Last Updated: July 5, 2018
Certification Management Services, Inc. (CMS, “we”, “our”, or “us”) offers several services and tools to manage, develop, analyze, and revise test items. Our services include psychometric consulting, tools for clients to manage their own item development projects, and end-to-end services where CMS recruits subject matter experts (SMEs) and manages the item development process for a client.
To streamline and better manage the item development process, CMS created, owns, and operates several tools including Review Events, Blueprint Surveys, Web Authoring, and AUTHORWise (together the system). Clients and SMEs (whether hired by CMS or by a client) use the system to develop test items. We have a legal obligation to our clients to identify by name who contributes to each part of the item development process. Therefore, at a minimum, we collect, process, and retain indefinitely the names of all individuals who contribute to the item development process.
As part of our consulting services, we also receive and process candidate testing data from clients (which may contain personal identifying information about testing candidates).
How We Collect and Use Personal Identifying Information
In the course of providing you (client or SME) access to our services or system, we collect and receive personal information in a few ways.
The system is used to manage and facilitate the item development process, whether by a client or by CMS. Blueprint Surveys and certain types of Review Events allow a SME to create a limited use profile to participate in that specific activity. This limited use profile is comprised of the SME’s name and email address. A SME may reuse their limited use profile to participate in additional similar Blueprint Surveys and Review Events.
To use all other parts of the system, an administrator must create a permanent profile for a user, which contains a username, first and last name, and email address.
A limited use profile and a permanent profile are tied to all of a user’s activities while they are logged on to the system. This data is used to identify the user who performs each task, and to communicate via email to users when they have action items to perform.
For SMEs that we personally recruit and manage, we additionally require a W-9 to be completed so we can provide payment for item development services. This data is received directly from each SME via electronic facsimile or other secure transfer mechanism.
We provide customer support via email. When you send us a support request, your name and email address, together with any information you provide in the email is automatically entered into our support system. This data is used to identify who is requesting support, and to correspond via email until the issue or question is resolved. All customer support requests and related correspondence are kept as a permanent record of support provided by CMS to our clients and SMEs.
Information Collected Automatically
CMS receives and records information from your browser, computer, or mobile device when you use the system, such as your Internet Protocol (IP) address, unique device identifier, and browser identifying information (e.g., user agent string).
We track which pages or screens you view, and which items you open to view or edit using the system. This information is collected automatically, is stored in secure logs, and is used to help us operate and optimize the tools we provide to you.
As you connect to and uses the system, your IP address is collected and used to facilitate secure point-to-point communication between your device and the system. Your IP address is used to enforce security policies related to system authentication and usage, and to detect and block attempts to gain unauthorized access to the system.
Information from Third Parties
Clients who use our system to manage their own item development projects create permanent profiles for users, which include a username, first and last name, and email address for each SME. These profiles are solely used for users to access the system, contribute to the item development process, and receive email when a user has an open action item.
Clients who use our psychometric services provide candidate testing data to us (either directly or indirectly through a test delivery provider), which may contain PII about each test candidate. The PII varies in quantity and content based on the services contracted by our clients. This data is only used to fulfill contractual commitments to our client by performing analysis services, and providing the agreed upon reports and score reports to the client. We retain test candidate PII related to contracted psychometric services for the duration of the agreement and contract.
Disclosure of Personal Information
CMS only uses information provided by clients and SMEs for the purpose of fulfilling the service contracts with our clients, including psychometric services, and item development activities. We never use PII for any other purpose.
Additionally, we may share personal information with third parties who provide services to CMS, such as payment processors, and email delivery services. When CMS shares your personal information with third party service providers, we require that they use your information only for the purpose of providing services to us.
We also disclose PII to respond to subpoenas, court orders, on legal process, or to establish or exercise our legal rights to defend against legal claims. We may also share such information if we believe it is necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to physical safety of any person, violations of our Terms of Service, or as otherwise required by law.
Protecting Your Personal Information
Through the use of hardware and software firewalls, access control lists (ACLs), point-to-point encryption, application features, and data backup and retention policies, all data (including PII) is protected against accidental or unlawful access, destruction, loss, change, or damage. All data we collect is stored on secure servers and is transmitted to us using encryption. All data is backed up in compliance with industry standards for data backup, retention, and recovery. Backups are maintained on permanent redundant media in a secure facility for the duration of the contract with a client. Data backups are separated by client into their own individual files/locations. All client data can be deleted upon written notification from client.
All data, including PII data, is protected against access by any individual, except by those who need access to perform tasks related to their job function, and then only the required data is made available.
Your Choice and Control of the Information We Collect on You
We provide you with data controls of your personal information, created by the GDPR, but provided to you regardless of geographic location, where such controls do not limit the legal requirements we have to our clients to maintain a permanent record of each individual by name who contributes to the item development process.
As you use the system, you become part of a team of individuals who contribute to the same item development project. Team members see the names of other team members who contribute to the same project. For instance, SMEs can see the names of team members who create items, lock items for editing, add notes to items, complete item development tasks, etc. All of this happens automatically as users log on with their profile and use the system. We retain indefinitely the names of users who contribute to each part of the item development process.
Data Access and Portability
You have the right to obtain a copy of your personal data. This is made available by viewing your profile, or account information. From there, you can download a copy of your username, email address, and a list of activities that you have performed while logged on to the system.* The actual content and work product that you contribute are the intellectual property of the respective client and are not available for download.
You can update your name and email address via your profile, or account information.*
You can control if action item email are sent to you by either providing your real email address or typing ‘NONE’ in the email address field of your profile, or account information.*
You may change your name and remove your email address (by typing ‘NONE’ in the email address field) via your profile, or account information.* Your profile cannot be deleted because we are required by necessity to maintain your profile with your name, which is linked to the work you perform for a client.
Stop Processing Your PII
Because your profile is linked to all the work you perform while using the system, your name will indefinitely be associated with that work. You may change your email address to ‘NONE’ to stop the system from sending you future email.*
Requests Regarding Your Personal Information
You may send an email with any additional request regarding your personal information to ‘firstname.lastname@example.org’. Please note that in some circumstances, we may not be able to fully comply with your request, such as if it is frivolous or extremely impractical, if it infringes upon the rights of others, or if it is not required by law, but in those situations, we will still respond to notify you of such a decision. In some cases, we may need you to provide us with additional information to verify your identity and nature of your request.
*This feature is only available in the desktop application, or is scheduled for an upcoming release.