Data Privacy and Security Policies

Data Privacy and Security Policies

The New York City Department of Education (DOE) takes the confidentiality of information about you and your children seriously. Several federal and state laws and regulations protect the confidentiality of your children's education records, including information that can be used to identify your children. Such information, which includes student‐specific data, is known as "personally identifiable information" or "PII."

These laws and regulations also place requirements on the DOE and other parties to ensure your child's PII remains confidential and secure. Below are descriptions of these various laws, along with the rights they grant you as a parent. If you are a student who is 18 years or older, the information shared below about "your child" or an "eligible student" refers to you directly.

This page also includes a notice to users of the DOE's websites and applications.

Overview of Laws and Regulations

The federal laws that protect your child's PII include:

• Family Educational Rights and Privacy Act (FERPA)
• Children's Online Privacy Protection Act (COPPA)
• Protection of Pupil Rights Amendment (PPRA)
• Individuals with Disabilities Education Act (IDEA)

State laws, such as N.Y. Education Law 2-d and the related regulations of the N.Y. State Commissioner of Education, as well as the DOE's Chancellor's Regulation A-820, protect the confidentiality of your child's information.

Family Educational Rights and Privacy Act (FERPA)

FERPA is a federal law that protects the privacy of student education records. FERPA gives parents certain rights with respect to their children's education records.

If you are a student who is 18 years or older (also known as an eligible student), these rights belong to you, and not to your parents or guardians.

In short, FERPA grants you the right to:

1. Inspect and review your child's education records within 45 days after the DOE receives your request and has verified your identity. Parents and eligible students should submit a written request to their school's principal. Your school will arrange for access and notify you of the time and place where you may inspect your requested records. Sample records request and consent forms are in Chancellor's Regulation A-820 and can be found below. Chancellor's Regulation A-820 also gives you the right to receive copies of your child's education records.
2. Request changes to your child's education records when you believe they are inaccurate, misleading, or violate your child's privacy rights under FERPA. View our How to Request Changes to Education Records section below for more information.
3. Provide written consent before personally identifiable information (PII) in your child's education records is disclosed. Please note: in certain cases, FERPA allows disclosure without consent. Learn more about this provision in the When Consent is Not Required to Disclose Student PII and the Directory Information and Opt-Out Forms" sections below.
4. File a complaint with the U.S. Department of Education if you believe the DOE failed to comply with FERPA's requirements.
5. Receive notification of your rights under FERPA.

Visit the DOE's Annual FERPA Notification and the U.S. Department of Education's Protecting Student Privacy page for more information and resources about these rights, including printable documents and translations.

New York State Education Law § 2-d

New York State Education Law § 2-d is a state law that places responsibilities on the DOE and outside parties who receive your child's PII from the DOE through a written agreement. Education Law § 2-d requires the DOE to do the following:

• Publish a Parents Bill of Rights for Data Privacy and Security. You can read more about the Parents Bill of Rights in the next section.
• Provide annual training to DOE staff who have access to your child's PII.
• Ensure that the use and disclosure of PII benefits students.
• Ensure outside parties who receive your child's PII have appropriate safeguards, policies, and practices in place to protect the data.
  • These safeguards must meet industry standards and best practices.
  • Examples of safeguards include encryption, firewalls and password protection.
• Enter into written agreements with outside parties who receive your child's PII from the DOE. The written agreements outline how outside parties will keep your child's data confidential and secure.
• Post Supplemental Information for Parents About DOE Agreements With Outside Entities. On this page you will find information about what data an outside party is collecting, their reason for collecting the data, and how they plan to protect the data.
• Notify families of unauthorized release of student data in a timely manner. Visit the Data Security Incidents page for information on incidents of note, including the Illuminate Education data security incident.

Education Law § 2-d also requires outside parties that receive student information from the DOE to address legal and privacy requirements in a written agreement with the DOE. These safeguards promote transparency and provide additional protections for the benefit of our families. For example, outside parties must agree to the following:

1. Collect and disclose students' PII only as necessary and only for educational purposes.
2. Minimize the collection, processing and transmission of PII.
3. Have safeguards in place to protect students' PII when it is stored or transferred. These safeguards must meet industry standards and best practices.
4. Not sell, use, or disclose PII for marketing, advertising, or other commercial purposes.
5. Train staff in applicable laws, policies, and safeguards associated with industry standards and best practices.
6. Not maintain copies of PII once it is no longer needed for the agreed upon educational purpose. Outside parties should permanently and securely delete PII no later than when the contract ends.
7. Abide by the DOE's Parents' Bill of Rights for Data Privacy and Security within their written agreement with the DOE and provide supplemental information for parents about their agreement with the DOE.

The New York State Education Department has additional resources for you regarding the rights of your children regarding New York State Education Law § 2-d.

Parents Bill of Rights for Data Privacy and Security

Under New York State Education Law § 2-d, if you are a parent of a child in the New York City public school district (the DOE), you have several rights regarding the privacy and security of your child's PII, including the following:

• Your child's personally identifiable information (PII) cannot be sold or released for any marketing or other commercial purposes.
• If your child is under 18 years old:
  • You have the right to inspect and review the complete contents of your child's education records within 45 days of the DOE receiving your request and verifying your identity.
  • You also have the right to request changes to your child's education records when you believe they are inaccurate, misleading, or violate your child's privacy.
  • Your rights extend to education records stored by DOE contractors or other outside parties on the DOE's behalf.
• You have the right to be notified if a breach or unauthorized release of your child's PII occurs.
• You have the right to make complaints about possible breaches and unauthorized disclosures of your child's PII and to have such complaints addressed. The DOE must provide you with a response no more than 60 calendar days from when we receive your complaint. If more time is needed, the DOE will provide an explanation to you, along with an approximate date for a response.

Visit the Parents Bill of Rights for Data Privacy and Security for the complete list of your data-related rights.

Chancellor's Regulation A-820

Chancellor's Regulation A-820 outlines your rights and the DOE's responsibilities for keeping student education records confidential. The regulation also includes sample consent forms and information on how to request education records. The sample consent forms are also linked in the Consent for Disclosing Student PII section below.

Visit our Volume A Regulations page to view printable and translated versions of A-820.

DOE Privacy and Data Security Compliance Process for Outside Parties

The DOE is committed to protecting the privacy of our students', families' and staff members' personal information. The DOE has a process in place to help make sure that outside parties who access, receive, or host PII from the DOE agree to comply with the law and help protect your information. The compliance process, which consists of up to three parts, requires outside parties to:

1. Sign an agreement with data privacy and security requirements
2. Complete a security assessment conducted by the DOE's Division of Information and Instructional Technology (DIIT)
3. For outside parties storing PII or other sensitive DOE information in the cloud, undergo a cloud review, conducted by the NYC Office of Technology and Innovation (OTI)

For more information about the compliance process, visit the Data Privacy and Security Compliance Process page.

Consent for Disclosing Student PII

You have the right to provide written consent before PII in your child's education records is disclosed.

Sample Consent Forms

When Consent is Not Required to Disclose Student PII

Generally, the DOE must have written permission from a parent or student who is 18 years or older to release any information from a student's education record. However, in certain cases, FERPA allows disclosure without consent. Cases permitting disclosure without consent include:

• Disclosure to DOE school officials who need to review education records to fulfill their professional responsibilities.
  • These can include outside parties performing services or functions for the DOE, such as contractors and consultants.
  • See the DOE's Annual FERPA Notification for a complete description of whom the DOE considers to be "school officials."
• When another school, district or education institution requests your child's education records to support enrollment or transfer.
• Circumstances in connection with financial aid applications that you or your child filled out.
• Authorized government officials in connection with audits, evaluations, or certain other activities.
• Organizations conducting studies on behalf of the DOE.
• Accrediting organizations carrying out accrediting functions.
• Parents of students aged 18 and over who are considered dependents for Internal Revenue Service (IRS) tax purposes.
• Compliance with a judicial order or lawfully issued subpoena.
• Appropriate officials in connection with a health or safety emergency.
• Information that the DOE has designated as "directory information," as outlined in more detail below.

Most of these types of disclosures are subject to certain additional requirements and limitations. Please see the Annual FERPA Notification and Chancellor's Regulation A-820 webpages for more information about them.

Directory Information and Opt-Out Forms

Certain types of basic information about you and your child are considered "directory information." Schools can disclose directory information without your consent if, and only if, they first inform you of the following:

• The types of information they designate as "directory information"
• Who they are disclosing the directory information to and why they are disclosing it
• Your right to tell the school not to disclose the directory information (known as an "opt-out")
• The timeframe you have to opt out of the disclosure

Schools may ask parents to opt out of sharing some of their child's directory information, rather than ask all parents to first consent to sharing the information, when they are celebrating students' achievements or noting their participation in activities with the entire school community, including other parents. This may be particularly true for school-based publications and announcements of honors, awards or other recognition or participation in school activities, including:

• Graduation and honor rolls
• Receipt of scholarships or awards
• School publications that likely include student names and photographs, such as yearbooks, playbills, graduation lists, and participation in school sports and other activities

What is considered directory information?

Only a few pieces of information about your child are eligible to be considered directory information. These include their name; participation in school activities; honors, awards and recognition they've received; photographs of them; school enrollment and graduation details; their major field of study; their grade level and, in the context of their participation in school-based athletics, their height and weight.

There are also other types of student information that can be considered directory information, including home addresses, telephone numbers, and dates of birth. However, the DOE considers these types of information to be sensitive in nature. As such, schools are strongly encouraged not to designate this information as directory information.

What is not considered directory information?

The following types of information are never treated as directory information: student ID numbers (i.e., OSIS numbers); grades on assignments, courses, and exams; daily attendance statistics; race, ethnicity, or other demographic details; special education status; disciplinary history; and any other information that could be considered sensitive or a violation of privacy upon release. Social Security numbers also cannot be considered directory information.

Opt-Out Forms

The DOE currently oversees several district-wide disclosures of directory information. Parents and eligible students can opt out of these district-wide disclosures by completing the following forms:

• Military and/or institutions of higher learning (High school)
• National Student Clearing House (High school)
• NYC Kids Rise Save for College Program
• Promotional mailings about charter schools

Information About Data Security Incidents

Parents and students who have reached age 18 have the right to be notified when their PII has been the subject of unauthorized acquisition, access, use, or disclosure. The Data Security Incidents page provides information on incidents of note, including the Illuminate Education data security incident of spring 2022. An incident of note is when the DOE relied on a vendor to assist with parental and student notifications.

How to Make a Complaint about Data Privacy Violations

You have the right to submit complaints about suspected or alleged breaches or unauthorized releases of students' PII. Complaints should be submitted by email to studentprivacy@schools.nyc.gov or mailed to:

Chief Privacy Officer
New York City Department of Education
52 Chambers Street, Room 308
New York, NY 10007

The DOE will acknowledge your submission in writing (which can include an email) within five business days of receiving your complaint. We will investigate your complaint and take the necessary precautions to maintain the confidentiality of the information you provide. Your personal information will only be disclosed to the extent necessary to conduct the investigation. This may include referral of your complaint to the Special Commissioner of Investigation for the New York City School District (NYC SCI), for it to conduct its own investigation. It will also include notice to the New York State Education Department, as required by law.

The DOE will provide you with our findings within a reasonable period of time. If the DOE needs more than 60 calendar days to complete its investigation, we will provide you with a written explanation for why more time is needed and when you can expect to receive a response. Reasons why additional time may be needed include when the response might compromise the security of DOE data or its applications or data systems, or if the response would impede any law enforcement investigation, including ones conducted by the NYC Special Commissioner of Investigation for the New York City School District.

How to Request Changes to Education Records

You have the right to request changes to your child's education records, whether the records are held at your child's school, elsewhere within the DOE, or by an outside party on behalf of the DOE. This right applies when you believe the record to be inaccurate, misleading, or is otherwise in violation of your child's right to privacy. This right extends to education records, whether in physical or digital format, that are being maintained or stored by outside parties, including vendors your school has contracted with or whose services they have purchased.

Please submit your request in writing (email is acceptable) to your child's school. The request must include the following:

• Your child's name, date of birth, student identification number (also known as OSIS number) and school or program;
• Your name and your relationship to the child;
• A description of the information you believe to be inaccurate, misleading or in violation of your child's right to privacy;
• If known, the outside entities to whom you believe the DOE has disclosed the information; and
• The remedy or resolution you are seeking.

If you wish to request changes to education records held by an outside party on behalf of the DOE, please email your request to studentprivacy@schools.nyc.gov or mail it to:

Chief Privacy Officer
New York City Department of Education
52 Chambers Street, Room 308
New York, NY 10007

You will receive a response within 15 school days of your request. If your request is denied in whole or in part, you will be provided with notice of your right to appeal and request a hearing from your Community or High School Superintendent within 20 school days of the decision. The appeal and hearing process is described below:

• The hearing officer may be any person who does not have an interest in the outcome of the proceeding.
• The hearing shall be held within a reasonable time period, but no later than 20 school days, after DOE’s receipt of the appeal. You will be given advance notice of the date, place, and time of the hearing.
• You will be given the opportunity to present evidence relevant to the issues raised in the appeal and may be assisted or represented by individuals of your own choice, at your own expense, including an attorney.
• While the hearing officer is not required to maintain a formal record of the hearing, they must take sufficient notes of the testimony heard and evidence presented in order to prepare a written decision. The hearing officer’s decision must be based solely on the evidence presented at the hearing.
• The hearing officer’s decision will include, at a minimum, a summary of the evidence, their decision, and the reasons for their decision. The written decision will be issued within 14 school days from the conclusion of the hearing. The hearing officer’s decision is final.
• If the hearing officer determines that the information in question is inaccurate, misleading, or in violation of the student’s privacy rights, they will direct your child’s school or the vendor who maintains the education record at issue to amend the education record accordingly. The school must notify you when the changes are made.  
• If the hearing officer determines that the information in question is not inaccurate, misleading, or otherwise in violation of privacy rights, you have the right to place a statement in the student’s education record commenting on the contested information or stating why you disagree with the hearing officer’s final decision, or both. This statement shall be maintained with the contested part of the student’s education record for as long as the record is maintained, and it shall be disclosed whenever that portion of the education record is disclosed.

Notice to Users of DOE Web Sites and Applications

This notice informs you, as a user of our systems and applications, about how the NYC Department of Education (the "Department", "we", "us") collects, uses, and protects information about you through your use of this website. We also describe other policies that directly affect you, as users of these services. Please read this notice carefully before using our websites or applications. We may change this notice from time to time, and reserve the right to do so without advance notice. By accessing and using our websites and applications, you consent to these uses and any other uses.

Collection of Information

In order to improve the content and usability of Department websites and applications, we may automatically collect certain information from you, including:

• The Internet Protocol ("IP") address of your Internet Service Provider ("ISP") and/or computer.
• The Domain Name of your ISP and/or computer.
• The type and version of your operating system and browser (such as Internet Explorer, Opera, Firefox, Chrome, etc.).
• The date, time, and duration of your visit.
• Your clicks within the application.
• The web address of the previous site visited by your browser (if detectable).
  We also may request and collect information from you when you interact with our websites and applications, such as information you provide when creating an account, submitting an electronic form, participating in a survey, etc.

Use of Information and Privacy

We do not collect personally identifiable information for commercial or marketing purposes, and we do not sell the personally identifiable information we collect. The personally identifiable information we collect is stored in a secure environment.

We use and may share the information we collect to make sure our systems are up-to-date and compatible with other systems, and to improve services offered through Department applications and websites. We may also use it to fulfill our duties and for other educational purposes, including, but not limited to:

• Developing new application functionality;
• Providing notifications, alerts, or event updates;
• Responding to requests made under the Freedom of Information Law (FOIL), through subpoenas, court orders and other administrative, judicial and legal processes (however, we may withhold certain information if the law permits us to do so);
• Providing technical notices, updates, security alerts, and administrative messages;
• Responding to user comments, questions, and requests for customer service;
• Monitoring and analyzing trends, usage and activities in connection with services;
• Personalizing and improving services;
• Complying with any allowable educational purpose, applicable law, regulation, legal process, or governmental request; and
• Conducting statistical analyses for any of the above reasons.
  Certain laws and regulations govern our ability to share or otherwise disclose information about you that we collect. For example, as described in more detail above, disclosure and release of PII of our current and former students is governed by Chancellor's Regulation A-820 and the Family Educational Rights and Privacy Act (FERPA). Other laws and regulations may apply, depending on the types of information involved.

We may monitor and review all content and traffic on Department-provided networks and applications. This includes traffic on or from devices that are owned by the Department, as well as devices not owned by the Department if DOE resources are being accessed or have been accessed from such devices.

Data Security

The Department takes reasonable measures to help protect its websites and applications and the information within them from loss, theft, misuse, unauthorized access, disclosure, alteration, and destruction.

If you receive or create a password when registering for any of our applications, you should not divulge this password to anyone. We will never ask for your password in a telephone call, fax, e-mail, or other form of unsolicited communication. When you are finished with an application, you should sign out of the application. If the browser you used to access the application is publicly accessible (such as on a computer at a public library or internet cafe), you should close the browser session and, if possible, clear any browser history, cookies, or other areas where your password might have been stored. Otherwise, you risk having information about you becoming available to third parties.

Cookies

Cookies are computer files that enable an application or website to distinguish between users. We use "temporary cookies" on some parts of our sites and applications, which expire when you close the browser session. We may also use "persistent cookies" to understand how people access and use our sites and applications.

You can customize most browsers to reject cookies, to accept or reject cookies after a visual warning, or to delete cookies. However, some application and website features may require cookies to function properly.

Web Bugs

We do not use web bugs (also known as "web beacons") on our web pages or in email for any purposes other than:

• To identify site performance needs;
• To ensure compatibility with the technology used by site visitors; and
• To add and improve services offered by our applications.

Intellectual Property

The content of our applications and webpages is copyrighted, and may contain some third-party images or graphics that are used with permission. This section serves as notice to all users of this website to presume the need to obtain permission from the copyright holder(s) before reproducing or otherwise using images/graphics from this and other DOE websites.