Pearson Clinical Assessment Digital Platforms Operations
Security & Data privacy
Pearson Global Information Security
Pearson’s global information security policies are based on the ISO-27001 information security standard. These policies are subject to annual review. The policies are owned by the Chief Information Security Officer (CISO), and the dedicated Security Operations Control group (SOC) is under the direct control of the CISO office. This group continuously monitors our infrastructure for security threats and manages incidents as they arise.
ISO 27001 certification
- Pearson Clinical has been ISO 27001 certified across Europe, in those countries where we have an office, since December 2021.
- Local implementation of our policies and controls is/will be governed by the local Information Security Management System (ISMS).
- An ISMS review and risk assessment is conducted annually by the local Management Review team, under the supervision of the Regional Information Security Officer (RISO) for our Core region (which includes Europe).
ISO-27001 based Global Information Security Management Policies:
- 5 Information Security Policies
- 6 Organization of Information security
- 7 Human Resources Security
- 8 Asset Management
- 9 Access Control
- 10 Cryptography
- 11 Physical and Environmental Security
- 12 Operations Security
- 13 Communications Security
- 14 System Acquisition, Development and Maintenance
- 15 Supplier Relationships
- 16 Information Security Incident Management
- 17 Information Security Aspects of Business Continuity Management
- 18 Compliance
Data Privacy & GDPR
- Pearson has implemented a program to ensure compliance of its organization and products with the General Data Protection Regulation (GDPR).
- For the purposes of the GDPR, Pearson is the data processor with respect to all personal data.
- Pearson will fully cooperate with clients to let them fulfil their obligations as the data controller under GDPR.
- Pearson will formally enforce compliance by all of its vendors with these obligations (sub-processors in the definition of GDPR).
- Our Data Privacy Officer is currently based in the UK.
Sub-Processors
Pearson works together with the vendors listed below to deliver service to its customers. For the purpose of GDPR, these are Sub-Processors. Compliance with the Pearson Information Security and Data Privacy policies and controls, as well as with the obligations under GDPR, is enforced via a formal agreement between Pearson and these vendors.
Company Name | Reg-no. | Address | Description of processing | Grounds of transfer |
Sub-data processor (1. Tier) |
Amazon Web Services Canada, Inc. | 857305932 | 120 Bremner Blvd, 26th Floor, Toronto, ON, M5J 0A8, Canada | Cloud computing services and data centre operations. Hosting of Customer Personal Data. Customer-initiated support. Access to data only with the Customer's explicit consent at the point of request. | European Union adequacy decision |
Sub-data processor (2. Tier) |
Amazon Data Services Canada, Inc. | 797963121 | 160 Elgin Street Suite 2600, Ottawa, ON, K1P 1C3 | Cloud computing services and data centre operations. Hosting of Customer Personal Data. | European Union adequacy decision |
Company Name | Reg-no. | Address | Description of processing | Grounds of transfer |
Sub-data processor (1. Tier) |
Bahnhof | 831671 | Sveavagen 41, 111 40 Stockholm, Sweden | Hosting of Customer Personal Data. | N/A |
Sub-data processor (2. Tier) |
None |
Company Name | Reg-no. | Address | Description of processing | Grounds of transfer |
Sub-data processor (1. Tier) |
SendGrid by Twilio (Twilio Ireland Limited) | IE557454 | 3 Dublin Landings, North Wall Quay, Dublin 1, Ireland | Routing and transmission of emails. Personal data contained in emails is transmitted to the target email. The email body data is only retained for as long as it takes to send it. The target email address is retained for analytics purposes. | European Union adequacy decision – Data Privacy Framework |
Sub-data processor (2. Tier) |
AWS Amazon USA | 0000174230 | 410 Terry Avenue North, Seattle, WA 98109-5210, U.S.A. | Hosting of SendGrid data. | European Union adequacy decision – Data Privacy Framework |
Company Name | Reg-no. | Address | Description of processing | Grounds of transfer |
Sub-data processor (1. Tier) |
MongoDB Atlas (MongoDB Limited) | 4999921 | Building Two, Number One Ballsbridge, Shellbourne Road, Dublin 4, Co Dublin, Ireland | Database as a service for the hosting of customer personal data. | N/A |
Sub-data processor (2. Tier) |
Amazon Web Services Canada, Inc. | 857305932 | 120 Bremner Blvd, 26th Floor, Toronto, ON, M5J 0A8, Canada | Hosting of MongoDB Atlas data. | European Union adequacy decision |
Company Name | Reg-no. | Address | Description of processing |
Sub-data processor (Pearson group entity) |
Pearson Education Limited (UK) | 872828 | 80 Strand, London, WC2R 0RL, United Kingdom | Customer support. Access to examinee/assessment data only with the customer's explicit consent at the point of request. |
Sub-data processor (Pearson group entity) |
Pearson Canada Assessment Inc. (Canada) | 1163650766 | 176 Yonge Street, 6th Floor, Toronto, ON, M5C 2L7, Canada | Technical Support. |
Sub-data processor (Pearson group entity) |
NCS Pearson, Inc (USA) | 410850527 | 5601 Green Valley Drive, Bloomington, MN 55437, United States | 3rd line technical support. Access to examinee/assessment data only with the customer's explicit consent at the point of request. |
More information:
- Please send your inquiries to dataprivacy@pearson.com