GMAT Score Confidentiality
Collection of Test-Taker Data
According to the GMAT Handbook, the Graduate Management Admission Council (GMAC) collects certain information from test-takers at registration and on the day of the test. When registering for the GMAT, students must provide their full legal name and contact information (postal address, telephone number, and email address) as well as gender, date of birth, ethnicity, and country of citizenship. Data collected at the test center includes photo identification, digital photograph, signature, palm vein pattern, and video and audio surveillance of the test's administration. Students may also voluntarily submit their education history, a list of schools to receive score reports, and their native language, and may opt into receiving information about various products, services, and surveys. Voluntarily submitted information may be altered by the user at any time (although test-takers may not change the destinations of their score reports after the test date without paying an additional fee). Students may request the deletion of voluntary information and the deactivation of their user accounts by contacting GMAC.
GMAC's Use of Student Data
GMAC states that student information is collected for GMAT registration purposes, to conduct research, to comply with any applicable legal requirements, to promote exam security and integrity, and to process payment through third-party vendors. Research on the GMAT is generally done in aggregate form and without individually identifying test-takers. Palm vein patterns are kept for five years, and scores are kept for 10 years. GMAC does not give students access to audio or videotape of the test, or to test records such as exam questions, answers, or essays. Students may only alter the name given at registration under limited circumstances.
GMAT Score Privacy
2008 GMAT Cheating Scandal
GMAC prohibits advance access to live (currently used) GMAT questions. After hearing that a website called Scoretop.com was selling live GMAT questions, GMAC contacted the FBI, which confirmed these suspicions through surveillance. GMAC filed a lawsuit against the company, which led to the discovery of over 6,000 people using the database. GMAT scores were ultimately cancelled for 84 test-takers who had been shown to knowingly use the site for fraudulent purposes, and the domain name for Scoretop.com was awarded to GMAC. Though admittedly an extreme case, this is an instance in which GMAC will reveal relevant student data for the purpose of a legal proceeding. Students preparing for the GMAT should not use any service that promises live GMAT questions, which constitute copyright infringement. GMAC regularly peruses the internet for such websites, and promises strict action against any of their users.
Students who take the GMAT are required to sign a non-disclosure agreement in which they agree not to share the contents of the test with any third party by any means (conversation, email, internet post, etc.). Penalties for violation of the non-disclosure agreement may include cancellation of scores, bans on future test attempts, and civil or criminal penalties.
Applicable Federal and State Regulations
Test-taker data is subject to U.S. law. Since GMAC is headquartered in the Commonwealth of Virginia, all legal actions that involve GMAC privacy policies must be filed in that jurisdiction. When scores are sent to institutions, the laws of the states or countries in which those schools are located also apply. In terms of federal protections for student data, the most relevant statute is the Family Educational Rights and Privacy Act (FERPA). FERPA gives students certain rights that concern their "education records," of which test scores are a part. FERPA severely limits the disclosure of education records without the student's consent. Most states do not regulate organizations such as GMAC, although California and Connecticut do offer some additional student data protections.