Cambium Assessment processes personal data on behalf of the Controller. The Controllers are State Education Boards, School Districts and Schools. As a Processor, CAI processes personal data according to the directives of the Controller.
- Data Classification
- Data Security
- Data Collection principles
- Data Use
- Data Retention and destruction
- Sharing of data across Cambium Assessment groups
- Sharing of data with third parties and vendors
- Responding to data requests
- Data breach notification
Cambium Assessment has established policies for classifying and handling personal information. Cambium Assessment’s compliance with The Family Educational Rights and Privacy Act (FERPA) requires protection of students’ personally identifiable information (PII) from unauthorized disclosure. By default, all user PI are considered Confidential by Cambium Assessment. This includes direct identifiers, such as a student’s name or identification number, indirect identifiers, such as a student’s date of birth, or other information which can be used to distinguish or trace an individual’s identity either directly or indirectly through linkages with other information.
Protection of data during collection, storage and handling are described below:
All personally identifiable data are encrypted at rest, in transmission and during backup. All of our systems protect individual privacy and confidentiality in a manner consistent with the Family Educational Rights and Privacy Act (FERPA) and other federal and state laws. All secure data transmitted across the public Internet are encrypted using NIST and FIPS approved standards. All PI and FERPA protected information are encrypted at rest using FIPS compliant encryption technologies. No sensitive personal information is written to unencrypted disk. All sensitive PI are encrypted on backups.
Our systems implement configurable privacy rules that strictly limit access to data to appropriately authorized personnel. In addition to the online protection of PI, we have policies and procedures in place to prevent accidental disclosure of items. All of our personnel undergo background checks and participate in our extensive security training, which is periodically updated and revised. Every staff member’s laptop has an encrypted hard drive, so files stored in temporary folders or work in progress will never be at risk if a portable computer is lost. All of our personnel are required to sign a Non-Disclosure Agreement (NDA), and NDA language is used in all contracts with third parties that involve confidential information.
Data Collection principles
All student personal and demographic information and their associations to school/district data is collected from the customer using secure methods. Our student registration system gathers data from districts, schools, or departments and stores this information in a secure roster tracking system. This data may include information about the educational networks in the State, such as which schools are in which districts, which teachers are in which schools, and which students are in which classes. This system also maintains data about the attributes of the various entities in the system, such as school addresses, student demographics, and any other information that the authorized customer provides.
Data collected during student testing is securely stored in separate systems. Other systems store only an arbitrary Cambium Assessment-assigned ID. When student data must be matched with identifiers (e.g., when presenting an individual’s results in a report), the encrypted identifiers are merged and decrypted. All PII and FERPA protected information are encrypted at rest using Federal Information Processing Standard (FIPS-140) compliant encryption technologies.
We only collect data for legitimate business use from data owners under contracts. We hold the data as trustees.
It is our policy not to use persistent cookies to store personal information of users. Cambium Assessment only uses session cookies for web testing activities that last for the duration of the user’s session. We do not use any persistent cookies to store personal information.
Personal Information collected by Cambium Assessment is strictly used for our legitimate business objectives of test delivery, test administration, students’ assessment and contractual obligations.
Data Retention and destruction
Cambium Assessment holds students’ data as trustees on behalf of our clients who are the school districts and states. Our data retention period will vary based on contracts with our clients and legal requirements.
Cambium Assessment has data archival and retention policies for our registration system, roster tracking system, test delivery system and analysis applications. Policies include schedules for purging data from files and databases based on what is to be purged and when. Again, this varies by contract, however, typically at the start of every school year, attributes and relationships logs and data tables from old school years are deleted. Student demographic data may be maintained across years, until the end of the contract with the customer. Analysis data is retained for 2 school years.
Sharing of data across Cambium Assessment groups
When sharing data, Cambium Assessment strictly abides by the privacy commitments made at the time of data collection in strict compliance with contractual and legal obligations.
Sharing of data with third parties and vendors
Cambium Assessment uses contracts to cover when and how personal data can be shared with external third parties and vendors. Contracts use appropriate language to ensure that third parties process the data they receive in a way that does not conflict with Cambium Assessment’s privacy and data security policies. Any sharing of data with third parties is done for legitimate business reasons with the consent of the data owner.
CAI shall not use any PI information in student records in any form of advertising.
Notifying changes to data security processes
Data breach notification
In the event of a data breach, notification to internal and external stakeholders will be conducted according to the table below:
|Communication process and contact
|Internal and External Communications
||Per Incident or Contract Requirement||Impacted Stakeholders, Consumers, and Controllers||Top Management, Legal Counsel, Client Liaison. Contact and communication with Law Enforcement will depend on legal requirements and privacy regulations.||As appropriate. Sensitive information will be transmitted using secure channels.
Person to contact regarding the breach:
Information Systems Security
Data handling policies in the event of sale, merger, or bankruptcy
In the event of sale, merger, or bankruptcy of CAI, all our contractual obligations and commitments made to our controllers/consumers regarding data handling policies shall remain the same.
Privacy Office: Contact Information
If you have questions about CAI’s privacy policies and practices or wish to file a privacy related complaint, then you can use the following dedicated email to contact us:
Cambium Assessment Privacy Office
1000 Thomas Jefferson St., N.W.
Washington, D.C. 20007
Phone: (202) 403-5000
This privacy statement was last updated January 6, 2021.