Candidate Privacy Notice
Please read this Privacy Notice carefully as it sets out how Cambridge University Press & Assessment and its group companies (Cambridge) use your personal information.
Table of Contents
- Who are we?
- How can you contact us?
- What information do we collect & why do we use it?
- Use of Audio and Video Recordings
- Marketing Communications and Opting Out
- Who we share your information with
- Sending information outside the UK
- How we use Artificial Intelligence
- Automated decision-making
- Profiling
- How we protect your information
- What if we link to other websites?
- How long do we keep your information for?
- How you can control your personal information
- Children’s personal data
- Updates to this notice
Last updated: 17/03/2026
1) Who are we?

We are Cambridge University Press & Assessment, but you may know us as Cambridge. Everyone at Cambridge wants you to know that your personal information is in safe hands.
We:
- help people learn English and prove their skills to the world, with qualifications and tests recognised worldwide;
- provide international education programmes, qualifications and resources for 3 to 19 year-olds worldwide;
- offer a broad portfolio of general and vocational qualifications – including GCSEs, A Levels, Cambridge Nationals and Cambridge Advanced Nationals; and
- publish books and journals and are dedicated to serving customers in higher education through world-leading research and education products and services.
We are responsible for keeping your personal information secure and using it properly. We follow the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 to keep your information safe. This Privacy Notice is for candidates and learners. It explains what information about you we collect, what we do with it, and how you can control it.
In some cases, your school, institution or exam centre provides us with personal information directly when managing your entry or access to learning platforms. Please contact your organisation directly to understand how they use your personal information.
If you use other Cambridge websites or services, those may have separate privacy notices.
2) How can you contact us?
If you have any questions about how we handle your personal information, we would love to hear from you.
Email us at: privacy@cambridge.org
Write to us at: Privacy Team at Cambridge University Press & Assessment, Shaftesbury Road, Cambridge, CB2 8EA, United Kingdom
3) What information do we collect & why do we use it?
We may collect information directly from you, from your school/exam centre, and via learning platforms and digital products. The following outlines the categories of personal data we process, the specific purposes for that processing, and the relevant lawful basis we rely on.
Please note: personal data categories may be used across multiple purposes described below. The overview below is intended to be transparent rather than to suggest that specific data items are used only for a single purpose.
Identity & contact details
- Examples of the data we process: Name, date of birth, candidate ID, address, email, school/centre details.
- How we use it: To register candidates, administer entries, deliver qualifications, provide reasonable adjustments, communicate with candidates and centres, respond to enquiries, and verify results with third parties.
- Lawful basis: Contract; Public task; Legitimate interests
Assessment & qualification records
- Examples of the data we process: Exam scripts, coursework, portfolios, grades, examiner comments, enquiries about results, certificates.
- How we use it: To mark and moderate assessments, calculate and issue results, quality assure marking, handle appeals and complaints, verify achievements, and maintain qualification standards.
- Lawful basis: Contract; Public task; Legitimate interests
Health, access & special category data
- Examples of the data we process: Medical information, learning difficulties, access arrangements, special consideration evidence.
- How we use it: To assess and provide reasonable adjustments, ensure fair access to assessments, and consider special consideration requests.
- Lawful basis: Explicit consent or Substantial public interest
Biometric & integrity data
- Examples of the data we process: Photographs, audio/video recordings, remote proctoring data
- How we use it: To verify identity, invigilate assessments, detect and investigate malpractice, and maintain the integrity of examinations.
- Lawful basis: Explicit consent or Substantial public interest
Diversity and equality monitoring data (special category data)
- Examples of the data we process: Information about gender, ethnicity, or other diversity characteristics (where provided)
- How we use it: To carry out equality monitoring, analysis and research to improve our publications, events and activities, and to support inclusion and accessibility initiatives within our International Education programmes. Data is used in aggregated or anonymised form wherever possible.
- Lawful basis: Explicit consent or Substantial public interest
Technical & usage data
- Examples of the data we process: IP address, device information, system logs, platform usage data
- How we use it: To operate and secure systems, detect unusual activity, prevent fraud, investigate incidents, and improve our digital services.
- Lawful basis: Legitimate interests
Payment & financial data
- Examples of the data we process: Transaction records, payment card details (processed by payment providers)
- How we use it: To process fees and meet financial and tax obligations.
- Lawful basis: Contract; Legal obligation
Marketing & communications data
- Examples of the data we process: Contact details, communication preferences
- How we use it: To send marketing and learning-related communications where consent has been provided and to manage opt-outs.
- Lawful basis: Consent; Legitimate interests
Compliance, safeguarding & investigation data
- Examples of the data we process: Malpractice reports, regulatory correspondence, law enforcement or third-party evidence
- How we use it: To comply with legal and regulatory duties, investigate malpractice or safeguarding concerns, and cooperate with regulators or law enforcement.
- Lawful basis: Legal obligation; Public task
Research, standards & improvement data
- Examples of the data we process: Aggregated, anonymised or pseudonymised assessment data, survey responses, feedback
- How we use it: To carry out research, standards setting, statistical analysis, and improve the quality and delivery of our qualifications and services.
- Lawful basis: Legitimate interests
Our Cookie Notice explains more about how our Site uses cookies and device identifiers.
4) Use of Audio and Video Recordings
We may create and use audio and video recordings of candidates during assessments and when you use certain online services. This may include recording online tests for exam security, quality assurance, or investigation of suspected malpractice. These recordings may also be used to support delivery of digital learning tools or customer service interactions where relevant.
5) Marketing Communications and Opting Out
If you choose to receive marketing communications from us, we will use your contact details and send you information about products, services, events, or updates. You can withdraw your consent or opt out of marketing at any time by following the instructions in our messages or by contacting us. We will not send you marketing without your permission.
6) Who we share your information with
We share your personal information only when necessary to perform our core functions as an awarding body, provide our services, or comply with legal obligations. We ensure all recipients are required to protect your data in line with our standards and applicable data protection laws.
We may share your personal data (including core personal details, assessment results, and relevant special category data) with the following trusted third parties and for the purposes outlined:
Educational network and related bodies
Recipient: Your school, college, or exam centre
Purpose: To administer your entries, manage your access to learning platforms, track your progress and performance, and communicate results and other qualification-related matters.
Recipient: Corporate group of your school
Purpose: To coordinate educational services and access across the institutions within your school’s network.
Recipient: The British Council
Purpose: If they are involved in the administration, delivery, or invigilation of your assessment, particularly in international locations.
Recipient: Other schools or educational establishments you attend
Purpose: To coordinate your qualifications or learning records.
Progression, verification, and marketing
Recipient: Universities, Colleges Admissions Service (UCAS) & potential employers
Purpose: To verify your qualifications and achievements.
Recipient: Scholarship providers, governments and associated bodies
Purpose: To award scholarships based on your performance.
Regulatory, integrity, and legal compliance
Recipient: UK/international regulators such as Ofqual, Qualifications Wales, and the Northern Ireland Council for the Curriculum, Examinations and Assessment (CCEA)
Purpose: To evidence outcomes, progression, and participation in relation to regulated qualifications.
Recipient: Awarding bodies who are members and non-members of the Joint Council for Qualifications (JCQ) and other awarding bodies
Purpose: Malpractice investigations, standard-setting, research, statistical purposes, and safeguarding matters.
Recipient: Government departments, public bodies and their international equivalents
Purpose: Statistical, policy development purposes, and evidencing outcomes and progression. This includes sharing data with DfE or its partners for the dispatch and delivery of exam scripts in England.
Recipient: Law enforcement agencies, courts, regulators, and relevant third parties
Purpose: In connection with crimes affecting our assessments, malpractice, safeguarding concerns, verification of access arrangements or special consideration, where required by law or court order, for criminal or legal investigations, and to preserve the security and integrity of our services and assessments.
Our service providers and group companies
Recipient: Service Providers (e.g. IT support, data centres, hosting providers, couriers, examiners, markers, assessment specialists, auditors, and legal advisers)
Purpose: To enable the secure delivery, marking, moderation, analysis, hosting, storage, technical support, communications, quality assurance, and administration of our services and assessments.
Recipient: Cambridge University Group and other affiliated organisations owned by it
Purpose: For group-wide operational support, system hosting, quality assurance, governance, compliance, research, and the improvement of our products and services.
Anonymised and pseudonymised data
We may also share anonymised and pseudonymised data (data that cannot directly identify you) with third parties for academic research, statistical analysis, and standards setting to further improve the integrity and delivery of our qualifications.
We share only what is necessary, and we make sure these organisations keep your information safe.
7) Sending information outside the UK
We work with offices and trusted partners around the world. As we are based in the UK, your personal information may be transferred from the UK to be stored or processed in countries outside the UK and your own. This can happen, for example, when we deliver exams, provide online services, provide customer services or meet legal or regulatory requirements.
Whenever we transfer personal information internationally, we ensure it remains protected to the same high standards required under the UK GDPR, the Data Protection Act 2018 and other applicable data protection law. We do this by using Standard Contractual Clauses approved by the European Commission or in accordance with the UK’s equivalent Standard Contractual Clauses, or by transferring information only to countries that provide an adequate level of data protection. For these purposes, Cambridge carries out relevant assessments of the data protection laws in the recipient countries and the vendor safeguards.
8) How we use Artificial Intelligence
We, and some of our service providers, use AI tools in our digital systems to support and improve the delivery of our services. Before deploying any AI tool, we carry out internal reviews to ensure it is secure, performs as intended, and complies with data protection laws.
We may use AI to process personal data such as contact details, assessment-related data, and biometric data. Examples include:
- Automated marking and feedback generation
- Preventing exam malpractice
- Chatbot functionality by improving chatbot responses to customer queries
- Generating resources to support teaching, learning and research
- Content improvement
Where possible, we anonymise or pseudonymise the personal data used in AI tools. In cases where that is not feasible (such as remote proctoring), we apply strict limitations and safeguards to protect your privacy.
We do not use AI to make decisions that have legal or similarly significant effect on you without human involvement, unless permitted by law and subject to appropriate safeguards. Where required, we will inform you separately if we plan to process special category data using AI or need your consent to do so.
9) Automated decision-making
In some cases, we use your personal data within automated tools to support marking and assessment processes. These tools are designed to assist our examiners, not replace them, and we review the outputs to make sure they are accurate, consistent and fair.
We do not make decisions about you that have legal or similarly significant effects based solely on automated processing. If an automated process ever produces a decision that affects you significantly, we will inform you accordingly and in those cases you will have the right to request human review.
10) Profiling
We may use automated tools and analytical techniques, sometimes referred to as profiling, to help us understand patterns in how our services are used and how assessments are completed. This may include analysing information about your assessment activity, usage of our systems, or interactions with our services in order:
- to help maintain the security and integrity of assessments, for example where computer-based tests show unusual activity;
- to support the delivery or improvement of our services; or
- to carry out limited marketing purposes, where you have agreed to receive marketing.
We do not make decisions about you solely based on profiling without some human involvement.
11) How we protect your information

We use a mix of technical, organisational, and contractual measures to keep your information safe.
We use security tools such as encryption, access controls, and multi-factor authentication to protect our systems and data.
We make sure that only authorised people can access your information and that our staff understand how to handle it securely and responsibly.
We require our service providers and partners to protect your information through written agreements that include confidentiality and data protection obligations.
We regularly review our security measures to make sure they stay effective.
While no system is completely secure, we take reasonable and proportionate steps to protect your information from loss, misuse, or unauthorised access.
12) What if we link to other websites?
Sometimes our website or apps link to other organisations’ pages or services. Each of those will have its own privacy notice, which we encourage you to read. We are not responsible for how other websites use your information once you leave our systems.
13) How long do we keep your information for?
We keep your personal information only as long as necessary to deliver assessments and learning services, meet our legal and regulatory obligations, and handle enquiries or appeals. Retention periods may vary depending on the type of information and the requirements of the countries in which we operate.
- Assessment results and related records – retained on a long-term basis so you or third parties (such as universities or employers) can verify your achievements.
- Exams and financial records – usually kept up to 6 years to meet legal, contractual, and tax requirements.
- Health or access arrangement information – kept only for as long as needed to arrange and administer your assessment, in line with our internal policies for special category data.
- Anonymised or de-identified information – may be kept for longer for research, statistical analysis, and quality assurance because it no longer identifies you.
14) How you can control your personal information
You have rights over your personal information. You can:
- Ask for a copy of your information
- Ask us to correct or delete it
- Tell us to stop using it in some cases
- Ask us to send it to someone else
- Withdraw consent (such as: stop marketing messages).
These rights are not absolute - if a right does not apply or only applies to some of your information or some of the things we do with it, we will let you know as part of our reply to you.
To exercise your rights, contact us at privacy@cambridge.org.
Our Data Protection Officer is Trilateral Research Ltd.
Contact them at: dpo@admin.cam.ac.uk or write to them at:
Trilateral Research Ltd, 1 Knightsbridge Green, London SW1X 7QA.
If you are unhappy with how we have used your information, you can make a complaint to a data protection supervisory authority.
If you are in the UK, the supervisory authority is the Information Commissioner's Office (ICO). You can visit their website here.
If you are in the EU, you can find your local data protection authority here
15) Children’s personal data
Some of our learners and candidates are under 18. We handle children’s data with particular care, in line with data protection law and relevant safeguarding requirements.
We do not typically rely on consent to process children’s personal data. Most of our processing is based on public task, legal obligation, or legitimate interest (e.g., delivering qualifications, ensuring access arrangements, or complying with exam regulations).
However, where consent is required for a specific service – such as certain online tools or marketing communications – we follow the UK GDPR age threshold for digital consent, which is 13 years old. If a learner is under 13, we require consent to be given by someone with parental responsibility.
In some cases, a parent, guardian, or school may also act on the child’s behalf to exercise data protection rights, depending on the child’s age and ability to understand those rights.
We take additional steps to protect children’s data, such as:
- Limiting access to staff with a need to know
- Applying appropriate retention periods
- Ensuring clear communication suitable for younger audiences
- Embedding child-protection considerations in service design.
16) Updates to this notice
We update this notice if things change.
You can always find the latest version on our website.
We last updated this Candidate Privacy Notice in March 2026.