What is personal information?
We consider “personal information” to mean any information, recorded in any form, about an identified individual or an individual whose identity may be inferred or determined from such information. This policy does not cover “business contact information” (e.g. name, title, business address) or aggregated data from which the identity of the individual cannot be determined. Acuity retains the right to use business contact information or aggregated data in any ethical way that it determines appropriate.
Why Acuity may collect personal information
Acuity may collect and use the personal information provided orally or in writing (including via electronic media) by applicants, educational institutions or other third parties in order to do the following:
- Determine an applicant’s eligibility for Acuity’s online services
- Validate the identities of users of Acuity’s online services
- Provide and communicate information about Acuity services and timetables to applicants, educational institutions or other third parties;
- Provide applicants’ examination results and related data/documentation to participating educational institutions;
- Provide applicants’ required personal information to educational institutions (or their designates) where the applicant has applied for admission;
- Conduct surveys of applicants in order to analyze, for statistical and research purposes, such issues as demographics of applicants, influences on career choices etc.;
- Provide examination and training statistics to participating educational institutions;
- Manage our relationship with applicants and educational institutions;
- Meet legal and regulatory requirements; and
- Such other purposes consistent with these purposes.
How Acuity collects and uses personal information
Acuity only collects, uses and discloses personal information for purposes that would be considered reasonable in the circumstances and only such information as is required for the purposes listed above. We use only fair and lawful methods to collect personal information. Personal information is routinely collected from all applicants through Acuity’s online services, documents submitted via regular mail, electronic mail and fax to be added to the applicant’s file, and telephone calls to Acuity for verification purposes.
Our use and disclosure of personal information is limited to the purposes described in this policy and Acuity does not otherwise sell, trade, barter, exchange or disclose for consideration any personal information it has obtained.
When Acuity may disclose your personal information
Acuity may disclose your personal information to:
- Individuals or organizations who use our examination services;
- Academic programs that an applicant has indicated they would like results sent to;
- Individuals or organizations that perform services on behalf of Acuity, including raters and those involved in verifying the identity of users and maintaining, reviewing and developing our systems, procedures and infrastructure, including testing or upgrading our computer systems.
Where Acuity discloses personal information to third party organizations, Acuity will enter into a written agreement to require that the organization use and disclose such information solely for specified permitted purposes and have appropriate safeguards for the protection of that personal information. However, Acuity is not responsible for how such third party organizations use the personal information.
In some cases, the individuals or organizations that perform services on behalf of Acuity may use or store personal information outside of Canada. Personal information stored outside Canada may be subject to different laws than those in Canada and may be accessible to law enforcement agencies outside of Canada where permitted by law. Acuity is committed to the protection of privacy and will evaluate the privacy implications associated with disclosing personal information to a third party service provider in a given jurisdiction before establishing a relationship in which personal information will be disclosed.
Please note that there are circumstances where the use and/or disclosure of personal information may be justified or permitted or where Acuity is obliged to disclose information without consent. Such circumstances may include:
- Where required by law or by order or requirement of a court, administrative agency or governmental tribunal;
- Where Acuity believes, upon reasonable grounds, that it is necessary to protect the rights, privacy, safety or property of an identifiable person or group;
- Where it is necessary to establish or collect monies owing to Acuity;
- Where it is necessary to permit Acuity to pursue available remedies or limit any damages that we may sustain; or
- Where the information is public.
Where obliged or permitted to disclose information without consent, Acuity will not disclose more information than is required.
Unless permitted by law, no personal information is collected without first obtaining the consent of the individual concerned to the collection, use and dissemination of that information. However, we may seek consent to use and disclose personal information after it has been collected in those cases where Acuity wishes to use the information for a purpose not identified in this policy or for which the individual concerned has not previously consented.
The provision of personal information to Acuity means that the person concerned agrees and consents that we may collect, use and disclose their personal information in accordance with this policy. In addition, where appropriate, specific authorizations or consents may be obtained from time to time.
In most cases and subject to legal and contractual restrictions, an individual is free to refuse or withdraw his or her consent at any time upon reasonable, advance notice. It should be noted that in certain circumstances, services can only be offered if a person provides personal information to Acuity. Consequently, if an individual chooses not to provide us with any required personal information, we may not be able to offer the services requested.
The accuracy and retention of personal information
Acuity endeavors to ensure that any personal information provided and in its possession is as accurate, current and complete as necessary for the purposes for which we use that information. Acuity provides the opportunity for individuals to update their personal information to ensure accuracy and currency. Individuals are responsible for ensuring that their personal information is accurate and have access to change it at any time. Acuity will use its best efforts to inform third parties which were provided with inaccurate information so that those third parties may also correct their records.
We keep your personal information only as long as it is required for the reasons it was collected. This period may extend beyond the end of an individual’s relationship with us but it will be only for so long as it is necessary for us to have sufficient information to conduct research, respond to issues that may arise at a later date, and for any other reason consistent with the purposes for which the information was collected.
Protection of personal information
Acuity endeavors to maintain appropriate physical, procedural and technical security with respect to its offices and information storage facilities so as to prevent any loss, misuse, unauthorized access, disclosure, or modification of personal information. This also applies to our disposal or destruction of personal information.
Acuity further protects personal information by restricting access to it to those employees with a need to know that information in order for us to provide our services or information.
If any employee of Acuity misuses personal information, this will be considered a serious offence for which disciplinary action may be taken, up to and including termination of employment. If any individual or organization misuses personal information that was provided for the purpose of providing services to or for Acuity, this will be considered a serious issue for which action may be taken, up to and including termination of any agreement between Acuity and that individual or organization.
Access to your personal information
Acuity permits the reasonable right of access and review of personal information held by us about an individual and will endeavor to provide the information in question within a reasonable time, usually within 30 days following the request. To guard against fraudulent requests for access, we may require sufficient information to allow us to confirm that the person making the request is authorized to do so before granting access or making corrections.
Acuity reserves the right not to change any personal information but will append any alternative text the individual concerned believes to be appropriate.
Acuity reserves the right to decline to provide access to personal information where the information requested:
- Would disclose (i) personal information, including opinions, about another individual or about a deceased individual; or (ii) trade secrets or other confidential business information that may harm Acuity or the competitive position of a third party or interfere with contractual or other negotiations of Acuity or a third party;
- Is subject to solicitor-client or litigation privilege;
- Is not readily retrievable and the burden or cost of providing it would be disproportionate to the nature or value of the information;
- Does not exist, is not held, or cannot be found by Acuity;
- Could reasonably result in (i) serious harm to the treatment or recovery of the individual concerned, (ii) serious emotional harm to the individual concerned or another individual, or (iii) serious bodily harm to another individual;
- May harm or interfere with law enforcement activities and other investigative or regulatory functions of a body authorized by law to perform such functions; or
Any other grounds under applicable legislation.
- Where information will not or cannot be disclosed, the individual making the request will be provided with the reasons for non-disclosure.
Acuity will not respond to repetitious or vexatious requests for access and in making such a determination, we will consider such factors as the frequency with which information is updated, the purpose for which the information is used and the nature of the information.
Acuity will not charge you for verifying or correcting your information; however, to the extent permitted by applicable law, there may be a minimal charge imposed if you need a copy of records.
Resolving your privacy concerns
In the event of questions about: (i) access to your personal information; (ii) our collection, use, management or disclosure of personal information; or (iii) this policy, please contact firstname.lastname@example.org.
Acuity will investigate all complaints and if a complaint is justified, we will take all reasonable steps to resolve the issue.
Acuity Insights uses industry standard encryption protocols and practices to responsibly transmit sensitive information. We do not share or sell personal information with any third party organizations. All of our web based services utilize 256 bit SSL encryption.
Data Hosting and Storage
Our services and data are hosted on Heroku and Amazon Web Services servers within North America. For more information on their security specifications, please visit the AWS and Heroku security pages. No Acuity employee has physical access to any AWS or Heroku equipment.
Permissions and Authentication
Access to customer data is restricted to approved employees, who require it for their day to day duties. We utilize 2 factor authentication and strong password policies across our services. We utilize role based access control in the services we use to ensure employees only have access to necessary functionality.
Transparency & Communication
Although we aim to offer the highest quality experience, we know that there is the potential for downtime or breaches. In the case of a breach Acuity is committed to having open communications and contacting the respective authorities and affected customers.
We are partnered with Stripe which manages our payment processing needs. We do not store sensitive cardholder information throughout the process. We are PCI SAQ-A compliant and we annually ensure we are compliant with the latest PCI requirements.
Our building utilizes alarms systems, video surveillance, on-site 24/7 security, and restricted access to floors.
If you choose to remain anonymous, we will not disclose your identity unless required by law.