NWEA Privacy Policy - Assessment Products

Introduction

NWEA (also referred to as “we”, “our”, or “us” in this Policy) recognizes the importance of protecting the privacy and security of its Subscribers and Users of the Assessment Products. The purpose of this Privacy Policy ("Policy") is to inform Subscribers and Users of our policies and procedures regarding the collection, use, and disclosure of Student Education Records, Deidentified Data, and Anonymized Data.  Nothing in this Policy grants any Subscriber or User the right to use or access the Assessment Products. Subscribers and Users only have the right to use and access the Assessment Products as set forth in the agreement(s) entered into between a Subscriber and us (“Agreement”).  By using the Assessment Products, Subscribers and Users agree to this Policy.

Definitions

"Assessment Products" means, to the extent included in an applicable Schedule, the Assessment System provided to Subscriber by us.  Assessment Products excludes Subscribers operating environment and other systems not within our control.

“Anonymized Data” means any Student Education Record rendered anonymous in such a manner that the student is no longer identifiable or public information within a Student Education Record. For example, this includes non-identifiable student assessment data and results, and other metadata, testing response times, scores (e.g., goals, RIT), NCES codes, responses, item parameters, and item sequences that result from the Services.

“COPPA” means the Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506, including the rules and regulations promulgated thereunder, in each case as amended.

“Deidentified Data” means a Student Education Record processed in a manner in which the Student Education Record can no longer be attributed to a specific student without the use of additional information, provided that such additional information is kept separately using technical and organizational measures.

“FERPA” means the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, including the Protection of Pupil Rights Amendment, including the rules and regulations promulgated thereunder, in each case as amended.

“Student Education Record” means personally identifiable information of Subscriber’s students as defined by FERPA, COPPA and other applicable federal and state laws.

"Users" means Subscriber's students, teachers, administrators, and other individuals licensed to use the Assessment Products under the Agreement.

Except as set forth in this Policy, all other capitalized terms in this Privacy Policy shall have the meaning set forth in the Agreement between the parties, which incorporates the material terms of our Master Subscription Agreement found here.

Compliance with Applicable US Laws

Student Education Records may be protected under applicable federal and state student data privacy laws, which may include COPPA, FERPA, and the California Student Online Personal Information Protection Act, Ch. 22.2, §§ 22584 et seq. of the California Business and Professions Code, and Section 49073.1 of the California Education Code. For the avoidance of doubt, the California Student Online Personal Information Protection Act is referenced because it is the most comprehensive legislation related to state student data privacy, however we comply with all applicable student data privacy laws.

Consent

FERPA permits a school to provide educational records (including Student Education Records) to certain service providers without requiring the school to obtain specific parental consent. FERPA permits this where the service provider acts as a “school official” by performing services that would otherwise be performed by the school's own employees. We fulfill FERPA requirements for qualifying as a school official by giving the school direct control with respect to the use and maintenance of the education records (including Student Education Records) and refraining from re-disclosing or using this Student Education Records except for purposes outlined in this Policy and the Agreement.  We comply with FERPA by relying on this form of consent.

COPPA permits a school, acting in the role of “parent,” to provide required consents regarding Student Education Records who are under the age of 13. We rely on this form of COPPA consent. We provide Subscribers with this Policy, to ensure that the Subscriber, in providing its COPPA consent, has full information and assurance that our practices comply with COPPA.

Accordingly, Subscribers are responsible for providing all notices and obtain all such consents required under FERPA and COPPA to allow us to provide the Assessment Products to Users and process Student Education Records in accordance with this Policy.

In addition to Subscribers’ obtaining consents regarding personal information of Users other than students (such as teachers and school administrators) on our behalf, we may also obtain consents regarding such personal information. To obtain these consents we (a) notify the Users of our privacy practices by including links to this Policy within our Assessment Products, and (b) rely on their continued use of our Assessment Products to indicate their consent to this Policy.

Subscriber Control and Choices Regarding Student Education Records

The collection, input, use, retention, disposal, and disclosure of Student Education Records by Users via the Assessment Products are controlled solely by the Subscriber. As outlined in the Agreement, Subscriber owns the Student Education Records.  

We will not delete, change, or divulge any Student Education Records from our Assessment Products controlled by the Subscriber except as outlined in this Policy. If a User has questions regarding control of Student Education Records related to the Assessment Products licensed by the Subscriber, then User shall contact User's applicable school, district, or educational entity (i.e., Subscriber). If a User desires to revoke User's consent or "opt-out" of a particular use of User's Student Education Records, User shall contact User's applicable school, district, or educational entity. If we receive a request from a User to "opt-out" we shall forward the request to the applicable school, district, or educational entity for handling. The applicable school, district, or educational entity is solely responsible for handling the User’s “opt-out” in the Assessment Products.     

The parents of a student can obtain access — through their child’s school — to information concerning their child that is available on our Assessment Products. To do so, the parent should follow the school’s procedures for such access.

Information Collected & Maintained

We collect and maintain the following information:

• Usage Information. When Users access the Assessment Products, we may automatically collect certain details of the User's access to and use of the Assessment Products, including traffic data, session and user counts, pageviews, time on page, geographic location data, logs and other communication data, and the resources that Users access and use on or through the Assessment Products. This information is Anonymized Data.
• Cookies. A cookie is a small file placed on computing devices such as computers, tablets, and smartphones. We may use cookies to collect usage details for authentication purposes. For authentication purposes, cookies allow Users to navigate across multiple parts of the Assessment Products without needing to re-authenticate. It may be possible to refuse to accept cookies by activating the appropriate setting on the computing devices. However, selection of these settings may disable access to certain parts of the Assessment Products. The information collected via cookies is Deidentified Data. We do not use Deidentified Data from cookies to identify Users. Data from cookies may be collected by us using Google Analytics™ or other third-party tools in the Assessment Products. Google Analytics™ and these other third-party tools do not collect, store, transit, use, or have access to Student Education Records. Google’s privacy policy is located at: https://policies.google.com/privacy.    
• Web Beacons. A web beacon is a small electronic file such as a clear gif, pixel tag, or single-pixel gif. We may use web beacons to collect usage details. It may be possible to refuse to accept web beacons by activating the appropriate setting on the computing devices. However, selection of these settings may disable access to certain parts of the Assessment Products. The information collected via web beacons is Anonymized Data that is aggregated. Data from web beacons may be collected by us using Google Analytics™ or other third-party tools in the Assessment Products. Google Analytics™ and these other third-party tools do not collect, store, transit, use, or have access to Student Education Records.    
• Device Information. We may collect information about a User's computing device, mobile device, and network or Internet connection; including the device's unique device identifier, IP address, operating system, browser type, geographic location, and mobile network information. This information is Anonymized Data that is aggregated.
• System Administrator Information.  We collect registration information from the Subscriber designated system administrator when signing up with us or changing administrators, which may include the school administrator's own first and last name, business address and phone number, email address, profile information and account information.
• Information input by Users to the Assessment Products.
• Roster Information. As part of the rostering process, Users may input the following information to the Assessment Products:
• School Name; Instructor ID (current and previous); Instructor State ID; Instructor First. Middle, and Last Name; Instructor Username; Instructor Email;  Class Name; Student ID (current and previous); Student First, Middle and Last Name; Student Date of Birth; Student Gender; Student Grade; Student Ethnic Group;  Student State ID; Clever ID; Ed-Fi ID; ClassLink ID; One Roster ID; Student Information System ID; Student Username; Student Email; Subject; Role; School State Code; Economically Disadvantaged Status; English Language Learner or Migrant Status; Homeless Status; Disability, Accessibility, or Accommodation Status; and Date of Enrollment.
• Information generated from using the Assessment Products. Users' use of the Assessment Products generates Deidentified or Anonymized Data, which may include:
• Assessment scores; Assessment responses and response times; Item responses and response times; Growth and norming information; and Assessment interaction behavior such as completed, paused, suspended, or terminated tests.

How We Use Student Education Records

We may use Student Education Records for the following purposes:  

• To Deliver the Assessment Products. We may use Student Education Records to provide Subscribers and Users with access to the Assessment Products and to generate reports and other services associated with the Assessment Products or requested by the Subscriber.
• To Communicate with Users and Subscribers. We may use Student Education Records to communicate with Users as necessary to fulfill our obligations to Subscribers and provide Subscriber with notices about its account, including expiration, renewal, or changes in the Assessment Products.  
• For Compliance, Fraud Prevention, and Safety.  We may use Student Education Records as necessary or appropriate to: (a) enforce our Master Subscription Agreement and policies; (b) protect our rights, privacy, safety or property, and that of our Users or Subscribers; and (c) protect, investigate, and deter against fraudulent, harmful, unauthorized, unethical, or illegal activity.
• To Improve our Assessment Products.  We may use Student Education Records to improve the performance, availability, and functionality of the Assessment Products.
• To Create Deidentified and Anonymized Data.  We may use Student Education Records to create Deidentified Data or Anonymized Data.
• With Consent.  We may ask for consent from Subscribers or Users to collect, use, or share Student Education Records for purposes not described in this Policy.

How We Use Deidentified and Anonymized Data

We may aggregate information collected, including Deidentified and Anonymized Data, and uses such aggregated information and other non-personally identifiable information collected as follows:

• Legitimate Educational Research.  We may use Deidentified and Anonymized Data to conduct legitimate educational research or produce aggregate statistical studies and analysis related to our products and services, by us or third parties, as an added benefit to our Subscribers, which may be distributed publicly (e.g., norming studies, research papers, etc.).
• Third Party Legitimate Educational Research.  We may share Deidentified and Anonymized Data with third parties for them to conduct legitimate educational research.
• To Improve our Assessment Products.  We may use and share Deidentified and Anonymized Data with third party vendors to improve performance, availability, and functionality of the Assessment Products.
• Authorized Public Agency Legitimate Educational Research. We may share Deidentified and Anonymized Data with state educational agencies for legitimate educational purposes.
• General Research.  We may use Deidentified and Anonymized Data for general research and to develop new products, features, and technologies.

Disclosure of Student Education Records

We use Student Education Records for our internal purposes only, with the following limited exceptions:

• Authorized Service Providers.  We may share Student Education Records with service providers to permit them to provide the contracted services to us to help support the Assessment Products.  A list of service providers that maintain or have access to Student Education Records is available to Subscribers here: https://legal.nwea.org/privacy-policy-third-party-contractors.html.
• Subscribers and Users. We may share Student Education Records with the applicable Subscriber and Users.  We do not control and are not responsible for Subscriber or Users handling of Student Education Records. Similarly, we do not control and are not responsible for the roles-based access to Student Education Records, which is determined by the Subscriber’s system administrator.
• Administrative and Legal Purposes.  We may share Student Education Records: (i) if it is required to do so by law or legal process, such as to comply with a court order or subpoena; (ii) for public health or safety purposes; (iii) in response to bankruptcy proceedings; (iv) to protect the security or integrity of our Assessment Products; (v) to enable us to take precautions against liability, enforce legal rights, and detect, investigate and prevent activities that violate our polices or that are illegal; and (vi) to the extent we believe necessary or appropriate to protect our rights, safety, or property or that of our Subscribers and Users.
• Business Transitions.  We may sell, transfer, or otherwise share some or all our assets, including our license to use Student Education Records collected to perform the services under our agreement with Subscriber, in connection with a merger, acquisition, reorganization, sale of assets, or in the event of bankruptcy, in which case the successor entity is subject to the same commitments set forth in this Policy.
• Consent.  We may share Student Education Records with third parties that a Subscriber has authorized.

We do not sell Student Education Records to third parties for their commercial use and do not use such data to target advertisement at students.  We do not share, sell, rent, or transfer Student Education Records other than as described in the Agreement between the parties and this Policy.

We do not publicly disseminate Student Education Records submitted by Users. We permit Users to share comments and feedback in the Assessment Products, but we do not publicly disseminate those comments and feedback outside of the Assessment Products. Third parties are prohibited from storing Student Education Records outside the borders of the United States of America. 

Erasure, Rectification, Access & Portability of Student Education Records

Users or parents of such Users (if a User is a minor) may review and amend Student Education Records of such User by contacting the Subscriber and following the Subscriber's procedures for amending such User's Student Education Records. We will not make any changes to any Student Education Records without the applicable Subscriber's express written permission, and then, only in accordance with applicable law.

Service Providers

We use a cyber supply chain risk management (SCRM) process for third party service providers that have access to Student Education Records. The primary objective of the cyber SCRM is to identify and assess external parties to ensure they meet the required security profile (based on NIST security controls) and contractual requirements. As a part of this process, third parties are contractually committed to protect the availability, confidentiality, and integrity of Student Education Records in written terms no less restrictive regarding Student Education Records than the terms of this Policy. Third parties are prohibited from engaging in targeting advertising and any other use except in support of the Assessment Products.

Security

We develop and implement privacy and information security measures aligned to NIST Cybersecurity Framework to protect the confidentiality of Student Education Records. In doing so, personal data is stored and processed in a manner that is designed to ensure the appropriate security of Student Education Records, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures. All Student Education Records are stored in facilities located within the borders of the United States of America. Further information on our data security measures can be found here: https://legal.nwea.org/map-growth-information-security-whitepaper.html.

Please be aware that despite our efforts, no data protection measures can guarantee security.  Users should take steps to protect against unauthorized access to their password, phone, and computer by, among other things, signing off after using a shared computer, choosing a robust password that nobody else knows or can easily guess, and keeping your log-in and password private.  We are not responsible for any lost, stolen, or compromised passwords or for any activity on a User's account via unauthorized password activity.

Data Retention & Destruction

We retain Student Education Records for the length of time necessary to meet our contractual and legal commitments. These commitments generally extend past the end date of contractual agreements as Subscribers may need continued access to Student Education Records and educational data for reporting; and many Subscribers resume their subscriptions later and want their historical Student Education Records intact for longitudinal growth studies or legal compliance.

We honor Subscribers' requests to delete Student Education Records if required by applicable law.  To request that Student Education Records relating to a particular Subscriber and/or User(s) be deleted, Subscriber shall send a written request to us via email to legalservices@nwea.org and include the following: (i) requestor's name, title, and contact information; (ii) the name of requestor's school or entity with NCES number (if available); (iii) a request to delete Subscriber's Student Education Records; and (iv) an attestation that requestor is duly authorized and has legal capacity to execute the request. We will subsequently contact Subscriber to confirm the destruction request before executing the destruction request. We retain Anonymized Data indefinitely for the purposes stated in this Policy.

Links to Third-Party Websites and Services

Users accessing the Assessment Products, Documentation, and/or our sites may find links to external websites and applications owned and operated by other organizations. We are not responsible for and has no control over the content or privacy policy of any linked site. We encourage Users to read the privacy statements of any linked site as its privacy policy may differ from our Policy.

Jurisdiction Specific Data Privacy Addendum

California

With respect to Pupil Records (as defined in Cal. Educ. Code 49073.1) that we process on behalf of Subscriber in California, the following provisions shall apply to the extent required by applicable law:

• Pupil Records that that we process on behalf of Subscriber are Subscriber Student Education Records and under the control of Subscriber.
• We shall limit our use of Pupil Records to those purposes specified in the Agreement and this Policy.
• Procedures for the review and correction of Pupil Records shall be in accordance with this Policy.
• We shall implement, maintain, and use reasonable measures to ensure the security and confidentiality of Pupil Records as specified in this Policy and the Agreement.
• Procedures for notification in the event of a confirmed security breach of Pupil Records shall be in accordance with the terms of the Agreement.
• We agree that retention of Pupil Records shall be in accordance with the terms of the Agreement and this Policy.
• Both parties agree that access to and use of Student Education Records shall be subject to this Policy and the Agreement.
• We will not use Student Education Records to engage in targeted advertising.

New York

With respect to personally identifiable information (as defined in N.Y. Comp. Codes R. & Regs. tit. 8, § 121.3(m)) (“NY Student Education Records”) that we process for Subscribers in New York, the following provisions shall apply to the extent required by applicable law:

• We agree that our safeguards and practices align with the NIST Cybersecurity Framework.
• We shall comply in all material respects with applicable state and federal laws.
• We shall limit access to and use of NY Student Education Records consistent this Policy and the Agreement.
• We shall not disclose NY Student Education Records except in accordance with this Policy and the Agreement.
• We shall use encryption to protect NY Student Education Records in transit and at rest.
• We shall not sell NY Student Education Records and shall limit its use and disclosure in accordance with this Policy and the Agreement.
• Our NY Data Security and Privacy Plan can be found at: https://legal.nwea.org/nwea-ny-privacy-and-security-plan.html.

General Data Protection Regulation (GDPR) and UK Data Protection Law (UK GDPR)

We comply with all applicable laws governing international partners, including the GDPR and UK GDPR. We primarily act in the role of a processor with respect to its processing of personal data of Subscribers.   Information regarding our data processing activities and our compliance with GDPR and UK GDPR in our role as a processor is described in the NWEA MAP® Growth™ GDPR Overview and our International Master Subscription Agreement.We also ensure that any EU personal data transferred to the United States for processing on behalf of our Subscribers receives adequate protection by entering into Standard Contractual Clauses approved by the approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.  For UK personal data, we enter into the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of those Mandatory Clauses ("Approved Addendum"). 

Subscribers subject to the GDPR or UK GDPR need to obtain informed consent of individual students and parent Users for the collection, processing, and transfer of personal data under our agreement with them. NWEA's Explicit Consent to Process Data Form can be found here. This is provided for informational purposes only as Subscribers are responsible for ensuring they have provided notice and obtained written consent from student and parent Users necessary to provide personal data to us and the Assessment Products.  Subscribers should submit the completed consent forms to legalservices@nwea.org. 

We may also collect personal data in its role as a controller, such as name, address, email address, organization, title, and other contact information as well as IP address and usage information about Subscribers and their personnel (such as school administrators and teachers)(“Subscriber Users”) that access and use the Assessment Products.  Such personal data is used for the purposes set forth in the section entitled Use of Information Collected.  The legal bases for using such personal data are (a) necessity to perform our contractual obligations (such as providing the Assessment Products), (b) for our legitimate interests (such as to improve products and services or to market to current and prospective customers); (c) compliance with legal obligations;  (d) protection of the vital interests of data subjects; and (e) in accordance with the data subject’s consent, which can be withdrawn by emailing us at  legalservices@nwea.org.

Data subjects for which we act as a controller may make the following requests:

• Right to access and rectification: You can request details of the personal data we hold, along with a copy of your personal data, and the correction of any errors in your personal data.
• Right to erasure (“right to be forgotten”): The right, in certain circumstances, to ask for your personal data to be deleted. In specific cases, we may not be able to delete some types of personal data, in particular, where we have a legal obligation to keep that personal data (e.g. for regulatory reporting purposes) or, for example, where you want us to continue to provide you with our products and services and the processing of the personal data is necessary for the provision of those products and services.
• Marketing communications and sharing with third parties. We provide you with an opportunity to express your preferences with respect to receiving certain marketing communications from us, and our sharing of personal data with trusted partners for their direct marketing purposes.
• Right to portability: The right in some cases to receive your personal data in a digital format or to have it transmitted directly to another controller (where technically feasible).
• Right to object: The right to object (on grounds relating to your particular situation) to the processing of your personal data on the basis of our legitimate interests, including for direct marketing purposes.
• Right to withdraw consent: You can withdraw your consent at any time in respect of any processing of personal data which is based upon a consent.

If you believe our processing of your personal data violates data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work, or the place of the alleged violation or in the case of UK residents with the UK Information Commissioner’s Office (see https://ico.org.uk/make-a-complaint/).

Data subjects may make such requests by emailing us at legalservices@nwea.org. We will respond to all such requests within 30 days of our receipt of the request, unless there are extenuating circumstances, in which event we may take up to 60 days to respond. We will inform you if we expect our response to take longer than 30 days. Please note, however, that certain personal data may be exempt from such rights pursuant to applicable data protection laws. In addition, we will not respond to any request unless we are able to appropriately verify the requester’s identity. We may charge you a reasonable fee for subsequent copies of personally identifiable information that you request. In addition, if we consider that a request is manifestly unfounded or excessive, we may either request a reasonable fee to deal with the request or refuse to deal with the request.

Retention

In broad terms, we will only retain your personal data and other information for as long as is necessary for the purposes described in this Policy and in accordance with our retention policies. Retention periods may vary according to the type of personal data and the reason that we have collected the personal data.  We may also retain personal data a number of years in order to comply with various legal obligations.  After a retention period has lapsed, the personal data is securely deleted, unless it is necessary for the establishment, exercise or defense of legal claims or to comply with legal obligations.

Google API Services

Certain Assessment Products may use Google API as one of Our Service Providers.

AI Services

NWEA does not use your Personal Information to develop, improve, or train generalized/non-personalized artificial intelligence and/or machine learning (collectively “AI”) models. We may transfer certain de-identified information to third-party AI tools to generate scoring and feedback results or perform analyses or other functions that are required for the Assessment Product to function as intended. In some cases, Users have the option of disabling AI. Users are responsible for reviewing AI outputs.

Updates

We may periodically revise this Policy from time to time and will make updated version of this Policy available here. However, we will not make material changes to this Policy without first providing notice to Subscriber as provided in the Master Subscription Agreement. Notwithstanding the foregoing, should laws and regulations change to regarding the collection, use, or distribution of Student Education Records, we shall be permitted to make appropriate changes to this Policy to comply with the laws and regulations without issuing prior notice to Subscriber.

 

Contact Us

You may contact us with questions or concerns regarding this Policy at the following address: privacy@hmhco.com

Document Effective Date:   November 29, 2024

Last Modified: October 29, 2024

NWEA’s previous Privacy Policy – Assessment System can be found here: https://legal.nwea.org/nwea-privacy-policy-2023.html