Thumbnail

Privacy Evaluation for Engrade

Last updated December 19, 2018

Overview

Engrade by McGraw-Hill Education is a learning management system (LMS) and assessment engine. Engrade empowers educators and unlocks student achievement. Engrade McGraw-Hill Education's policies are not transparent about whether users can interact with trusted or untrusted users. Engrade McGraw-Hill Education's terms state they will not sell users' PII to other organizations or use information from educational records for marketing purposes. In addition, the policies state that Engrade McGraw-Hill Education will establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of users' personally identifiable information. The terms of Engrade McGraw-Hill Education's policies state that they use user information to provide the digital learning solution on behalf of a school in order to meet its contractual obligations with the school or district.

Please Note: The terms state they do not apply to any data submitted to or collected by Engrade - McGraw-Hill Education in connection with the educational or instructional use of their products and services by customers, students, and/or educational institutions. If a user registers to use the services on behalf of an educational institution, they will be required to agree to additional terms and conditions in connection with the registration process that are not used in this evaluation process.

Engrade by McGraw-Hill Education can be accessed through its website. The Privacy Policy and Terms of Use used for this evaluation can be found on Engrade’s website. Additionally, other policies used for this evaluation include: Terms of Service. This evaluation only considers policies that have been made publicly available prior to an individual using the application or service.

Safety

Engrade McGraw-Hill Education's policies are not transparent about whether users can interact with trusted or untrusted users. In addition, the terms are unclear whether information may be shared or revealed by a user in order to participate in social interactions or that a user's personal information can be displayed publicly in any way. The terms also state Engrade McGraw-Hill Education reserves the right, but not the obligation to remove, to not transmit any user content that they deem to be in violation of their terms. However, Engrade McGraw-Hill Education does not and cannot review all user content or service uploads from users, and their policies state they are not responsible for such content. Engrade McGraw-Hill Education may report communications or materials provided by users to their educational institution if they believe the communications or content are in violation of their terms. Lastly, Engrade McGraw-Hill Education provides external links to resources to learn more about safety.

Privacy

Engrade McGraw-Hill Education's policies state they are a global organization and follow privacy laws and regulations that are applicable to their company and services in the areas where they do business. Their policies state Engrade McGraw-Hill Education is committed to protecting the privacy of users' personal information, and they regularly review and update their privacy practices as required. In addition, they have recently updated their Privacy Center and Terms of Use to be more transparent about how they collect and use user information, and to provide users with more control over that information.

The policies state Engrade McGraw-Hill Education collects Personally identifiable information, such as contact information and education details, in order to provide users with the product and/or service they requested. When a user registers, or is registered within one of the offered digital learning solutions, Engrade McGraw-Hill Education collects their name, school, instructor, class, and login information. However, the terms also specify Engrade McGraw-Hill Education does not collect, use, or disclose PII that is not reasonably related to a legitimate business purpose necessary to serve its users. When a user visits or make transactions on Engrade McGraw-Hill Education's web sites, they automatically collect certain information from users through the use of cookies, web beacons or other tracking mechanisms. This includes information about users' experience such as their IP address, operating systems, pages viewed, and time spent.

In addition, Engrade McGraw-Hill Education's terms state they purchase and rent marketing lists from various providers including event management companies and education non-profits. Engrade McGraw-Hill Education's policies state they may share user information with third parties to provide users with marketing information. However, McGraw-Hill Education's terms state they will not share users' PII with third parties for them to market to users on their own behalf. McGraw-Hill Education's terms also specify they will not market to students using the information from their educational records, which are records directly related to a student and maintained by an educational agency or institution, or by a party acting for the agency or institution.

Engrade McGraw-Hill Education's terms state they will not sell users' PII to other organizations or use information from educational records for marketing purposes. The terms of Engrade McGraw-Hill Education state they may use users' PII to provide them with materials that they believe are of interest to users. In addition, Engrade McGraw-Hill Education's policy states they may display advertisements to users in connection with user content, and may use user content to advertise and promote Engrade McGraw-Hill Education's products and services. This allows Engrade McGraw-Hill Education to collect information about customer usage and online behavior to tailor marketing to areas that they believe may be more appropriate for the user. Lastly, Engrade McGraw-Hill Education's terms state they allow third parties to collect information automatically from users across websites and over time through the use of their own cookies, web beacons, and tracking mechanisms.

Security

Engrade McGraw-Hill Education's policies state they may collect users' name, initials, and contact information when they create an account. In addition, the policies state Engrade McGraw-Hill Education will establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of users' Personally Identifiable Information. The terms specify Engrade McGraw-Hill Education owns, controls, and operates its services from their offices in the United States. However, the terms do not state whether personal information is encrypted while in transit or while in storage and there is no information provided about notification to users in the event of a data breach.

Compliance

The terms of Engrade McGraw-Hill Education state they use user information to provide the digital learning solution on behalf of a school in order to meet its contractual obligations with the school or district. In addition, users will also be subject to any additional terms of use, agreements, guidelines or rules provided by Engrade McGraw-Hill Education applicable to the services provided. Engrade McGraw-Hill Education's products are intended for use by parents, students, and teachers. The terms further specify if a user is an educator, parent, or student, Engrade McGraw-Hill Education is a service provider to their school or organization. The service providers parents, students, and teachers with the ability to access, modify, and delete personal information. In addition, the terms state Engrade McGraw-Hill Education will retain users' data for the minimum amount of time necessary to accomplish the purpose for which it was collected, and thereafter no longer than is permitted under McGraw-Hill Education's data retention policies.

Further, the terms specify that due to the increasing focus on the security and protection of personal and student information, Engrade McGraw-Hill Education's privacy practices comply with such federal regulations as COPPA and FERPA. Engrade McGraw-Hill Education acknowledges that it will be considered a "School Official" (as that term is used in FERPA) and agrees that it will comply with the requirements in FERPA concerning the confidentiality and release of Personally Identifiable Information.

Lastly, McGraw-Hill Education has taken a leadership role with Future of Privacy Forum (FPF) and the Software and Information Industry Association (SIIA) in setting the agenda for self-regulatory goals for student privacy in the industry. The terms further specify they have an internal Privacy Council comprised of senior leaders throughout our company that provides the tone at the top to perpetuate best practices across our business.

Data Collection
SCORE: 50%

What data does it collect?

  • Personally identifiable information (PII) is collected.
  • The categories of collected personally identifiable information are indicated.
  • Collection or use of data is limited to product requirements.
  • Geolocation data are collected.
  • Biometric or health data are collected.
  • Behavioral data are collected.
  • Unclear whether this product collects sensitive data.
  • Non-personally identifiable information is collected.
  • Unclear whether this product treats combined information as personally identifiable information (PII).
  • Personal information from children under 13 years of age is collected online.
Data Sharing
SCORE: 90%

What data does it share?

  • Collected information is shared with third parties.
  • The categories of information shared with third parties are indicated.
  • The purpose for sharing a user's personal information with third parties is indicated.
  • Use of information is limited to the purpose for which it was collected.
  • Data are shared for analytics.
  • Data are shared for research and/or product improvement.
  • Data are shared with third-party service providers.
  • The roles of third-party service providers are indicated.
  • Social or federated login is supported.
  • Contractual limits are placed on third-party data use.
Data Security
SCORE: 40%

How does it secure data?

  • Unclear whether a user's identity is verified with additional personal information.
  • Account creation is required.
  • Parental controls or managed accounts are available.
  • Unclear whether two-factor account protection is available.
  • Unclear whether third-party contractual security protections are required.
  • Industry best practices are used to protect data.
  • Employee or physical access to user information is limited.
  • Unclear whether this product encrypts all data in transit.
  • Unclear whether this product encrypts all data at rest.
  • Unclear whether this product provides notice in the event of a data breach.
Data Rights
SCORE: 95%

What rights do I have to the data?

  • Opt-in consent is requested from users at the time personal information is collected.
  • Users can control their information through privacy settings.
  • Users can create or upload content.
  • Users retain ownership of their data.
  • Processes to access and review user data are available.
  • Processes to modify inaccurate data are available.
  • A data-retention policy is available.
  • Processes for the school, parents, or students to delete data are available.
  • Processes to delete user data are available.
  • Processes to download user data are available.
Data Sold
SCORE: 50%

Is the data sold?

  • Data are not sold or rented to third parties.
  • Users can opt out from the disclosure or sale of their data to a third party.
  • User information can be transferred to a third party.
  • Unclear whether users are notified if their information is transferred to a third party.
  • Unclear whether user information can be deleted prior to its transfer to a third party.
  • Third-party transfer is contractually required to use the same privacy practices.
  • User information is shared in an anonymous or deidentified format.
  • Unclear whether the vendor describes their deidentification process of user information.
  • Data are shared for research and/or product improvement.
  • Unclear whether contractual limits prohibit third parties from reidentifying deidentified information.
Data Safety
SCORE: 15%

How safe is this product?

  • Unclear whether this product supports interactions between trusted users and/or students.
  • Unclear whether users can interact with untrusted users, including strangers and/or adults.
  • Unclear whether profile information is shared for social interactions.
  • Unclear whether this product displays personal information publicly.
  • Unclear whether this product allows users to control how their data are displayed.
  • User-created content is not reviewed, screened, or monitored by the vendor.
  • Unclear whether user-created content is filtered for personal information before being made publicly visible.
  • Unclear whether social interactions between users are moderated.
  • Unclear whether social interactions of users are logged.
  • Users can report abuse or cyberbullying.
Ads & Tracking
SCORE: 60%

Are there advertisements or tracking?

  • Data are shared for third-party advertising and/or marketing.
  • Traditional or contextual advertisements are displayed.
  • Behavioral or targeted advertising is displayed.
  • Data are collected by third-party advertising or tracking services.
  • Data are used to track and target advertisements on other third-party websites or services.
  • Unclear whether this product creates and uses data profiles for data enhancement, and/or targeted advertisements.
  • The vendor can send marketing messages.
  • The vendor does not provide promotional sweepstakes, contests, or surveys.
  • Users can opt out of traditional, contextual, or behavioral advertising.
  • Users can opt out or unsubscribe from marketing communications.
Parental Consent
SCORE: 50%

Can I provide parental consent?

  • Intended for children under 13.
  • Intended for parents or guardians.
  • Unclear whether vendor has actual knowledge that personal information from users under 13 years of age is collected.
  • Children's privacy is applicable.
  • Unclear whether this product indicates COPPA parental consent exceptions.
  • Parental consent is required.
  • Unclear whether this product limits parental consent with respect to third parties.
  • Parents can withdraw consent for the further collection of their child's information.
  • Unclear whether this product deletes children's personal information if collected without parental consent.
  • Unclear whether this product provides parental consent notice and method for submission.
School Purpose
SCORE: 70%

Is the product intended for school?

  • Intended for students.
  • Personal information or education records are collected from preK-12 students.
  • Intended for teachers.
  • Product is primarily used by, designed for, and marketed toward students in grades preK–12.
  • Product does create education records.
  • Notification of a contract or additional rights is provided.
  • Vendor is designated as a school official.
  • Parental consent obligations are transferred to the school or district.
  • Unclear whether the vendor indicates FERPA parental consent exceptions.
  • Unclear whether this product discloses directory information.

Common Sense Standard Privacy Report (SPR)

The standard privacy report (SPR) displays all the privacy practices from a product's policies in a single, easy-to-read outline. The report shows a green check mark for better privacy practices and an orange alert for risky or unclear practices. This alert indicates that more time should be focused on these particular details prior to use.

About Privacy Evaluations

The privacy evaluations have been designed with the help and support of a consortium of schools and districts across the United States. These evaluations are designed to help educators make informed decisions about the potential privacy implications of educational technology used to support teaching and learning.

Our core evaluation criteria will always be freely available. People are encouraged to read the questions we use and our information security primer. Vendors are encouraged to use our questions and the information security primer to self-evaluate. You can also learn more about our evaluation process. Please be in touch with any questions or feedback.