GMAT Score Confidentiality

Collection of Test-Taker Data

According to the GMAT Handbook, the Graduate Management Admission Council (GMAC) collects certain information from test-takers at registration and on the day of the test. When registering for the GMAT, students must provide their full legal name and contact information (postal address, telephone number, and email address) as well as gender, date of birth, ethnicity, and country of citizenship. Data collected at the test center includes photo identification, digital photograph, signature, palm vein pattern, and video and audio surveillance of the test's administration. Students also may voluntarily submit their education history, a list of schools to receive score reports, and their native language, and may also opt into receiving information about various products, services, and surveys. Voluntarily submitted information may be altered by the user at any time (although test-takers may not change the destinations of their score reports after the test date without paying an additional fee). Students may request the deletion of voluntary information and the deactivation of their user accounts by contacting GMAC.

GMAC's Use of Student Data

GMAC states that student information is collected for GMAT registration purposes, to conduct research, to comply with any applicable legal requirements, to promote exam security and integrity, and to process payment through third-party vendors. Research on the GMAT is generally done in aggregate form and without individually identifying test-takers. Palm vein patterns are kept for five years, and scores are kept for 10 years. GMAC does not give students access to audio or videotape of the test, or to test records such as exam questions, answers, or essays. Students may only alter the name given at registration under limited circumstances.

GMAT Score Privacy

GMAC's privacy policy applies to GMAT scores, which will only be disclosed in identifiable form to the student and to the institutions that he or she designates. Students can assume that their scores will be included in statistical research on the GMAT (such as three-year profiles of score percentiles), but this research is done without identifying the individual test-takers. Score reports sent to business schools include data from all test attempts within the last five years. Test-takers may not selectively report their GMAT scores, and business schools will consider each test attempt as a complete entity (they will not choose the highest sectional scores from each distinct GMAT administration).

2008 GMAT Cheating Scandal

GMAC prohibits advance access to live (currently used) GMAT questions. After hearing that a website called Scoretop.com was selling live GMAT questions, GMAC contacted the FBI, which confirmed these suspicions through surveillance. GMAC filed a lawsuit against the company, which led to the discovery of over 6,000 people using the database. GMAT scores were ultimately cancelled for 84 test-takers who had been shown to knowingly use the site for fraudulent purposes, and the domain name for Scoretop.com was awarded to GMAC. Though admittedly an extreme case, this is an instance in which GMAC will reveal relevant student data for the purpose of a legal proceeding. Students preparing for the GMAT should not use any service that promises live GMAT questions, which constitute copyright infringement. GMAC regularly peruses the internet for such websites, and promises strict action against any of their users.

Non-Disclosure Agreement

Students who take the GMAT are required to sign a non-disclosure agreement in which they agree not to share the contents of the test with any third party by any means (conversation, email, internet post, etc.). Penalties for violation of the non-disclosure agreement may include cancellation of scores, bans on future test attempts, and civil or criminal penalties.

Applicable Federal and State Regulations

Test-taker data is subject to U.S. law. Since GMAC is headquartered in the Commonwealth of Virginia, all legal actions that involve GMAC privacy policies must be filed in that jurisdiction. When scores are sent to institutions, the laws of the states or countries in which those schools are located also apply. In terms of federal protections for student data, the most relevant statute is the Family Educational Rights and Privacy Act (FERPA). FERPA gives students certain rights that concern their "education records," of which test scores are a part. FERPA severely limits the disclosure of education records without the student's consent. Most states do not regulate organizations such as GMAC, although California and Connecticut do offer some additional student data protections.