
Data Protection

Test Partnership has invested in the appropriate controls to protect customer and candidate data, in line with principles such as GDPR, CCPA, and PIPEDA. Learn why more than 6,000 companies trust Test Partnership to run their candidate assessments.

Privacy Policy

Read our full privacy policy for more details.

Accredited under UK Government's Cyber Essentials program

The Cyber Essentials scheme identifies fundamental technical security controls that an organisation needs to have in place, to help defend against internet-borne threats.


Test Partnership has always been focused on data protection and security. We've designed our systems and processes to make sure your use of our services keeps data safe. We will work with you to help you work through data protection requirements including putting in place robust data protection clauses, making sure candidates are informed and any notices are clearly displayed.


When a company invites you to take one of our tests, we might be given your name and email address. When you answer questions, you'll be sharing your data with us in the form of how you interact with our website. We take great care to protect your data against loss, exposure, and unauthorised access. We are transparent about what data you share with us, where it is stored, and how it is used.


Clients (Data controllers)

When you use our assessments, you will be in control of your candidates' data, and you will be trusting us to process that data safely and securely.

When you invite candidates to take one of our assessments, you will be the data Controller, and we will be the data Processor processing the data you send us on your behalf.

When you assess candidates through our platform, you will probably send us personal data belonging to your candidates (for example, name and email address). This means you have to look after that data, and make sure that we (as processors) look after it too. We have robust security measures in place, and we will process personal data only in accordance with your prior written instructions (as detailed in our Terms).

It's up to you as data Controller, but we recommend that you use anonymous IDs instead of entering real candidate names and email addresses in our system; this means that only you know who is who on our system. If you do use candidate personal data such as candidate names or email addresses, our standard terms should provide the necessary instructions to make sure we process your candidates' data securely and lawfully.

When your candidates take one of our assessments, we collect personal data about how they interact with our website (such as referral URLs, time on site, mouse movements, and browser), in order to accurately assess candidates' performance, and to provide technical support. To see a full list of the data we collect, and our legal basis for doing so, see our Privacy notice.

As per your instructions to us in the Terms, we process only the personal data necessary to perform our service, and only for the purposes of providing psychometric assessments.

We don't make decisions on whether you do or do not select candidates; all we do is provide scores from our assessments, and it's up to you to make your own selection decisions. It's up to you as data Controller, but we recommend you do not make automated decisions based on our scores.

What we do

We are processors of your candidates' data, so we put in place appropriate technical and organisational measures. This includes the following measures:

  • Anonymisation and pseudonymisation of data;
  • Due diligence of all our sub-processors;
  • Conducting a transfer risk assessment (TRA);
  • Backup and failover technology to ensure availability of data;
  • External penetration testing and disaster recovery testing;
  • Access control and 2FA for different personnel;
  • Maintaining documented information security policies;
  • Technical controls including those defined in Cyber Essentials;
  • Collection of only the data we need to provide our service;
  • We use UK-based servers with ISO 27001 accreditation.

We have a Data Protection Addendum, which can be executed between Test Partnership and clients.

We process data only in accordance with your prior written instructions (which can form part of our DPA with you if you like).

What you need to do

You will be the controller of candidates' data, so you should read and understand the full GDPR legislation. Whilst not legal guidance, this page includes some of the things you should do as data controller.

Be clear and upfront to candidates about how you use their data, who has access to it, how it is secured, where it is stored, and how long you store it for.

We recommend you review Appendix B of our Terms and Conditions. This describes the basis on which we process your candidates' personal data on your behalf. This will cover things like:

  • Authorised personnel
  • Security measures
  • Cross-border transfers
  • Processing of children's data
  • The use of sub-processors
  • Liability
  • Standard contractual clauses

Think carefully about whether you will use the results of assessments to make automatic decisions without any manual intervention. We recommend you do not make automatic decisions based on scores; you should use scores together with other factors such as a structured interview or work sample test. If you do decide to make automatic decisions, you have additional obligations, such as fully explaining and justifying the basis of your automatic decisions.

You shouldn't store candidates' data for longer than you need to. Our default data retention policy for storing results is 24 months, but you should think about what period suits you. You can change the period for which we store results in your client dashboard by navigating to Account > My Account > Edit Client Details > Data Retention Period.

Check if you need a data protection officer. This is not always necessary; it depends on the type and volume of data you process.

Prepare a process for handling Data Subject Access Requests (we can help you with this). When a candidate asks for a copy of all the data you hold on them, you should know your obligations and how to respond.

Think carefully about whether you need to enter candidate names and email addresses into our platform. You could avoid using personal data by entering candidate IDs instead of actual names. And you could avoid entering candidate email addresses by entering your business email address and forwarding the emails on to each candidate. Or use HR software which integrates with our API. Think carefully about the personal candidate data you enter onto our platform; sometimes it is not essential to enter personal information.

Make sure you put in place the appropriate notices to your candidates (we can help you with this). You need to tell candidates: how their data is being used; for how long; where it is being processed; who has access to it; how they can object to its use; how they can check accuracy and update their data; and what measures are in place to protect their data. Our website gives appropriate notices to candidates before they start an assessment.

[Figure: GDPR controller processor diagram]


Candidates (Data Subjects)

Who are Test Partnership?

Test Partnership are professional psychometric test publishers. Our team of occupational psychologists, data scientists, and software developers design tests that employers can use to help them select the best candidates.

We're based in London, UK, and have over 6,000 clients who use our tests to help them find the best people to hire.

If you've been asked to take one of our tests, it probably means an employer is using our software to find out more about your abilities and personality traits.

What happens to my data?

When you visit our website or take one of our assessments, we collect information about how you interact with our website, and how you respond to our questions. This information collection is all necessary for providing our psychometric assessment service, and includes:

  • Internet browser
  • IP address
  • Device (desktop/tablet/phone)
  • Operating system
  • Screen resolution
  • Duration (time on site and time on page)
  • Page content and page URL
  • Mouse movements
  • Your name (only if you or someone else gives it to us)
  • Your email address (only if you or someone else gives it to us)
  • Your responses to our assessments

What can I do?

You have the right to: obtain copies of your data*; correct data* held on you; and have your data* erased.

If you would like to exercise any of these rights, you can contact the company for whom you are being assessed, and you can also contact us (Test Partnership). The company that initiated your assessment are the controllers of your data, and Test Partnership is a processor of that data. To contact us the best email is:

* Note: we cannot give out your individual answers to our questions, because this is commercially-sensitive information, and releasing this would invalidate the utility of our psychometric tools. We are also contractually obliged to seek permission from the company that instructed us to assess you before we release any of your data (since they are the data controller).

Our information security systems

  • Encryption and Logs

    Encryption technologies protect the gateways and pipelines through which our data travel. Security logging helps us audit potential threat vectors.
  • Access Controls

    We employ privacy by design principles, and data can be accessed only by authorised authenticated users. This includes differentiated access rights in relation to role.
  • Firewalls

    We have high throughput firewalls with multiple zone support and SSL VPN tunnel secure access.
  • Backups

    We take full backups at regular intervals, and incremental database transaction logs throughout the day to ensure data integrity.
  • Passwords and 2FA

    Passwords are encrypted at rest and in transit. Additionally, clients can activate 2FA on a per-user level based on role permissions.
  • Documentation

    We have a documented Information Security Management System based on ISO27001 which ensures all of our operations adhere to best practice.

| Question | Answer |
| --- | --- |
| Description of the services | Psychometric assessment of candidates |
| Does Test Partnership have an Information Security Policy? | Yes, developed in line with ISO27001 principles |
| Does Test Partnership have an Acceptable Use policy that all employees must agree to adhere to? | Yes |
| Does Test Partnership have a Security Incident Management Policy & associated processes? | Yes |
| Does Test Partnership maintain a Business Continuity Plan? | Yes |
| Does Test Partnership run annual penetration tests? | Yes |
| Is a due diligence exercise completed before executing contracts with Test Partnership suppliers? | Yes |
| Does your organisation have an Access Control Policy? | Yes, developed in line with ISO27001 principles |
| Does Test Partnership enforce multi factor authentication across all admin accounts? | Yes |
| Does Test Partnership have a documented Software Development Lifecycle? | Yes, developed in line with ISO27001 principles |
| Does Test Partnership have a Data Protection Officer? | Yes, see Section 1 of our Privacy Policy. |
| In which geographical locations will Test Partnership store data? | UK, and USA. For a detailed list see Section 8 of our Privacy Policy. |
| Is MFA supported? | Yes |
| What RBAC controls are in place? | Access to personal data stored on our systems is granted on a least-privilege need-to-know basis only to staff who need access to it to perform their role (e.g. client support, software developers, and senior management). Each user has login credentials unique to them with activity logging. |
| Can clients apply their own data retention policies? | Yes, from within their account area. |

Have any questions?

The GDPR can be quite complicated, so please do get in touch with us if you'd like to know more about how we comply and how you can be compliant. Our Data Protection Officer can be contacted on: