Research

American Institutes for Research (AIR) (for Study of Deeper Learning)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 1/18/2023 – 4/30/2025, extended to 12/31/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. For the Study of Deeper Learning, we examine the impact of attending a deeper learning network school on student outcomes, as well as relationships between opportunities for deeper learning and student outcomes. For these analyses, students are the unit of analysis. It is for this reason that we have requested student-level data. These data will not include student identifying information such as name or date of birth. However, student names and date of birth were collected from consent forms distributed to participating schools in the 2012-13 school year. We only have identifying information for students whose parents provided consent to participate in the study. This information is used to locate study participants and invite them to participate in a follow-up study. The study also administered a teacher survey in spring 2013, and so data also include individual teacher-level survey data collected by AIR.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Student-level data will be destroyed within five years of the completion of the study, which is currently scheduled to end on 12/31/2026. Student-level data will be maintained for five years to assist with the completion of manuscripts for scholarly journals and to allow for the possibility of securing additional funding to continue the Study of Deeper Learning.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. AIR has established in the Microsoft Azure Commercial Cloud its Secure Project Portal – Restricted Desktop (SPP-R), an enterprise-grade information enclave protected by a Next-Generation Firewall and comprised of hardened servers and infrastructure configured and maintained by AIR staff. This environment includes strong encryption in transit and at rest, rigorous access controls, and other security measures developed to meet the requirements of NIST 800-171 for Controlled Unclassified Information (CUI). All PII for this project will be stored and processed in SPP-R.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

American Institutes for Research (for NYC Middle School Selective Admissions)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 10/21/2024 – 06/30/2029

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. NYC has been actively experimenting with selective school admissions policies in the last decade. The proposed study seeks to produce evidence on the extent to which these reforms have fulfilled their goals to increase diversity in high-performing selective schools, reduce segregation, and close achievement gaps. Such evidence is important because it can equip policymakers, practitioners, and as importantly, parents and the public, with a greater understanding of the likely consequences of their decisions. To fulfill the objective of the study, individual student and teacher data are needed to estimate the extent to which the distribution of students and teachers as well as student academic and non-academic outcomes changed following changes in middle school admissions policies.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Applied Curiosity Research (for Fast Track to College & Career Program Evaluation: Final Report)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 10/25/2022 – 10/1/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Applied Curiosity Research is evaluating the efficacy of the Fast Track to College & Career (FTCC) pilot program taking place at 11 NYC DOE schools. FTCC was funded by the US Department of Education Perkins Innovation Grant to improve outcomes of students in participating NYC DOE Career and Technical Education (CTE) high schools by offering courses and activities aligned to their career pathway through CUNY’s College Now (CN) program. The program is designed to improve the transition of students from secondary education to postsecondary education by redesigning the high school experience to include dual enrollment courses as early as the 10th grade, and continuing through a structured sequence of college credit and work-based learning activities in 11th and 12th grade. We are requesting student scrambled data from the 11 FTCC schools and 13 control schools so we can compare outcomes and determine the impact of the program. We will need to limit our analysis to CTE-eligible students that entered 10th grade in 2019-2020 at one of 11 FTCC or 13 control schools.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor and using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Assessment Solutions (for Evaluating the Impact of buildOn's Service Learning Program)

Type of Entity: Commercial Enterprise and Research or Evaluation Institution or University

Contract / Agreement Term: 07/25/2025 – 07/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. buildOn has engaged Assessment Solutions LLC to assess the effectiveness of its U.S. Service Learning Program in NYC. The evaluation will focus on both academic and non-academic outcomes. Academic outcomes include on-time high school graduation and college enrollment, while non-academic outcomes include attendance and student responses to select items from the NYC Department of Education’s annual School Survey. The evaluation will adopt a quasi-experimental design, comparing students who participated in buildOn with similar students in the same schools who did not participate (serving as the counterfactual). This approach allows us to estimate program impact while accounting for the real-world constraints of program implementation in school settings. The study is aligned with buildOn’s agreement with the New York City Department of Education (NYCDOE), which permits access to administrative data for evaluation purposes. This data includes academic and engagement-related indicators for both program and non-program students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

The B.E.L.L. Foundation (for NYC Summer Rising - Arly & Scholastic Scholar Zone Review)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 11/21/2024 – 12/31/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. This evaluation will compare pre and post-test scores via Star Assessments. The purpose is to understand if the summer program influenced literacy scores, overall. To conduct this, we will first clean the data for anomalies and high/low outliers. Grade equivalent scores are generated by Star, and will be used to calculate the difference from first and last tests. This calculation is done at the individual level and then averaged. Averages will be calculated for the overall program and various groups (examples: school site, grade, pretest benchmark category, days between tests, etc.) Once BellXcel has compiled summary findings, we plan to review them with the Scholastic team. Scholastic will not have access to any individual level data, only the aggregate results.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Brown University, Annenberg Institute (for Understanding the Impacts of Gifted and Talented Programs)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 02/03/2025 – 05/31/2029

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Dr. Christopher Cleveland is studying the trends in elementary GT applications, enrollment, and outcomes and needs PII to understand the demographics and characteristics of students who are applying to GT.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Center for Innovation through Data Intelligence (CIDI) (for YouthNPower Direct Cash Transfer Pilot Evaluation)

Type of Entity: Government Agency

Contract / Agreement Term: 11/30/23 – 5/31/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The outcome evaluation of the youth receiving cash assistance will use a quasi-experimental design which will include a stratified sample of youth who have aged out of foster care. One group of youth will obtain the cash assistance lottery and will be matched, via propensity score, with a group of similar non-program youth based upon the following characteristics: age, race, ethnicity, gender, time in foster care, aged-out status, type of maltreatment, and type of care. Subsequently, we will compare the outcomes of the two groups. PII will be required to match program and non-program youth to Administration of Children's Services, Department of Corrections, Department of Homeless Services, Department of Education, Human Resources Administration, Department of Labor, Statewide Planning and Research Cooperative System, and Department of Youth and Community Development data to assess the impact of the intervention on their outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Center for Innovation through Data Intelligence (CIDI) (for Tracking Education and Labor Outcomes of High School Age Foster Youth)

Type of Entity: Government Agency

Contract / Agreement Term: 07/08/2024 – 08/30/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The project will examine trends over time in high school graduation, college enrollment, and employment outcomes of those who had foster care involvement at some point during their high school years. Analyses will also examine whether trends over time differ for youth with different foster care characteristics.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Center for Innovation through Data Intelligence (CIDI) (for Every Child and Family is Known Pilot Evaluation)

Type of Entity: Government Agency

Contract / Agreement Term: 10/11/2024 – 10/11/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The purpose of the research is to conduct an independent evaluation of New York City’s Children’s Cabinet’s Every Child and Family is Known (ECFIK) pilot program. ECFIK provides approximately 500 students and their families who live in NYC Department of Homeless Services (DHS) shelters and attend one of the selected 66 Bronx pilot schools with a personalized navigator, a “Caring Adult”. These “caring adults” are school staff members who regularly engage with students and their families to improve student educational outcomes and facilitate access to resources and support. The proposed research project will employ both quantitative and qualitative methods to evaluate the impact of the ECFIK program. This will include using administrative data to measure the participating student educational outcomes, compared to students in DHS shelters in other Bronx schools. PII is needed to match records to other administrative data for the evaluation of the pilot program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Center for Innovation through Data Intelligence (CIDI) (for Middle School Students in Temporary Housing Pilot Program Evaluation)

Type of Entity: Government Agency

Contract / Agreement Term: 01/27/2025 – 01/27/2027

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The objectives of the pilot program are: (1) to better understand the needs of students and families in temporary housing, and (2) to connect them with the services and supports they need. These services that will improve student educational outcomes and social emotional well-being, as well as family housing and income stability. CIDI will implement a descriptive and pre-post evaluation to gauge whether the program met these objectives. PII will be used to link the students' DOE records to programmatic data and DHS shelter data. Parental consent will be obtained.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Change Impact (for Sunnyside Community Services 21st CCLC Evaluation – Literacy)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 04/24/2025 – 12/31/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Change Impact will measure the degree to which the program is successful at achieving its objectives to provide a high-quality after-school program that ultimately helps youth attain the educational, social, and behavioral changes needed to increase student achievement and safety. Based on a principal request, we will need to match student data to run analyses and comparisons to inform the evaluation. PII will support the matching process. We are equipped to store and transfer data securely, and to delete this data once the analysis is complete.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. SharePoint.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Chapin Hall Center for Children (for Evaluation of the NYC ACS Fair Futures Initiative)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 11/04/2022 – 05/31/2025, extended to 10/30/2030

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. We are conducting an outcome evaluation of the Fair Futures Initiative at the request of the New York City Administration of Children’s Services. The Fair Futures model envisions that comprehensive and targeted support provided to youth in foster care by coaches, tutors, and specialists will increase the likelihood that those youth will reach different goals corresponding to their developmental stages, ultimately leading to successful transition into adulthood. The fundamental goal of Fair Futures is to improve the education, employment, housing, and permanency outcomes for youth in foster care in NYC. To understand the contribution of Fair Futures to youths’ outcomes, we will apply a human capital framework, in which both protective factors (including Fair Futures) and risk factors have an influence on human capital accumulation and therefore determine outcomes in multiple domains, including education. This study design requires us to connect a youth’s protective and risk factors and intermediate and long-term outcomes across multiple domains with that youth using personal identifiers.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Charles River Media (for S.P.I.R.E. Research Study 2024-2025)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 12/5/2024 – 06/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. S.P.I.R.E has intensive, sequential multisensory instruction for nonreaders, struggling readers, and students with dyslexia. This quasi-experimental efficacy study is designed to address six research questions using quantitative and qualitative data sources to document the implementation and provide evidence of the effectiveness of S.P.I.R.E. The requested student data will be used to measure the impact of the SPIRE lessons on literacy achievement for students in Tier 3 intervention in the treatment schools. SPIRE is already being used at many schools in the district, so this study will increase the proportion of elementary students and bring the opportunity to middle school students who need support with foundational reading skills. The data will be used to describe the sample in terms of demographic profile and beginning-of-year literacy skills. The change of literacy skills will be measured by district-administered assessments, averaged and analyzed using rigorous statistical modeling.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Google Drive.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Columbia Business School, Columbia University (for Measuring the Instructional Potential of Paraprofessionals in NYC Public Schools)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 08/26/2024 – 08/26/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. This research will assess the characteristics of the population of paraprofessionals working in NYC public schools, how these characteristics compare to full-time teachers of record, and the correlation between paraprofessionals' characteristics and their employment and performance outcomes. This analysis requires individual level data on pedagogues and the students to whom they provide instruction. Ultimately, these analyses can inform the DOE about the potential to reinforce its instructional workforce through strategic use of high performing paraprofessionals.

Type of PII that the Entity will receive/access: Student PII and Staff PII

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: PII data will be return to the DOE if requested (e.g. if significant cleaning/formatting has made the data more useful to NYC DOE staff). It will be deleted unless the DOE explicitly provides for the data to be used in another approved research project.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Cornell University, on behalf of Nikhil Garg (for How Do Students Decide Which Schools to Apply to)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 7/20/2023 – 6/1/2028

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. We are conducting research on how students and families navigate the high school application process. To conduct this research, we would like to analyze individual-level school preference data to identify patterns and limitations in how students choose which schools to list.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor (e.g. Microsoft Azure) and using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

City of University of New York (CUNY)

The exclusive purposes for which Protected Information will be used: The course and exam data provided by the DOE will serve as applicants’ official high school transcripts and be used to evaluate applicants’ admissibility to the CUNY colleges to which they have applied. CUNY will use the biographical data provided by the DOE to match the academic records provided by the DOE to CUNY applications.

CUNY will use immunization records provided by the DOE as proof of students’ immunization status, as required for college enrollment.

CUNY will use the research dataset solely for research projects designed to improve instruction or program administration at CUNY colleges.

How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: Access to the biographical, course, and exam data files will be limited to the staff of CUNY’s University Application Processing Center, who are informed of their responsibilities for handling personally identifiable data in writing and required to sign data use and access agreements.

Access to the Research Data Set will be limited to employees of CUNY’s research offices, who are informed of their responsibilities for handling personally identifiable data in writing and required to sign data use and access agreements.

In addition, all employees in these offices must acknowledge, by signature, receiving a copy of the University’s Policy on Acceptable Use of Computer Resources and IT Security Policies.

When the agreement expires and what happens to Protected Information upon expiration of the agreement: This agreement expires on December 31, 2028. CUNY can purge DOE data if requested by the DOE due to the expiration or termination of the Memorandum of Understanding.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, CUNY will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.

Where the Protected Information will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted: Data provided by the DOE will be stored and protected in a manner consistent with other CUNY confidential, personally identifiable, and protected health data. Common security controls include firewall, intrusion prevention, limited authorized access, and data center physical security. The data is encrypted during transmission.

Curriculum Associates (for 2023 New York State Testing Program (NYSTP) and i-Ready Diagnostic Linking Study)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 06/04/2024 – 08/29/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The purpose of this study is to examine the relationship between the i-Ready Diagnostic interim assessment and the New York State Testing Program summative assessment. This study will provide important validity evidence for the i-Ready Diagnostic in New York. This is important because the i-Ready Diagnostic is used as an interim assessment by school districts across the state; providing external validity, via correlations with the state summative, is an important part of the validity argument for an interim assessment. The intended outcomes of this study may also prove useful for New York educators. By providing i-Ready Diagnostic scores that correspond to New York State Testing Program performance levels, educators could use the outcome of this study to translate their interim assessment scores onto the summative scale (i.e., projecting NYSTP outcomes from i-Ready scores).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

DAH Consulting, Inc. (for 21st CCLC Program)

The exclusive purposes for which PISI will be used: Evaluation of 21st CCLC program at schools identified.

How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: All employees, persons, etc. have an NDA with DAH which indicates that they will abide by data protection and security guidelines established by the organization. 

When the agreement expires and what happens to PISI upon expiration of the agreement: After 5 years when study ends we will destroy research records remembering to protect participants' confidentiality throughout the process. Paper records will be shredded and recycled, instead of carelessly tossed in the garbage. Records stored on computer hard drive should then be erased using commercial software applications designed to remove all data from the storage device.

[NYC DOE additional information: The current agreement became effective starting on December 4, 2018 and remains effective through the period during DAH Consulting, Inc. possesses or otherwise is in control of covered protected information and no later than December 4, 2025.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov.]

Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: We intend to use minimal-identifier data as often as possible and minimize risk by maximizing work "within network".

Other controls will be to manage release of identifier-data at source/ identification of a "Gatekeeper" and tracking data releases using an approval process and documenting and creating logs.

We will also remove all personally identifying information from data, replacing identifiers with a new unlinked, identifier, which cannot be associated with an individual study participant.

NYC DOE Additional Information: Certain portions of this response have been redacted to protect the privacy and/or security of data and/or technology infrastructure.

Double Line (for Bill & Melinda Gate Foundation Networks for School Improvement)

Type of Entity: Commercial Enterprise

Contract / Agreement End Date: 8/30/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The Bill and Melinda Gates Foundation’s Networks for School Improvement (NSI) portfolio supports organizations that bring groups of middle and high schools together to advance high school graduation and college success rates for their Black and Latino students and students experiencing poverty. The Foundation works with Double Line to collect de-identified student level data directly from NYC DOE and shares the data (in aggregate form) with the NSI partners and the Foundation in order to help with Target Setting and overall grant reporting. De-identified student level data will be used to measure the effectiveness of the Project in achieving its overall goal of improving outcomes for Black, Latino and low-income students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Duke University (for School Assignment by Match Quality and School Choice and Housing Market)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 4/25/2024 – 4/25/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The data will be used for two ongoing projects, titled “School Assignment by Match Quality” (2335) and “School Choice and the Housing Market” (2360).

Standard assignment systems implement district policies by sorting applicant into coarse priority groups based on criteria such a siblings’ enrollment status, family income. However, these systems do not account for finer policy objectives, such as reducing total commuting time to schools, matching students and schools based on fitness of the match, assigning more children to their higher ranked choices while respecting other policies implemented via priorities.

We develop novel assignments systems that will empower school districts with the ability to consider and implement such broader policy objectives. We aim to assess the performance of our solution empirically with the NYC data.

The housing market plays a role in access to schools. Even when parents are allowed to choose schools outside of their neighborhoods, their schooling options are closely tied to their residential choices: families prefer schools near their homes, and schools' prioritize applicants from the neighborhood. We use NYC data to evaluate the impact of residential choice in a unified framework of school choice and housing market.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Education Analytics (for Technical Support and Data Analysis for Teacher Performance Review)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 07/01/2024 – 06/30/2029

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The purpose of requesting PII is to inform the current study researching the properties of different models for measuring the productivity of schools. The models being investigated use assessment scores as an outcome variable to identify the impact of schools. Additionally, the research will explore newly introduced assessments (e.g., i-Ready, NWEA MAP Growth, Acadience) in order to develop a sufficient system-wide understanding of where NYC students are in relation to learning goals and to inform subsequent instruction.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Education Development Center (for Equitable Computer Science Implementation in all NYC Schools)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 10/20/2023 – 09/30/2024, extended to 09/30/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Education Development Center (EDC) and the New York City Department of Education (NYCDOE) are engaged in a research–practice partnership (RPP) to enhance and study the implementation of high school Advanced Placement (AP) Computer Science Principles (CSP) courses, particularly in low-performing NYC schools. The work of the RPP responds to a persistent problem of practice in NYC schools—the successful implementation of AP CSP in low-performing schools. The intended outcomes of this work are improved student enrollment and attendance in AP CSP, increased student CS knowledge, and greater percentage of students taking and passing the AP CSP exam, in particular, for female, Black, and Latinx students. PII data will be used to look at trends in these outcomes over time for NYC schools and provide guidance for NYCDOE efforts as they target support for schools offering AP CSP.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Education Development Center and The Opportunity Network (for Longitudinal Evaluation of The Opportunity Network Fellows Program)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 06/12/2024 – 06/12/2029

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. OppNet ignites the drive, curiosity, and agency of underrepresented students on their paths to and through college and into careers, powered by our commitment to access and community. The Fellows Program supports 1000+ NYC students from their 10th grade summer through to college graduation and job placement graduate school entrance. Additionally, OppNet drives local and national impact through CareerFluency® Partnerships, our capacity-building program for schools and youth-serving organizations in NYC and nationally looking to accelerate their young people’s college and career goals. Many of these Partner organizations are NYC schools and CBO’s serving NYC students. The primary aim of the study is to understand the effects of Fellows Program participation on four key outcomes: high school graduation, post-secondary enrollment, post-secondary persistence, and degree attainment. Fellows’ achievement will be assessed against a matched sample of similar non-Fellows. OppNet has to date never been able to assess the Program’s impact against a true counterfactual. Our evaluation will benefit the NYC educational community because the findings that result from the data requested will be directly used to improve Fellows Program interventions and our work with our NYC-area Partner schools and CBO’s.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor and using an Organization-owned and/or internally hosted-solution; and using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Education Development Center (for MATH FOR ALL: Broadening and Sustaining Effective Teacher Professional Development to Support Rigorous Personalized Mathematics Instruction for High-Need Students in Grades K–5)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 06/20/2024 – 06/20/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Math for All research project is a research-based professional development program that is embedded in mathematics content and focused on how students learn this content will enhance teacher knowledge, skills, and classroom practices, helping them become better equipped to respond to student needs, and ultimately improving students’ mathematics achievement outcomes. To assess the impact of the Math for All program on students mathematics achievement, we conducted a treatment-control comparison study. In order to analyze the data and assess the impact of Math for All PD, we need student direct identifiers to ensure that we know which students belong in which teachers’ classrooms. This will allow us to run use a multilevel analytic model to account for the nested nature of the data (i.e., students are grouped in teachers/classrooms, which in turn are nested in schools).

Type of PII that the Entity will receive/access: Student PII and Staff PII

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Education Development Center (for Mission US)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 12/5/2024 – 08/31/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The research will gather evidence on the effectiveness of a supplemental digital U.S. history curriculum, Mission US, created and tested in NYC by CUNY historians and WNET, and now being used by hundreds of New York City teachers at both the middle and high school levels.

The purpose of the study is to determine whether implementing 3months of Mission US games and curriculum impacts student learning outcomes, including historical content knowledge, ability to analyze and interpret historical documents, and motivation to study history, and if these improvements are mediated by historical empathy.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Box.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Glass Frog Solutions (for Evaluating the Impact of the School of Interactive Arts on Students' AP Computer Science Principles Participation and Scores)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 1/20/2023 – 12/31/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. We are conducting a program evaluation of the School of Interactive Arts (SIA) program, which received a federal Education Innovation & Research (EIR) grant to implement and evaluate the program in NYC public schools. The goal of the program is to use a curriculum based in video game design to increase students' interest in computer science. The program partners with schools offering the AP Computer Science Principles course, and the SIA program works to encourage students to take additional computer science coursework and eventually take the AP Computer Science Principles exam. The long-term goal of the SIA program is to increase access to computer science majors and careers for students belonging to under-represented groups. The evaluation will assess whether the program was successful in encouraging students to take the AP Computer Science Principles course and ultimately pass the AP Computer Science Principles exam. We will draw on students' deidentified course and test score data to determine whether the program met these goals.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Glass Frog Solutions (for Estimating the Impact of GO Project NYC on Student Attendance and Academic Performance)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 10/13/2023 – 12/31/2028

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. This data request is part of an ongoing evaluation of GO Project's impact on student outcomes. GO Project partners with NYC schools to provide supplemental services to students with special education classifications and/or who are performing below their peers. Their goal is to help students become proficient and eventually excel at school. We want to use data from the NYC DOE to determine how GO Project students are faring, relative to their peers districtwide, on outcomes including attendance, academic performance, and eventually on-time graduation. We will compare outcomes among GO Project students to outcomes among students districtwide, which we will obtain from publicly available datasets. Both GO Project and their partners want to ensure that students are making progress and that the investment is having an impact on students' short- and long-term outcomes. This will enable both schools and GO Project to determine how they allocate resources going forward.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Good Shepherd Services (for Postsecondary Enrollment in Good Shepherd Transfer Schools)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 04/15/2025 – 06/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Good Shepherd Services (GSS) has recently been awarded a two-year Robin Hood Transfer School grant to support over 500 NYCPS youth at three GSS transfer schools to graduate at higher rates and put themselves on a path to a fulfilling and sustainable livelihood after high school. As part of our grant agreement, the funder is requesting that we report annually on college enrollment and persistence data available through the National Student Clearinghouse report for all graduates at these schools, beginning with the Classes of 2022-23 as a two-year baseline, and continuing to the Class of 2026. The purpose of this study is therefore: to monitor college enrollment and persistence for all graduates at three GSS transfer schools during the course of the Robin Hood grant, disaggregated for those receiving different grant-funded services (career connected learning opportunities, alumni engagement support).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

President and Fellows of Harvard College (for The Impact of Suspension on Student Outcomes and the Racial Achievement Gap)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 7/1/2023 – 7/1/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. This research studies the effect of a 2012 policy reform in New York City public middle schools that eliminated suspensions for non-violent, disorderly behavior. Using anonymized student data (PII), we estimate the causal effect of reducing suspensions on student test scores and measures of school culture.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Knology Ltd and New Visions for Public Schools (for Building Secondary Educator and Administrator Leadership for Multilingual Learners)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 12/9/2024 – 08/31/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. We are conducting the evaluation for the Building Secondary Educator and Administrator Leadership for Multilingual Learners (B-SEAL) professional development program, funded by the U.S. Department of Education (Award #T365Z210122). The program involves graduate-level coursework leading to a certification in TESOL or Bilingual Education for 2-5 teachers per school, and encourages change in school-level practices to support multilingual learners through the involvement of school leadership. Teachers participating in the program apply what they have learned and receive coaching over the course of a practicum year at their school. The goal of the program is to support multilingual learners in developing English language literacy, which we will assess through student NYSESLAT performance as well as feedback from teacher surveys and school leader interviews. We will test whether students with one or more teachers participating in B-SEAL show greater gains in English proficiency as measured by NYSESLAT compared to others in their school, and whether schools participating in B-SEAL showed increased NYSESLAT performance overall compared to the year before B-SEAL participation.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Google Cloud Services.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

L&G Research and Evaluation Consulting (for Evaluation of NYCPS’ Early College Pathways Program Models)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 06/17/2024 – 06/17/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The purpose of accessing Personally Identifiable Information (PII) is to analyze student-level data related to program participation, academic performance, college readiness, postsecondary outcomes, and demographic information. This analysis aims to assess the impact, effectiveness, equity, and overall success of early college credit programs in meeting the needs of NYCPS students and families. The evaluation seeks to inform program improvement, policy decisions, and educational practices to enhance student outcomes and college readiness within the NYCPS system.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

L&G Research and Evaluation Consulting (For The Evaluation of the 21st Century Community Learning Centers Program)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 01/02/2025 – 01/02/2027

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. We are conducting an outcome evaluation of 21st Century Community Learning Centers to determine the extent to which NYC DOE schools that are recipients of the Grant achieve the following program objectives:

1. At least 45% of students who regularly attend programming will demonstrate a 5 point increase in their ELA, Math, and Science report card grades between the first and last marking periods.

2. At least 65% of students who regularly attend the program will exhibit improved school engagement between the current and previous school years as measured by a significant increase in their school day attendance.

3. At least 45% of students who regularly attend will achieve proficiency levels of 3 and 4 on NYS exams.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Massachusetts Institute of Technology (MIT) (for “The Comprehensive Data Request for MIT SEII” & “Peer Exposure Effects on School Preferences” & “How School Accountability Affects School Choice” & ‘Pipelines and Equity in Gifted and Talented Programs” & “Effects of School Choice on Enrollment” & “High School Admissions Reform: Impacts on School Composition and Student Achievement” & “Assessing Families’ Responses to Accurate and Equitable Measures of School Quality” & “Who Benefits from Long Commutes to School?” & “The Effects of Advanced High School Coursework on College Field of Study”)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 2/22/2022 – 08/21/2028

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. NYCDOE uses a matching algorithm designed by Abdulkadiroglu, Pathak, and Roth to match students to schools according to preferences and priorities. The adoption of centralized assignment has enabled improved school impact evaluations. Led by Parag Pathak, MIT's Blueprint Labs has developed pioneering new methods to enable an analyst to fully exploit all randomization generated by centralized assignment. We are pursuing several lines of inquiry related to this work in New York City.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

 

Massachusetts Institute of Technology (MIT) (for The Impact of NYC Charter and Traditional Public Schools on Student Short- and Long-Term Outcomes)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 11/1/2024 – 12/31/2029

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The purpose of this study is to examine the impact of NYC school options on students’ test scores, high school graduation, college attendance, adult earnings, and other outcomes. Specifically, we will test the effectiveness of NYC charter and traditional public schools, on student academic and non-academic outcomes, how school performance varies over time, and what practices drive school effectiveness. To accomplish these objectives, we will collect school-level admissions lottery records from each participating charter school or their charter management organization, and merge these to the NYCPS student educational outcome database. So, it will be necessary to use direct student identifiers (i.e., unscrambled student IDs, student name, DOB, address) to match charter records to NYCPS records. Further, we would like to use individual-level student data to classify students into different groups of interest within schools (e.g., low income, racial minority groups, as well as controls) to observe any causal impacts across groups.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Mathematica (for Evaluation of the Networks for School Improvement Initiative)

Type of Entity: Commercial Enterprise and Research or Evaluation Institution or University

Contract / Agreement Term: 03/05/2025 – 12/31/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. This study evaluates the Bill & Melinda Gates Foundation’s Networks for School Improvement (NSI) initiative. To implement an NSI, an intermediary forms a network of schools that use continuous improvement to address pressing challenges with keeping students on-track for high school graduation and postsecondary enrollment.

The evaluation will provide evidence on how schools can use continuous improvement to advance high school graduation and college success. The findings will describe the nature of school networks, the ways in which schools implement continuous improvement, and aspects of the work that are most important for improving student outcomes.

The evaluation of the NSI initiative will address three research questions, and de-identified student administrative data are needed to answer the third research question: 1. How do intermediaries design and implement effect school networks? What characteristics, strategies, and contexts create more effective networks? How do networks and intermediaries evolve over time? 2. How do schools effectively implement continuous improvement activities? How does continuous improvement lead to changes in school and educator practices? 3. What is the effect of the NSI initiative on outcomes for students who are Black, Latino, or experiencing poverty? What factors or conditions are related to effects on student outcomes?

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

MDRC (for Examining Effects of Social-Emotional Learning on Outcomes Through High School and Beyond: A Follow-Up Study of INSIGHTS)

Type of Entity: Research or Evaluation Institution or University

Contract/Agreement Term: 2/28/2023 – 6/30/2028

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The aim of the proposed study is to conduct a long-term efficacy follow-up of INSIGHTS into Children’s Temperament (INSIGHTS). Findings from the original cluster randomized trial of INSIGHTS implemented in kindergarten and first grade in schools serving students from low-income families (2008 – 2012) revealed positive short-term treatment impacts on children’s literacy, math, sustained attention, and behavioral skills. Follow-up data demonstrated sustained impacts on target outcomes through sixth grade. Although these medium-term impacts are promising, questions remain about whether INSIGHTS does continue to benefit children as they move through adolescence, as well as the mechanisms through which the program generates long-term outcomes, the students who benefit the most from the intervention, and the implementation and school-level factors that are critical to promoting sustained impacts. The proposed study will estimate long-term effects of INSIGHTS on students’ academic, social-emotional, and behavioral outcomes from 7th to 12th grade and during the transition to college. The study will explore how INSIGHTS promoted long-term outcomes, for whom, and under what circumstances. Findings will provide information on whether early investments in SEL yield benefits for students through high school and beyond.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

MDRC (for New York City Small Schools of Choice)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 1/25/2024 – 6/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Beginning in 2002, the New York City Department of Education (NYCDOE) closed many large, comprehensive high schools with a history of low performance and created hundreds of new small secondary schools. These schools were required to implement curricula and school structures that promoted academic rigor, knowledge relevant to the real world, and personalized relationships, and they received funding and policy supports from NYCDOE and community partners. Because these small schools are located in the communities they intended to serve, do not screen students based on their prior academic achievement, and thus represent a realistic small school option for many students who previously did not have one, MDRC researchers call these new schools Small Schools of Choice (SSCs).

MDRC will use NYCDOE data to examine how SSCs affected students’ secondary and postsecondary education outcomes, such as high school graduation and postsecondary degree attainment. We will also study which components of SSCs had the most influence on student outcomes, as well as whether certain groups of students were more likely to benefit from enrolling in SSCs. To meet these research goals, we plan to compile data on study students for at least six years past high school graduation (a benchmark which has become the standard among major postsecondary databases, such as NCES). We will also use earlier years of data to study how students’ prior academic achievement affects the effectiveness of SSCs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor (i.e. Amazon Web Services GovCloud).

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

MDRC (for CTE ADVISE: Advising Tools in Secondary Education)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 03/06/2025 – 12/31/2029

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. **Variables used to conduct matching and comparison include demographics (gender, race, IEP and ELL status, as well as variables collected through the baseline survey).

This evaluation is an impact, implementation and cost study, that uses a school level three-arm random assignment design in which schools are randomly assigned to receive software packages that are designed to provide career advise to high school students. The study will address the following research questions using administrative data collected from districts and schools:

Do the programs have an effect on student’s persistence in CTE course taking?

Do the programs have effects on student engagement with school and progression toward graduation?

To answer these questions, the research team will conduct a propensity score matching analyses using student records data from the schools originally assigned to the treatment and control conditions. The student records data will be leveraged to explore the effect of any tool exposure, compared to no exposure.

The student records data will not be shared with anyone outside of the MDRC research team.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Metis Associates (for Evaluation of NYCPS High-Impact Tutoring Initiative)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 5/8/2024  – 4/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The evaluation of the NYCPS High Impact Tutoring initiative is designed to gather information about the implementation and impacts of the program, which provides high impact tutoring services to students in grades K-9. One aspect the evaluation will examine is which students are being served by the initiative and how participation varies by student demographics. The PII will be used to produce propensity scores which will then be used to develop 1:1 matches to non-participating students citywide.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Metis Associates (for “Education Through Art,” “Evaluation of United Community School Program,” “Evaluation of the Lehman College LUTE-STEM Teacher Residency Program,” & “Evaluation of Girls Inc NYC”)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 01/22/2025 – 12/31/2027

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Education through Arts (ETA) is a federally funded arts integration project that is being implemented in NYCDOE’s District 75. It is the no-cost extension year currently. The project has objectives for both teachers and for participating grade 3-5 students. PII is needed for students in order to determine whether the project has met its student outcome objectives. Specifically, Education through Arts (ETA) aims to determine whether participating students show greater improvement than similarly situated non-participating comparison students with regard to ELA and math achievement and social-emotional skills. In order to examine differences between the growth of participating and comparison students in these areas, we need to collect and analyze longitudinal data. This will help the project to establish any relationship between project participation and academic and SEL outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

National Education Equity Lab (for Exploratory Study of the Impact of the National Education Equity Lab College-in-High School Model in NYC Schools)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 8/9/2023 – 8/9/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The purpose of the proposed study is to gather exploratory evidence regarding the Ed Equity Lab participating student population, their backgrounds as well as their postsecondary outcomes. Student demographic data is required to describe the population of students engaged in Ed Equity Lab courses, while it is also required to control for pre-existing differences between students when trying to estimate the program’s impact on students’ postsecondary outcomes. All reporting of results will be done at the aggregate program level. There will be no reporting of individual level results or data.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

New York City Department of Social Services (for Intergenerational Poverty Study: Supporting Positive Educational Trajectories)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 09/19/2024 – 12/31/2028

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The Intergenerational Poverty Study led by the NYC Department of Social Services follows approximately 230,000 individuals who were born between 1988 and 1996 and received cash assistance in NYC during childhood, examining factors associated with positive outcomes in their transition to adulthood. The proposed study will include an analysis of the patterns in childhood benefit receipt and homeless shelter stays coupled with key educational metrics from the DOE to identify factors associated with educational success and challenges among low-income students. Findings will be used to shape programming at multiple levels of the DOE system (e.g., individual students as well as school based interventions). We are asking for individual data (not direct identifiers) to conduct robust analyses of student characteristics associated with secondary achievement while controlling for family, school, and neighborhood variables.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

New York University (NYU) (for The School Choice Policy Research Center – Improving Policy, Implementation, and Outcomes for Disadvantaged Students)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 5/24/2022 – 5/24/2025, extended to 08/31/2028

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The study examines the impact of transportation options on school choice and student outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

New York University (NYU) (for Strengthening School Readiness through Pre-K for All: A University-District Partnership)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 1/24/2023 – 8/31/2027

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. We are requesting individual level student data detailed earlier, and the NYC DOE considers all student-level data to be PII. In addition, we are requesting for a document linking the DOE-created random ID (in the de-identified dataset) to the child's name, making the data identifiable for the participants’ who consented to the data and records release question on the consent form.

We are requesting for a document linking the DOE-created random ID (in the de-identified dataset) to the staff members’ name and email address (or DOE “external account” for NYCEEC staff), making the data identifiable for the participants’ who consented to the data and records release question on the staff consent form.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies. As stated in the consent form, the research team will store identifiable information (e.g., names and contact information) for future follow-up research purposes by the NYU research team for four years following the completion of this study. After this, data consisting of participant identifiers and documentation connecting participants to personal information will be deleted. This data includes consent forms and any other materials that contain personal identifiers, and the file that links participant research IDs to name/DOB. The identifiable electronic data will be permanently deleted by research staff with access to the password protected server, and trash will be cleared. In-person research staff will retrieve hard copy data from locked storage space and shred.

De-identified data (data without and identifiers like names and contact information) will be kept indefinitely.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution. After downloading the data via the DOE’s secure FTP server or the Research Alliance for NYC School’s secure FTP server, identifiable electronic data will be stored on secure, encrypted server space allocated by NYU Steinhardt. Data will be accessible only to NYU research staff involved in this project via their NYU username and password. The server is only accessible to NYU staff who are granted access by their unique NYU ID. Login requires staff to enter their NYU account password and multi-factor authentication. The server is also only accessible using NYU’s network.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

New York University (NYU) (for NYC Partnership for Math Equity Project)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 3/20/2023 – 6/30/2025, extended to 12/31/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The goal of this study is to understand whether and how exposure to supplemental collaborative math activities enhances students' conceptual understanding of math, particularly for Black and Latinx students and students experiencing poverty. Amplify Desmos Classroom ("the platform") is a platform for learning and teaching mathematics and other subjects. The platform encourages diverse expression of student mathematical knowledge and extensive collaboration among students and between teachers and students. Teachers are able to determine the pacing of lessons, when to bring students together for discussion, what questions to pose, and what anonymized examples of student work to highlight to the class. The Amplify Desmos math curriculum is based on Illustrative Mathematics. For the Math Equity Partnership, a set of lessons aligned to the New York State Foundational Standards for grades 6-8 will be made available to teachers in approximately 50 schools. Teachers will implement these lessons during the 2023-24 school year in a variety of ways, including small-group and whole-class instruction, to provide students access to grade-level math content within an interactive and collaborative digital environment. Teachers will receive onboarding, ongoing virtual and in-person coaching, and micro-professional learning experiences (PLEs) embedded within the platform. We will conduct a mixed-methods exploratory study to understand how teachers use the supplemental lessons to support students' ability to articulate important math concepts and to foster a sense of joy, math belonging, and positive math identities. We hope to understand the range of ways teachers employ the supplemental lessons and how and whether the lessons support culturally responsive and sustaining math instruction, a core goal of NYC Public Schools' vision for mathematics.

Our research design involves teacher-level and student-level data generated and recorded on the Amplify Desmos online learning platform. Our understanding is that data generated and recorded on the Amplify Desmos platform is considered educational record data under FERPA. We understand that as an organization directly contracted by NYCPS to conduct studies on its behalf, PRE qualifies for an exemption to FERPA disclosure rules under 34 CFR § 99.31.

PRE has subcontracted with the Research Alliance for NYC Schools (RANYCS) to handle identifiable administrative and platform data. Upon NYCPS approval, Amplify will securely transfer student-level and teacher-level platform data to RANYCS. RANYCS will create a matched dataset including administrative data, following all data security procedures. PRE will submit data requests to NYCPS through the regular process and, upon execution of a non-disclosure agreement, receive de-identified data sets from RANYCS. Amplify has data-sharing agreements and an ERMA in place with NYCPS. PRE’s ERMA is in progress.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

New York University (NYU) (for Families' School Preferences and Principals' Perceptions of Competition in NYC)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 11/4/2024 – 07/31/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Our study involves the construction of preference-based measures of school competition in the high school admissions process. These measures require access to individual student high school applications, demographic, and test score data. Per NYC DOE policy, all individual-level data are considered PII.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies. The investigators plan to use data files currently held by the Research Alliance for New York City Schools. The RANYCS has agreed to host the data for this project (see attached letter from Cheri Fancsali). We will delete and/or destroy PII data files constructed for the project upon expiration or termination of the Agreement. (This includes responses to our proposed principal survey). However, raw data files held by RANYCS will be maintained by them under their ongoing data use agreement.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

New York University (NYU) (for Pedagogical Responsibilities and Practices in Mathematics Curricular Change)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 01/30/2025 – 06/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. This research project examines how math teachers collaborate when they are implementing a new math curriculum, how they understand their ethical responsibilities in implementing it, and how collaboration changes their classroom instruction. To study this, we are observing math teachers in their collaborative meetings and also in their classrooms. When we observe classrooms, we will see handwritten student work. Taking photographs of this handwritten student work will help us understand what teachers are basing their in-the-moment instructional decisions on. We will not keep original photographs with student handwriting in them; we will use researchers' handwriting or digital text to reproduce the student work and then delete the original photographs within one week.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Box.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

New York University (NYU) (for Exploring the Effects of Heterogeneous Grouping on English Learners’ Language, Reading Comprehension, and Social Network Development)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 01/31/2025 – 09/15/2028

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. This study investigates the effects of heterogeneous vs. homogeneous grouping for multilingual learners and their peers in fourth and fifth grade. Students were individually randomly assigned to either homogeneous or heterogeneous small groups and are receiving the CLAVES language and literacy intervention. Outcomes include reading comprehension, targeted language skills, and social network development. This data request is to describe the sample relative to the population of NYC Schools students and to collect data that can serve as pretest covariates and moderators. We also propose to collect additional outcome data when they are available (spring, 2023 ELA and NYSESLAT test scores).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor and using an Organization-owned and/or internally hosted-solution; i.e. NYU Box.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

New York University (NYU) (for Reading and Math Screeners in NYC: A Descriptive Analysis of Student Trajectories)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 03/21/2025 – 10/15/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. We hope to conduct descriptive and exploratory analyses to deepen NYCPS leaders’ understanding of the literacy and math progress of students at or below the 16th percentile on our citywide academic screeners, with particular attention to those scheduled for Tier 2 or 3 reading or math intervention programs. In particular, we plan to explore reading screeners, interventions, and progress for K-5 students, and math screeners, interventions, and progress, for grades 6-8. These descriptive analyses include exploring: 1) who is most likely to fall below the 16th percentile? 2) Which groups of students seem to be impacted most by the screeners and interventions? 3) How much do students who are screened and assigned to receive an intervention improve on average in both math and reading? 4) Which assessments seem to lead to the best improvements on student outcomes?

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

New York University (NYU) and Syracuse University (for Evaluation of American Museum of Natural History's Teacher Education Programs)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 04/1/2025 – 12/31/2029

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. This data will be used to analyze the impact of AMNH teacher training programs on student achievement. We have received this data for the past 10 years and AMNH programs have a relationship with DOE to provide professional development in science.

Type of PII that the Entity will receive/access: Student PII and Staff PII

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

New York University (for NEST Longitudinal Study)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 05/23/2025 – 06/30/2028

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. We will be conducting a longitudinal study that tracks Nest/Horizon students 3 years post-high school. The survey will include items from the Autistic Success survey, demographic questions, and survey questions from the National Longitudinal Transition Survey -2 on employment, education, housing, and community engagement, as well as items created for this project. The survey will also include items from NYCPS' annual survey of Nest and Horizon students. By combining items into a single survey, we are reducing burden on schools, staff and students. We will access school records for the graduates through the Research Alliance's archive of data from the NYCPS. This includes Individual student level school records from NYCPS - which includes a unique ID that we can use to match across data sources. It also includes student demographic data (gender, race/ethnicity), IEP status, graduation status, and is connected to national student clearinghouse and CUNY college enrollment and attainment data. Survey data stripped of students' names will be provided back to NYCPS through a secure file transfer to use for program improvement purposes.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

New York University (NYU) (for A Quasi-Experimental Study of Geodes)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 07/23/2025 – 01/30/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. We propose to examine students’ Acadience scores (BOY;MOY;EOY) in first grade classrooms which are using the Geodes materials in 2024-2025 compared to students’ Acadience scores (same 3 time periods) from the previous year (2023-2024). We hypothesize that students’ growth in reading fluency and comprehension will be significantly greater in 2024-2025 as a result of these curriculum materials.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Box.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

RAND Corporation (for An Experimental Evaluation of the Efficacy of Virtual Enterprises)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 09/6/2024 – 06/30/2030

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. RAND has been provided with a grant by the U.S. Department of Education to study the efficacy of the Virtual Enterprises program. RAND is collecting primary data and secondary data to gather evidence on the implementation of the Virtual Enterprises program, the career readiness and work-based learning experiences of students, student academic outcomes, and costs.

Student-level administrative data is essential to the study because it will provide us with comprehensive information on the demographics, course enrollment, academic achievement, and etc. for students in the district. Evidence from the study will provide NYC DOE District with critical evidence on its students and programs to inform the effective delivery of career and technical education.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Research Triangle Institute (RTI) (for High School and Beyond 2022, HS&B:22)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 9/15/2022 – 7/31/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The High School and Beyond 2022 (HS&B:22) study will be the sixth in a series of longitudinal studies at the high school level conducted by the National Center for Education Statistics (NCES), within the U.S. Department of Education. These studies play a critical role in education, providing a rich variety of data to answer questions about how students’ backgrounds and school experiences affect education and life outcomes. HS&B:22 is being conducted by RTI International under contract to NCES.

To identify which students will be invited to participate in HS&B:22, RTI will request a roster of students enrolled in ninth grade during the 2022-2023 in each participating school.

We will request a complete roster of all ninth-grade students, including key student characteristics, such as: name; ID number; month and year of birth; grade level; sex; race/ethnicity; and English Language Learner (ELL) status. As part of the roster collection, RTI will also request the following information for each student: student’s math teacher and math course information; and student’s parent and/or guardian name and contact information.

We will work with districts/schools that are unable to provide all of the information to obtain the key information allowable and needed for sampling. We will provide a sample template and instructions to upload rosters to the secure NCES website.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Student data are subject to strict protections that are adhered to by NCES and its contractor organizations. Unused roster information will be securely destroyed when no longer needed for the purposes specified in 34 CFR § 99.35. Due to the longitudinal nature of HS&B:22, sampled students are followed over an extended period of time (possibly into college and beyond).

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. NCES has a secure data transfer system, which uses SSL technology, allowing the transfer of encrypted data over the Internet. The NCES secure server will be used for all administrative data sources. All data transfers will be encrypted. HS&B:22 data files and systems that contain PII or direct identifiers will reside in RTI’s sophisticated FIPS Moderate VDI. This network operates as a separate structure within the overall RTI computing infrastructure to provide additional security for data and to encrypt all network traffic with Federal Information Processing Standards (FIPS) 140-2 verified encryption tools. RTI uses Microsoft SQL servers to store non-sensitive project information. User-level access to these servers for authorized users is controlled with the same credentials needed for network and file access within each of the RTI networks.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Social Science Research Council (for Data2Go.NYC)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 01/08/2025 – 06/30/2025, extended to 06/30/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Data2Go.NYC is an online tool that allows users to visualize where people in need are, what resources are available to assist them, where gaps exist, and how different factors interact to shape the choices and opportunities available to them. Data2Go.NYC brings together federal, state, and local data on human need, resources, and outcomes for New York City in a single curated source that is easily accessible to policymakers, advocates, foundations and philanthropists, community organizations, the media, and the general public.

In previous iterations, we have featured on-time high school graduation by student residential community district. We are working on a Data2Go.NYC update and would like to include updated on-time high school graduation by student Neighborhood Tabulation Area (NTA) in addition to by community district. Additionally, we plan to visualize other key academic indicators and outcomes, including student attendance and student test scores, also aggregated to the neighborhood-level based on student address of residence. In aggregating by student residential neighborhood rather than school, we hope to illuminate educational disparities that may otherwise be obscured by school choice policies.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Syracuse University (for The School Choice Policy Research Center - Improving Policy, Implementation, and Outcomes for Disadvantaged Students)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 04/01/2025 – 08/31/2028

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The study examines the impact of transportation options on school choice and student outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Teachers College, Columbia University (for Evaluating Robin Hood's Accelerating Student Success and Learning + Technology Fund Initiatives)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 9/15/2023 – 9/15/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. This data request is part of two related mixed-methods studies exploring three theories on how external school support organizations can build schools’ capacity to increase student learning. The Robin Hood Foundation funded external support organizations to provide NYC schools with services in alignment with each of the following three types of capacity building: first, increasing human capital by providing tutors for students; second, increasing human capital by providing teachers with professional development; and third, increasing technical capacity by providing teachers with high-quality instructional materials. The goal of the study is to understand the impacts of the Initiative-funded approaches and to determine where and how they work well in order to promote learning, improvement, and uptake of effective practices across NYC districts, schools, and support organizations. To do this, we will seek to answer the following research questions:

  • Do students who experience these Robin Hood-funded interventions gain more literacy and/or math skills compared to students who do not?
  • How do these effects differ across student characteristics, school contexts, intervention type, and implementation strategy?
  • How do schools (including school leaders, teachers, families, and RH partners) develop, implement, and experience these interventions?
  • How are these experiences related to impact?

The qualitative components of the study have been approved by the New York City Institutional Review Board under protocols 4066 and 4728.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

The Regents of the University of California, Berkeley Campus (for Understanding the Relationship Between Student-Teacher Ethnoracial Match and College Enrollment and Persistence in New York City)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: through 09/30/2029

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Limited evidence exists on whether having a teacher of the same race or ethnicity or a teacher of color in particular high school courses (e.g., English, math, science) predicts college course-taking and major in the related discipline. The potential relationship between student-teacher demographic match and college outcomes is particularly important to examine in two areas: first, in advanced course-taking (i.e., Advanced Placement (AP) and dual enrollment courses (DE)), and second, in the STEM disciplines. A second gap filled by this project is the relative lack of research on the connections between student-teacher demographic matching in high school and college outcomes in urban settings. Large urban districts are where the disparity between the racial composition of students and teachers is most severe: while nationwide approximately 50% of the nation’s students are of color, compared to 18% of the educator workforce (NCES, 2016), in large urban districts such as New York City, more than 85% of students are of color, compared to only 40% of the city’s teachers (Layton, 2015). The PII will allow us to link high school students to teachers and then look at their postsecondary outcomes.

Type of PII that the Entity will receive/access: Student PII and Staff PII

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

University of Chicago (for The Evolution of the Charter School Sector)

Type of Entity: Community Based Organization or Not-for-Profit

Contract/Agreement Term: 9/29/2022 – 9/29/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. I will be examining the evolution of the charter school sector in NYC and how quality has changed as the sector has expanded. My measure of quality will be calculated using student level test scores, which is why I need access to PII.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

University of Michigan (for Family Preferences and Curricular Differentiation of NYC High Schools)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 1/9/2023 – 1/9/2025, extended to 12/16/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. My objective is to study family preferences over the “theme” or academic focus of NYC high schools. There are two broader questions that I am interested in exploring, both focused on the implications of offering and explicitly categorizing academically-themed programs.

The first question is whether different preferences over academic theme by race, gender, income, or achievement lead to differential sorting into schools along these lines, and whether this sorting increases or decreases segregation. Observing the decisions each student makes on which schools to apply to, how to rank them, and whether to enroll, combined with school characteristics data, will enable me to infer how students weight various school characteristics in their decision. I will also be able to investigate how these preferences vary by student demographics.

The second question is whether students have better outcomes when they are matched to a school with their preferred academic theme, relative to schools of a different theme. I need individual-level data on student applications and outcomes to identify a student’s preferred school theme from their application, determine whether it matches the theme of the school they enroll, and link this information to their high school outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

University of Pennsylvania (for Summer Youth Employment Programs)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 03/21/2023 – 03/21/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Summer Youth Employment Programs (SYEPs) are programs, usually city-run and often decades old, which provide youth with paid work during the summer. These programs have been shown to have significant positive impact on important youth outcomes including criminality, incarceration, and mortality. However, previous work has not found consistent evidence of educational benefits of the programs. For example, while two studies found that the NYC’s SYEP generates small improvements in education outcomes (Leos- Urbel, 2014; Schwartz et al., 2015), a similar study did not replicate these results (Valentine et al., 2017). Evidence on school outcomes from other cities is also quite mixed (Davis and Heller 2017; Heller 2014; Modestino and Paulsen 2019). This research will evaluate whether a minor, inexpensive programmatic change could improve education outcomes for youth participants of SYEPs. We will evaluate how offering NYC SYEP participants personalized "letters of recommendation" (i.e., letters with supervisor feedback that can be shown to potential teachers or guidance counselors, included in college applications, or shown to future employers) affects their education outcomes. In addition, we will produce an updated evaluation of the effect that NYC SYEP has on education outcomes, since existing evaluations examine the program as it was implemented about a decade ago. Education outcomes obtained from the NYC Department of Education will be used to complete these evaluations.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

University of Pennsylvania (for Evaluating Priority Design in New York City High School Admissions)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 11/22/2024 – 12/31/2028

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. This study will use natural randomization of students to schools in the NYC centralized school choice match to investigate how the value-added, defined as the benefit that students receive from attending a particular school rather than an alternative in terms of improved academic outcomes, varies across different types of schools based on students' observable characteristics, including middle school GPA, standardized test scores, and free/reduced lunch status.

The study requires student level enrollment history and academic achievement to determine how school value-added depends on students' previous academic achievement. Demographic information will be used as controls in the statistical analysis, and to test for heterogeneity in value-added based on observable characteristics.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

University of Pennsylvania (for The Demographic Composition of New York City’s Gifted and Talented Program and Community Factors Associated with Program Participation; Measuring the Empirical Effects of the G&T program on Attendance and Academic Scores; Overlapped but Overlooked: Assessing Covariate Imbalance in Estimating Gifted and Talented Program Effects for Underserved Student Populations)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 05/28/2025 – 06/01/2029

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. This study examines how the demographic makeup of New York City's Gifted and Talented (G&T) program has evolved in response to policy changes over the past decade. Drawing on a decade of administrative data from NYC public schools, we investigate how these policy shifts have influenced participation rates by race, ethnicity, and socioeconomic status. We also assess how pandemic disruptions impacted G&T participation, particularly among historically underrepresented student groups. The reason for accessing student-level data is to aggregate students by demographics in the G&T program. This level of data gives us more fine-grained statistics with which to compare if the proportion of students in each ethnicity group was increasing or decreasing over time. By analyzing individual-level data, we can identify subtle shifts in representation that might be obscured in more generalized datasets and better isolate the effects of specific policy changes on different student populations. This research aims to inform ongoing discussions about creating more equitable identification processes for advanced academic programs. By analyzing the outcomes of different admissions approaches, our findings will help inform future policy decisions regarding how to identify and support gifted students while promoting educational equity across diverse communities.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Dropbox.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

University of Wisconsin – Madison (for Sorting, Commuting, and School Choice)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 8/20/2023 – 8/20/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The purpose of the study is to understand how families’ school application behavior is determined by where they live as well as how potential reforms on the school admissions rule determine where they live.

Thus, we request (1) students’ geocoded home address at the Census block level, (2) students’ school application list, and (3) de-identified id through we can merge home address and application.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Wellspring Consulting (for EC Student Outcomes Assessment)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 11/4/2024 – 11/4/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The data will be analyzed at the school level and by student academic profile. Outcomes from this analysis will be used to create a set of benchmarks that can be used for program management purposes across EC schools by school, grade level, and/or student profiles. The benchmarks will be used by the CUNY K-16 Initiatives Team and NYCPS Office of Student Pathways in regular work with EC schools.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Westat (for Early Childhood Longitudinal Study, Kindergarten Class of 2023-24 (ECLSK:2024))

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 11/15/2023 – 11/15/2028

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Early Childhood Longitudinal Study, Kindergarten Class, 2023-24 (ECLSK:2024) is a national study focusing on children’s development from birth through elementary school. Through child cognitive assessments, child height/weight assessments (select schools), and parent, teacher, and administrator surveys, ECLS-K:2024 will provide educators, families, researchers, and policymakers with important information that can be used to improve children’s educational experiences. ECLS-K:2024 is conducted by the National Center for Education Statistics of the U.S. Department of Education. Westat is the contractor responsible for the ECLS-K: 2024 sample design and data collection. As part of ECLS-K:2024, districts and schools are randomly selected for participation. Within participating schools, kindergarten students are randomly selected to participate. To select students, Westat will request kindergarten roster data for selected schools in early spring 2024. Parents of selected students will be invited to provide consent for their child to participate. For consented students Westat will request additional data to facilitate assessment administration, including the kindergarten type and time of day, home language, whether the child has an IEP, whether the child requires any testing accommodations, and teacher name and classroom of selected students.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor and using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Westat (For NYC Men Teach Evaluation)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 04/7/2025 – 12/31/2029

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The data we are requesting is for a subsample of NYC Men Teach participants and will include names and email addresses. The purpose of the request is to collect the information needed to administer a survey on participant experiences with the program.

Type of PII that the Entity will receive/access: Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Yale University (for Belief and Preference Identification in School Choice)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 3/23/2021 – 3/1/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. We intend to estimate and quantify the roles of students’ preferences and information about the schools, and beliefs about assignment chances, with regards to NYC’s centralized high school assignments. Student-level data is necessary to estimate the distribution of students’ preferences, information, and beliefs, and to link student-level characteristics to their application behavior and assignment outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Youth Communication (for Evaluation of SEL and CRE Programming on Student Outcomes and School Culture/Climate)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 12/10/2024 – 12/31/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Youth Communication is conducting a program evaluation for its SEL curriculum. The curriculum was used in one high school across grades 9 to 12 in Manhattan during the 2022-2023 school year; we are seeking data for the treatment school as well as comparison/control schools. We are analyzing school culture and climate improvement outcomes as well as social-emotional learning, academic achievement, and behavioral incidents using a pre/post analysis for students in the treatment school and those in the control schools. The data we are requesting includes attendance, Regents scores, course grades, 9th grade credit accumulation, graduation rates, and disciplinary data. We will also use publicly available data from the school culture and climate survey given annually to students and teachers. We will disaggregate and analyze data along lines of race, gender, age/grade, and socio-economic status. The results of this study will be provided to schools and DOE offices that are evaluating our SEL programs for future use. Highlights of the analysis will also be published on our website.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Zearn (for Impact of Zearn Math on Student Achievement in New York City)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 11/17/2023 – 11/17/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Student PII is used to match students to Zearn usage data and create comparable groups of consistent Zearn Math users and non-users, based on similar starting math and ELA assessment scores, grade, and a multitude of demographic factors. This facilitates the quasi-experimental method of Coarsened Exact Matching (CEM) that Zearn will use for this analysis, which enables the analysis to isolate the impact of Zearn Math on differences in students’ academic growth.Zearn seeks to partner with NYCDOE to analyze the effect of Zearn Math lesson completion on student achievement in math as measured by the New York State ELA and Mathematics Test assessments, as well as the iReady and MAP interim assessment tests. The analysis will assess the effect of Zearn Math on student math achievement, overall and by subgroup, using changes in scale scores and mobility between achievement levels. For this efficacy analysis, Zearn will use the quasi-experimental method of Coarsened Exact Matching (CEM) to create comparable groups of consistent Zearn Math users and non-users, based on similar starting math and ELA assessment scores, grade, and a multitude of demographic factors, in order to isolate the impact of Zearn Math on differences in students’ academic growth.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.