Pearson TalentLens - Online Assessment System

Operations, Security & Data privacy

Last updated 14 May 2019

Pearson Global Information Security

  • Pearson has implemented a set of global information security policies.
  • These policies are based on the ISO-27001 information security norm.
  • The list of policies implemented and enforced globally can be found at the end of this document.
  • These policies are owned by the Chief Information Security Officer (CISO).
  • They are subject to annual review.
  • Global implementation of these policies by respective controls is formally defined by a set of Security Standards and Guidelines. These are directly based on the ISO-27002 framework and take into account security best practices as defined in the NIST recommendations.
  • Local implementation of our policies and controls is governed by the local Information Security Management System (ISMS).
  • An ISMS review and risk assessment are conducted annually by the local Management Review team. This is under the supervision of the Chief Information Security Officer (CISO).
  • Under direct control of the CISO office is the dedicated Security Operations Control group (SOC). This group continuously monitors our infrastructure on security threats and manages incidents as they arise.

 

Data Privacy & GDPR

  • Pearson is engaged in implementing a program to ensure compliance of its organization and products with the General Data Protection Regulation ( GDPR).
  • Pearson is the data processor for the purposes of the GDPR of all personal data perspective.
  • Pearson will fully cooperate with clients to let them fulfill their obligations as the data controller under GDPR.
  • Pearson will formally enforce compliance by all of its vendors to these obligations (sub-processors in the definition of GDPR).
  • For the EU, our Data Privacy Officer is based in the UK. Pearson will accommodate changing this when required as an effect of Brexit.

 

Talent Lens Online Platform – Subprocessor

  • PSI True Talent is owned by PSI Services LLC (PSI)
  • In terms of the processing of personal data/GDPR, PSI is the subprocessor.
  • Pearson uses a so-called ‘White-label’ version of the platform called Talent Lens Online
  • Talent Lens Online has two instances, one hosted from Ireland on Microsoft Azure Cloud, and one from a dedicated data center in Indianapolis/US.
  • System administration and database management are operated from local PSI offices, respectively in the EU and US.
  • There is no transfer of personal data between both platform instances. All personal data is kept in the regional hosting center.
  • Management of customer accounts is managed by local TalentLens teams.
  • Temporarily elevated authorizations to access personal information in the platform is only given to a small group of admins within Pearson Global team and requires management approval when an incident occurs.
  • Pearson has Model Contract Clauses in place to accommodate international data transfer (access). This satisfies the requirements as set in the GDPR
  • PSI has an EU-U.S. Privacy Shield certification
  • Daily management over the customer account and authorizations to access personal data is carried out by the customer. Pearson will never access clients personal data without any upfront formal authorizations by the client.
  • Compliance to both the Pearson Information Security and Data Privacy policies and controls as well as the obligations under GDPR are enforced via a formal agreement between Pearson and PSI

 

Get Feedback Platform – Subprocessor

  • The Get Feedback platform (GFB) is owned by Getfeedback.Net Ltd
  • In terms of the GDPR, GFB is the subprocessor for the data processing
  • Pearson uses a so-called ‘White-label’ version of the platform called TalentLens from Pearson
  • TalentLens from Pearson is hosted from the UK on their own dedicated servers in Tier 4 and Tier 2 carrier class data centres in the UK.
  • System administration and database management is operated from the UK by a local GFB office.
  • This complies to current and upcoming data privacy regulations throughout Europe
  • There is no transfer of personal data to third countries like the US. All personal data is kept in the EU and not accessed from the outside of it
  • Management of customer accounts is managed by a central European customer support team.
  • Temporary elevated authorizations to access personal information in the platform is only given to a small group of admins within Pearson European team and requires management approval when an incident occurs.
  • Daily management over the customer account and authorizations to access personal data is carried out by the customer. Pearson will never access clients personal data without any upfront formal authorizations by the client.
  • Compliance to both the Pearson Information Security and Data Privacy policies and controls as well as the obligations under GDPR are enforced via a formal agreement between Pearson and PAN.

ISO-27001 based Global Information Security Management Policies

  • 5 Information Security Policies
  • 6 Organization of Information security
  • 7 Human Resources Security
  • 8 Asset Management
  • 9 Access Control
  • 10 Cryptography
  • 11 Physical and Environmental Security
  • 12 Operations Security
  • 13 Communications Security
  • 14 System Acquisition, Development, and Maintenance
  • 15 Supplier Relationships
  • 16 Information Security Incident Management
  • 17 Information Security Aspects of Business Continuity Management
  • 18 Compliance

 

More information