LSAC Canadian Privacy Notice Supplement

Last updated June 14, 2024

Law School Admission Council, Inc. and its affiliates (collectively, “LSAC,” “we,” “our” or “us”) are committed to privacy and to transparency in our information practices. In this Canadian Privacy Notice Supplement (“Canadian Supplement”), we provide additional notices to supplement the information in the LSAC Privacy Notice. This Canadian Supplement is subject to the LSAC Privacy Notice and is incorporated by reference as a supplement thereto.

To fully understand how we collect, use, disclose, and process your Personal Information (as defined in the LSAC Privacy Notice) that we collect in relation to our Services, this Canadian Supplement should be read in conjunction with the LSAC Privacy Notice. Capitalized terms used in this Canadian Supplement, which are not otherwise defined, have the meanings assigned to them in the LSAC Privacy Notice.

Consent to LSAC Privacy Notice and Canadian Supplement

By providing us with your Personal Information in the situations described in the LSAC Privacy Notice, or by otherwise using or Services, you consent to its collection, use and disclosure in accordance with the LSAC Privacy Notice and this Canadian Supplement.  In some cases, your consent may be “implied”, meaning that your agreement is presumed based on your action or inaction at the time of collection of your Personal Information. We generally obtain your consent when we want to use your Personal Information for a new purpose or for a purpose other than those identified at the time of collection in the LSAC Privacy Notice, in accordance with applicable privacy laws.

Your Rights

If you are in Canada, you have certain rights and protections under the law regarding the processing of your Personal Information. Subject to certain limitations and exceptions, your rights include but are not limited to:

  • the right to vary or withdraw your consent to the use and disclosure of your Personal Information or opt-out of certain uses and disclosures, subject to legal and contractual restrictions;
  • the right to access your Personal Information and/or information about our collection, use, and disclosure of your Personal Information; and
  • the right to challenge the accuracy and completeness of your Personal Information and, to the extent that you have proven such inaccuracy or incompleteness, the right to have it amended as appropriate.

These rights are subject to certain limitations. When you would like to exercise your rights, please send your request to privacy@LSAC.org. You can also use the same contact information to contact us if you have any questions, remarks, or complaints in relation to this Canadian Supplement.

Please note that withdrawal of your consent may affect our ability to provide you with certain Services or to process your requests where the use and/or disclosure of your Personal Information is necessary. In certain circumstances, legal requirements may also prevent the withdrawal of your consent.

Cross-Border Transfers of Personal Information

Your Personal Information may be transferred, stored, accessed, or used in a jurisdiction outside your jurisdiction of residence (for example, outside your province or outside Canada). We engage third-party service providers to assist us in providing our Services to you; for example, in order to process payment, manage business functions, or manage our communications with you.

We use commercially reasonable efforts to require that all of our third-party service providers take reasonable security measures to protect your Personal Information (this includes technical, administrative, and physical safeguards to protect your Personal Information). We use commercially reasonable efforts to require our third-party service providers to only use your Personal Information for authorized purposes we have made known to you or which are otherwise permitted by applicable law. 

Where Personal Information is located outside of your province of residence or outside Canada, it is subject to the laws of that jurisdiction which may differ from those in your jurisdiction and any Personal Information transferred to another jurisdiction will be subject to law enforcement, regulatory, and national security authorities in that jurisdiction. Subject to these applicable laws, we will make commercially reasonable efforts to use contractual measures to maintain protections that are at least equivalent to those that are applicable in the province in Canada that you are located in.

Safeguards and Data Governance

We have implemented physical, organizational, contractual and technological security measures in an effort to protect your Personal Information and reduce the risk of loss or theft, unauthorized access, disclosure, copying, misuse or modification of your Personal Information. These measures include restricting physical access to our offices and records, restricting access to your Personal Information to only those employees or agents who require access to fulfill their responsibilities, and restricting unauthorized access, disclosure, use and misuse of your Personal Information in our custody and control. We also periodically update and review such security measures.

Our goal is to prevent unauthorized access, loss, misuse, sharing or alteration of Personal Information in our possession. We also use these commercially reasonable safeguards when we dispose of or destroy your Personal Information.

We maintain policies and practices which require the protection of your Personal Information. Depending on the volume and sensitivity of the information, the purposes for which it is used and the format in which it is stored, we implement a combination of measures to protect your Personal Information, including:

  • Internal policies and procedures that define the roles and responsibilities of our employees and limits their access to such information;
  • If information is collected or stored in electronic format, technical safeguards such as encryption, firewalls, antivirus software, password protected access and other similar measures;
  • A designated Data Protection Officer to monitor our compliance with applicable data protection laws;
  • Employee privacy and data security training;
  • Procedures for receiving, investigating and responding to complaints or inquiries regarding our information handling practices, including any security incidents involving Personal Information;
  • Framework governing the retention and destruction of Personal Information; and
  • Contractual protections and other measures to require that third-party service providers with whom we share Personal Information maintain adequate privacy protections and standards. For example, we generally require our third-party service providers to limit their use and retention of Personal Information to what is necessary to perform the services on our behalf and to notify us in case of any actual or suspected security incident.