Need help?
Call Us

Privacy Policy

Introduction

Personal data means any information capable of identifying an individual.  It does not include anonymised data.

This privacy notice provides you with details of how we collect and process your personal data through your use of our website, www.apeas.org.uk, our email system, by direct contact with us or by our use of our IT administration system.

By providing us with your data, you confirm that you are 13 years of age or over.

APEAS is the data controller and we are responsible for your personal data (referred to as “we”, “us” or “our” in this privacy notice).

Contact Details

Full name of organisation:     The Architects Professional Examination Authority in Scotland Ltd

Email address:     info@apeas.org.uk

Registered office:     15 Rutland Square, Edinburgh, EH1 2BE

Mobile:     07483 153893

Email:     info@apeas.org.uk

If you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would be grateful if you would contact us first if you do have a complaint so that we can try to resolve it for you.

For ease of accessibility much of the information presented in this Privacy Notice has been organised in terms of different APEAS stakeholders (e.g. candidate, examiner, employment mentor etc).  Just click on the section below that applies to you for specific information about your category of stakeholder.  However, before you do this please read the rest of the information on these pages as it provides important details regarding data security, data storage, third party links, cookies and international transfers.

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.  In addition, we limit access to your personal data to those employees, practice examiners, external examiners, PSAs, Board members and suppliers who need to know such data. These persons are subject to a duty of confidentiality.

Data Breach

We have put in place a procedure to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

How do we store information?

We store information in both paper and digital formats.  The paper copy protects the information held by APEAS from the potential risk of a technological failure with our website and IT administration system. The digital copy protects the information held by APEAS from physical damage e.g. fire or water damage.

All paper records are held securely within alarmed premises.

Digital information is stored on a secure server with an SSL certificate. Information is backed up on a secure, portable encrypted hard drive with additional key pad protection. This hard drive is stored in a lockable cupboard in the office when not in use. The APEAS website has an SSL certificate that is maintained on an annual basis. APEAS maintains anti-virus software to protect its computer systems.

Third Party links

The APEAS website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we advise you to read the privacy notice of every website you visit.

Cookies

A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

Here are all the cookies used by the site:

ASPSESSIONID

This cookie is essential for the website to function properly. It lasts only for the length of time you are viewing the website and improves your experience by letting the site remember things as you move between pages. For example, if you are logged into the site on one page, this fact is held in your session and you continue to be logged in when you view a different page.

cc_cookie_accept & cc_cookie_decline

These cookies allow us to store the fact that you have previously approved the use of cookies for our website.

More Information

Want to know more about deleting or controlling cookies? Go to http://www.aboutcookies.org.

International Transfers

Countries outside of the European Economic Area (EEA) do not always offer the same levels of protection to your personal data, so European law has prohibited transfers of personal data outside of the EEA unless the transfer meets certain criteria.

Whenever we transfer your personal data out of the EEA, we do our best to ensure a similar degree of security of data by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission; or
  • Where we use providers based in the United States, we may transfer data to them if they are part of the EU-US Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US
  • If none of the above safeguards is available, we may request your explicit consent to the specific transfer. You will have the right to withdraw this consent at any time.

Please email us at info@apeas.org.uk if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

This privacy notice explains how APEAS collects and uses information about you in order to provide our Part 3 Examination services.

The nature of our relationship with you will determine what personal data we collect about you and how we use it.

What information do we collect about you?

If you are registered to sit the Part 3 Examination in Professional Practice and Management (Part 3 Examination) with APEAS, we will collect information about you. The types of information we collect include:

  • Personal details – for example: name, signature, address, telephone numbers, date of birth, email address
  • APEAS registration number (allocated by APEAS)
  • examination results
  • examination submissions
  • special arrangement requirements where necessary
  • employer’s name, address, telephone numbers, email address
  • university
  • gender
  • nationality
  • photograph
  • anonymised questionnaire responses
  • information concerning appeal / complaint
  • email correspondence
  • information on payment of fees

How do we collect your information and what do we use it for?

We collect information about you from your online registration, payment of fees through our bank or online processes, your examination submissions and the candidate questionnaire you complete at the Oral Examinations. We may also collect or update information directly from you when you contact us.

We use the information we collect about you:

  • to make arrangements for you to sit the Part 3 Examination (more details provided in the Appendix)
  • to publish overall candidate pass/fail results
  • to award and issue your pass certificate
  • to maintain a limited record of your results
  • to respond to enquiries
  • in order to respond to any appeal or complaint made by you
  • for statistical* and research purposes
  • With your consent APEAS will share information about you having a medical condition, or requiring a specific adjustment to be made to ensure an accessible venue, or a Specific Learning Difficulty or if English is an additional language with your practice examiners, with the Convenor of the Examination Committee, the Senior Examiner of the Practice Examiners Committee and the external examiners. This is to ensure that you are examined on ‘the same level playing field’ as all other candidates. Such data is always handled in strictest confidence by APEAS and is kept securely whether on paper or held electronically.

We anonymise some candidate personal data (so that it can no longer be associated with you) for statistical purposes. We may use this information indefinitely without further notice to you. The anonymised data is used, e.g. to calculate annual and cumulative overall pass rates and also for different categories of candidates (e.g. male/female, non-white, candidates’ who practice outwith Scotland, re-sit candidates). Data is also used to analyse candidate failures on a component basis and review trends in moderation of internal grades.

Legal basis for processing your information

We use and share your information:

  • to fulfil our legitimate business to provide a efficient, high quality Part 3 Examination service
  • to comply with any legal or regulatory obligation
  • with your consent where we have asked for and you have given it

Who do we share your information with?

We may receive or send personal data about you from/to various third parties and public sources as set out below:

  • confirmation of payment of registration and/or examination fees by candidates
  • to your university – to confirm your registration with APEAS
  • to the Architects Registration Board (ARB), Royal Institute of British Architects (RIBA) and Royal Incorporation of Architects (RIAS) the details shown below so that you can be registered with these bodies:
  • Forename;
  • Surname;
  • Date of Birth;
  • University
  • registration enquires from the ARB, RIBA, RIAS or other professional bodies located outside the United Kingdom
  • occasionally at APEAS Board or Examination Committee meetings some candidate personal data is provided because it is relevant to an issue under discussion. Members of the two Committees understand the importance of keeping any issues involving individuals and their personal data in the strictest confidence at all times.

How long do we keep your information?

Successful Candidate

APEAS will delete all personal data on a candidate who has successfully passed the Part 3 Examination at the latest 2 years after he/she sat their Oral Examination with the exception of the following data which will be archived for any future enquiries by a former candidate.

  • Forename (s)
  • Surname
  • Date of Birth
  • University
  • Year passed Part 3 Examination
  • Email address
  • Mobile telephone number

Re-sit/Deferred Candidate

APEAS will retain data on a re-sit/deferred candidate all the while he/she has not passed the Part 3 Examination. Once the candidate has passed the Part 3 Examination his/her data will be deleted according to the rule applied to successful candidates.

Posting/receiving paper information including personal details

APEAS communicates with its candidates mainly by electronic communication. However, there are still a few occasions when APEAS sends information to its candidates by post. These include the following:

  • a letter indicating if a candidate has passed or failed the Part 3 Examination, and if he/she has failed what component, or components, of the Part 3 Examination he/she has to re-sit.
  • a candidate’s APEAS Certificate where he/she successfully passed the Part 3 Examination, but was unable to attend the APEAS Award Ceremony

What are my rights?

You have certain rights under data protection laws with regard to your personal data. These include the right to:

  • Request access to your personal data
  • Request correction of your personal data
  • Request erasure of your personal data
  • Object to processing of your personal data
  • Request restriction on processing your personal data
  • Request transfer of your personal data
  • Right to withdraw consent

You can see more about these rights at

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

If you wish to exercise any of the rights set out above, please email us at info@apeas.org.uk

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

Access to your information

You have the right to request a copy of the information that we hold about you by emailing us at info@apeas.org.uk

If you make such a request we will provide you with the following information:

  • Data we hold on you in the APEAS Moodle/Turnitin on-line system
  • Data we hold on you in our IT administration system
  • Any email correspondence with you which we hold
  • Any paper information containing any of your personal details

We will try to respond to all reasonable requests within one month. However, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Correcting your information

We always want to make sure that your information is accurate, complete and up to date. Our records regarding you are based on the information you provide on the on-line registration form. You can update your registration details at any time while your records are active on the on-line registration system. You also have an opportunity to provide the APEAS Administrator with updated personal data at the Oral Examinations. The Administrator will transfer this information into the on-line registration system. You can also ask us to correct any information about you that you believe is incorrect or incomplete by emailing us at info@apeas.org.uk.

Deletion of your information

 You have the right to ask us to delete information about you if:

  • you think that we have kept it longer than we need to
  • we are using your information with your consent and you withdraw it – see ‘Withdrawing consent to using your information’ below
  • you have objected to our use of your personal information – see ‘Objecting to how we use your information’ below
  • APEAS uses your information unlawfully

Objecting to how we use your information

You have the right to ask us to stop using your information to:

  • send you marketing materials
  • carry out some of our roles and functions
  • carry out research

Restricting how we may use your information

You have the right to ask us to restrict how we use your personal information in certain circumstances. For example, where you have asked us to check the accuracy of your information or where we no longer need your information but you want us to keep it to help you make a legal claim.

Withdrawing consent using your information

Where you have given us your consent to use your personal information, you can withdraw that consent at any time and we will stop using your personal information for that purpose(s).

Appendix

Purpose / Activity
To register with APEAS as a candidate using the APEAS Moodle/Turnitin on-line system
To transfer candidate data submitted via the APEAS Moodle/Turnitin on-line system to the APEAS IT administration system
To confirm payment of candidate Registration, Examination, Re-sit or Deferment Fees on the APEAS IT administration system (payment is normally made via a third party source such as STRIPE or BACs payment)
To allocate and record for each candidate the following in the APEAS IT administration system

(a)  the pair of practice  examiners who will examine them

(b)  the date and time of their Oral Examination

Use the information from the previous row to enrol a candidate into the correct ‘Submission’ on the APEAS Moodle/Turnitin on-line system (so that the candidate’s on-line documentary submission is assigned to the correct pair of practice examiners)
To receive the candidates’ on-line documentary submissions by the deadline dates and times specified by APEAS
To communicate with candidates via the APEAS website* the venue, dates and times of their oral examination interview

*Candidates are only identified by their registration numbers

To communicate with candidates via the APEAS website and post whether they have passed or failed the Part 3 Examination

Candidates are only identified on the website by their registration numbers

To analyse completed candidate questionnaires to produce both quantitative and qualitative (candidate comments) data to inform the review of the APEAS Part 3 Examination process. All questionnaires are submitted anonymously.

This privacy notice explains how APEAS collects and uses information about you in order to provide our Part 3 Examination services.

The nature of our relationship with you will determine what personal information we collect about you and how we use it.

What information do we collect about you?

If you are included in the APEAS Pool of Practice Examiners to examine candidates for the Part 3 Examination in Professional Practice and Management (Part 3 Examination) with APEAS, we will collect information about you. The types of information we collect include:

  • personal details, for example: name, home address, work address, telephone numbers, e-mail address
  • examination results of candidates you have examined
  • examination submissions marking
  • gender
  • photograph
  • identification documentation, eg copy of passport
  • questionnaire responses
  • information concerning appeal / complaint against you
  • email correspondence
  • information on payment of fees and expenses including bank account details

How do we collect your information and what do we use it for?

We collect information about you from:

  • submission of your CV
  • submission of travel and subsistence expenses forms, including bank details
  • payment of fees through our bank
  • from your examination submissions marking online and in paper format and submission of results
  • we may also collect information directly from you when you contact us

We use the information we collect about you:

  • to annually select examiners to examine candidates sitting the Part 3 Examination
  • to pair practice examiners
  • to allow examiners to access their identified group of candidate submissions via the Moodle/ Turnitin on-line system for assessment purposes
  • to maintain a record of the results you submit both pre and post oral examination
  • to issue invitations to attend seminars or other events
  • to inform the review of the APEAS Part 3 Examination process by gathering information submitted by completion of questionnaires – all summary information is anonymised
  • to make payments for fees and expenses as required via the RBS online banking system
  • to respond to enquiries
  • to investigate cases of appeal / complaint / possible misconduct
  • for statistical and research purposes

Legal basis for processing your information

We use and share your information:

  • to fulfil our legitimate business to provide an efficient, high quality Part 3 Examination service
  • to comply with any legal or regulatory obligation
  • with your consent where we have asked for and you have given it

Who do we share your information with?

We may share your personal information with the following bodies:

  • information contained in your CV when we are seeking re-prescription with the Architects Registration Board (ARB)

How long do we keep your information?

APEAS will retain data on you for the period you are in the APEAS pool of practice examiners and, therefore, available to examine. Once you retire from the APEAS pool of practice examiners all your data will be deleted at the latest one year after you have retired from the pool. We will retain a note of your email address and telephone number in case we need to contact you at some future date in connection with some aspect of APEAS business.

If you were unsuccessful in applying to be an examiner in the APEAS pool of practice examiners your personal data will be deleted at the latest 3-months after you were interviewed to join the pool.

Posting/receiving paper information including personal details

APEAS communicates with its practice examiners almost exclusively by electronic communication and will only post information to practice examiners very occasionally.

APEAS does receive some paper copies of practice examiner candidate documentary submissions (where an examiner has printed part or all candidate documentary submissions for assessment purposes), Assessment Sheets and Travel and Subsistence forms. Paper copies of candidate documentary submissions and Assessment Sheets are stored securely in a locked cupboard in the APEAS office until they are destroyed by shredding within a year of APEAS receiving them. Travel and Subsistence Forms are processed for payment purposes and filed in the yearly receipts/expenses/invoices folder which is stored in a locked cupboard in the APEAS office. The information contained in the yearly receipts/expenses/invoices folder is retain for 6-years in line with financial requirements.

What are my rights?

You have certain rights under data protection laws with regard to your personal data. These include the right to:

  • Request access to your personal data.
  • Request correction of your personal data.
  • Request erasure of your personal data.
  • Object to processing of your personal data.
  • Request restriction on processing your personal data.
  • Request transfer of your personal data.
  • Right to withdraw consent.

You can see more about these rights at

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

If you wish to exercise any of the rights set out above, please email us at info@apeas.org.uk

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

Access to your information:

You have the right to request a copy of the information that we hold about you by emailing us at info@apeas.org.uk

If you make a request to APEAS to see the personal data we hold on you we will provide the following information

  • Data we hold on you in the the APEAS Moodle/Turnitin on-line system
  • Data we hold on you in our IT administration system
  • Any email correspondence with you which we hold
  • Any paper information containing any of your personal details

We will try to respond to all reasonable requests within one month. However it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Correcting your information 

We always want to make sure that your information is accurate, complete and up to date. APEAS will undertake a periodic review of the data it holds on practice examiners to ensure it has the most up to date information. APEAS will contact practice examiners by email to check if it has the most up to date information on them. The APEAS IT administration system will be updated with any revisions to practice examiner details. You can ask us to correct any information about you that you believe is incorrect or incomplete by emailing us at info@apeas.org.uk.

Deletion of your information

You have the right to ask us to delete information about you if:

  • you think that we have kept it longer than we need to
  • we are using your information with your consent and you withdraw it – see ‘Withdrawing consent to using your information’ below
  • you have objected to our use of your personal information – see ‘Objecting to how we use your information’ below
  • APEAS uses your information unlawfully

Objecting to how we use your information 

You have the right to ask us to stop using your information to:

  • send you marketing materials
  • carry out some of our roles and functions
  • carry out research

Restricting how we may use your information

You have the right to ask us to restrict how we use your personal information in certain circumstances. For example, where you have asked us to check the accuracy of your information or where we no longer need your information but you want us to keep it to help you make a legal claim.

Withdrawing consent using your information

Where you have given us your consent to use your personal information, you can withdraw that consent at any time and we will stop using your personal information for that purpose(s).

This privacy notice explains how APEAS collects and uses information about you in order to provide our Part 3 Examination services.

The nature of our relationship with you will determine what personal information we collect about you and how we use it.

What information do we collect about you?

If you are an external examiner for APEAS we will collect information about you. The types of information we collect include:

  • personal details, for example: name, home address, work address, telephone numbers, e-mail address
  • gender
  • photograph
  • identification documentation, eg copy of passport
  • information concerning appeal / complaints
  • your external examiner reports
  • email correspondence
  • information on payment of fees and expenses including bank account details

How do we collect your information and what do we use it for?

We collect information about you from:

  • submission of your CV
  • submission of travel and subsistence expenses forms, including bank details
  • payment of fees through our bank
  • we may also collect information directly from you when you contact us

We use the information we collect about you:

  • to invite you to participate in the APEAS Part 3 Examination process
  • to allow you to access candidates submissions via the Moodle/ Turnitin system
  • to allow you to undertake your task of reviewing the APEAS Part 3 Examination process (see the Appendix for more details)
  • to issue invitations to attend seminars or other events
  • to inform the review of the APEAS Part 3 Examination process by collating and evaluating information submitted by you in your external examiners report
  • to make payments for fees and expenses as required via the RBS online banking system
  • to respond to enquiries
  • to investigate cases of appeal / complaint / possible misconduct
  • for statistical and research purposes

Legal basis for processing your information

We use and share your information:

  • to fulfil our legitimate business to provide a Part 3 Examination service and ensure that rigorous quality assurance procedures and standards are applied to this Examination service
  • to comply with any legal or regulatory obligation
  • with your consent where we have asked for and you have given it

Who do we share your information with?

We may share your personal information with the following bodies:

  • by inclusion of your external examiners report in the annual Architects Registration Board (ARB) monitoring report and by insertion of your external examiner reports in five yearly ARB re-prescription documentation
  • by inclusion of some of your external examiner reports in the documentation prepared for the Royal Institute of British Architects (RIBA) five yearly re-validations

How long do we keep your information?

APEAS will retain personal data on you all the while you are working for APEAS. Once you retire as an external examiner your data will be deleted from all APEAS records at the latest one year after retirement. We will retain a note of your email address and telephone number in case we need to contact you at some future date in connection with some aspect of APEAS business.

Posting/receiving paper information including personal details

APEAS communicates with its external examiners almost exclusively by electronic communication and will only post information to external examiners very occasionally.

APEAS does receive paper copies of Travel and Subsistence forms and invoices from external examiners. Travel and Subsistence forms and invoices are processed for payment purposes and filed in the yearly receipts/expenses/invoices folder which is stored in a locked cupboard in the APEAS office. The information contained in the yearly receipts/expenses/invoices folder is retain for 6-years in line with financial requirements.

What are my rights?

You have certain rights under data protection laws with regard to your personal data. These include the right to:

  • Request access to your personal data.
  • Request correction of your personal data.
  • Request erasure of your personal data.
  • Object to processing of your personal data.
  • Request restriction on processing your personal data.
  • Request transfer of your personal data.
  • Right to withdraw consent.

You can see more about these rights at

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

If you wish to exercise any of the rights set out above, please email us at info@apeas.org.uk

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

Access to your information

You have the right to request a copy of the information that we hold about you by emailing us at info@apeas.org.uk

If you make a request to APEAS to see the personal data we hold on you we will provide the following information

  • Data we hold on you in the the APEAS Moodle/Turnitin on-line system
  • Data we hold on you in our IT administration system
  • Any email correspondence with you which we hold
  • Any paper information containing any of your personal details

We will try to respond to all reasonable requests within one month. However it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Correcting your information

We always want to make sure that your information is accurate, complete and up to date. APEAS will undertake a periodic review of the data it holds on external examiners to ensure it has the most up to date information. APEAS will contact external examiners by email to check if it has the most up to date information on them. The APEAS IT administration system will be updated with any revisions to external examiner details. You can ask us to correct any information about you that you believe is incorrect or incomplete by emailing us at info@apeas.org.uk.

Deletion of your information

You have the right to ask us to delete information about you if:

  • you think that we have kept it longer than we need to
  • we are using your information with your consent and you withdraw it – see ‘Withdrawing consent to using your information’ below
  • you have objected to our use of your personal information – see ‘Objecting to how we use your information’ below
  • APEAS uses your information unlawfully

Objecting to how we use your information

 You have the right to ask us to stop using your information to:

  • send you marketing materials
  • carry out some of our roles and functions
  • carry out research

Restricting how we may use your information

You have the right to ask us to restrict how we use your personal information in certain circumstances. For example, where you have asked us to check the accuracy of your information or where we no longer need your information but you want us to keep it to help you make a legal claim.

Withdrawing consent using your information

Where you have given us your consent to use your personal information, you can withdraw that consent at any time and we will stop using your personal information for that purpose(s).

Appendix

Purpose / Activity
To provide external examiners with electronic copies of candidate documentary submissions, the Practice Paper and candidate pre-Oral grades (including cross-marked grades) for review purposes.
To provide external examiners with an analysis of pre-Oral grades information to inform, amongst other things, which examiner pairings may be marking too hard and which pairings may be marking too leniently.
To provide external examiners with all post-Oral grades and overall pass/fail results for the second meeting of the Practice Examiners Committee and the Examination Committee meeting which follow on shortly after the completion of the Oral Examinations.
To submit their jointly agreed external examiners report to APEAS for consideration by the APEAS Board and Examination Committee.

This privacy notice explains how APEAS collects and uses information about you in order to provide our services.

The nature of our relationship with you will determine what personal information we collect about you and how we use it.

What information do we collect about you?

If you are an Employment Mentor for a candidate who is sitting the Part 3 Examination in Professional Practice and Management (Part 3 Examination) with APEAS, we will collect information about you. The types of information we collect include:

  • personal details, for example: title, name, work address, telephone numbers, e-mail address
  • signature, qualifications, position
  • email correspondence

How do we collect your information and what do we use it for?

We collect information about you from:

  • practice paper declaration for candidate for whom you are a mentor
  • comments and signature included on PEDR submission from candidate
  • candidate online registration

We use the information we collect about you:

  • to communicate with you when required

Legal basis for processing your information

We use and share your information:

  • to fulfil our legitimate business to provide a Part 3 Examination service
  • to comply with any legal or regulatory obligation
  • with your consent where we have asked for and you have given it

Who do we share your information with?

We currently do not share your personal information with other service providers and third parties who we use to provide our services.

How long do we keep your information?

A mentor will normally have his/her data deleted at the same time as his/her successful candidate’s data is deleted by APEAS. Or if notification is received that you are no longer a mentor.

Posting/receiving paper information including personal details

APEAS communicates with employment mentors almost exclusively by electronic communication and will only post information to mentors very occasionally.

What are my rights?

You have certain rights under data protection laws with regard to your personal data. These include the right to:

  • Request access to your personal data.
  • Request correction of your personal data.
  • Request erasure of your personal data.
  • Object to processing of your personal data.
  • Request restriction on processing your personal data.
  • Request transfer of your personal data.
  • Right to withdraw consent.

You can see more about these rights at

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

If you wish to exercise any of the rights set out above, please email us at info@apeas.org.uk

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

Access to your information:

You have the right to request a copy of the information that we hold about you by emailing us at info@apeas.org.uk

If you make a request to APEAS to see the personal data we hold on you we will provide the following information

  • Data we hold on you in our IT administration system
  • Any email correspondence with you which we hold
  • Any paper information containing any of your personal details

We will try to respond to all reasonable requests within one month. However, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Correcting your information

We always want to make sure that your information is accurate, complete and up to date. You can ask us to correct any information about you that you believe is incorrect or incomplete by emailing us at info@apeas.org.uk.

Deletion of your information

 You have the right to ask us to delete information about you if:

  • you think that we have kept it longer than we need to
  • we are using your information with your consent and you withdraw it – see ‘Withdrawing consent to using your information’
  • you have objected to our use of your personal information – see ‘Objecting to how we use your information’
  • APEAS uses your information unlawfully

Objecting to how we use your information

You have the right to ask us to stop using your information to:

  • send you marketing materials
  • carry out some of our roles and functions
  • carry out research

Restricting how we may use your information

You have the right to ask us to restrict how we use your personal information in certain circumstances. For example, where you have asked us to check the accuracy of your information or where we no longer need your information but you want us to keep it to help you make a legal claim.

Withdrawing consent using your information

Where you have given us your consent to use your personal information, you can withdraw that consent at any time and we will stop using your personal information for that purpose(s).

University of Edinburgh, University of Strathclyde, Glasgow School of Art, University of Dundee, Robert Gordon University

This privacy notice explains how APEAS collects and uses information about you in order to provide our services.

The nature of our relationship with you will determine what personal information we collect about you and how we use it.

What information do we collect about you?

If you are a Professional Studies Advisor with one of the Higher Education Institutions identified above, we will collect information about you. The types of information we collect include:

  • personal details, for example name, signature, work address, telephone numbers, e-mail address
  • gender
  • email correspondence
  • information on payment of agreed expenses including bank account details

How do we collect your information and what do we use it for?

We collect information about you from:

  • we may collect information directly from you when you contact us
  • comments and signatures included on PEDR submissions from candidates
  • submission of travel and subsistence expenses forms, including bank details
  • payment of expenses through our bank

We use the information we collect about you:

  • to invite you to participate in the APEAS Examination Committee
  • to issue invitations to attend seminars, award ceremonies or other events
  • to send you information on which of your candidates have registered with APEAS
  • to inform the review of the APEAS Part 3 Examination by incorporating your written views on that process
  • to make payments of expenses as required via the RBS online banking system
  • to respond to enquiries
  • for statistical and research purposes

Legal basis for processing your information

We use and share your information:

  • to fulfil our legitimate business to provide a Part 3 Examination service and ensure that rigorous quality assurance procedures and standards are applied to this Examination service
  • to comply with any legal or regulatory obligation
  • with your consent where we have asked for and you have given it

Who do we share your information with?

We may share your personal information with:

  • potential candidates, unattached to one of the five Scottish Higher Education Institutions shown above, who are seeking PSA services

How long do we keep your information?

We will retain your personal data all the while you are in your job as a Professional Studies Advisor. All your data will be deleted at the latest one year after you have left your job except where information is retained in relation to candidates in which case the data will be deleted as per rules for candidates.

Posting/receiving paper information including personal details

APEAS communicates with Professional Studies Advisors almost exclusively by electronic communication and will only post information to Professional Studies Advisors very occasionally.

APEAS does receive paper copies of Travel and Subsistence forms from Professional Studies Advisors. Travel and Subsistence forms are processed for payment purposes and filed in the yearly receipts/expenses/invoices folder which is stored in a locked cupboard in the APEAS office. The information contained in the yearly receipts/expenses/invoices folder is retain for 6-years in line with financial requirements.

What are my rights?

You have certain rights under data protection laws with regard to your personal data. These include the right to:

  • Request access to your personal data.
  • Request correction of your personal data.
  • Request erasure of your personal data.
  • Object to processing of your personal data.
  • Request restriction on processing your personal data.
  • Request transfer of your personal data.
  • Right to withdraw consent.

You can see more about these rights at

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

If you wish to exercise any of the rights set out above, please email us at info@apeas.org.uk

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

Access to your information

You have the right to request a copy of the information that we hold about you by emailing us at info@apeas.org.uk

If you make a request to APEAS to see the personal data we hold on you we will provide the following information

  • Data we hold on you in our IT administration system
  • Any email correspondence with you which we hold
  • Any paper information containing any of your personal details

We will try to respond to all reasonable requests within one month. However, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Correcting your information

We always want to make sure that your information is accurate, complete and up to date. APEAS will undertake a periodic review of the data it holds on Professional Studies Advisors to ensure it has the most up to date information. APEAS will contact Professional Studies Advisors by email to check if it has the most up to date information on them. The APEAS IT administration system will be updated with any revisions to Professional Studies Advisor’s details. You can ask us to correct any information about you that you believe is incorrect or incomplete by emailing us at info@apeas.org.uk.

Deletion of your information

You have the right to ask us to delete information about you if:

  • you think that we have kept it longer than we need to
  • we are using your information with your consent and you withdraw it – see ‘Withdrawing consent to using your information’ below
  • you have objected to our use of your personal information – see ‘Objecting to how we use your information’ below
  • APEAS uses your information unlawfully

Objecting to how we use your information

 You have the right to ask us to stop using your information to:

  • send you marketing materials
  • carry out some of our roles and functions
  • carry out research

Restricting how we may use your information

You have the right to ask us to restrict how we use your personal information in certain circumstances. For example, where you have asked us to check the accuracy of your information or where we no longer need your information but you want us to keep it to help you make a legal claim.

Withdrawing consent using your information

Where you have given us your consent to use your personal information, you can withdraw that consent at any time and we will stop using your personal information for that purpose(s).

This privacy notice explains how APEAS collects and uses information about you in order to provide our services.

The nature of our relationship with you will determine what personal information we collect about you and how we use it.

What information do we collect about you?

If you are a member of the APEAS Board, we will collect information about you. The types of information we collect include:

  • personal details, for example: name, address, telephone numbers, e-mail address
  • gender
  • profile, including photograph, for publishing on APEAS website
  • email correspondence
  • information on payment of agreed fees and expenses including bank account details

How do we collect your information and what do we use it for?

We collect information about you from:

  • we may collect information directly from you when you contact us
  • submission of travel and subsistence expenses forms, including bank details
  • payment of expenses through our bank

We use the information we collect about you:

  • to ensure that the make-up of the Board complies with APEAS requirements
  • to issue invitations to attend Board meetings, seminars or other events
  • to issue you with agendas, minutes and papers for Board meetings, seminars and other events
  • to make payment of expenses as required via the RBS online banking system
  • to respond to enquiries
  • for statistical and research purposes
  • in order to respond to any complaint or allegation of misconduct

Legal basis for processing your information

We use and share your information:

  • to fulfil APEAS legitimate business interests in terms of the company meeting the three objectives set out in the company’s Memorandum and Articles of Association, setting policy, ensuring that the appropriate human and financial resources are in place for the long term stability of APEAS and ensuring that rigorous quality standards are applied to the Part 3 Examination process
  • to comply with any legal or regulatory obligation
  • with your consent where we have asked for and you have given it

Who do we share your information with?

We currently do not share your personal information with other service providers and third parties who we use to provide our services.

How long do we keep your information?

Data on a Board member will be retained in line with retention of Board and other company records, e.g. minutes of meetings.

Posting/receiving paper information including personal details

APEAS communicates with Board members almost exclusively by electronic communication and will only post information to Board members very occasionally.

APEAS does receive paper copies of Travel and Subsistence forms from Board members. Travel and Subsistence forms are processed for payment purposes and filed in the yearly receipts/expenses/invoices folder which is stored in a locked cupboard in the APEAS office. The information contained in the yearly receipts/expenses/invoices folder is retain for 6-years in line with financial requirements.

What are my rights?

You have certain rights under data protection laws with regard to your personal data. These include the right to:

  • Request access to your personal data.
  • Request correction of your personal data.
  • Request erasure of your personal data.
  • Object to processing of your personal data.
  • Request restriction on processing your personal data.
  • Request transfer of your personal data.
  • Right to withdraw consent.

You can see more about these rights at

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

If you wish to exercise any of the rights set out above, please email us at info@apeas.org.uk

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

Access to your information

If you make a request to APEAS to see the personal data we hold on you we will provide the following information:

  • Data we hold on you in our IT administration system
  • Any email correspondence with you which we hold
  • Any paper information containing any of your personal details

We will try to respond to all reasonable requests within one month. However, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Correcting your information

We always want to make sure that your information is accurate, complete and up to date. APEAS will undertake a periodic review of the data it holds on Board members to ensure it has the most up to date information. APEAS will contact Board members by email to check if it has the most up to date information on them. The APEAS IT administration system will be updated with any revisions to Board members details. You can ask us to correct any information about you that you believe is incorrect or incomplete by emailing us at info@apeas.org.uk.

Deletion of your information

You have the right to ask us to delete information about you if:

  • you think that we have kept it longer than we need to
  • we are using your information with your consent and you withdraw it – see ‘Withdrawing consent to using your information’ below
  • you have objected to our use of your personal information – see ‘Objecting to how we use your information’ below
  • APEAS uses your information unlawfully

Objecting to how we use your information

You have the right to ask us to stop using your information to:

  • send you marketing materials
  • carry out some of our roles and functions
  • carry out research

Restricting how we may use your information

You have the right to ask us to restrict how we use your personal information in certain circumstances. For example, where you have asked us to check the accuracy of your information or where we no longer need your information but you want us to keep it to help you make a legal claim.

Withdrawing consent using your information

Where you have given us your consent to use your personal information, you can withdraw that consent at any time and we will stop using your personal information for that purpose(s).

This privacy notice explains how APEAS collects and uses information about you in order to provide our services.

The nature of our relationship with you will determine what personal information we collect about you and how we use it.

What information do we collect about you?

If you are a member of APEAS staff, we will collect information about you. The types of information we collect include:

  • personal details, for example: name, signature, address, telephone numbers, e-mail address
  • identification documentation, eg copy of passport
  • gender
  • salaries information
  • pension information
  • holiday entitlement information
  • sickness absence information
  • profile, including photograph, for publishing on APEAS website
  • email correspondence
  • information on payment of agreed expenses including bank account details

How do we collect your information and what do we use it for?

We collect information about you from:

  • we may collect information directly from you
  • from your Written Statement of Particulars
  • from the company accountant
  • submission of travel and subsistence expenses forms, including bank details
  • payment of expenses through our bank

We use the information we collect about you:

  • to comply with HMRC requirements
  • to satisfy Pension company requirements
  • to monitor holidays taken against holiday entitlement
  • to make payment of expenses as required via our online banking system
  • to respond to enquiries
  • in order to respond to any complaint or allegation of misconduct

Legal basis for processing your information

We use and share your information:

  • to fulfil our legitimate business to provide a Part 3 Examination service and ensure that rigorous quality assurance procedures and standards are applied to this Examination service
  • to comply with any legal or regulatory obligation
  • with your consent where we have asked for and you have given it

Who do we share your information with?

We may share your personal information with, and obtain information about you, from:

  • the company’s accountant
  • Her Majesties Revenue and Customs (HMRC)
  • the pension company managing your stakeholder pension (if applicable)
  • the Architects Registration Board (ARB)
  • the Royal Institute of British Architects (RIBA) and the Royal Incorporation of Architects in Scotland

How long do we keep your information?

Data on you will be retained by APEAS in line with retention of company records, e.g. financial records.

Posting/receiving paper information including personal details

APEAS communicates with staff verbally or by electronic communication. Information will only be posted to staff very occasionally e.g. in the case of a disciplinary matter or a grievance.

APEAS does receive paper copies of staff pay slips and Travel and Subsistence forms. Pay slips and Travel and Subsistence forms are processed for payment purposes. Pay slips are given to staff as soon after payments are processed as possible. Travel and Expense forms are filed in the yearly receipts/expenses/invoices folder which is stored in a locked cupboard in the APEAS office. The information contained in the yearly receipts/expenses/invoices folder is retain for 6-years in compliance with financial requirements.

What are my rights?

You have certain rights under data protection laws with regard to your personal data. These include the right to:

  • Request access to your personal data.
  • Request correction of your personal data.
  • Request erasure of your personal data.
  • Object to processing of your personal data.
  • Request restriction on processing your personal data.
  • Request transfer of your personal data.
  • Right to withdraw consent.

You can see more about these rights at

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

If you wish to exercise any of the rights set out above, please email us at info@apeas.org.uk

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

Access to your information

You have the right to request a copy of the information that we hold about you by emailing us at info@apeas.org.uk

If you make a request to APEAS to see the personal data we hold on you we will provide the following information

  • Data we hold on you in our IT administration system
  • Any email correspondence with you which we hold
  • Any paper information containing any of your personal details

We will try to respond to all reasonable requests within one month. However, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Correcting your information

We always want to make sure that your information is accurate, complete and up to date. You can ask us to correct any information about you that you believe is incorrect or incomplete by providing it verbally or in writing to the Administrator or by emailing us at info@apeas.org.uk.

Deletion of your information

 You have the right to ask us to delete information about you if:

  • you think that we have kept it longer than we need to
  • we are using your information with your consent and you withdraw it – see ‘Withdrawing consent to using your information’ below
  • you have objected to our use of your personal information – see ‘Objecting to how we use your information’ below
  • APEAS uses your information unlawfully

Objecting to how we use your information

You have the right to ask us to stop using your information to:

  • send you marketing materials
  • carry out some of our roles and functions
  • carry out research

Restricting how we may use your information

You have the right to ask us to restrict how we use your personal information in certain circumstances. For example, where you have asked us to check the accuracy of your information or where we no longer need your information but you want us to keep it to help you make a legal claim.

Withdrawing consent using your information

Where you have given us your consent to use your personal information, you can withdraw that consent at any time and we will stop using your personal information for that purpose(s).

This privacy notice explains how APEAS collects and uses information about you in order to provide our services.

The nature of our relationship with you will determine what personal information we collect about you and how we use it.

What information do we collect about you?

If you supply goods or service to APEAS, we will collect information about you. The types of information we collect include:

  • personal details, for example: title, name, signature, home address, office address, telephone numbers, e-mail address
  • email correspondence
  • information on supplier bank account details for payment purposes

How do we collect your information and what do we use it for?

We collect information about you from:

  • we may collect information directly from you
  • company accountant
  • submission of receipts, delivery notes and invoices
  • payment of expenses through our bank

We use the information we collect about you:

  • to order goods or services from you
  • to receive the appropriate goods or services
  • to process the payment of invoices for your goods and services
  • to deal with any queries regarding the goods or services provided

Legal basis for processing your information

We use and share your information:

  • to fulfil our legitimate business to provide a Part 3 Examination service
  • to comply with any legal or regulatory obligation
  • with your consent where we have asked for it and you have given it

Who do we share your information with?

We may share your personal information with:

  • the company’s account

How long do we keep your information?

Data from suppliers (including the company’s accountant) will be retained in line with APEAS’s requirement to keep financial records.

Posting/receiving paper information including personal details

APEAS communicates with its suppliers almost exclusively by electronic communication and will only very occasionally post information to suppliers.

Supplier paper receipts and invoices containing contact names are filed in the yearly receipts/expenses/ invoices folder which is stored in a locked cupboard in the APEAS office.

Paper copies of annual Financial Statements are also stored in a locked cupboard in the APEAS office.

What are my rights?

You have certain rights under data protection laws with regard to your personal data. These include the right to:

  • Request access to your personal data.
  • Request correction of your personal data.
  • Request erasure of your personal data.
  • Object to processing of your personal data.
  • Request restriction on processing your personal data.
  • Request transfer of your personal data.
  • Right to withdraw consent.

You can see more about these rights at

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

If you wish to exercise any of the rights set out above, please email us at info@apeas.org.uk

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

Access to your information

You have the right to request a copy of the information that we hold about you by emailing us at info@apeas.org.uk

If you make a request to APEAS to see the personal data we hold on you we will provide the following information

  • Data we hold on you in our IT administration system
  • Any email correspondence with you which we hold
  • Any paper information containing any of your personal details

We will try to respond to all reasonable requests within one month. However, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Correcting your information

We always want to make sure that your information is accurate, complete and up to date. You can ask us to correct any information about you that you believe is incorrect or incomplete by emailing us at info@apeas.org.uk.

Deletion of your information

You have the right to ask us to delete information about you if:

  • you think that we have kept it longer than we need to
  • we are using your information with your consent and you withdraw it – see ‘Withdrawing consent to using your information’ below
  • you have objected to our use of your personal information – see ‘Objecting to how we use your information’ below
  • APEAS uses your information unlawfully

Objecting to how we use your information

You have the right to ask us to stop using your information to:

  • send you marketing materials
  • carry out some of our roles and functions
  • carry out research

Restricting how we may use your information

You have the right to ask us to restrict how we use your personal information in certain circumstances. For example, where you have asked us to check the accuracy of your information or where we no longer need your information but you want us to keep it to help you make a legal claim.

Withdrawing consent using your information

Where you have given us your consent to use your personal information, you can withdraw that consent at any time and we will stop using your personal information for that purpose(s).

This privacy notice explains how APEAS collects and uses information about you in order to provide our services.

The nature of our relationship with you will determine what personal information we collect about you and how we use it.

What information do we collect about you?

If you correspond with APEAS, we will collect information about you. The types of information we collect include:

  • personal details, for example: title, name, signature, home address, office address, telephone numbers, e-mail address
  • email correspondence

How do we collect your information and what do we use it for?

We collect information about you from:

  • electronic or paper-based correspondence from you

We use it to:

  • maintain a record of our correspondence with you

We use the information we collect about you:

  • to maintain a record of correspondence

Legal basis for processing your information

We use and share your information:

  • to fulfil our legitimate business to provide a Part 3 Examination service
  • to comply with any legal or regulatory obligation
  • with your consent where we have asked for it and you have given it

Who do we share your information with?

We do not anticipate sharing your data with any third party.  In any event, we would not do so without your consent where we have asked for it and you have given it, unless complied to do so by a legal or regulatory obligation.

How long do we keep your information?

Data will be kept for 2 years, after which time it will be destroyed.

Posting/receiving paper information including personal details

Paper correspondence is filed and kept securely in the APEAS office.

What are my rights?

You have certain rights under data protection laws with regard to your personal data. These include the right to:

  • Request access to your personal data.
  • Request correction of your personal data.
  • Request erasure of your personal data.
  • Object to processing of your personal data.
  • Request restriction on processing your personal data.
  • Request transfer of your personal data.
  • Right to withdraw consent.

You can see more about these rights at

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

If you wish to exercise any of the rights set out above, please email us at info@apeas.org.uk

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

Access to your information

You have the right to request a copy of the information that we hold about you by emailing us at info@apeas.org.uk

If you make a request to APEAS to see the personal data we hold on you we will provide the following information

  • Data we hold on you in our IT administration system
  • Any email correspondence with you which we hold
  • Any paper information containing any of your personal details

We will try to respond to all reasonable requests within one month. However, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Correcting your information

We always want to make sure that your information is accurate, complete and up to date. You can ask us to correct any information about you that you believe is incorrect or incomplete by emailing us at info@apeas.org.uk.

Deletion of your information

You have the right to ask us to delete information about you if:

  • you think that we have kept it longer than we need to
  • we are using your information with your consent and you withdraw it – see ‘Withdrawing consent to using your information’ below
  • you have objected to our use of your personal information – see ‘Objecting to how we use your information’ below
  • APEAS uses your information unlawfully

Objecting to how we use your information

You have the right to ask us to stop using your information to:

  • send you marketing materials
  • carry out some of our roles and functions
  • carry out research

Restricting how we may use your information

You have the right to ask us to restrict how we use your personal information in certain circumstances. For example, where you have asked us to check the accuracy of your information or where we no longer need your information but you want us to keep it to help you make a legal claim.

Withdrawing consent using your information

Where you have given us your consent to use your personal information, you can withdraw that consent at any time and we will stop using your personal information for that purpose(s).

Introduction

This documents sets out the APEAS procedure for dealing with a data breach in an effective, timely and consistent manner.

Definition of a Data Breach

The Information Commissioners Office gives the following definition of a data breach:

‘A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed: if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.

A security incident may include, but not be limited to, any of the following:

  • loss or theft of confidential data, or the equipment on which the data is stored (e.g. loss or theft of a laptop, tablet, memory stick, hard dive or paper record)
  • system failure
  • unauthorised access, use of or modification to data held on the APEAS on-line Moodle/Turnitin system, APEAS IT administrative system or paper records
  • unauthorised disclosure of confidential/sensitive information
  • APEAS website defacement
  • hacking attacks
  • fire or flood of the APEAS office
    • human error

Scope of this Procedure

This procedure applies to the following APEAS categories of individuals:

  • candidates
  • practice examiners
  • external examiners
  • APEAS Board members
    • APEAS staff

Reporting an incident

Any person accessing, using or managing APEAS information is responsible for reporting any data breach immediately to the APEAS Chief Executive Officer (info@apeas.org.uk or 01324 484652). If the breach is identified outside of normal working hours it must be reported as soon as reasonably practicable.

The report must contain the following details:

  • the name of the person reporting the breach
  • details of the nature of the incident
  • the date and time when the breach occurred
  • if personal data is likely to be involved
    • the potential number of persons affected by the breach

Containment of the breach

5.1  The APEAS Chief Executive Officer (CEO) will first ascertain if the breach is still taking place. If it is, the CEO will take appropriate measures immediately to minimise the impact of the data breach.

5.2  The CEO will make an initial assessment of the severity of the breach and determine if anything can be done to retrieve any losses and limit the damage the breach might cause.

5.3  The CEO will decide who needs to be notified about the breach as part of initially containing it.

5.4  The CEO will decide a suitable course of action to be taken to resolve the breach as soon as possible.

5.5  The advice and support of the APEAS IT consultant may be sought at any stage while the steps in 5.1 to 5.4 are being implemented.

5.6  The CEO will advise the Chairperson of the APEAS Board, as soon as practical and certainly within 24-hours of learning of the breach, that a breach has occurred and what steps have been taken to minimise the effects of the breach.

5.7  Where the CEO is absent the APEAS Office Manager (OM) will takes the steps outlined in 5.1 to 5.6.

Investigation

6.1  The CEO will undertake an investigation of the breach normally within 24 hours of the breach being reported/discovered.

6.2  The investigation of the breach will include an assessment of the risks associated with it. This risk assessment will include which individuals are potentially affected by the breach, how serious are the consequences for those affected and how likely it is that these consequences might be realised.

6.3  The investigation will need to take account of the following:

  • the type of data involved (e.g. is personal data involved)
  • how sensitive/confidential is the data
  • is the data encrypted
  • what has happened to the data (has it been lost or stolen)
  • whether the data can be used for inappropriate or illegal purposes
  • whether there are any greater consequences of the data breach

Notifications

7.1 The CEO will, in consultation with the Chair of the APEAS Board, OM and APEAS IT consultant, determine if the breach should be notified to the Information Commissioners Office (ICO). This should normally be done within 72 hours of the breach being reported/discovered.

7.2  In deciding whether the ICO should be informed the following factors will be taken into account:

  • is the breach likely to lead to a high risk that individuals’ rights and freedoms will be badly affected under data protection legislation
  • whether notification would help individuals affected by the breach
  • whether notification would assist in preventing unauthorised or unlawful use of personal data
  • Whether notification is necessary. Not all data breach incidents require notification. Unnecessarily notifying the ICO may lead to considerable extra work.
  • Where individuals’ personal data has been affected by the breach and there is a high risk of their rights and freedoms being affected the CEO/Office Manager should inform such individuals of the breach within 24 hours of it occurring. Any such notification should include details of the date and time the breach occurred, how it occurred and the data involved. APEAS should also advise the individuals of what steps it has taken to minimise the effects of the breach and what they can do to protect themselves. Individuals should be advised that they can contact APEAS by email (info@apeas.org.uk) or by phone (01324 484652) for further information or to ask questions regarding the data breach.

7.4  The CEO may find it necessary to contact third parties such as the police, banks, insurers or credit card companies. This would be appropriate if illegal activity is suspected or known to have occurred or there is the risk that it might happen in the future.

7.5  APEAS will keep a record of any personal data breach that has occurred irrespective of whether it was notified to the ICO or not.

After the data breach has been contained the CEO will carry out a review into the causes of the breach and the effectiveness of the APEAS response. Any such review should consider the following (the list is not exhaustive) questions:

  • What controls where in place to minimise the data breach, were they adequate or do they need to be enhanced or changed?
  • What system modifications could be made to enhance security?
  • Are there any potential weak points within current security measures?
  • Are methods of transmitting data secure?
  • Does APEAS need to change any of its policies or procedures to enhance security?
  • Is only the minimum data being asked for?
  • Is there any need for staff training

Report to the APEAS Board

8.1  Where a data breach has occurred the CEO will make a report to the next meeting of the APEAS Board. This report should include the following details:

  • the date and time the data breach occurred
  • did the breach involve personal data
  • the severity of the breach
  • what immediate steps were taken to minimise the effects of the breach
  • where the ICO notified
  • who else was notified
  • what further measures have been implemented to minimise the possibility of a similar data breach occurring in the future
The Architects Professional Examination Authority in Scotland Ltd
Find us on
Copyright © 2022 APEAS. All Rights Reserved
Site by Internet Creation
chevron-down