Data Privacy and Security Policies

Data Privacy and Security Policies

New York City Public Schools (NYCPS) takes the privacy of information about you and your children seriously. Several federal and state laws and regulations protect the privacy of your children's education records and personally identifiable information, or "PII."

These laws and regulations place requirements on NYCPS and other parties to ensure your child's PII remains confidential and secure. Below are descriptions of these various laws, along with the rights they grant you as a parent. If you are a student who is 18 years or older, the information shared below about "your child" or an "eligible student" refers to you directly.

This page also includes a notice to users of NYCPS's websites and applications.

Overview of Laws and Regulations

The federal laws that protect your child's PII include:

• Family Educational Rights and Privacy Act (FERPA)
• Children's Online Privacy Protection Act (COPPA)
• Protection of Pupil Rights Amendment (PPRA)
• Individuals with Disabilities Education Act (IDEA)

State laws, such as N.Y. Education Law 2-d and the related regulations of the N.Y. State Commissioner of Education, also protect the privacy of your child's information.

Family Educational Rights and Privacy Act (FERPA)

FERPA is a federal law that protects the privacy of students’ education records and PII. FERPA gives parents certain rights with respect to their children's education records. If you are a student who is 18 years or older (also known as an eligible student), these rights belong to you, and not to your parents.

In short, FERPA grants you the right to:

1. Inspect and review your child's education records within 45 days after NYCPS receives your request and has verified your identity. Parents and eligible students should submit a written request to their school's principal. Upon verifying your identity and authorization to received the requested records, your school will either provide a copy of the requested records or arrange a time and place where you may inspect your requested records. Sample records request and consent forms can be found below.
2. Request changes to your child's education records when you believe they are inaccurate, misleading, or violate your child's privacy rights under FERPA. View our How to Request Changes to Education Records section below for more information.
3. Provide written consent before personally identifiable information (PII) in your child's education records is disclosed. Please note: in certain cases, FERPA allows disclosure without consent. Learn more about this provision in the When Consent is Not Required to Disclose Student PII and the Directory Information and Opt-Out Forms (updated May 2025) sections below.
4. File a complaint with the U.S. Department of Education, New York State Education Department, or NYCPS if you believe NYCPS failed to comply with FERPA's requirements.
5. Receive notification of your rights under FERPA.

Visit NYCPS's Annual FERPA Notification and the U.S. Department of Education's Protecting Student Privacy page for more information and resources about these rights, including printable documents and translations.

New York State Education Law § 2-d

New York State Education Law § 2-d is a state law that places responsibilities on NYCPS and outside parties who receive your child's PII from NYCPS through a written agreement. Education Law § 2-d requires NYCPS to do the following:

• Publish a Parents Bill of Rights for Data Privacy and Security. You can read more about the Parents Bill of Rights in the next section.
• Provide annual training to NYCPS staff who have access to your child's PII.
• Ensure that the use and disclosure of PII benefits students.
• Ensure outside parties who receive your child's PII have appropriate safeguards, policies, and practices in place to protect the data.
  • These safeguards must meet industry standards and best practices.
  • Examples of safeguards include encryption, firewalls and password protection.
• Enter into written agreements with outside parties who receive your child's PII from NYCPS. The written agreements outline how outside parties will keep your child's data confidential and secure.
• Post Supplemental Information for Parents About DOE Agreements With Outside Entities. On this page you will find information about what data an outside party is collecting, their reason for collecting the data, and how they plan to protect the data.
• Notify families of unauthorized release of student data in a timely manner. Visit the Data Security Incidents page for information on incidents of note.

Education Law § 2-d also requires outside parties that receive student information from NYCPS to address legal and privacy requirements in a written agreement with NYCPS. These safeguards promote transparency and provide additional protections for the benefit of our families. For example, outside parties must agree to the following:

1. Collect and disclose students' PII only as necessary and only for educational purposes.
2. Minimize the collection, processing and transmission of PII.
3. Have safeguards in place to protect students' PII when it is stored or transferred. These safeguards must meet industry standards and best practices.
4. Not sell, use, or disclose PII for marketing, advertising, or other commercial purposes.
5. Train staff in applicable laws, policies, and safeguards associated with industry standards and best practices.
6. Not maintain copies of PII once it is no longer needed for the agreed upon educational purpose. Outside parties should permanently and securely delete PII no later than when the contract ends.
7. Abide by NYCPS's Parents' Bill of Rights for Data Privacy and Security within their written agreement with NYCPS and provide supplemental information for parents about their agreement with NYCPS.

The New York State Education Department has additional resources for you regarding the rights of your children regarding New York State Education Law § 2-d.

Parents Bill of Rights for Data Privacy and Security

Under New York State Education Law § 2-d, if you are a parent of a child in New York City Public Schools, you have several rights regarding the privacy and security of your child's PII, including the following:

• Your child's personally identifiable information (PII) cannot be sold or released for any marketing or other commercial purposes.
• If your child is under 18 years old:
  • You have the right to inspect and review the complete contents of your child's education records within 45 days of NYCPS receiving your request and verifying your identity.
  • You also have the right to request changes to your child's education records when you believe they are inaccurate, misleading, or violate your child's privacy.
  • Your rights extend to education records stored by NYCPS contractors or other outside parties on NYCPS's behalf.
• You have the right to be notified if a breach or unauthorized release of your child's PII occurs.
• You have the right to make complaints about possible breaches and unauthorized disclosures of your child's PII and to have such complaints addressed. NYCPS must provide you with a response no more than 60 calendar days from when we receive your complaint. If more time is needed, NYCPS will provide an explanation to you, along with an approximate date for a response.

Visit the Parents Bill of Rights for Data Privacy and Security for the complete list of your privacy-related rights.

Chancellor's Regulation A-820 (Revised May 2025)

Chancellor's Regulation A-820 outlines your rights and NYCPS's responsibilities for keeping student education records confidential. Chancellor’s Regulation A-820 was revised in May 2025 to reflect changes to student privacy law and policies and practices that NYCPS has put into place over the past few years. The revised regulation also clarifies the privacy rights of our students and families, such as:

• Your right to be notified of a breach or inadvertent disclosure of your child’s information;
• Your right to opt out of certain surveys under the Protection of Pupil Rights Amendment (PPRA);
• Your right to have your child’s information safeguarded from being sold or used for commercial or marketing purposes;
• Your right to have safeguards in place to protect your child’s information when it is stored or transferred, and for those safeguards to meet industry standards and best practices;
• Reiterating that parents, including parents of students in foster care, retain their rights to access education records unless a court order or legally binding document specifically states otherwise.  

The revised regulation also modifies the procedures for fulfilling records requests by custodial, non-custodial, and restricted parents. Under revised Chancellor's Regulation A-820, notice to the custodial parent is only required when a records request comes from a “restricted parent,” a new term.  This change has been made to reflect the various living situations of NYCPS families. A restricted parent is a parent who has had their access to the child or the child’s education records restricted by a court order, state statute, or legally binding document relating to such matters as divorce, separation, or custody. A restricted parent is also an individual who asserts that they are a parent but who is not identified as one in NYCPS records. The process for fulfilling records requests by parents and restricted parents is described in the Records Requests section below.

Records Requests

Federal, state, and local laws grant parents, eligible students, and former students the right to inspect and review their education records within 45 days after NYCPS receives the written request and verifies the parent’s or eligible student’s identity. When sharing education records, schools will make sure that they are communicating with a person who has a right to the information, and will take measures to prevent sharing information about other students that may be in your child’s records .

As of May 2025, the process for fulfilling records requests by parents is the same regardless of where the student primarily resides. The process for fulfilling records requests by restricted parents is new.

When a restricted parent requests access to their student’s records:

• Schools must notify the custodial parent of the request and verify the existence of a current court-order, state statue, or legally binding document that revokes or limits the restricted parent’s access to the child’s records. During this period, no education records or student information will be shared with the restricted parent.
• If you believe the disclosure of your child’s records or certain information in their records will endanger the safety of your child or family, contact your school immediately.
• Schools will notify the restricted parent that the custodial parent is being informed of the request and has the chance to provide NYCPS with evidence of a legal document restricting the other parent’s access to the child’s education records.

If there are no limitations on the restricted parent’s access to the student’s records, schools must fulfill the records request within 45 days of receiving the request and verifying the parent’s identity. 

How to Request Changes to Education Records

If you believe your child’s education record is inaccurate, misleading, or is otherwise in violation of your child's right to privacy, you have the right to request changes to that record (in physical or digital format), whether it is held at your child's school, elsewhere within NYCPS, or by an outside party on behalf of NYCPS, such as a vendor.

Please submit your request in writing (email is acceptable) to your child's school. The request must include the following:

• Your child's name, date of birth, student identification number (also known as OSIS number) and school or program;
• Your name and your relationship to the child;
• A description of the information you believe to be inaccurate, misleading or in violation of your child's right to privacy;
• If known, the outside entities to whom you believe NYCPS has disclosed the information; and
• The remedy or resolution you are seeking.

If you wish to request changes to education records held by an outside party on behalf of NYCPS, please email your request to studentprivacy@schools.nyc.gov or mail it to:

Chief Privacy Officer
New York City Department of Education
52 Chambers Street, Room 308
New York, NY 10007

You will receive a response within 15 school days of your request. If your request is denied in whole or in part, you will be provided with notice of your right to appeal and request a hearing from your Community or High School Superintendent within 20 school days of the decision. The appeal and hearing process is described below:

• The hearing officer may be any person who does not have an interest in the outcome of the proceeding.
• The hearing shall be held within a reasonable time period, but no later than 20 school days, after NYCPS's receipt of the appeal. You will be given advance notice of the date, place, and time of the hearing.
• You will be given the opportunity to present evidence relevant to the issues raised in the appeal and may be assisted or represented by individuals of your own choice, at your own expense, including an attorney.
• While the hearing officer is not required to maintain a formal record of the hearing, they must take sufficient notes of the testimony heard and evidence presented in order to prepare a written decision. The hearing officer’s decision must be based solely on the evidence presented at the hearing.
• The hearing officer’s decision will include, at a minimum, a summary of the evidence, their decision, and the reasons for their decision. The written decision will be issued within 14 school days from the conclusion of the hearing. The hearing officer’s decision is final.
• If the hearing officer determines that the information in question is inaccurate, misleading, or in violation of the student’s privacy rights, they will direct your child’s school or the vendor who maintains the education record at issue to amend the education record accordingly. The school must notify you when the changes are made.  

If the hearing officer determines that the information in question is not inaccurate, misleading, or otherwise in violation of privacy rights, you have the right to place a statement in the student’s education record commenting on the contested information or stating why you disagree with the hearing officer’s final decision, or both. This statement shall be maintained with the contested part of the student’s education record for as long as the record is maintained, and it shall be disclosed whenever that portion of the education record is disclosed.

Consent for Disclosing Student PII

You have the right to provide written consent before PII in your child's education records is disclosed.

Sample Consent Forms

When Consent is Not Required to Disclose Student PII

Generally, NYCPS must have written permission from a parent or student who is 18 years or older to release any information from a student's education record. However, in certain cases, FERPA allows disclosure without consent. Cases permitting disclosure without consent include:

• Disclosure to NYCPS school officials who need to review education records to fulfill their professional responsibilities.
  • These can include outside parties performing services or functions for NYCPS, such as contractors and consultants. Information about how NYCPS and the outside parties keep your child’s information safe is on NYCPS Privacy and Data Security Compliance Process page and below. 
  • See NYCPS's Annual FERPA Notification for a complete description of who NYCPS considers to be "school officials."
• When another school, district or education institution requests your child's education records to support enrollment or transfer.
• Circumstances in connection with financial aid applications that you or your child filled out.
• Authorized government officials in connection with audits, evaluations, or certain other activities.
• Organizations conducting studies on behalf of NYCPS.
• Accrediting organizations carrying out accrediting functions.
• Parents of students aged 18 and over who are considered dependents for Internal Revenue Service (IRS) tax purposes.
• Compliance with a judicial order or lawfully issued subpoena.
• Appropriate officials in connection with a health or safety emergency.
• Information that NYCPS has designated as "directory information," as outlined in more detail below.

Most of these types of disclosures are subject to certain additional requirements and limitations. Please see the Annual FERPA Notification and Chancellor's Regulation A-820 webpages for more information about them.

Directory Information and Opt-Out Forms (Updated May 2025)

Directory Information is information about your child that is not considered harmful and won’t cause an invasion of privacy if disclosed. Under FERPA, NYCPS is allowed to share directory information unless you tell us not to. We will always notify you first and give you the chance to opt out before disclosing directory information. 

Sharing Directory Information Within the School Community

At NYCPS, we love recognizing student achievements and celebrating their accomplishments. Sometimes, this means sharing basic information about students, such as their names, image, grade level, and awards in school publications like yearbooks, school newspapers, and playbills, or in publicly posted achievements like the honor roll. To help schools do that, the following information may be designated as directory information:

• Name
• Age
• Grade level
• Schools attended and dates of enrollment
• Photograph
• Participation in school sports or activities
• Honors, awards, or other prizes

This is the only type of information schools may designate as directory information. Schools will only share this information within the school community in school publications (like the yearbook, school newspaper, and playbills) or to announce your child’s achievements.

You will receive a Directory Information Notice and Opt Out Form at the start of the school year. If you do not want your school to release any directory information about your child, please complete the form below and return it before the deadline. Students who are 18 or older must complete this form themselves.

Sharing Directory Information Outside the School Community

There are a few times when NYCPS designates certain student information as directory information to be shared outside of the school community. For example, NYCPS designates certain student information as directory information for the NYC Kids RISE Save for College Program and to share with National Student Clearinghouse to help students prepare for college and beyond.

We will always notify families of the following before sharing directory information outside of the school community:

1. The types of student information being designated as directory information. Sensitive information will never be designated as directory information. This includes, but is not limited to, Social Security numbers, student ID numbers (such as OSIS numbers), grades, test and exam scores, daily attendance, race, ethnicity, or other demographic information, special education status, multilingual learner status, and disciplinary history.
2. The party receiving the Directory Information.
3. The specific and exclusive purposes for sharing the Directory Information.
4. Your right to not have your child’s information shared as Directory Information.
5. The deadline to opt out of having your child’s information shared as Directory Information.

NYCPS prioritizes keeping your child’s information secure. Our Chief Privacy Officer will review and approve all proposed disclosures of directory information outside the school community. The organization receiving your child’s information must also sign a written agreement with NYCPS that obligates them to keep student information safe and secure. 

Other Opt-Out Forms

There are other disclosures of student information, unrelated to directory information, that you can opt out of as well. Those disclosures are related to:

• Military and/or institutions of higher learning (High school)
• Promotional mailings about charter schools

Date Privacy and Security Compliance Process for Outside Parties

NYCPS is committed to protecting the privacy of our students', families' and staff members' personal information. NYCPS has a process in place to help make sure that outside parties who access, receive, or host PII from NYCPS agree to comply with the law and help protect your information. The compliance process, which consists of up to three parts, requires outside parties to:

1. Sign an agreement with data privacy and security requirements
2. Complete a security assessment conducted by NYCPS's Division of Information and Instructional Technology (DIIT)
3. For outside parties storing PII or other sensitive NYCPS information in the cloud, undergo a cloud review, conducted by the NYC Office of Technology and Innovation (OTI)

For more information about the compliance process, visit the Data Privacy and Security Compliance Process page.

Information About Data Security Incidents

Parents and students who have reached age 18 have the right to be notified when their PII has been the subject of unauthorized acquisition, access, use, or disclosure. The Data Security Incidents page provides information on incidents of note. An incident of note is when NYCPS relied on a vendor to assist with parental and student notifications.

How to Make a Complaint about Data Privacy Violations

You have the right to submit complaints about suspected or alleged breaches or unauthorized releases of students' PII. Complaints should be submitted by email to studentprivacy@schools.nyc.gov or mailed to:

Chief Privacy Officer
New York City Department of Education
52 Chambers Street, Room 308
New York, NY 10007

NYCPS will acknowledge your submission in writing (which can include an email) within five business days of receiving your complaint. We will investigate your complaint and take the necessary precautions to maintain the confidentiality of the information you provide. Your personal information will only be disclosed to the extent necessary to conduct the investigation. This may include referral of your complaint to the Special Commissioner of Investigation for the New York City School District (NYC SCI), for it to conduct its own investigation. It will also include notice to the New York State Education Department, as required by law.

NYCPS will provide you with our findings within a reasonable period of time. If NYCPS needs more than 60 calendar days to complete its investigation, we will provide you with a written explanation for why more time is needed and when you can expect to receive a response. Reasons why additional time may be needed include when the response might compromise the security of NYCPS data or its applications or data systems, or if the response would impede any law enforcement investigation, including ones conducted by the NYC Special Commissioner of Investigation for the New York City School District.

You may also file a complaint about possible breaches of PII with the New York State Education Department. Complaints to the New York State Education Department may be made to:

Chief Privacy Officer
New York State Education Department
89 Washington Avenue
Albany, NY 12234

or by email to privacy@nysed.gov

You can file a complaint with the United States Department of Education if you believe the NYCPS failed to comply with FERPA’s or PPRA’s requirements. Such complaints may be filed with:

Student Privacy Policy Office
U.S. Department of Education
400 Maryland Avenue,
Washington, DC 20202

or by email to FERPA.Complaints@ed.gov 

Notice to Users of NYCPS Web Sites and Applications

This notice informs you, as a user of our systems and applications, about how the NYC Department of Education (the "Department", "we", "us") collects, uses, and protects information about you through your use of this website. We also describe other policies that directly affect you, as users of these services. Please read this notice carefully before using our websites or applications. We may change this notice from time to time, and reserve the right to do so without advance notice. By accessing and using our websites and applications, you consent to these uses and any other uses.

Collection of Information

In order to improve the content and usability of Department websites and applications, we may automatically collect certain information from you, including:

• The Internet Protocol ("IP") address of your Internet Service Provider ("ISP") and/or computer.
• The Domain Name of your ISP and/or computer.
• The type and version of your operating system and browser (such as Internet Explorer, Opera, Firefox, Chrome, etc.).
• The date, time, and duration of your visit.
• Your clicks within the application.
• The web address of the previous site visited by your browser (if detectable).
  We also may request and collect information from you when you interact with our websites and applications, such as information you provide when creating an account, submitting an electronic form, participating in a survey, etc.

Use of Information and Privacy

We do not collect personally identifiable information for commercial or marketing purposes, and we do not sell the personally identifiable information we collect. The personally identifiable information we collect is stored in a secure environment.

We use and may share the information we collect to make sure our systems are up-to-date and compatible with other systems, and to improve services offered through Department applications and websites. We may also use it to fulfill our duties and for other educational purposes, including, but not limited to:

• Developing new application functionality;
• Providing notifications, alerts, or event updates;
• Responding to requests made under the Freedom of Information Law (FOIL), through subpoenas, court orders and other administrative, judicial and legal processes (however, we may withhold certain information if the law permits us to do so);
• Providing technical notices, updates, security alerts, and administrative messages;
• Responding to user comments, questions, and requests for customer service;
• Monitoring and analyzing trends, usage and activities in connection with services;
• Personalizing and improving services;
• Complying with any allowable educational purpose, applicable law, regulation, legal process, or governmental request; and
• Conducting statistical analyses for any of the above reasons.
  Certain laws and regulations govern our ability to share or otherwise disclose information about you that we collect. For example, as described in more detail above, disclosure and release of PII of our current and former students is governed by Chancellor's Regulation A-820 and the Family Educational Rights and Privacy Act (FERPA). Other laws and regulations may apply, depending on the types of information involved.

We may monitor and review all content and traffic on Department-provided networks and applications. This includes traffic on or from devices that are owned by the Department, as well as devices not owned by the Department if DOE resources are being accessed or have been accessed from such devices.

Data Security

The Department takes reasonable measures to help protect its websites and applications and the information within them from loss, theft, misuse, unauthorized access, disclosure, alteration, and destruction.

If you receive or create a password when registering for any of our applications, you should not divulge this password to anyone. We will never ask for your password in a telephone call, fax, e-mail, or other form of unsolicited communication. When you are finished with an application, you should sign out of the application. If the browser you used to access the application is publicly accessible (such as on a computer at a public library or internet cafe), you should close the browser session and, if possible, clear any browser history, cookies, or other areas where your password might have been stored. Otherwise, you risk having information about you becoming available to third parties.

Cookies

Cookies are computer files that enable an application or website to distinguish between users. We use "temporary cookies" on some parts of our sites and applications, which expire when you close the browser session. We may also use "persistent cookies" to understand how people access and use our sites and applications.

You can customize most browsers to reject cookies, to accept or reject cookies after a visual warning, or to delete cookies. However, some application and website features may require cookies to function properly.

Web Bugs

We do not use web bugs (also known as "web beacons") on our web pages or in email for any purposes other than:

• To identify site performance needs;
• To ensure compatibility with the technology used by site visitors; and
• To add and improve services offered by our applications.

Intellectual Property

The content of our applications and webpages is copyrighted, and may contain some third-party images or graphics that are used with permission. This section serves as notice to all users of this website to presume the need to obtain permission from the copyright holder(s) before reproducing or otherwise using images/graphics from this and other DOE websites.