
Thanks for treating our staff with respect

ACER staff aim to treat everyone with courtesy, respect and integrity and to be sensitive to the diverse needs of all our stakeholders. In turn, we expect everyone contacting ACER to offer our staff the same consideration – as workers and as human beings.


We will do our best to help you in every case, but our staff will not tolerate any rude or aggressive behaviour, including:

  • verbal abuse
  • rude or otherwise vulgar expressions or gestures
  • threatening or offensive behaviour
  • threats of physical violence or self-harm.

If any caller to ACER engages in such behaviour, staff will warn them clearly that the conversation may be terminated. If the caller continues that behaviour regardless, the call may be transferred to a recorded message indicating they have breached ACER’s protocols.

ACER will respond firmly to any similar emails or social media messages, and we will notify police if anyone visiting ACER offices displays the same behaviour.

Confidentiality and privacy


When you register for and/or sit GAMSAT, The Australian Council for Educational Research Ltd (ABN 19 004 98 145) of 19 Prospect Hill Road, Camberwell, Australia 3124 (collectively, ACER, we or us) will collect your personal information to prepare for, administer and finalise all activities to satisfy the purposes for which you may sit GAMSAT, including:

  1. investigating any suspected misconduct and determining and administering any consequences for misconduct;
  2. disclosing your personal information to the universities that require GAMSAT scores, the Central Applications Office, the Universities and Colleges Admissions Service, and the Graduate Entry Medical School Admissions System, which will collect, store, use and disclose your personal information in accordance with their policies from time to time;
  3. disclosing anonymised data only to approved research bodies that have an interest in GAMSAT data. Any research report will include anonymised data only;
  4. ACER’s contracted remote proctoring supplier for GAMSAT conducted online. By registering to sit GAMSAT you may need to, or ACER may, provide your Personal Information to the contracted remote proctoring supplier. Currently, ProctorU supplies such services. ProctorU is a company based in the United States. Personal Information you provide to ProctorU will be stored outside of Australia. You may view ProctorU’s privacy policy HERE. This privacy statement will be updated in the event the supplier changes;
  5. ACER disclosing your de-identified GAMSAT Written Communication responses to its current contracted plagiarism review contractor, TURNITIN, LLC, a Californian limited liability company which is based in the USA. It processes GAMSAT test taker responses in the USA to ascertain instances of plagiarism. You may view its privacy policy HERE. This privacy statement will be amended in the event the supplier changes; and
  6. Processing any payments you make to ACER as a result of you registering for the GAMSAT. Such payments are processed by Stripe; their Privacy Policy can be found HERE.

(All of the above activities are collectively “the Purpose”.)

In respect of any act or omission of ACER in pursuit of the Purpose concerning your personal information, ACER may be subject to the:

  • Privacy Act 1988 (Cth) (Australian Privacy Act); and/or
  • Applicable European or UK data law (i.e., EU/UK GDPR).

Applicable Privacy Law

Depending on the jurisdiction of the GAMSAT test taker, the applicable law may be either the law that applies directly to ACER in Australia, by virtue of its head office location, or privacy law that extends to any processor by virtue of the jurisdiction of the test taker, for example EU and UK GDPR legislation. Consequently, the applicability of the relevant privacy legislation is set out below.

The personal information ACER collects in pursuit of the Purpose:

The information ACER may collect in pursuit of the Purpose about you includes your:

  1. Name;
  2. DOB;
  3. Sex;
  4. Address;
  5. Postcode;
  6. Country;
  7. Phone;
  8. Email;
  9. ID document type & Expiry;
  10. Status as a registered health professional;
  11. Preferred test centre;
  12. Preferred test date;
  13. Preferred test session;
  14. Country of Birth;
  15. Citizen/PR of AU, Citizen of NZ;
  16. EU residency status;
  17. Ethnicity;
  18. Identity as an Aboriginal/First Nations and/or Torres Strait Islander person;
  19. Language/s spoken;
  20. Rural/remote/regional status (ASGC-RA area for Med entry);
  21. Secondary schooling completed;
  22. Secondary schooling type;
  23. Highest Qualification completed;
  24. Year - First degree completed;
  25. Major Subject Area;
  26. University attended;
  27. Registration information;
  28. GAMSAT preparation information;
  29. GAMSAT resit history;
  30. Course application country/countries;
  31. CAO Registration number (required for CAO data distribution purposes);
  32. UCAS PID (required for UCAS data distribution purposes).

The following information will be generated/stored as part of a GAMSAT application and completion of the GAMSAT:

  1. Payment details (only the transaction id, date and time, value retained);
  2. GAMSAT answers (essays and correct responses) and results (psychometric skill score);
  3. Application (if any) for reasonable adjustments including health information and any approved adjustments;
  4. Communications with ACER relating to the Purpose;
  5. Communications with Proctoring Service and Actual GAMSAT participation recording including: chat data; machine application issues; video authentication; keystroke analysis; any proctor interventions; GAMSAT T&C’s acknowledged by test taker; verification, authentication and invigilation details.

The information listed above is referred to collectively as “Personal Information/Data”.

What happens if you don’t provide your personal data to us?

If you don’t provide your personal data to us, we may not be able to:

  • permit you to sit the GAMSAT;
  • respond to your requests;
  • manage or administer our GAMSAT services; or
  • personalise your experience with us via the website.

The Australian Privacy Act (1988):

To the extent of the applicability of the Australian Privacy Act to your Personal Information collected in pursuit of the Purpose:


  • Collecting and using any sensitive (such as health) information, for example in case you need reasonable adjustments in sitting GAMSAT;
  • Collecting, storing, using, disclosing, and transferring OUTSIDE OF AUSTRALIA (please see the ‘Introduction’ above for the relevant countries), for purposes related to your registration, your personal information in accordance with this Privacy Statement. YOU ARE NOTIFIED that the persons to whom the information is disclosed outside of Australia have no obligation to abide by the Australian Privacy Principles contained in the Privacy Act. The consequences of this may be that the:
    • country of the person may not have similar privacy laws or measures by which you may pursue any of your rights in respect of privacy as that of Australia; and
    • person may not handle your personal information in the manner designated under the Australian Privacy Principles and you may not have any mechanism with which to seek redress.

Please note the remote proctoring advice above, in the purposes for collection, concerning storage of your Personal Information in the United States of America.

Should you not wish to provide the above consents or wish to access and/or amend your personal information or wish to make a complaint related to privacy please contact the GAMSAT Office at

For further information concerning how ACER handles your personal information or what privacy rights you have and how you may exercise those rights please see:

GDPR and other applicable European data law

To the extent that the GDPR (which term includes other applicable European law) applies to your Personal Data collected in pursuit of the Purpose, this notice tells you how we collect and process your personal data in connection with the GAMSAT, including what we use it for and who we share it with. It also explains your rights in relation to the processing of your personal data. This Privacy Notice may be amended from time to time if our practices change.


The following terms used or referred to in this document are defined below:

  • Data controller: the company, organisation or person that decides (jointly or alone) on the means and purpose of processing of personal data;
  • Processor: the company, organisation or person that processes the data for the controller under a processing agreement/contract for a specific purpose, and defines their uses of the data;
  • Processing: any action, including storage, collection, usage, destruction, combining or publishing, or anything that otherwise constitutes any form of operation on personal data; and
  • Personal data: any information related to an identified or identifiable natural living person.

Contact us

Please contact us if you have any questions or comments about this Notice or if you wish to exercise your rights under applicable privacy laws, which are explained further below.

You can contact us by:

  1. sending an email to; or
  2. calling +44 (0) 20 3909 0659

Data Protection Officer and ACER's compliance with the GDPR

Our registered Data Protection Officer (DPO) monitors and advises on compliance with the GDPR which applies to ACER's processing of personal data of individuals (known as data subjects) in the context of its UK operations or in relation to ACER offering data subjects ACER's products or services within the EEA.

Our DPO can be contacted by email at

Acer International United Kingdom Ltd (ACER UK) is the authorised EU Representative for ACER, which can be contacted as follows:

13-15 Canfield Place
Telephone: +44 020 3909 0659

ACER UK is registered with the UK's Information Commissioner's Office (ICO) under Z1280311 as both a data controller and data processor.

ACER UK is the data controller for our website and services provided through our website at the address shown above. However, ACER is a processor when supplying GAMSAT services to universities.

On our website, you may find links to other third-party websites not operated by us. This Privacy Notice does not apply to them – always check the Privacy Notice of any other third-party website you enter.

What personal data do we collect and how?

The personal data we collect when you register to sit the GAMSAT includes that specified above.

Sometimes we may be required to collect special categories of data about you, such as your health information, if you apply for reasonable adjustments. We will only collect special categories of data from you or about you with your explicit consent, unless otherwise required or permitted by law.

By supplying special categories information about yourself, either directly or through another authorised third party, you or the providing party will be taken to have given your explicit consent to our collection of that information to be used only for the specified purpose. When we obtain such information from a third party, we will insist that the third party obtains explicit consent from you before the transfer occurs.

We will collect your personal data when you register to sit the GAMSAT or contact us in connection with the GAMSAT.

Given the nature of our services to universities, we also collect personal data about you from the university to which you are applying. We may also collect information through secure web-based application systems if you do certain assessments, and from other third parties where you have agreed with them that your information may be disclosed.

How do we use and process the personal data we collect about you?

Basis for processing personal data: To perform our contract with you and respond to your related requests

Purpose for processing: We may use and process personal information under a contract with you to administer and provide the GAMSAT to you.

Basis for processing personal data: With your consent

Purpose for processing: We may use your personal data for the purpose for which you have given your consent, which we will ensure we or a third party have obtained prior to processing your information. For example, with your consent, we may communicate with you (through the consented communication channels, including email, mail or social networking forums) for the specific purpose of:

  • telling you about other ACER products, services and offers that may be of interest to you; or
  • inviting you to events; or
  • running competitions and other promotions.

Consent can be withdrawn at any time without detriment. You can withdraw your consent for a specific communication channel by clicking on the 'unsubscribe' link in our communications or contacting us directly using the details above.

Basis for processing personal data: In connection with our legitimate interests in carrying on our business

Purpose for processing: We may use your information for our legitimate interests (where we have considered these are not overridden by your rights to privacy) by:

  • investigating any suspected misconduct and determining and administering any consequences for misconduct;
  • publishing anonymised educational material;
  • research and statistical analysis, for the public interest;
  • operating and managing the ACER Foundation (public charities);
  • verifying identity or preventing or investigating any fraud or crime or suspected fraud or crime.

Basis for processing personal data: Under a legal obligation

Purpose for processing: We may use and process your personal data where we are required to do so by applicable laws, regulations or codes that apply to us.

Who do we share your personal data with?

We may share your personal data with other organisations consistent with the purposes for which we use and process your personal data as described above. This includes with the following types of entities:

  • universities that require GAMSAT scores, the Central Applications Office and Graduate Entry Medical School Admissions System;
  • entities who assist us in providing and administering our services (including hosting and data storage and remote proctoring suppliers); and
  • where we are required to do so by law, government agencies, or individuals appointed by government agencies, responsible for investigating and resolving breaches of law, fraud, criminal activities, disputes or complaints concerning our products or services.

Sharing personal data outside of the EEA

The main administrative office for ACER is run from Australia, with satellite offices overseas (see website for details). If we need to share some of the personal data we collect about you with organisations both inside and outside Australia, we will take steps to ensure the transfer of personal data is lawful and complies with one of the safeguarding mechanisms mandated by GDPR law, for example through the use of Standard Contractual Clauses. All enquiries pertaining to the transfer of personal data outside the EEA and the specific safeguards can be directed to our EU representative, as outlined above.

How do we hold your personal data and keep it secure?

We hold your personal data in a combination of electronic and hard copy files depending on the service. We may store your personal data with one or more third party secure data storage providers.

We may combine personal data we receive about you with other information we hold about you. This includes information received from third parties. Where possible, we will anonymise (de-identify) personal data we collect from studies we carry out as part of our research activities.

We take all reasonable steps to protect the security of your personal data by the use of various methods, including password protection and secure storage. Where we store your personal data with a third-party data storage provider, we require them to agree to keep it secure and only use or disclose it for the purpose for which the service was provided.

Please contact us immediately if you become aware or have reason to believe there has been any unauthorised use of your personal data that we hold.

What happens when we no longer need your personal data?

We generally keep your personal data for up to two years after you have taken the GAMSAT, or otherwise as required for our business operations or by applicable laws.

We may need to retain certain personal data after we cease providing you with services to enforce our terms, for fraud prevention, to identify, issue or resolve legal claims, and for proper record keeping. When we no longer require your personal data, we’ll ensure that your personal data is destroyed or de-identified.

We also retain a record of any stated objection by you to receiving ACER marketing for the purpose of ensuring we can continue to respect your wishes and not contact you further.

Your personal data rights

Under the GDPR or applicable law incorporating this legislation, you are afforded a number of rights, as detailed below.

How to access your personal data

Subject to applicable laws, you may request to know if ACER is processing your personal data, and if so, you may request access to your personal data (including in a structured, commonly used and machine-readable format). We will need to verify your identity before we can give you access. We will acknowledge receipt, and we will endeavour to deal with and respond to your request within one calendar month.

In certain circumstances, we are permitted by law to refuse access to your personal data. In such cases, we will give you a written explanation for our decision and information about how you can complain to the appropriate supervisory authority (e.g. the ICO in the UK) if you are not satisfied with our decision.

Subject to those exemptions, if you submit an access request to ACER, you are entitled to:

  • Be told:
    • the purpose of processing;
    • the categories of Personal Data concerned;
    • the recipients or categories of recipients to whom the Personal Data has been or will be disclosed, particularly third countries or international organisations - where this is the case, you are also entitled to be informed of appropriate safeguards relating to the transfer of information;
    • the period data will be stored;
    • the right to request rectification, erasure or restriction of processing;
    • the right to lodge a complaint; and
    • the existence of automated decision-making including profiling;
  • Be given:
    • a description of the Personal Data, the reasons it is being processed, and whether it will be or has been given to any other organisations or people;
    • a copy of the information comprising the Personal Data and details of the source of the data (where this is available).

These rights apply to electronic Personal Data and to Personal Data in "manual" (i.e. non-electronic) formats subject to certain exemptions.

Exemptions to your right of access

The GDPR includes various exemptions in which a Data Controller or Processor can refuse to provide access to Personal Data. The most likely situations in which ACER could refuse to release information in response to a subject access request are where:

  • The release of the information would jeopardise the prevention or detection of crime, or the apprehension or prosecution of offenders;
  • The request relates specifically to access to assessment material;
  • The request relates to Personal Data contained in ACER's or the GAMSAT University User Group's confidential information;
  • The request relates to Personal Data which records ACER's intentions in relation to any negotiations with you, and the release of the Personal Data would prejudice the negotiations;
  • The Personal Data requested is covered by legal professional privilege;
  • The Personal Data requested relates to management forecasting or management planning, and its release to you would prejudice ACER's business or activities; or
  • The request relates to access to Personal Data which has been retained for the purposes of historical or statistical research, the conditions set out in the data protection laws for processing for research purposes have been met, and the results of the research have not been published in a way which identifies individuals.

If Personal Data is withheld from you as a result of an exemption under the GDPR, you will be told why the Personal Data has been withheld and which exemption applies, unless doing so would itself disclose information which would be subject to the exemption.

The GDPR allows ACER to refuse to act on your request, or to charge you a reasonable fee (taking into account the administrative costs of providing the information) where your request is considered to be manifestly unfounded or excessive, in particular because the request is repetitive or unduly onerous in character.

ACER has to protect the data protection rights and other legal rights of other individuals when it responds to subject access requests. Information which does not relate to you may be 'blanked out' or redacted, particularly if it relates to other individuals. Sometimes it may not be possible to release Personal Data relating to you because doing so would also reveal information about other persons who have not consented to their data being released, and it would not be reasonable in the circumstances to release the data without their consent. In such cases, you will be informed that Personal Data about you has been withheld and the reasons for doing so.

If we consider that you have made a subject access request which is manifestly unfounded or excessive in nature (for example, because a request is repetitive), it is possible for ACER to:

  • Charge a reasonable fee taking into account the administrative costs of providing the information; or
  • Refuse to act on the request.

If it is determined that a fee should be charged, you will be notified in writing of that fact, the level of the fee, and the reason for requesting the fee, without delay.

If it is determined that your request will be refused, you will be notified in writing of that fact and the reasons for the refusal to act on the request, without delay.

How do I submit a request?

You can make your subject access request by telephone or in person, by contacting the DPO at the contact details provided above.

When making your request please be as specific as possible about the Personal Data to which you want access, as this will assist in processing your request; for example, if you only want Personal Data relating to your academic record, you should indicate that. A general request such as 'please send me all of the Personal Data which you hold about me' is likely to lead ACER to contact you for further information or clarification.

Proof of ID will be required to ensure that ACER is releasing Personal Data to the correct person. ACER will inform you of what is required and in what form it is required. It will usually involve photographic and authoritative documentation such as passport and driving licence documents.

What happens next?

You will be sent an acknowledgement of your request as soon as possible. This will indicate the deadline by when ACER will send you a response (usually within 28 days).

You may be asked for further information to assist.

Your request will be responded to as soon as possible, and within 28 days of receipt of your request (unless there are grounds to extend that timescale).

The Personal Data will usually be provided in the format in which you make the access request e.g. digitally or by post.

If you request further copies of the Personal Data, ACER may charge a reasonable fee based on administrative costs.

Can I appeal?

If you are dissatisfied with the response to your access request, you have the right to apply directly to the privacy regulator in your relevant country. Further information about how to enforce your rights under applicable data protection laws is available on the relevant privacy regulator's website.

Additional rights and choices

In certain circumstances, you can:

  • ask us to correct any personal data we hold about you that you think is inaccurate. We will take reasonable steps to correct it unless we disagree with your reasons. If we refuse to correct your personal data, we will give you a written explanation why;
  • obtain information about the processing of your personal data;
  • ask us to erase your personal data, such as if you withdraw your consent and we are not otherwise legally entitled to retain it;
  • object to, and ask us to restrict, our processing of your personal data, if the legal basis is legitimate interest or public interest or we are applying profiling to your data, although we may continue to process your personal data while we verify your assertion or complaint;
  • withdraw your consent or object to processing for direct marketing or profiling purposes; and
  • raise a complaint with your supervisory authority about our handling of your personal data.

How do you complain?

If you believe that we have not processed your personal data in compliance with the GDPR and have failed to provide your rights as detailed above, please contact us initially using the contact details above for our EU representative. We will investigate any complaint and notify you of our decision in relation to the complaint, as soon as practicable after it is received, but within 30 days.

If we are unable to satisfactorily resolve your concerns about our handling of your personal data, you have the right to make a complaint to the relevant European data protection authority (for example in the place you reside or where you believe we have breached your rights). The Supervisory Authority of our EU representative is the ICO, which will be able to investigate your complaint. The ICO can make use of the “One Stop Shop” mechanism to address complaints from residents within the EEA and outside the UK if that benefits the complainant and their home location.

Effective date: 9/05/2024