Data Privacy and Security Compliance Process

Federal and state laws and regulations impose requirements on the DOE and certain outside parties to ensure students' personally identifiable information (PII) and certain staff PII (specifically, identifiable annual professional performance review data of principals, assistant principals and teachers) remain confidential and secure. The DOE has a standardized compliance review process for vetting any outside parties (contracted and non-contracted) who receive or access data from the DOE. This compliance process helps ensure that outside parties safeguard any and all protected information pursuant to federal, state, and local regulations.

Effective July 1, 2023, all vendors of third-party software will be required to complete the DOE's compliance process and OTI's cloud review process before conducting business with the DOE. DOE staff may not use software that accesses or receives student or staff PII if the software vendor has not completed the compliance process. That also means schools cannot use products while they are in the process of completing the compliance process.

This process applies to contracted and non-contracted vendors, as well as outside parties that offer products and services for free.

Requirements for Outside Parties

Outside parties who receive student and certain types of staff PII (together, referred to as “covered PII” on this page) must agree to comply with various requirements under FERPA, New York State Education Law 2-d, and Chancellor's Regulation A-820, in a written agreement (such as a nondisclosure agreement or data processing agreement).

Outside parties must agree to keep covered PII confidential, only collect and use covered PII for legitimate educational purposes, to inform the DOE if the covered PII is breached or disclosed without authorization, and plan for its return and disposal one no longer needed. Outside parties also must agree to have the appropriate safeguards, policies, and practices in place to protect the data, and must submit to a compliance process. These safeguards promote transparency and provide additional protections for the benefit of our families.

More specifically, outside parties must agree to the following:

  • Collect and disclose covered PII only as necessary and only for educational purposes.
  • Minimize the collection, processing and transmission of covered PII.
  • Not sell, use, or disclose covered PII for marketing, advertising, or other commercial purposes.
  • Under no circumstances shall this data be used for any other purposes or shared outside of the defined operational scope of NYCPS.
  • Have reasonable administrative, technical and physical safeguards in place to protect covered PII when it is stored or transferred.
    • These technologies, safeguards, and practices must align with the NIST Cybersecurity Framework.
    • Examples of such safeguards include encryption, firewalls and password protection.
    • Outside parties must use encryption to protect personally identifiable information in its custody while in motion or at rest using a standard specified by the US Department of Health and Human Services in the context of HIPAA.
  • Train staff in applicable laws, policies, and safeguards associated with industry standards and best practices.
  • Limit access to covered PII to only those employees or contractors who need access to the data in order to provide the contracted services.
  • Not maintain copies of covered PII once it is no longer needed for agreed upon educational purpose. Outside parties should permanently and securely delete covered PII no later than when the contract ends.
  • Not disclose any Covered PII to any other party without the prior written consent of the parent or eligible student, except as required to carry out the contract, or as otherwise required or permitted by law.
  • Notify the DOE of any breach or unauthorized release of Covered PII in the most expedient way possible and without unreasonable delay. With respect to such incidents, outside parties must also do the following:
    • Cooperate with the DOE and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Covered PII.
    • Pay for or promptly reimburse the DOE for the full cost of parental notifications, where a breach or unauthorized release is attributed to the outside party.
  • Abide by and attach the DOE's Parents' Bill of Rights for Data Privacy and Security to their written agreement.
  • Provide supplemental information for parents about their agreement with the DOE in their written agreement.

Artificial Intelligence (AI) Policies for Vendors

As of December 4, 2024, vendors are required to adhere to additional AI-related standards that build on existing policies.

  1. Any AI technologies must be disclosed, and will be held to the same standards:
    1. When going through the data privacy and security compliance process, vendors must disclose any use of AI technologies in their products and services. 
    2. If a vendor has already gone through the data privacy and security compliance process, they must alert NYCPS of any AI features added to the existing product.
    3. The addition of AI features may require a revised data processing agreement.
    4. Data processing agreements will be updated to include measures specific to the types of data being handled by a vendor. For example, vendors may not use PII or confidential information from NYCPS to train AI models.
  2. Intellectual property rights related to AI systems, including algorithms, models, and data, must be clearly defined and any proprietary AI technologies must be disclosed and licensed appropriately. 
  3. All GenAI systems must be transparent in their decision-making processes, providing clear and understandable explanations for outcomes. Vendors must provide mechanisms for users to review and challenge AI decisions as requested by NYCPS. 
    1. Vendors must take reasonable measures to mitigate the presence of bias in AI products and disclose those measures to NYCPS. NYCPS reserves the right to request an audit report containing information on the tool’s training data and bias mitigation measures that are in place.

Additional Guidance for NYCPS Staff

In addition to ensuring the tools themselves are compliant with ERMA standards for privacy, security, and confidentiality, schools and central staff must remain vigilant custodians of student data as users of these tools.

For example, schools and students should be mindful of the fact that information they share with generative AI tools may be retained and used by chatbots (which are a form of AI); some GenAI chatbots retain the information that is entered to train their data models. This means that any information entered could become public, or pose a threat should that information become available to a fourth party. For these reasons, school staff must not enter sensitive information or PII into generative AI tools not approved in ERMA.

The ERMA process is an essential part of NYCPS's efforts to ensure software products and tools have the necessary safeguards in place to mitigate data security risks and comply with relevant privacy laws.

  1. PII and other confidential or sensitive information should not be shared with any software or product, including AI tools, that have not been approved in ERMA. Only vendors appearing in ERMA have gone through the required privacy and data security compliance processes for external vendors.
  2. AI exists in software products, which must continue to go through NYCPS processes. Consistent with current policy, schools may not use third-party software products–including those that use AI–that have not been vetted by NYCPS Legal/Privacy and DIIT for compliance with data privacy and software security standards (ERMA). As part of the ERMA process, the Office of Technology & Innovation (OTI) reviews data storage systems to ensure they comply with all standards. 
  3. AI tools may have specific age restrictions and parental consent requirements: Before encouraging students to use commercially available GenAI tools, even if tools are approved in ERMA, school staff should follow tool-specific age restrictions and comply with any requirements for parental consent.

Guidance on Copyrighted Material

Staff and students should refrain from entering any copyrighted information, such as published texts, curriculum, images, music, or proprietary content, into GenAI tools unless explicit permission has been granted or the material is in the public domain. AI systems, particularly generative AI, can retain, reproduce, or even alter the content they process, leading to potential violations of copyright law. Unauthorized use of copyrighted material can result in legal consequences for both the individual and the school district. 

When in doubt, it is always safer to avoid inputting such content into GenAI systems or to seek guidance from the NYCPS Legal or IT departments. In addition to avoiding inputting copyrighted information, staff and schools should avoid using unattributed copyrighted material contained in GenAI outputs. Review the content and source when assessing outputs for copyrighted material.

Overview of Compliance Process

Effective July 1, 2023, all vendors of third-party software will be required to complete the DOE's compliance process and OTI's cloud review process before conducting business with the DOE. This applies to contracted and non-contracted vendors, as well as outside parties that offer products and services for free. DOE staff may not use software that access or receives student or staff PII if the software vendor has not completed the compliance process. That also means schools cannot use products while they are in the process of completing the compliance process.

The compliance process consists of up to three parts:

  1. Written agreement

    Outside parties who receive Covered PII must agree to comply with New York State Education Law 2-d and its implementing regulations, such as Chancellor's Regulation A-820, in a written agreement. Outside parties also must agree to have the appropriate safeguards, policies, and practices, some of which are described above, in place to protect the data. Requirements of outside parties are described in more detail above.

    These safeguards promote transparency and provide additional protections for the benefit of our families. To that end, outside parties are asked to complete four attachments as part of the written agreement:

    • Attachment A – a brief description of the product(s) and or service(s) being provided, including a list of required data fields that are necessary for you to provide those product(s) or service(s).
    • Attachment B – a copy of your Data Privacy and Security Plan, along with a copy of the DOE Information Security Requirements document. At a minimum, your Data Privacy and Security Plan, must address the following requirements:
      • Outline how Processor will implement all state, federal, and local data security and privacy contract requirements over the life of the agreement, consistent with NYC DOE's data security and privacy policy;
      • Specify the administrative, operational and technical safeguards and practices Processor has in place to protect the Protected Information that it will receive under the contract;
      • Demonstrate that it complies with the requirements of the DOE's Parents' Bill of Rights for Data Privacy and Security;
      • Specify how officers or employees of the third-party contractor and its assignees who have access to Protected Information receive or will receive training on the federal and state laws governing confidentiality of such data prior to receiving access;
      • Specify if Processor will utilize sub-contractors and how it will manage those relationships and contracts to ensure Protected Information is protected;
      • Specify how the Processor will manage data security and privacy incidents that implicate Protected Information including specifying any plans to identify breaches and unauthorized disclosures, and to promptly notify NYC DOE;
      • Describe whether, how and when data will be returned to the NYC DOE, transitioned to a successor contractor, at the NYC DOE's option and direction, deleted or destroyed by the third-party contractor when the contract is terminated or expires.
    • Attachment C – DOE's Parents' Bill of Rights for Data Privacy and Security, along with responses to each of the supplemental questions presented in the section. These responses will be posted on the Supplemental Information for Parents About DOE Agreements With Outside Entities page.
    • Attachment D – should be left blank but must be included.

      Schools and program offices should visit the Student Data Privacy and Security Policies InfoHub page for information about the DOE's data privacy and security policies.

  2. DIIT Security Questionnaire

    Outside parties who receive student and certain types of staff PII must complete an Information Security Questionnaire via the Panorays system. Outside parties will have up to 30 days to complete the assessment. Once the assessment is complete, the DOE's Division of Instructional and Information Technology (DIIT) Security team will assess the questionnaire answers and contact the outside party for follow-up and next steps.

  3. OTI Cloud Review
    New York City agencies are required to submit all cloud-based applications through a review of their access and data management architecture to ensure compliance with citywide security and privacy policies.

Getting Started

Schools and/or Central program offices are responsible for initiating the compliance process for outside parties who have access to, receive, or store personally identifiable information. The compliance process applies to contracted and non-contracted vendors, as well as outside parties that offer products and services for free.

Schools and program offices initiate the compliance process by submitting a request in the Enterprise Request Management Application (ERMA). Only principals, superintendents, and Central executives can submit requests, please use your employee login credentials to access ERMA. Visit the ERMA InfoHub page for step-by-step instructions on how to get started.

Updates on the Software Data Privacy and Security Process

Schools and program offices should visit the Software Data Privacy and Security Process page for updates from Chief Operating Officer Emma Vadehra on the expanded vetting process.