NWEA Privacy Policy - Assessment System

Introduction

NWEA recognizes the importance of protecting the privacy and security of its Subscribers and Users of the Assessment System. The purpose of this Privacy Policy ("Policy") is to inform Subscribers and Users of NWEA's policies and procedures regarding the collection, use, and disclosure of Student Education Records, Deidentified Data, and Anonymized Data.  Nothing in this Policy grants any Subscriber or User the right to use or access the Assessment System. Subscribers and Users only have the right to use and access the Assessment System as set forth in the agreement(s) entered into between a Subscriber and NWEA (the "Master Subscription Agreement").  By using the Assessment System, Subscribers and Users agree to this Policy.

Definitions

"Use" means Subscriber's students, teachers, administrators, and other individuals licensed to use the Assessment System under the Master Subscription Agreement.

"Assessment System" means MAP® Growth™ and MAP® Skills™.  

Except as set forth in this Policy, all other capitalized terms in this Privacy Policy shall have the meaning set forth in the Master Subscription Agreement between the parties, which can be found here.

Subscriber Control and Choices Regarding Student Education Records

The collection, input, use, retention, disposal, and disclosure of Student Education Records by Users via the Assessment System are controlled solely by the Subscriber. The Subscriber is responsible for providing all necessary notices and obtaining all necessary consents from Users to collect, use, disclose, and submit the Student Education Records via the Assessment System for NWEA to use in accordance with the Master Subscription Agreement, including, if applicable, any notices and/or consents required under the Federal Educational Records Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA) and applicable international laws, including, but not limited to, the General Data Protection Regulation (GDPR)

NWEA will not delete, change, or divulge any Student Education Records from its Assessment System controlled by the Subscriber except as outlined in this Policy. If a User has questions regarding control of Student Education Records related to the Assessment System licensed by the Subscriber, then User shall contact User's applicable school, district, or educational entity (i.e. Subscriber). If a User desires to revoke User's consent or "opt-out" of a particular use of User's Student Education Records, User shall contact User's applicable school, district, or educational entity. If NWEA receives a request from a User to "opt-out" it shall forward the request to the applicable school, district, or educational entity for handling. The applicable school, district, or educational entity is solely responsible for handling the User's "opt-out" in the Assessment System.     

Information Collected & Maintained

NWEA collects and maintains the following information:

  • Usage Details. When Users access the Assessment System, NWEA may automatically collect certain details of the User's access to and use of the Assessment System, including traffic data, geographic location data, logs and other communication data, and the resources that Users access and use on or through the Assessment System. This information is Anonymized Data
  • Cookies (or mobile cookies). A cookie is a small file placed on computing devices such as computers, tablets, and smartphones. NWEA may use cookies to collect usage details for authentication purposes. For authentication purposes, cookies allow Users to navigate across multiple parts of the Assessment System without needing to re-authenticate. It may be possible to refuse to accept cookies by activating the appropriate setting on the computing devices. However, selection of these settings may disable access to certain parts of the Assessment System. The information collected via cookies is Deidentified Data. NWEA does not use Deidentified Data from cookies to identify Users. Data from cookies may be collected by NWEA using Google Analytics™ or other third-party tools in the Assessment System. Google Analytics™ and these other third-party tools do not collect, store, transit, use, or have access to Student Education Records.   
  • Web Beacons. A web beacon is a small electronic file such as a clear gif, pixel tag, or single-pixel gif. NWEA may use web beacons to collect usage details. It may be possible to refuse to accept web beacons by activating the appropriate setting on the computing devices. However, selection of these settings may disable access to certain parts of the Assessment System. The information collected via web beacons is Anonymized Data that is aggregated. Data from web beacons may be collected by NWEA using Google Analytics™ or other third-party tools in the Assessment System. Google Analytics™ and these other third-party tools do not collect, store, transit, use, or have access to Student Education Records.    
  • Device Information. NWEA may collect information about a User's computing device, mobile device, and network or Internet connection; including the device's unique device identifier, IP address, operating system, browser type, geographic location, and mobile network information. This information is Anonymized Data that is aggregated.
  • Information input by Users. As part of the rostering process, Users may provide Student Education Records to the Assessment System that may include:
    • First, Last, and Middle Name;
    • Date of Birth;
    • Student Identification Number;
    • Personal Characteristics (which may, but does not always, include race, grade, ethnicity, gender, nationality, and language);
    • Economically Disadvantaged Status;
    • English Language Learner or Migrant Status;
    • Homeless Status;
    • Disability, Accessibility, or Accommodation Status;
    • Email Address
    • Name of School and Date of Enrollment;
    • Telephone Number; and
    • Assigned Courses and Instructors.
  • Information generated from using the Assessment System. Users' use of the Assessment System generates Deidentified or Anonymized Data, which may include:
    • Assessment scores;
    • Assessment responses and response times;
    • Item responses and response times;
    • Growth and norming information; and
    • Assessment interaction behavior such as completed, paused, suspended, or terminated tests.

Use of Information Collected

NWEA only uses the information, including Student Education Records, it collects pursuant to this Policy and the Master Subscription Agreement. The most common of those uses are as follows:

  • To provide Subscribers and Users with access to the Assessment System and its contents and any other information, products, or services that Subscriber requests from NWEA;
  • To communicate with Users as necessary to fulfill NWEA's obligations to Subscribers;
  • To provide Subscriber with notices about its account, including expiration and renewal notices;
  • To carry out the Subscriber's and NWEA's respective obligations and enforce NWEA's rights arising from the Master Subscription Agreement, including for billing and collection;
  • To notify Subscriber of changes to any products or services NWEA offers or provides;
  • To improve performance, availability, and functionality of the Assessment System.
  • To estimate Subscriber size and usage patterns; and
  • To store information about Subscriber preferences, allowing NWEA to customize its services.

Deidentified and Anonymized Data

NWEA aggregates information it collects, including Deidentified and Anonymized Data, and uses such aggregated information and other non-personally identifiable information it collects as follows:

  • To conduct legitimate educational research or produce aggregate statistical studies and analysis related to NWEA's products and services, by NWEA or third parties, as an added benefit to NWEA's Subscribers, which may be distributed publicly (e.g., norming studies, research papers, etc.);
  • For third party legitimate educational research;
  • To improve performance, availability, and functionality of the Assessment System;
  • To state educational agencies for legitimate educational purposes; and
  • For general research and to develop new products, features, and technologies.

Disclosure of Student Education Records

NWEA agrees to adhere to the disclosure requirements under FERPA and will not disclose any Student Education Records from the Assessment System to any third-party except as set forth in this Policy or as allowed by applicable law. 

Generally, NWEA may disclose Student Education Records under the following circumstances:

  • NWEA may share Student Education Records with third-party contractors to support the Assessment System. NWEA utilizes a cyber supply chain risk management (SCRM) review process for third parties.  The primary objective of the cyber SCRM is to identify and assess external parties to ensure they meet or exceed NWEA’s security profile (based on the NIST Cybersecurity Framework). As a part of this process, third parties are contractually committed to protect the availability, confidentiality, and integrity of Student Education Records. Third parties are prohibited from engaging in targeted advertising and any other use beyond support of the Assessment System. A list of third-party contractors that maintain or have access to Student Education Records is available to Subscribers upon written request.
  • Consistent with 20 U.S.C. 1232g(b), 34 C.F.R 99.31(a)(9) and other applicable law, NWEA may share Student Education Records if it is required to do so by law or legal process, such as to comply with a court order or subpoena. If required by applicable law and permitted under the court order or subpoena, NWEA shall make a reasonable effort to notify Subscriber of such court order or subpoena.
  • Consistent with 20 U.S.C 1232g(b)(1)(l), 34 C.F.R. 99.31(a)(10), 34 C.F.R. 99.36, 34 C.F.R. 99.32 and other applicable law, NWEA may share Student Education Records for health or safety emergencies purposes. If required by applicable law and permitted under the court order or subpoena, NWEA shall make a reasonable effort to notify Subscriber of such court order or subpoena.
  • Consistent with 20 U.S.C. 1232g(b)(1)(F), 34 C.F.R 99.31(a)(6) and other applicable law NWEA may share Student Education Records to organizations conducting certain studies for educational institutions.
  • NWEA may sell, transfer, or otherwise share some or all its assets, including NWEA's license to use Student Education Records it collects to perform the services under its agreement with Subscriber, in connection with a merger, acquisition, reorganization, sale of assets, or in the event of bankruptcy, in which case the successor entity is subject to the same commitments set forth in this Policy.
  • NWEA may share Student Education Records with third parties that a Subscriber has authorized.
  • NWEA may also disclose Student Education Records to its legal counsel solely in connection with legal advice and subject to executed confidentiality agreements.

NWEA does not sell Student Education Records to third parties for their commercial use and does not use such data to target advertisement at students.  NWEA does not share, sell, rent, or transfer Student Education Records other than as described in the Master Subscription Agreement and this Policy.

NWEA does not publicly disseminate Student Education Records submitted by Users. NWEA permits Users to share comments and feedback in the Assessment System. NWEA does not publicly disseminate those comments and feedback outside of the Assessment System. Third-parties are prohibited from storing Student Education Records outside the borders of the United States of America. 

Erasure, Rectification, Access & Portability of Student Education Records

Users or parents of such Users (if a User is a minor) may review and amend Student Education Records of such User by contacting the Subscriber and following the Subscriber's procedures for amending such User's Student Education Records. NWEA will not make any changes to any Student Education Records without the applicable Subscriber's express written permission, and then, only in accordance with applicable law.

Security

NWEA develops and implements privacy and information security measures aligned to NIST Cybersecurity Framework to protect the confidentiality, integrity, and availability of partner personal data. In doing so, personal data is stored and processed in a manner that is designed to ensure the appropriate security of Student Education Records, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures. Further information on NWEA’s data security measures can be found here: https://legal.nwea.org/map-growth-information-security-whitepaper.html.

Please be aware that despite NWEA's efforts, no data security measures can guarantee 100% security.  Users should take steps to protect against unauthorized access to their password, phone, and computer by, among other things, signing off after using a shared computer, choosing a robust password that nobody else knows or can easily guess, and keeping your log-in and password private.  NWEA is not responsible for any lost, stolen, or compromised passwords or for any activity on a User's account via unauthorized password activity.

Data Retention & Destruction

NWEA retains Student Education Records for the length of time necessary to meet NWEA's contractual and legal commitments to Subscribers. These commitments generally extend past the end date of contractual agreements as Subscribers may need continued access to Student Education Records and educational data for reporting; and many Subscribers resume their subscriptions later and want their historical Student Education Records intact for longitudinal growth studies or legal compliance. All Student Education Records are stored in facilities located within the borders of the United States of America.

NWEA honors Subscribers' requests to delete Student Education Records if required by applicable law.  To request that Student Education Records relating to a particular Subscriber and/or User(s) be deleted, Subscriber shall send a written request to NWEA via email to legalservices@nwea.org and include the following: (i) requestor's name, title, and contact information; (ii) the name of requestor's school or entity with NCES number (if available); (iii) a request to delete Subscriber's Student Education Records; and (iv) an attestation that requestor is duly authorized and has legal capacity to execute the request. NWEA will subsequently contact Subscriber to confirm the destruction request before executing the destruction request. NWEA retains Anonymized Data indefinitely for the purposes stated in this Policy.

Links to Third-Party Websites and Services

Users accessing the Assessment System, NWEA documentation, and/or NWEA sites may find links to external websites and applications owned and operated by other organizations. NWEA is not responsible for and has no control over the content or privacy policy of any linked site. NWEA encourages Users to read the privacy statements of any linked site as its privacy policy may differ from NWEA's.

General Data Protection Regulation (GDPR)

NWEA complies with all applicable laws governing international partners, including the GDPR. Information regarding GDPR compliance is described in the NWEA MAP® Growth™ GDPR Overview and our International Master Subscription Agreement. Subscribers subject to the GDPR need to obtain informed consent for the collection, processing, and transfer of personal data under our agreement with them. NWEA's Explicit Consent to Process Data Form can be found here. Subscribers should submit these completed forms to legalservices@nwea.org.

Updates

NWEA may periodically revise this Policy from time to time and will make updated version of this Policy available here. However, NWEA will not make material changes to this Policy without first providing notice to Subscriber as provided in the Master Subscription Agreement. Notwithstanding the foregoing, should laws and regulations change to regarding the collection, use, or distribution of Student Education Records, NWEA shall be permitted to make appropriate changes to this Policy to comply with the laws and regulations without issuing prior notice to Subscriber.

 

Additional questions regarding this Policy can be sent to:

Jacob Carroll – Sr Director, Privacy & Information Security

NWEA

121 NW Everett Street

Portland, Oregon 97209                                          

503-624-1951

legalservices@nwea.org

 

Document Effective Date: November 15, 2020

Last Modified: October 14, 2020

 

NWEA's previous Privacy Policy - Assessment System can be found here: MAP® Growth™ and Skills™ Privacy Policy October 2019.