we couldn't provide our testing service without it.

     

    As per your instructions to us in the Terms, we process only the personal data necessary to perform our service, and only for the purposes of providing psychometric assessments.

     

    We don't make decisions on whether you do or do not select candidates; all we do is provide scores from our assessments, and it's up to you to make your own selection decisions. It's up to you as data Controller, but we recommend you do not make automated decisions based on our scores.

     

  • What We Do

    We are processors of your candidates' data, and so we put in place appropriate technical and organisational measures. This includes things like:

    • Anonymisation and pseudonymisation of data;
    • Due diligence of all our sub-processors;
    • Redundant software and hardware architecture to ensure availability of data;
    • Penetration testing and disaster recovery testing;
    • Access control for different personnel;
    • Writing and adhering to information security policies;
    • Technical controls such as those defined in Cyber Essentials;
    • Collection of only the data we need to provide a psychometric testing service;
    • Use of only UK-based servers with ISO 27001 accreditation.

     

    We have a Data Protection Addendum, which can be executed between Test Partnership and clients.

     

    We process data only in accordance with your prior written instructions (which can form part of our DPA with you if you like).

     

  • What You Need To Do

    You will be the controller of candidates' data, so you should read and understand the full GDPR legislation. Whilst not legal guidance, this page includes some of the things you should do as data controller.

     

    Be clear and upfront to candidates about how you use their data, who has access to it, how it is secured, where it is stored, and how long you store it for.

     

    We strongly recommend you review Appendix B of our Terms and Conditions. This describes the basis on which we process your candidates' personal data on your behalf. This will cover things like:

    • Authorised personnel
    • Security measures
    • Cross-border transfers
    • Processing of children's data
    • The use of sub-processors
    • Liability
    • Standard contractual clauses

     

    Think carefully about whether you will use the results of assessments to make automatic decisions without any manual intervention. We recommend you do not make automatic decisions based on scores; you should use scores together with other factors such as a structured interview or work sample test. If you do decide to make automatic decisions, you have additional obligations, such as fully explaining and justifying the basis of your automatic decisions.

     

    You shouldn't store candidates' data for longer than you need to. Our default data retention policy for storing results is 24 months, but you should think about what period suits you. You can change the period for which we store results in your client dashboard by navigating to Account > My Account > Edit Client Details > Data Retention Period.

     

    Check if you need a data protection officer. This is not always necessary; it depends on the type and volume of data you process.

     

    Prepare a process for handling Data Subject Access Requests. When a candidate asks for a copy of all the data you hold on them, you should know your obligations and how to respond.

     

    Think carefully about whether you need to enter candidate names and email addresses into our platform. You could avoid using personal data by entering candidate IDs instead of actual names. And you could avoid entering candidate email addresses by entering your business email address and forwarding the emails on to each candidate. Or use HR software which integrates with our API. Think carefully about the personal candidate data you enter into our platform; sometimes it is not essential to enter PII.

     

    Make sure you put in place the appropriate notices to your candidates. You need to tell candidates: how their data is being used; for how long; where it is being processed; who has access to it; how they can object to its use; how they can check accuracy and update their data; and what measures are in place to protect their data.

     

  • Questions?

    The GDPR can be quite complicated, so please do get in touch with us if you'd like to know more about how we comply and how you can be compliant. Our Data Protection Officer can be contacted on: [email protected]

     

Candidates (Data Subjects)

If you're taking our tests, this is how we protect your data.

  • Who are Test Partnership?

    Test Partnership are professional psychometric test publishers. Our team of occupational psychologists, data scientists, and software developers design tests that employers can use to help them select the best candidates.

     

    We're based in London, UK, and have over 6,000 clients who use our tests to help them find the best people to hire.

     

    If you've been asked to take one of our tests, it probably means an employer is using our software to find out more about your abilities and personality traits.

     

  • What happens to my data?

    When you visit our website or take one of our assessments, we collect information about how you interact with our website, and how you respond to our questions. This information collection is all necessary for providing our psychometric assessment service, and includes:

     

    • Internet browser
    • Anonymised IP address (last digits omitted)
    • Device (desktop/tablet/phone)
    • Operating system
    • Screen resolution
    • Duration (time on site and time on page)
    • Page content and page URL
    • Mouse movements
    • Your name (only if you or someone else gives it to us)
    • Your email address (only if you or someone else gives it to us)
    • Your responses to our psychometric assessments

     

  • What can I do?

    You have the right to: obtain copies of your data*; correct data* held on you; and have your data* erased.

     

    If you would like to exercise any of these rights, you can contact the company for whom you are being assessed, and you can also contact us (Test Partnership). The company that initiated your assessment is the controller of your data, and Test Partnership is a processor of that data. The best email address to contact us is: [email protected].

     

    * Note: we cannot give out your individual answers to our questions, because this is commercially-sensitive information, and releasing this would invalidate the utility of our psychometric tools. We are also contractually obliged to seek permission from the company that instructed us to assess you before we release any of your data (since they are the data controller).

     

     

  • Questions?

    If you have any questions, please email us at: [email protected].

GDPR controller processor diagram
 

Our information security systems

Encryption

Encryption technologies protect the gateways and pipelines through which our data travel. Highly confidential data are also encrypted within the system.

Access control

We employ privacy by design and default, and release data only to authorised persons. This includes differentiated access rights in relation to role.

Firewalls

We have a high-throughput firewall with multiple zone support and SSL VPN secure access.

Backups

We take full backups at regular intervals, and incremental database transaction logs throughout the day.

Passwords

We don't store passwords in plaintext; instead, they are hashed using a cryptographically secure hashing algorithm.

Documentation

All of our policies are available to you. If you have any questions, you are welcome to contact our Data Protection Officer at [email protected]
