Data Privacy and Security Plan – NY Education Law 2-d


NWEA recognizes the importance of protecting the privacy and security of its Subscribers and Users of the Assessment System. NWEA’s Privacy Policy informs Subscribers and Users of NWEA’s policies and procedures regarding the collection, use, and disclosure of Student Education Records, Deidentified Data, and Anonymized Data consistent with applicable federal and state law. Subscriber shall provide NWEA with copies of district specific privacy and data security policies that are applicable to the service, and provide NWEA with an opportunity to review and confirm its acceptance of them.

Administrative, Operational and Technical Safeguards for Sensitive Data

NWEA develops and implements privacy and information security measures aligned to NIST Cybersecurity Framework to protect the confidentiality, integrity, and availability of Student Education Records. In doing so, personal data is stored and processed in a manner that is designed to ensure the appropriate security of Student Education Records, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures. Specific administrative, operational, and technical safeguards for Student Education Records are detailed in our Security Whitepaper

Employee Training for Sensitive Data

All NWEA employees undergo information security awareness training as part of the onboarding process and receive ongoing security awareness training throughout their NWEA careers. During the onboarding process, new employees agree to our employee guide and information security handbook which, among other things, highlights our commitment to keep student and confidential information safe and secure. NWEA recognizes that dedicated employee engagement is a key means of raising security and privacy awareness. Additionally, certain roles (for example, software developers and architects) undergo additional information security training.

Cyber Supply Chain Risk Management

NWEA may share Student Education Records with third-party contractors to in order to provide the services and support the Assessment System. NWEA utilizes a cyber supply chain risk management (SCRM) process for third parties. The primary objective of the cyber SCRM is to identify and assess external parties to ensure they meet NWEA’s security profile (based on NIST security controls) and contractual requirements. As a part of this process, third parties are contractually committed to protect the availability, confidentiality, and integrity of Student Education Records. Third parties are prohibited from engaging in targeting advertising and any other use except in support of the Assessment System.

 Incident management

NWEA maintains an incident management process for security events that may affect the confidentiality, integrity, or availability of systems or data. If an incident occurs, the security team, privacy professional, or designated incident commander logs and prioritizes it according to its severity. The process specifics courses of action, procedures for notification, escalation, mitigation, and documentation. NWEA’s security incident management program is structured around NIST SP 800-61 Rev 2, Computer Security Incident Handling. NWEA notifies Subscribers of a Security Breach  in accordance with applicable state law or without unreasonable delay, whichever occurs sooner.

Erasure, Rectification, Access & Portability of Student Education Records

Users or parents of such Users (if a User is a minor) may review and amend Student Education Records of such User by contacting the Subscriber and following the Subscriber's procedures for amending such User's Student Education Records. NWEA will not make any changes to any Student Education Records without the applicable Subscriber's express written permission, and then, only in accordance with applicable law.

Data Retention, Destruction & Return

Subscribers may use the Assessment System to download its Student Education Records and data. NWEA retains Student Education Records for the length of time necessary to meet NWEA's contractual and legal commitments to Subscribers. These commitments generally extend past the end date of contractual agreements as Subscribers may need continued access to Student Education Records and educational data for reporting; and many Subscribers resume their subscriptions later and want their historical Student Education Records intact for longitudinal growth studies or legal compliance.

NWEA honors Subscribers' requests to delete Student Education Records if required by applicable law.  To request that Student Education Records relating to a particular Subscriber and/or User(s) be deleted, Subscriber shall send a written request to NWEA via email to and include the following: (i) requestor's name, title, and contact information; (ii) the name of requestor's school or entity with NCES number (if available); (iii) a request to delete Subscriber's Student Education Records; and (iv) an attestation that requestor is duly authorized and has legal capacity to execute the request. NWEA will subsequently contact Subscriber to confirm the destruction request before executing the destruction request. NWEA retains Anonymized Data indefinitely for the purposes stated in its Privacy Policy.

Last Modified: March 15, 2022