IB Questionbank privacy notice

Last updated:

The International Baccalaureate Organization (the “IB,” “we,” “us,” “our”) is committed to protecting the privacy and security of personal data entrusted to us by students, parents/guardians, school staff, examiners, alumni, and other members of the IB community (collectively, “you” or “users”). This Privacy Policy explains what personal data we collect, how we collect it, how we use and share it, how we protect it, how long we keep it, and what rights and choices you have.

1. Scope and Who We Are

This Policy applies to personal data processed by the IB in connection with:

  • IB programmes and services (PYP, MYP, DP, CP, and related offerings)
  • Registration, administration, and assessment of IB examinations and coursework
  • Online services and platforms operated by the IB (e.g., IBIS, My IB, programme communities, professional development platforms, candidate and alumni portals, and event registration systems)
  • IB events, professional development, and communications
  • IB research, quality assurance, and improvement activities

This Policy applies regardless of how you access our Services (websites, web apps, mobile interfaces, APIs, or paper-based workflows) and in addition to any programme-specific regulations, assessment procedures, or agreements between the IB and IB World Schools.

Controller / “School Official” roles

  • For many activities, the IB acts as an independent data controller (for example, when designing assessments, setting standards, or managing IB-wide research and quality assurance).
  • In the United States, when we process student education records on behalf of a school or school district, we generally act as a “school official” with a legitimate educational interest under FERPA, operating under the direct control of the school for those records. See Section 13 (FERPA) for details.
  • The IB’s role may vary by context and applicable law. Depending on the activity, the IB may act as an independent controller, joint controller, processor/service provider, or school official acting on behalf of an educational institution.

2. Key Definitions

For purposes of this Policy:

  • Personal Data / Personal Information means any information that identifies or is reasonably linkable to an individual (e.g., name, email address, IP address).
  • Services means IB programmes, assessments, websites, platforms, events, and related services.

3. Personal Data We Collect

We collect and process only the personal data necessary to provide and improve our educational programmes and Services. We seek to collect and retain only the minimum personal data reasonably necessary for the purposes described in this Policy.

We collect the following categories of personal data. We do not collect other categories of personal data without first updating this Policy or providing additional notice.

3.1 Identity and Contact Data

  • Full name, preferred name
  • Email addresses (school, personal)

3.2 School Staff and Professional Data

  • Names and contact details of IB coordinators and teachers

3.3 Account and Authentication Data

  • Usernames, hashed passwords, password reset tokens
  • Multi-factor authentication configuration (e.g., second-factor device or method)
  • Access logs (timestamps, IP address, device/browser metadata)
  • Role and permissions within IB systems

3.4 Communications and Support Data

  • Messages and inquiries submitted via web forms, email, or phone
  • Records of support requests, incident tickets, and resolutions
  • Feedback surveys, user satisfaction responses, and complaints

3.5 Technical, Usage, and Device Data

  • IP address and approximate location derived from IP (city/region, where permitted)
  • Browser type and version, device type, operating system
  • Time and date of access, pages viewed, features used, and time spent
  • Error logs and performance data (e.g., crash logs)
  • Unique identifiers such as session IDs and first-party cookies

3.9 Cookie and Similar Technology Data

For detailed information, see Section 9 (Cookies and Similar Technologies). We use a limited set of first-party cookies and similar technologies for:

  • Authentication and session management
  • Security (e.g., CSRF protection, rate limiting, fraud detection)
  • Basic, privacy-preserving analytics to understand usage and improve our Services

4. How We Collect Personal Data

We collect personal data through the following methods:

4.1 Directly from You

You may provide data to us when you:

  • Create or use an account on an IB platform
  • Communicate with the IB by email, phone, web forms, or support channels
  • Complete a survey, questionnaire, or feedback form

4.2 Automatically When You Use Our Services

When you visit an IB website or use an IB platform, we automatically collect technical and usage data (see Section 3.8) using:

  • Server logs
  • First-party cookies and local storage
  • Privacy-preserving analytics tools

We do not use third-party advertising trackers or cross-site behavioral advertising technologies in our Services.

5. Why We Use Personal Data (Purposes)

We use personal data for the following purposes:

  1. Supporting Students and Schools
      • Providing customer support and resolving issues
  2. Communications and Limited Marketing
      • Sending service-related messages (e.g., exam schedules, system updates)

We never use student education records to target students with commercial advertising.

5.1 Legal Bases for Processing (EEA/UK and Similar Jurisdictions)

Where data protection laws require a legal basis for processing personal data, the IB relies on one or more of the following:

  • Performance of a contract or steps requested before entering into a contract;
  • Compliance with legal obligations;
  • Legitimate interests in delivering, securing, improving, and evaluating educational programmes and services;
  • Protection of vital interests;
  • Consent, where required by law.

Where we process special category or sensitive personal data, we rely on additional lawful grounds permitted under applicable law, including substantial public interest, educational accommodation obligations, safeguarding obligations, or explicit consent where required.

6. Who Owns the Data and How We Use It

6.1 Data Ownership

  • Individuals retain rights and interests in their personal data as provided under applicable law.
  • Schools may retain primary responsibility for education records under FERPA and similar laws, and the IB processes those records as a “school official” or equivalent, where applicable.
  • The IB does not buy or sell personal data and does not claim ownership over student work, examination scripts, or education records.

6.2 Licenses to Use Data

To deliver the Services, you and/or your school grant the IB a limited, non-exclusive license to use personal data and education records for the purposes described in this Policy and in IB regulations, including:

  • Administering and improving IB programmes and assessments
  • Conducting research and statistical analyses (where possible using de-identified or aggregated data)
  • Fulfilling legal and regulatory obligations

We do not use personal data in ways that are incompatible with these purposes without obtaining additional consent or providing additional notice, as required by law.

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this Policy, including to meet legal, regulatory, archival, and legitimate educational needs. When data is no longer required, we will delete it or irreversibly de-identify it.

We maintain a detailed internal retention schedule. Actual retention periods may vary depending on legal obligations, disputes, security needs, accreditation requirements, or operational necessity.

As a general guide (subject to legal requirements):

  • Account and authentication data (e.g., user accounts, access logs): retained while the account is active and for [up to 3 years] after last activity, unless required longer for security or legal reasons.
  • Technical logs and basic analytics data: retained for [up to 13 months] unless required longer for security or troubleshooting.
  • Support and communications records: retained for [up to 7 years] after closure of the issue or completion of the programme.

Where law or educational standards require us to keep certain records (for example, exam results or disciplinary outcomes), we will retain those records even if other personal data are deleted, but we will minimize what we keep, restrict access, and store it securely.

8. Security and Protection of Personal Data

We implement a comprehensive information security programme designed to protect personal data against unauthorized access, disclosure, alteration, and destruction.

8.1 Organizational and Technical Measures

Our controls include, at a minimum:

  • Role-based access control and least-privilege access
  • Security awareness and privacy training for staff and contractors
  • Secure software development practices, including code review and vulnerability management
  • Network security controls (firewalls, intrusion detection/prevention)
  • Secure backup and disaster recovery processes
  • Logging, monitoring, and auditing of critical systems and actions

8.2 Encryption

To protect confidentiality and integrity:

  • All personal data transmitted over public networks is encrypted in transit using strong protocols (such as TLS 1.2 or higher).
  • The IB uses industry-standard encryption protocols for personal data transmitted over public networks.
  • All confidential and sensitive personal data is encrypted at rest using industry-standard encryption (such as AES-256 or equivalent).
  • Encryption keys are managed under documented key management procedures with access limited to authorized personnel.

8.3 Passwords and Authentication

Where the IB manages user authentication, we:

  • Require strong passwords that meet or exceed minimum requirements (e.g., at least 12 characters and sufficient complexity), and prevent reuse of recent passwords.
  • Store passwords only in hashed and salted form using industry-standard algorithms.
  • Provide and/or require multi-factor authentication (MFA) for administrative, staff, and other sensitive accounts and make MFA available to other user categories where technically feasible.

8.4 Two-Step / Multi-Factor Authentication

For IB platforms that handle sensitive personal data or secure assessment content:

  • MFA is required for IB staff, examiners, moderators, and other elevated roles.
  • Schools are strongly encouraged, and may be required by IB policy, to enable MFA for coordinators, teachers, and other staff accessing IB secure systems.
  • Where SSO is used, we rely on the institution’s MFA policies and controls.

8.5 Cookies and Security

We use cookies only as described in Section 9. We do not rely on third-party advertising cookies and do not permit third parties to use cookies on our Services for advertising purposes.

8.6 Incident Response

We maintain incident response procedures, including:

  • Rapid detection, containment, and investigation of potential security incidents
  • Timely notification to affected schools, institutions, and individuals, where required by law or contract
  • Cooperation with schools and regulators to mitigate harm and prevent recurrence

9. Cookies and Similar Technologies

We use a limited and well-defined set of cookies and similar technologies on our websites and platforms.

9.1 Types of Cookies We Use

  1. Strictly Necessary Cookies
      • Required for the site or platform to function (e.g., login, session management, security).
      • Without these cookies, key Services cannot be provided.
      • These cookies do not track you across websites and are not used for advertising.
      • The IB does not permit third parties to use data collected through IB Services for cross-context behavioural advertising.
  2. Preference Cookies
      • Remember choices such as language, display settings, or accessibility preferences.
      • Used only to improve your experience on IB Services.
  3. Analytics Cookies (First-Party or Privacy-Preserving)
      • Help us understand how our Services are used (e.g., pages visited, time spent) so we can improve them.
      • Configured to use limited data and, where feasible, IP anonymization or pseudonymization.
      • Data from these cookies is not used for behavioral advertising or sold to third parties.

We do not use:

  • Third-party advertising cookies
  • Cross-site tracking cookies for marketing or behavioral profiling
  • Web beacons or similar technologies solely for advertising purposes

9.2 Cookie Choices

Where required by law, we provide a cookie banner and/or preferences center to allow you to:

  • Accept or reject non-essential cookies
  • Change your cookie preferences at any time

You can also control cookies through your browser settings; however, disabling strictly necessary cookies may impair the functioning of our Services.

10. Third-Party Service Providers and Data Sharing

We rely on carefully selected third-party service providers (“processors”) to help us deliver our Services.

10.1 Categories of Service Providers

We may share personal data with service providers that support:

  • Secure cloud hosting and data storage
  • Delivery of digital assessments and online learning environments
  • Communication tools (e.g., email sending, webinar platforms)
  • Identity and access management (e.g., SSO integration, MFA)
  • Professional development and event management
  • Payment processing (for those Services that require payments)
  • Statistical analysis and research support, using de-identified or aggregated data where possible

10.2 What Information Is Shared with Each Category

For each category of service provider, we limit data sharing to what is necessary:

  • Hosting providers: encrypted storage and processing of personal data in IB databases and files.
  • Communication tools: email addresses, names, and message content necessary to send communications or host webinars.
  • Identity and access providers: usernames, identifiers, roles, and limited profile data to authenticate users and enforce access control.
  • Research and analytics partners: de-identified or aggregated data unless otherwise permitted by law and agreements.

We maintain or publish a list of major categories of service providers, and for institutional customers, we can provide a current list of sub-processors on request or via a dedicated portal.

10.3 No Selling or Advertising Use

We do not sell personal data or education records and do not share personal data with third parties for their independent advertising or marketing purposes.

If, in the future, we engage in activities that are considered a “sale” or “sharing” of personal information under applicable U.S. state laws, we will:

  • Update this Policy
  • Provide clear notice
  • Offer individuals the right to opt out of such sale or sharing

10.4 Contractual Protections and Responsibility

All service providers that process personal data on our behalf are:

  • Bound by written contracts requiring them to protect personal data, use it only for IB’s documented purposes, and implement appropriate security measures.
  • Prohibited from selling the data, using it for advertising, or using it for their own purposes.
  • Required to assist the IB in supporting schools and individuals in exercising their privacy rights.

The IB remains responsible for the acts and omissions of its processors, consistent with applicable law and our agreements with schools and institutions.

10.5 Changes in Service Providers (Sub-Processors)

For Services provided to schools and institutions:

  • We maintain a current list of core third-party processors.
  • We will provide advance notice (for example, [at least 30 days]) of any material change to that list, through direct communication to institutional contacts or via an administrator portal.
  • Where required by contract or law, institutions may object to new processors, or may terminate use of the affected Services if a resolution cannot be reached.

10.6 Other Sharing

We may share personal data when:

  • Reasonably necessary to comply with applicable law, legal process, or enforceable governmental request
  • Necessary to protect the rights, property, or safety of the IB, our users, or others

In all cases, we limit sharing to what is lawful and necessary.

11. International Data Transfers

The IB operates globally. Personal data may be transferred to and processed in countries that may have different data protection laws than your country of residence.

Where required by law, we implement appropriate safeguards, such as:

  • Adequacy decisions for certain countries
  • Standard contractual clauses or equivalent mechanisms for transfers
  • Additional contractual and technical measures to protect data in transit and at rest

Schools and institutions remain responsible for ensuring any cross-border transfers of education records comply with their local legal obligations.

Depending on the Service, personal data may be stored or processed in multiple jurisdictions, including jurisdictions where the IB or its service providers maintain operations or infrastructure.

12. Your Rights and Choices

Your rights depend on where you reside and the legal frameworks that apply (e.g., GDPR, UK Data Protection Act, U.S. state privacy laws, FERPA, COPPA).

Subject to applicable law, you may have the right to:

  • Access your personal data and obtain a copy
  • Correct inaccurate or incomplete data
  • Delete your personal data (subject to legal and educational record-keeping obligations)
  • Restrict or object to certain processing
  • Receive your data in a portable format, where technically feasible
  • Opt out of non-essential processing (such as optional analytics or communications)
  • Opt out of any “sale” or “sharing” of personal information, where applicable under U.S. state law
  • Not be discriminated against for exercising your privacy rights
  • Individuals located in the EEA, UK, or other jurisdictions with similar rights may also have the right to lodge a complaint with their local data protection supervisory authority

12.1 Exercising Your Rights

You (or, in the case of minor students, your parent/guardian where required) can submit privacy requests by contacting us:

By email: [email protected]

By mail:

Data Protection Officer
International Baccalaureate Organization
IB Global Centre, Cardiff
Fusion Point One, Dumballs Road,
Cardiff, Wales
CF10 5BF
United Kingdom

We will verify your identity (and, where applicable, your relationship to the student) before fulfilling your request. Where we process data on behalf of a school, we may need to coordinate with that school to respond, and in some cases the school will respond directly as the primary record holder.

12.2 Deletion of Your Data

Upon a valid and verified request and subject to legal, regulatory, and educational requirements, we will:

  • Delete your personal data; or
  • De-identify it so that it is no longer reasonably linkable to you; or
  • Retain only the minimum necessary data required for legal, regulatory, or archival purposes (for example, to maintain the integrity and verifiability of academic records), while restricting access and use.
  • Where we use de-identified or aggregated data, we take reasonable measures designed to prevent re-identification and require recipients to use the data only for authorized purposes.

If we cannot fully delete certain data, we will explain what will be retained and why.

12.3 Automated Decision Making

The IB does not make solely automated decisions that produce legal or similarly significant effects on students without appropriate human review.

The IB may use automated tools to support assessment administration, academic integrity processes, platform security, analytics, accessibility, or service improvement. Such tools are used with appropriate safeguards and human oversight where required.

13. FERPA and U.S. Education Privacy

For U.S. schools and students, the IB handles education records in a manner designed to support compliance with the Family Educational Rights and Privacy Act (FERPA) and related state student privacy laws.

13.1 School Official with Legitimate Educational Interest

When a school in the United States shares education records with the IB so that the IB can provide educational programmes, assessments, or related services:

  • The IB acts as a “school official” with a legitimate educational interest in the records, as permitted under FERPA.
  • The IB processes student education records only to provide these Services and for closely related educational purposes, under the direct control of the school.
  • The IB does not re-disclose education records except as permitted by FERPA, authorized by the school, or required by law.

These rights are primarily exercised through the student’s school or district. The IB will cooperate with schools that receive FERPA requests and will support them in fulfilling those requests.

14. COPPA and Children’s Privacy

The IB works with schools that serve children under 13, including in the United States. We design our Services to support compliance with the Children’s Online Privacy Protection Act (COPPA) where it applies.

Where required by applicable law, the IB relies on schools, parents/guardians, or authorized educational institutions to provide necessary permissions or consents for minor students.

14.1 No Direct Registration by Children Under 13

  • IB online Services that collect personal information are intended to be used under the direction of a school or parent/guardian when children under 13 are involved.
  • We do not knowingly permit children under 13 to create accounts directly with the IB without verifiable consent from a parent/guardian or from a school acting as the parent’s agent, consistent with COPPA.

14.2 Consent via Schools or Parents

For U.S. school-based use of IB Services by children under 13:

  • The IB relies on the school to provide appropriate notice to parents and to obtain any necessary parental consent, as permitted by COPPA, before the child uses the Service.
  • The IB uses the child’s data only for educational purposes authorized by the school and does not use it for commercial advertising or for any purpose inconsistent with COPPA.

Where the IB collects personal data directly from a child under 13 (outside the school context), we will obtain verifiable parental consent and provide the disclosures COPPA requires.

14.3 Parents’ Rights for Children Under 13

Parents of children under 13 can:

  • Review the personal information collected from their child
  • Request deletion of that information
  • Refuse to allow further collection or use of the child’s personal information

To exercise these rights, parents may contact their child’s school or contact the IB directly using the details in Section 16.

15. Advertising and Marketing Practices

15.1 No Third-Party Advertising in Student-Facing Services

  • The IB does not display third-party commercial advertisements in student-facing learning or assessment environments.
  • The IB does not allow third-party advertisers to track students or build profiles for advertising based on their use of IB educational Services.
  • The IB does not profile students for commercial purposes or use sensitive personal data to infer characteristics for advertising.

15.2 Limited Communications to Educators and Institutions

We may send information about IB programmes, events, and resources to:

  • Adult educators, coordinators, school leaders, and administrators
  • Institutional contacts, in accordance with our contracts and their communication preferences

Recipients can opt out of non-essential promotional communications at any time by following the instructions in the message or contacting us.

16. How to Contact Us

If you have questions or concerns about this Policy or our privacy practices, or if you wish to exercise your rights, please contact:

Data Protection Office
International Baccalaureate Organization
IB Global Centre, Cardiff
Fusion Point One, Dumballs Road,
Cardiff, Wales
CF10 5BF
United Kingdom
Email: [email protected]
Telephone: +44 29 2054 7777

For U.S. COPPA-related inquiries, you may specifically note “COPPA Request” in your communication.

Where required by law (e.g., in the EU/UK), we may also provide contact details for our data protection officer (DPO) and, if applicable, our EU/UK representative.

17. Changes to This Policy and Notice of Third-Party Changes

We may update this Privacy Policy from time to time to reflect changes in our Services, our practices, or legal requirements.

  • Substantive changes will be highlighted by updating the “Last updated” date and, where appropriate, by additional notice (e.g., email to institutional contacts or in-service notifications).
  • Where required by law, we will obtain consent to material changes. Otherwise, continued use of the Services after the effective date of the updated Policy will be subject to the revised Policy.

Important Note

This template is intended as a starting point for a robust IB-focused privacy policy that supports FERPA, COPPA, U.S. state privacy laws, and global standards. It must be:

  • Reviewed and customized by your legal and compliance teams
  • Aligned with your actual technical and organizational controls, vendor list, and retention schedule
  • Kept up to date as laws, IB programmes, and technologies evolve