Research

American Institute for Research

1. The exclusive purposes for which PISI will be used: The PISI data collection will allow us to match student across data sets and to assess the impact of BARR on the three primary outcomes: (1) credit accumulation in core courses, (2) standardized assessment reading achievement, and (3) standardized assessment mathematics achievement. AIR will estimate program impacts using three-level hierarchical models, with students nested within schools, nested within regions. Each impact model will include student-level background characteristics (e.g., prior test score, gender, race, ELL status, special education status, free and reduced-price lunch eligibility), a treatment indicator, school level characteristics, and a set of regional dummy variables to account for the randomization blocks.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: All staff who will be working with data related to human subjects will have passed IRB certification. To protect confidential data, any identifiable variables, raw data, or derived variables will be stored on a secure data management site hosted by AIR. Access to this site will be limited to staff assigned to the project.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: After the study time period is complete, all data will be securely erased from hard drives using the PGP Whole Disk Encryption Shredder, that meets DoD 5220.22-M standards. If applicable, hard copy media will be destroyed by a cross cut or diamond cut shredder shall be used to ensure proper destruction beyond reconstruction/recognition. The AIR shredding service (containers are located in common work areas), may be used for high bulk requirements. Hard drives that include sensitive data that are designated for re-use by IT are sanitized as per NIST SP 800-88 Rev I. A "Certificate of Media Sanitization" will be provided to the project or client upon request.
   • NYC DOE additional information: The current agreement became effective starting on February 1, 2019 and remains effective through the period during which American Institute for Research possesses or otherwise is in control of covered protected information.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Participants have access to the AIR evaluation team at any time to discuss challenges and/or accuracy of the data that is collected. A meeting will be scheduled with the participant and the AIR evaluation team to discuss concerns regarding data collected and reported as needed. Lastly, all participants are given the option to decline to participate in the study.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: The requested PISI data will be stored on a secured server managed by the AIR evaluation team.

American Institute for Research 2

1. The exclusive purposes for which PISI will be used: The data requested here will be used in our analyses to understand factors that influence the impact of the TeacherRead intervention and will be reported through articles in peer-reviewed journals and research briefs. Specifically, HLMs will be used to compare the relative impacts of the TeacherRead conditions and the control condition on children's language/literacy skills long-term (end of K school year). For K language and literacy outcomes, we will estimate the TeacherRead impact at posttest by analyzing residualized gain. Note: We will need kindergarten placement of each study child to gather children's language/literacy skill data at the end of the K year. 
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: All project staff are briefed on the data security plan for the project and their responsibility to report data breaches or suspicious activities. AIR data users who access data in Azure are required to utilize two-factor authentication after confirmation of authentication using a strong 12-character password that meets AIR's password complexity requirement. AIR's company-issued laptops also have PGP AES encryption.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: Data will be archived to conform to AIR policy. Unless otherwise directed, hard-copy data will be shredded and destroyed 3 years after the life of the project; electronic records will be maintained for 10 years beyond the life of the project to comply with the grant requirement of the Institute of Education Sciences.
   • NYC DOE additional information: The current agreement became effective starting on February 18, 2020 and remains effective through the period during which American Institute for Research possesses or otherwise is in control of covered protected information.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: N/A - there is no student-specific data. Personally identifiable data will be stripped from any data collection materials so that only a study ID is used to identify participants. A crosswalk linking study IDs and personally identifiable information will be stored securely and separate from the data. Data will only be reported in the aggregate.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: Electronic project files will be stored in an AIR managed secure data portal hosted in the FedRAMP-certified Azure cloud. The AIR Project Director manages permissions to the file folders, in coordination with the IT Department, limiting access to project personnel with the "need to know." Permissions are updated quarterly per AIR’s corporate policy.

Association to Benefit Children

1. The exclusive purposes for which PISI will be used: To produce an aggregate annual report for ABC's project for the APR.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: Data are not shared.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: The data are destroyed.
   • NYC DOE additional information: The current agreement became effective starting on June 17, 2019 and remains effective until June 17, 2021, or through the period during which Association to Benefit Children possesses or otherwise is in control of covered protected information.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted:
   • Data Privacy Plan
     • Upon receipt of any data related to the project, ABC password protects the file
     • Participant identifying information are never shared
     • Each participant is identified by a unique number instead of names.
   • Data Security Plan
     • All of ABC's electronic data are stored on a file server.
     • Access on ABC's network is only through password-protected accounts.
     • The console for the server and every workstation is password protected.
     • The workstations automatically lock when not actively used and must be unlocked with the user's password.

Columbia University

1. The exclusive purposes for which PISI will be used: The data will be used to conduct a quantitative evaluation of the tutoring program administered by the Columbia University Tutoring and Learning Center. The intended audience for the findings are the Bill & Melinda Gates Foundation (program funder), other academics and universities planning to develop similar college/university-led Kl2 tutoring programs, and education practitioners interested in learning more about tutoring best practices.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: TLC staff with access to the data have been trained in data protection and security issues. 
3. When the agreement expires and what happens to P1Sl upon expiration of the agreement: Data that might be used in subsequent analyses or publications related to the project will be maintained in the secure locations below. Any other data will be deleted.
   • NYC DOE additional information: The current agreement became effective starting on January 25, 2019 and expired on January 25, 2021.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PlSI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: 
   • DIGITAL RECORDS: When we receive student record data for tutored students and the non-tutored matched sample from the NYC Department of Education, we will immediately uploaded these data to the SDE for storage and analysis. Ultimately, we will create a de-identified data set from these data using Stata. Data for the tutored students will be identified when we receive them, so we will created a coded spreadsheet with a link to the identifiers for these students. However, data for the non-tutored control group students will be de-identified when we receive them.
     • Student record data (including behavioral and free/reduced lunch status data) will be transmitted secure FTP server that will be set up for our research team by the NYCDOE per our request. Once received by our research team, the data will be stored on the Columbia University Secure Data Enclave (SDE). To protect students' confidentiality, their names and student ID numbers will be deleted from their educational records upon receipt from the DOE and replaced with a researcher assigned identification number. Only research personnel approved by the Columbia IRB and the NYCDOE IRB will have access to these data and the SDE.
     • We will store tutored students attendance data from tutoring sessions and their contact information provided on the attached Parent Permission Forms (or the attached Contact Info Survey) on Course Works for easy and secure access to this information. Only approved research personnel will be permitted to upload this information to Course Works and access the Course Works site.
   • AUDIO RECORDINGS OF INTERVIEWS: At the end of each group and individual interview, the research team will upload the audio recordings from the recording device to an encrypted USB drive and immediately delete the recordings from the recording device. The encrypted USB drive will then be hand delivered to the Columbia University Secure Data Enclave (SDE) administrator so that the recordings can be uploaded to the SDE for transcription and analysis. These audio files will be kept indefinitely. 
   • CONSENT/ASSENT/PERMISSION FORMS: The consent, assent, and parent permission forms require that study participants (or their parents) print their names, which is a direct identifier. All hard copies of these forms will be stored in a locked file cabinet in a locked office at the Columbia University Tutoring and Learning Center headquarters. Only project staff listed on this protocol will have access to this locked file cabinet and these forms. These forms will be kept indefinitely.
   • STUDENT AND TUTORS SURVEYS: Surveys do NOT require students or tutors to print their names of other identify information. This surveys are completely anonymous. All hard copies of these surveys will be stored in a locked file cabinet in a locked office at the Columbia University Tutoring and Learning Center headquarters. Only project staff listed on this protocol will have access to this locked file cabinet and these forms. These forms will be kept indefinitely.
   • SECURING HARD COPIES BEFORE AND DURING TRANSPORT: Researchers will store hard copies of all study documents in a locked file tote during study procedures and during transport back to the Columbia University Tutoring and Learning Center headquarters.

DAH Consulting, Inc.

1. The exclusive purposes for which PISI will be used: Evaluation of 21st CCLC program at schools identified.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: All employees, persons, etc. have an NDA with DAH which indicates that they will abide by data protection and security guidelines established by the organization.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: After 5 years when study ends we will destroy research records remembering to protect participants' confidentiality throughout the process. Paper records will be shredded and recycled, instead of carelessly tossed in the garbage. Records stored on computer hard drive should then be erased using commercial software applications designed to remove all data from the storage device.
   • NYC DOE additional information: The current agreement became effective starting on December 4, 2018 and remains effective through the period during DAH Consulting, Inc. possesses or otherwise is in control of covered protected information and no later than December 4, 2025.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: We intend to use minimal-identifier data as often as possible and minimize risk by maximizing work "within network".

Other controls will be to manage release of identifier-data at source/ identification of a "Gatekeeper" and tracking data releases using an approval process and documenting and creating logs.

We will also remove all personally identifying information from data, replacing identifiers with a new unlinked, identifier, which cannot be associated with an individual study participant.

NYC DOE Additional Information: Certain portions of this response have been redacted to protect the privacy and/or security of data and/or technology infrastructure.

ExpandED Schools

1. The exclusive purposes for which PISI will be used: ExpandED Schools will link together data from various data sources (test scores, report card grades, attendance, m1d demographics). We will then strip the data file of all student-identifiers before conducting analyses. All state-mandated analyses are reported in the aggregate. ExpandED Schools will conduct descriptive analysis of the proportion of students within the individual programs hitting each of the 2 IC targets outlined previously (i.e. what proportion are proficient in Math or ELA, what proportion have met the required attendance rate), as well as an examination of whether there have been positive changes in academic and social emotional outcomes based on self-report survey data. Ratings from the Out-of-School Time Observation Tool will be shared with after-school programs along with a narrative report that provides qualitative observations and recommendations from the site visit. Intended audiences include program managers, site coordinators, CBO and School staff members, NYSED, and 21st CCLC state evaluator.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: All data that is sent to external partners or entities will be de-identified and aggregated at the program or school level.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: After seven years, data will be destroyed. All electronic data files will be purged while all paper files will be shredded using ExpandED Schools' secure data shredding system.
   • NYC DOE additional information: The current agreement became effective starting on December 4, 2018 and remains effective through the period during which ExpandED Schools possesses or otherwise is in control of covered protected information, not to exceed seven years.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: Hard copy data will be stored in locked cabinets. Digital data is stored on our secure servers and in secure electronic files.

ExpandED Schools 2

1. The exclusive purposes for which PISI will be used: All data collected and used as part of the 21CCLC program is for the purposes of program evaluation and continuous improvement. Analysis of data allows for the targeting of individualized supports to sites. Unit-level data are never shared; results are always presented in aggregate. Data is always suppressed for groups where the sample size is less than five (5) individuals.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: ExpandED Schools will not share data that is provided by the NYC DOE with parties outside of the organization. For data not under the purview of this NDA (e.g. student-level afterschool program attendance data housed in DYCD online), our process is to enter into a Memorandum of Understanding with the organization that clearly outlines the data regulations required.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: After five years of receipt of data, they will be destroyed/wiped clean from our server.
   • NYC DOE additional information: The current agreement became effective starting on July 2, 2020 and remains effective through the period during which ExpandED possesses or otherwise is in control of covered protected information.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: All protected information collected by ExpandED is stored in the United States on ExpandED’s servers. Further, data is only accessible to members of the ExpandED Research Team. As stated previously, unit-level data are never shared; results are always presented in aggregate. Data is always suppressed for groups where the sample size is less than five (5) individuals. All data is stored electronically on ExpandED’s servers. All communication to the file server is encrypted.

Fordham University

1. The exclusive purposes for which PISI will be used: The data requested will be used exclusively for research purposes to investigate linkages between sleep and academic outcomes among participants in our study. All data will be de-identified for analyses and data will be reported in the aggregate. At no point will an individual child's data be shared in an identifiable manner.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: All members of our research team have successfully completed the CITI human subjects training and understand the importance of keeping the data confidential. The principal investigator and the lab manager monitor data protection regularly.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: Data will be destroyed upon expiration of the agreement.
   • NYC DOE additional information: The current agreement became effective starting on January 24, 2019 and remains effective through the period during which Fordham University possesses or otherwise is in control of covered protected information.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: The data are stored in a secure network as part of Fordham University's institutional network. Only members of our research team have access to the data files and access is routinely monitored and updated as personnel changes occur among the research team.

Impact Development & Assessment

1. The exclusive purposes for which PISI will be used: To manage the data that is used to assess the effectiveness of the HMI OST program, and make program adjustments and maintain successes accordingly. PISI are transformed into code numbers, which are connected to data, so there is no threat of identifiable data being linked to data. Where permissible, and through separate agreements, findings may be shared as part of grant submissions or aggregated results in academic publications or conferences to help improve the field. In those cases, all identifying information will be removed.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: They will complete training and provide signed documentation indicating that they will act in alignment with the ethics of the IRB, Impact and the BOE regarding PISI and all data.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: These data will be deleted and therefore destroyed.
   • NYC DOE additional information: The current agreement became effective starting on December 4, 2018 and remains effective through the period during which Impact Development & Assessment possesses or otherwise is in control of covered protected information.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the recipient will work with the NYC BOE in processing challenges to the accuracy of student data in the custody of the recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: These data will be stored in a secure cloud-based storage system that is password protected. Only the research team will have access to these files. Materials will be kept for three years after study completion, and then may be destroyed. Each participant will be linked with a code. The document with participant information will be stored in a password protected file on the recipient's password protected computer.

Impact Development & Assessment 2

1. The exclusive purposes for which PISI will be used: To manage the data that is used to assess the effectiveness of the l-lI\11 OST program, and make program adjustments and maintain successes accordingly. PISI are transformed into code numbers, which are connected to data, so there is no threat of identifiable data being linked to data. Where permissible, and through separate agreements, findings may be shared as part of grant submissions or aggregated results in academic publications or conferences to help improve the field. In those cases, all identifying information will be removed. 
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: They will complete training and provide signed documentation indicating that they will act in alignment with the ethics of the IRB, Impact and the BOE regarding PISI and all data.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: These data will be deleted and therefore destroyed.
   • NYC DOE additional information: The current agreement became effective starting on June 17, 2019 and remains effective through the period during which Impact Development & Assessment possesses or otherwise is in control of covered protected information.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the recipient will work with the NYC BOE in processing challenges to the accuracy of student data in the custody of the recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: These data will be stored in a secure storage facility on-site at the Impact office. Since all Impact staff are IRB certified, they are equipped to handle data ethically. Only the research team will have access to these files. Materials will be kept for three years after study completion, and then may be destroyed. Each participant will be linked with a code. The document with participant information will be stored in a password protected file on the recipient's password protected computer.

L&G Research and Evaluation

1. The exclusive purposes for which PISI will be used: PISI will be used to conduct an outcome evaluation to determine the extent to which 21st CCLC. Programming impacted students’ academic performance as measured by report card grades, test scores, and school day attendance. Recipients of the Round 7 21st CCLC grant are required to report the results of this outcome evaluation annually to New York State Education Department.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: L&G Research and Evaluation Consulting, Inc. (L&G) will not share any raw student datasets or identifiable data received from NYC DOE with any entity. The data will be analyzed and reported in aggregate only. L&G will abide by all protection and security requirements by ensuring that data is received on an FTP server that enables full encryption.
3. When the agreement expires and what happens to P1Sl upon expiration of the agreement: The data will be destroyed after being kept for three years. All files downloaded to password-protected computers and SPSS or STATA databases will be permanently deleted using an overwrite utility that makes the file unrecoverable. Any paper copies of data will be shredded with a professional grade shredder. We will also submit the Certificate Records of Disposal.
   • NYC DOE additional information: The current agreement became effective starting on June 22, 2020 and remains effective through the period during which L&G Research and Evaluation possesses or otherwise is in control of covered protected information.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. Pursuant to its contractual obligations, L&G Research and Evaluation Consulting, Inc. will work with the NYC DOE, in processing challenges to the accuracy of any student data that is collected following protocol established for handling such challenges.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: We are requesting that all student data is transferred to L&G via a secure FTP site, Filezilla Pro solution, which enables full encryption. The datasets will then be downloaded to password protected computers only accessible by the L&G research staff. In order to further protect students' anonymity students will be assigned a unique identification number so that all identifiers (OSIS number, date of birth, names, etc.) can be removed from datasets stored on computers.

L&G Research and Evaluation 2

1. The exclusive purposes for which PISI will be used: PISI will be used to conduct an outcome evaluation to determine the extent to which 21st CCLC
   • Programming impacted students’ academic performance as measured by report card grades, test scores, and school day attendance. Recipients of the Round 7 21st CCLC grant are required to report the results of this outcome evaluation annually to New York State Education Department.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: L&G Research and Evaluation Consulting, Inc. (L&G) will not share any raw student datasets or identifiable data received from NYC DOE with any entity. The data will be analyzed and reported in aggregate only. L&G will abide by all protection and security requirements by ensuring that data is received on an FTP server that enables full encryption.
3. When the agreement expires and what happens to P1Sl upon expiration of the agreement: The data will be destroyed after being kept for three years. All files downloaded to password-protected computers and SPSS or STATA databases will be permanently deleted using an overwrite utility that makes the file unrecoverable. Any paper copies of data will be shredded with a professional grade shredder. We will also submit the Certificate Records of Disposal.
   • NYC DOE additional information: The current agreement became effective starting on June 22, 2020 and remains effective through the period during which L&G Research and Evaluation possesses or otherwise is in control of covered protected information.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • Pursuant to its contractual obligations, L&G Research and Evaluation Consulting, Inc. will work with the NYC DOE, in processing challenges to the accuracy of any student data that is collected following protocol established for handling such challenges.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PlSI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: We are requesting that all student data is transferred to L&G via a secure FTP site, Filezilla Pro solution, which enables full encryption. The datasets will then be downloaded to password protected computers only accessible by the L&G research staff. In order to further protect students' anonymity students will be assigned a unique identification number so that all identifiers (OSIS number, date of birth, names, etc.) can be removed from datasets stored on computers.

Laurus Grant-Writing and Evaluation Services

1. The exclusive purposes for which PISI will be used: PISI will be used to conduct an outcome evaluation to determine the extent to which 21st CCLC. Programming impacted students’ academic performance as measured by report card grades, test scores, and school day attendance. Recipients of the Round 7 21st CCLC grant are required to report the results of this outcome evaluation annually to New York State Education Department.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: L&G Research and Evaluation Consulting, Inc. (L&G) will not share any raw student datasets or identifiable data received from NYC DOE with any entity. The data will be analyzed and reported in aggregate only. L&G will abide by all protection and security requirements by ensuring that data is received on an FTP server that enables full encryption.
3. When the agreement expires and what happens to PISl upon expiration of the agreement: The data will be destroyed after being kept for three years. All files downloaded to password-protected computers and SPSS or STATA databases will be permanently deleted using an overwrite utility that makes the file unrecoverable. Any paper copies of data will be shredded with a professional grade shredder. We will also submit the Certificate Records of Disposal.
   • NYC DOE additional information: The current agreement became effective starting on June 22, 2020 and remains effective through the period during which L&G Research and Evaluation possesses or otherwise is in control of covered protected information.
4. I f and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. Pursuant to its contractual obligations, L&G Research and Evaluation Consulting, Inc. will work with the NYC DOE, in processing challenges to the accuracy of any student data that is collected following protocol established for handling such challenges.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: We are requesting that all student data is transferred to L&G via a secure FTP site, Filezilla Pro solution, which enables full encryption. The datasets will then be downloaded to password protected computers only accessible by the L&G research staff. In order to further protect students' anonymity students will be assigned a unique identification number so that all identifiers (OSIS number, date of birth, names, etc.) can be removed from datasets stored on computers.

Massachusetts Institute of Technology

1. The exclusive purposes for which PISI will be used: Using PISI, we will evaluate the implementation and consequences of the NYCDOE school assignment mechanism. We will additionally explore the effects of alternative assignment schemes on various outcomes (e.g., diversity).
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: All researchers are under the supervision of Principal Investigator Parag Pathak. All researchers have completed CITJ human subjects research training and are familiar with the data security protocols for this project.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: All PISI will be destroyed when the research is completed or when the agreement is terminated, whichever is first. Where allowed, SEII will keep aggregate data indefinitely to permit replication of the research results. An IT administrator will securely wipe all data following industry best practices. After files are destroyed, SEII will return any required affidavit(s) of destruction to the data provider.
   • NYC DOE additional information: The current agreement became effective starting on September 11, 2019 and remains effective until September 11, 2021, or through the period during which The Massachusetts Institute of Technology possesses or otherwise is in control of covered protected information.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: Data will be stored in a secure computing environment managed by MIT Economics. Access to the data is restricted to authorized members of the research team. MIT's program manager or assistant director grant access to the data after adding them to the project IRB protocol. Researchers are prohibited to download PISI-containing datasets to their personal desktops. All data will be encrypted using industry standard algorithms.

Mathematica Policy Research

1. The exclusive purposes for which PISI will be used: The YCC grant program is authorized under Section 414(c) of the American Competitiveness and Workforce Improvement Act of 1998, as amended (29 USC 2916a). As a condition of receiving a YCC grant, each YCC grantee must participate and fully cooperate in the YCC evaluation by providing the independent evaluation contractor, Mathematica, with information on and access to program records, student records, and information on YCC participants collected as part of DOL performance measurement. In addition, DOE has reserved the right to award a follow-on contract for Mathematica to continue to track employment and post-secondary outcomes for students in YCC grantee school districts to determine long-term outcomes of the program ("YCC Follow-On Evaluation"). PISI will be used as required for the YCC evaluation and the YCC Follow-on Evaluation.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: To safeguard the confidentiality and integrity of all information and data received, to place limitations on its use, and to maintain compliance with all privacy laws, Mathematica requires all evaluation staff to comply with the data security and confidentiality requirements set forth in the Memorandum of Understanding and Non-Disclosure Agreement. In addition, Mathematica will limit access to PISI to members of the study team performing duties necessary for the YCC evaluation and YCC follow-on evaluation.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: The agreement expires when the PISI received are no longer needed for the YCC evaluation and YCC follow-on evaluation, the latter of which is anticipated to end in 2030, unless terminated earlier or extended by agreement of Mathematica and NYC DOE. When the agreement expires, Mathematica will destroy all confidential data obtained under the agreement and will confirm the destruction in writing. All files containing confidential data will be erased or overwritten using Eraser software.
   • NYC DOE additional information: The current agreement became effective starting on November 1, 2018 and remains effective through the period during which Mathematica Policy Research possesses or otherwise is in control of covered protected information.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its obligations under its Non-Disclosure Agreement, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted:  Data will be transmitted using a secure File Transfer Protocol (FTP) site, which is owned and operated by Mathematica Policy Research. Data will be stored on a Mathematica owned and operated project specific, access-controlled network folder. The storage device is encrypted at rest is protected by the Mathematica network firewall. Anti-malware and host-based intrusion detection/prevention are installed on all servers and storage devices.

MDRC

1. The exclusive purposes for which PISI will be used: For the purposes of the Impact Evaluation of Academic Language intervention a research study assessing the impact of an academic language program on student language and reading skills funded by the U.S. Department of Education (Contract No. ED-IES 15-C-0050) and led by MDRC a nonprofit research organization.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: All data protection and security requirements of this Agreement will be included in contractual vehicles with any subcontractors, persons or entities with which MDRC may share the student data or teacher or principal data.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: After the final report has been finalized, MDRC is required to create a restricted-use file under the terms of its funding agreement with the U.S. Department of Education. The restricted use file will be stripped of all individual, school, and district identifiers and will be available only to qualified researchers who agree to the confidentiality and data security requirements established by the U.S. Department of Education. After this file is created, MDRC will destroy the identifiers.
   • NYC DOE additional information: The current agreement became effective starting on December 6, 2018 and remains effective through the period during which MDRC possesses or otherwise is in control of covered protected information, which will be no later than December 26, 2021.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: PISI will be stored in MDRCs secure data environment as described in Attachment B.[NYC Additional Information: Attachment B refers to the section of the written agreement that details data security protocols.]

Measurement Incorporated

1. The exclusive purposes for which PISI will be used: MI uses PISI for performing data analyses required for federal and state reporting on the progress of LIU's NYGEAR UP grant. The PISI allows us to ensure that data are accurate (no duplicate students). PISI (name and DOB) are also collected to verify college enrollment in the 7 year of the grant--a federal requirement. PISI are not identified in reports.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: All subcontractors to MI are bound by NDA. Data transfer will occur through secure FTP and data will be encrypted.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: The agreement expires December 2021 when the grant ends. PISI and the NYGEAR UP database will be archived in a secure electronic data warehouse for 7 years which is the industry standard timeframe. However, upon the expiry of the agreement, we will ask NYCDOE and LIU for authorization for data disposal.
   • NYC DOE additional information: The current agreement became effective starting on July 7, 2020 and remains effective through the period during which Measurement Incorporated possesses or otherwise is in control of covered protected information.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYCDOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: For the duration of the NYGEAR UP grant, PISI are housed in a secure, password-protected data base on the MI server and encryption occurs whenever data are transferred through FTP. There are 15 separate firewalls to provide layered and redundant protection against internal and external threats. They use statful packet inspection, port blocking, proxying, etc. MI regularly deploys software that detects, removes and destroys viruses, and spyware.

Metis Associates

1. The exclusive purposes for which PISI will be used: In order to make meaningful calculations in descriptive and inductive statistics between program participation and school performance, we will need to use personally identifiable student information for some projects.
   • All data will be reported in aggregate. No data will be reported for groups or sub groups with Ns less than five (5) or where identity of individual students may be easily ascertained. Final reports including explanations of methods, analyses, results and interpretations will be submitted to client.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: Only data analyst will have access to the data collected from the Department of Education. No identifiable individual data will be reported, released or otherwise made public every reasonable precaution will be taken by all personnel to assure that no data are reported or released in a form that enables the identification of individual information, except where the affected individuals and agencies give their express consent to the release or reporting of such information.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: All analytical data files in conjunction with this project will be archived for no more than three (3) years after the conclusion of the study. At the end of the project life, data will either be offered back to the originating agency or destroyed in compliance with the policies of the originating agency.
   • NYC DOE additional information: The current agreement became effective starting on February 12, 2019 and remains effective through the period during which Metis Associates possesses or otherwise is in control of covered protected information, which will be no later than February 12, 2022.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: To the best of its ability, Metis will work with the DOE to process any challenges to the accuracy of DOE data that have been released to, or are still in Metis's possession.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: Every reasonable precaution will be taken by all personnel and consultants to assure that no data are reported or released in a form that enables the identification of individual information. To further ensure protection of the rights and welfare of human subjects, a standard data handling procedures that ensure the security and confidentiality of all evaluation data. All data are maintained on a Microsoft SQL Server, and all confidential data files are securely stored using an identification system known only to the firm's senior management. All backup data files when not in use are maintained in a locked facility. Unless consent is specified by the originating agency, raw unit record data are never released to clients, nor are any data that would contain information that could possibly link analysis results to individuals.

Montefiore Medical Center / Albert Einstein College of Medicine

1. The exclusive purposes for which PISI will be used: This data collected on an annual basis will support the evaluation of the wellness efforts aimed at improving fitness and weight management over time. The data requested from the NYC DOE will include: 1) Student ID and Name - data will be used to support data matching efforts: 2) Student Demographic data - data will be used to provide descriptive data on the cohort of students that undergo the health screening including grade, gender, ethnic, and age distribution; 3) FITNESSGRAM DATA - data will provide fitness, BMI and BMI Percentile information of students at baseline and then annually; 4) State Math, Science, Social Studies and ELA scores and GPA dataset data will provide information about school performance; and 5) Student Attendance -data will provide information about school attendance.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: We will ensure that all hard copy records and consents and electronic data are securely stored to prevent unauthorized access, disclosure, or loss. Data collected from the different sources will be merged into a single de-identified dataset created as an excel file by research staff and will require a login and passcode for access. All subjects will be identified by a Study ID. All requested data is being collected electronically and will only be accessible via login and password access. 
3. When the agreement expires and what happens to PISI upon expiration of the agreement: Data will be stored securely for at least seven years after completion of the project, or publication of the research, whichever comes last. Following the 7-year minimum requisite time for data to be stored following data acquisition and the publication of study findings, all electronic files will be discarded electronically.
   • NYC DOE additional information: The current agreement became effective starting on December 14, 2018 and remains effective through the period during which Montefiore Medical Center / Albert Einstein College of Medicine possesses or otherwise is in control of covered protected information, not to exceed seven years from the end of the study.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Yes, in this instance I will work with the NYC DOE as needed to process challenges to the accuracy of student data in my custody.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: All parental consents will be kept in a locked cabinet in the PIs office. All Electronic data will be saved on the PIs computer which is password protected, encrypted, and which has anti-virus controls, firewall configuration, and scheduled and automatic backups to protect against data loss. Transmission of data will occur using the FTP server which is password protected.

New York University

1. The exclusive purposes for which PISI will be used: These data are instrumental to understanding children’s baseline characteristics in our sample. These data will allow us to (1) control for baseline characteristics when we run our impact models (i.e. covariates in our models), (2) describe the sample and test baseline equivalence across treatment and control groups, (3) define key subgroups for subgroup impact analyses, and (4) examine the extent to which Cohorts 1 and 2 differ in terms of student demographic composition. Furthermore, we believe the child level variables we’ve requested will allow us to examine the extent to which the sample is representative of the broader NYC Pre-K for All population as well as characterize our sample in relation to the broader Pre-K literature.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: First, all of the Authorized Users associated with the Project have been CITI trained, fingerprinted by the NYC DOE, trained in their responsibilities under applicable confidentiality laws, and understand the privacy and data security obligations of the NDA/DUA Agreement. Second, we will limit the number of research personnel with access to the PISI before it is stripped of its identifiers and names are replaced with research IDs. Third, in the event of a breach of confidentiality, Authorized Users know the protocol to immediately advise the BOE at RPSGresearch@schools.nyc.gov and notify the appropriate NYU personnel.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: Once data are downloaded, names and any other identifying information will be replaced with a unique research ID number. The list linking names and research IDs will be kept separate from the data (so that datasets for analysis will be de-identified) and accessible only by research personnel. Four years after all follow-up data collection efforts on these participants have been completed, the list linking names and research IDs will be destroyed.
   • NYC DOE additional information: The current agreement became effective starting on July 28, 2020 and remains effective through the period during which New York University possesses or otherwise is in control of covered protected information. which will be no later than July 27, 2028
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: This item is not applicable to this study because the parties listed above will not have access to student data collected. Any reporting on this data will not include PISI.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: The Project will designate computers located in the Project’s secure lab space that will have access to the encrypted server space allocated by NYU Steinhardt. Per the DOE IRB’s request, we will not store data on a cloud-based sever (e.g. Box). After downloading the PISI data via the DOE’s secure FTP server or the Research Alliance for NYC School’s secure FTP server (determined at the BOE’s discretion), identifiable electronic data will be stored on the afore mentioned secure, encrypted server space allocated by NYU Steinhardt. PISI will be accessible only to NYU Authorized Users involved in this Project via username and password.

OneSight

1. The exclusive purposes for which PISI will be used: For academic research purposes, OneSight will compile data pre & post clinic and then de-identify the data. The de-identified data will be shared with SUNY for the purposes of analyzing. Analysis will focus on the impact that providing follow-up vision care at school (comprehensive eye exam and glasses if needed) has on academic performance of students referred for care.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: We will de-identify data prior to sharing with any other entity. SUNY who receives the de-identified data set also has an NDA and will abide by security and privacy protocols. 
3. When the agreement expires and what happens to PISI upon expiration of the agreement: Pursuant to its contractual obligations (section 7), the Recipient will surrender or destroy data.
   • NYC DOE additional information: The current agreement became effective starting on July 16, 2019 and remains effective through the period during which OneSight possesses or otherwise is in control of covered protected information, which will be no later than July 16, 2021.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: Pursuant to its contractual obligations (section 6), the Recipient will, at all times, have data stored in password protected or encrypted files and utilizing compliant data storage in accordance with this agreement. Patient/Clinic data will be stored in a HIPAA compliant database, other data will be only accessed by approved research project personnel and will be saved in encrypted/password protected files and/or shared via encrypted/FTP file sharing processes.

Owens Consulting Inc.

1. The exclusive purposes for which PISI will be used: PISI will only be used in aggregated form to conduct statistical analyses and generate descriptive data summaries.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: All subcontractors, persons or entities employed by Owen Consulting have been trained to work with PISI and have years of experience working with DOE data and are knowledgeable on data protection and security issues. Additionally they signed confidentiality agreements with Owen Consulting Inc.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: All PISI will be deleted once the agreement expires.
   • NYC DOE additional information: The current agreement became effective starting on January 25, 2019 and remains effective through the period during which Owens Consulting Inc. possesses or otherwise is in control of covered protected information.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with Columbia TLC staff and the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. 
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: PISI stored in a secured FTP site, managed by the NYC DOE, and accessible to only project managers. In addition, PISI imported into Excel or SPSS will be password encrypted and stored on a password-protected computer that is only accessible by individual staff members affiliated with the project.

Owens Consulting Inc. 2

1. The exclusive purposes for which PISI will be used: PISI will only be used in aggregated form to conduct statistical analyses and generate descriptive data summaries.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: All subcontractors, persons or entities employed by Owen Consulting Inc. have been trained to work with PISI and have years of experience working with DOE data and are knowledgeable on data protection and security issues. Additionally they signed confidentiality agreements with Owen Consulting Inc.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: All PISI will be deleted once the agreement expires.
   • NYC DOE additional information: The current agreement became effective starting on June 12, 2019 and remains effective through the period during which Owens Consulting Inc. possesses or otherwise is in control of covered protected information.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations the Recipient will work with Zone 126 and the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: PISI stored in a secured FTP site, managed by the NYC DOE, and accessible to only project managers. In addition, PISI imported into Excel or SPSS will be password encrypted and stored on a password-protected computer that is only accessible by individual staff members affiliated with the project.

Public Works Partners

1. The exclusive purposes for which PISI will be used: PISI will only be used for interim purposes during analysis – to determine arts courses available to students and number of arts teachers at each school – and PISI will not be referenced in the final report.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: Public Works staff members are required to utilize Public Works' internal server. All access to server and company computers is encrypted and protected with a password and two-factor authentication to prevent unauthorized access. Data will be transmitted only using this server. Provisions will be added to the subcontractor's agreement requiring deletion of the student-level data by August 31, 2019, upon completion of the research project.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: This agreement expires on March 19, 2021. All data will be deleted from Public Works Partners' servers upon completion of the analysis by August 31, 2019, prior to expiration of the agreement.
   • NYC DOE additional information: The current agreement became effective starting on March 19, 2019 and remains effective through the period during which Public Works Partners possesses or otherwise is in control of covered protected information, which will be no later than August 31, 2019.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: The data will be stored on Public Works' encrypted server. All access to server and company computers is encrypted and protected with a password and two-factor authentication to prevent unauthorized access. Data will be transmitted only using this server. Provisions will be added to the subcontractor's agreement requiring deletion of the student-level data by August 31st, 2019, upon completion of the research project.

Philliber Research 1

1. The exclusive purposes for which PISI will be used: To produce an aggregate annual report for ABC.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: Data will not be shared with anyone outside of ABC or Philliber Research & Evaluation.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: The data is destroyed. 
   • NYC DOE additional information: The current agreement became effective starting on December 4, 2018 and remains effective through the period during which Philliber Research possesses or otherwise is in control of covered protected information, which will be no later than September 30, 2022.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: Data are stored on a file server.
   • Access is only through password-protected accounts.
   • The console for the server and every workstation is password protected.
   • The workstations automatically lock when not actively used and must be unlocked with the user's password.
   • The server does not have remote-control software.

Personal identifying data are encrypted and the password is available only to the lead evaluator, Scott Herrling.

Philliber maintains user accounts that conform to the following requirements:

• Each user has a unique user-ID and password.
• The passwords are a computer generated mix of numeric, lower case alphabetic, upper case alphabetic, and symbol characters.
• The passwords are changed at regular intervals.
• There are no multi-user passwords.

Philliber will destroy all identifying information when the project is completed in September 2022. There will be no record of who participated in the study and no ability to link any information to individuals.

Philliber Research 2

1. The exclusive purposes for which PISI will be used: We plan to use this to look at comparison data (ex. Girls Inc. Middle School and High School girls who are Black or Hispanic). Aggregated data for the schools in the program will be compared with citywide averages for this subgroup.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: We only report aggregate data in a program evaluation report.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: There are no hard copies of data, therefore files will be deleted after three years.
   • NYC DOE additional information: The current agreement became effective starting on January 29, 2019 and remains effective through the period during which Philliber Research possesses or otherwise is in control of covered protected information, which will be no later than January 29, 2022.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted:

Philliber Research & Evaluation has always made a concerted effort to maintain the security of the data we collect and analyze. For almost twenty-five years we have maintained data files about people who are HIV+ or engaged in activities they would not want made known to the public. We have never experienced a breach of security.

PowerMyLearning

1. The exclusive purposes for which PISI will be used: PISI will be used to determine the impact the Family Playlist program has on select students' Math achievement scores.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: Individual student data will only be accessible to a small number of PowerMyLearning staff directly responsible for the initial matching and analysis of the data. We will ensure that these staff members are aware of data protection and security requirements around storage and use of data. Data will not be shared with other PowerMyLearning staff or external persons such as teachers or principals. The analysis results may be shared externally but will not contain any identifiable information. 
3. When the agreement expires and what happens to PISI upon expiration of the agreement: Identifiable information will be deleted from all servers upon expiration.
   • NYC DOE additional information: The current agreement became effective starting on January 31, 2019 and remains effective through the period during which PowerMyLearning possesses or otherwise is in control of covered protected information.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: The data will be stored on a cloud based service (box.com). Every file is maintained and encrypted using AES 256-bit encryption. The files will only be accessed by Power My Learning staff with the appropriate credentials.

RAND Corporation

1. The exclusive purposes for which PISI will be used: PISI will inform our evaluation of the OBD initiative and allow Recipient to test whether the initiative is having a positive impact on student outcomes. Recipient will test the effect of the initiative on measures of student learning, attainment, and socio-emotional skills, using a matched comparison group design.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: Recipient will not share student, principal, or teacher data with subcontractors.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: Recipient will destroy the data.
   • NYC DOE additional information: The current agreement became effective starting on January 24, 2020 and remains effective through the period during which RAND Corporation possesses or otherwise is in control of covered protected information.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: To ensure data security, PISI will be encrypted and stored on password protected, encrypted RAND computers and servers, accessible only to project staff. Recipient will assign each participant a study identifier and maintain a link file. Access to the link file will be restricted to a research team member who de-identifies student data upon receipt. All analysis files will include only study IDs.

SportUp

1. The exclusive purposes for which PISI will be used:
   1. Connect the academic/outcome data to interest-based program participation
   2. Review program participants data 'in-season' vs. 'out of season' (when kids were in afterschool programs vs. outside of program)
   3. Compare academic data between program participants vs. non program participants
   4. Be able to track high school graduation rates for program participants - this will be longitudinal
   5. Continue to develop the family engagement & social/emotional analytics parallel to the demographic, engagement and academic data 
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: No PISI will be shared with any organization or individual outside of UpMetrics. Any data shared through final reports will be de-identified and in aggregate form.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: SportUp will destroy all identifiable data 10 years (important in order to track graduation through high school) after transmission. This includes audio recordings, typed notes, handwritten notes, identifiers and linking files. All physical media including paper and DVD will be shredded. Electronic files will be erased using a secure erase program. Temporary files on personal computers will also be removed.
   • NYC DOE additional information: The current agreement became effective starting on January 14, 2019 and remains effective through the period during which SportUp possesses or otherwise is in control of covered protected information, which will be no later than January 14, 2029.\
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: All PISI will be transferred and stored in the SportUp SFTP, protected by confidential password and login information. All PISI will be coded by SportUp, and the coded information will only be accessible by SportUp researchers.

The Lower East Side Girls Club

1. The exclusive purposes for which PISI will be used: The research objectives are to determine student eligibility for participation in the Lower
   • Eastside Girls Club's Adolescent Literacy Program as well as determining the academic progress of student participants as funded by the DYCD Office of Literacy and Immigrant Services.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: The DYCD Office of Literacy and Immigrant Services, as the funding agency for the Lower Eastside Girls Club's Adolescent Literacy Program is the entity that will receive the student data. This office will complete a Non-Disclosure Agreement with the NYC DOE which will ensure that they will abide by data protection and security requirements.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: Upon the expiration of the agreement, the data will be deleted from the desktop hard drive on which it will be stored, and destroyed.
   • NYC DOE additional information: The current agreement became effective starting on February 12, 2019 and remains effective through the period during which The Lower East Side Girls Club possesses or otherwise is in control of covered protected information.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: All data will be encrypted and stored in a password-secured file on the password-secured hard drive of one desktop computer at the Lower Eastside Girls Club.

The New Jewish Home

1. The exclusive purposes for which PISI will be used: The exclusive purposes for which PISI will be used for the tracking of outcomes of our participants in order to ensure high school graduation, connection to post-secondary education and employment. 
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: N/A. We do not share data other than student names, school they attend and attendance figures to our independent evaluator. No personal information is shared about the participants enrolled.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: The electronic student data is deleted and paper files are shredded.
   • NYC DOE additional information: The current agreement became effective starting on June 17, 2019 and remains effective until June 17, 2021, or through the period during which The New Jewish Home possesses or otherwise is in control of covered protected information.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: The physical PISI files are located in an office with a desk that is locked for security purposes. All electronic files are secured in a drive that is only accessible by The New Jewish Home staff which is protected by a virtual private network (VPN). In addition, emails are encrypted to intended outside recipients.

Through "Websense," an application that monitors any inbound or outgoing messages and searches based upon our stipulated privacy regulations, anything that comes through our network will not be delivered if it does not align with the data privacy and security measures in place.

United Way of New York City (UWNYC)

1. The exclusive purposes for which PISI will be used: UWNYC will use the requested PISI specifically to enable UWNYC and the ReadNYC network of partners to analyze which interventions are the most effective toward boosting student academic achievement. This will help ReadNYC provide the most critical supports to students and parents.
   • UWNYC will use PISI in combination with data about service delivery, such as the number and types of services utilized by ReadNYC participants, with the aim of analyzing which interventions, or combinations of interventions, yield the greatest results for students and parents. We will analyze student reading scores, math scores, attendance, surveys about interest in reading, as well as data on parents' needs for social services, and participation in ReadNYC programs. We will analyze whether multiple intervention combinations result in greater academic gains. In evaluating the impact of our work, we will pay attention to student demographics, to ensure that we are delivering impactful programming to all students regardless of race, ethnicity, gender, or disability status. Attendance data is also significant in understanding the impact school absence has on students who participate in the program.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: To minimize risk, there will be a secure exchange of information between UWNYC and ReadNYC partners. Only authorized staff will have access to information. All personnel involved in information analysis will be trained in data security, privacy and confidentiality protocols. Although aggregate results from this study will be shared with participants, school districts and stakeholders, no one will be identified by name or recognizable in any way in reports published.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: Our active IRB expires in 2020. However, we anticipate re-applying as our ReadNYC program will continue in the future. UWNYC will destroy and shred ReadNYC data three years after the program's completion or change in methodology.
   • NYC DOE additional information: The current agreement became effective starting on December 20, 2018 and remained effective through December 20, 2020.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: UWNYC will maintain all consent/assent forms and sign-in sheets for a period of three years after the program ends. The consent/assent forms will be secured in a locked file cabinet. For each school year, ReadNYC partners or UWNYC will upload registration and participation information into a Microsoft Excel file (ReadNYC tracker). The ReadNYC tracker will be password protected and only to be in folders with access limited to those who have either completed NIH’s “Protecting Human Research Participants” online training or reviewed the detailed materials from the training. Unidentified information from each school year will be collected in a Master Data Spreadsheet, which is a password-protected Microsoft Excel file maintained by UWNYC and access limited to UWNYC employees with above-mentioned credentials. Any student-level data received from or sent to the NYC Department of Education research team will be transferred to UWNYC only via secure FTP file transfer. Access to student level data will be limited to UWNYC employees with above-mentioned credentials.

University of California – Davis Campus

1. The exclusive purposes for which PISI will be used: Data will be used to test the effectiveness of a growth mindset intervention on students' motivation and achievement in school, and for moderation of these effects by demographic characteristics.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: Any shared data will be completely de-identified with regard to district, school, and individual teacher and student.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: PISI will be destroyed according to the current strictest IRB standards.
   • NYC DOE additional information: The current agreement became effective starting on May 29, 2019 and remains effective through the period during which University of California – Davis Campus possesses or otherwise is in control of covered protected information.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: Data will be uploaded to an SSH server on the UC Davis campus via SSH keys. Keys will be generated by the uploader, and the public key will be shared with UC Davis. The private key will never be transmitted or shared. All data received from the department of education will be stored on a highly secure SSH server and only researchers at the University of California, Davis who are working on the project will have access to this server. The server will be accessed through password protected computers. The university forbids the sharing of computer login and password information. Data files will be stored with an unidentifiable identification number.

Youth Studies, Inc.

1. The exclusive purposes for which PISI will be used: Youth Studies, Inc. (YSI’s) proposes to analyze NYCDOE administrative data in connection with its ongoing evaluation of 6 21st Century Community Learning Center (21st CCLC) initiative. These programs are designed to deliver high quality expanded learning opportunities to students attending 11 public elementary, middle, and high schools throughout New York City. These programs specifically target schools and a student population that underachieves academically and faces significant social challenges. The proposed evaluation is designed to achieve the following objectives:
   1. Close monitoring of the implementation of these 21st CCLC Program; this includes tracking the initiative's progress toward meeting quality standards;
   2. Ongoing feedback to program managers and coordinators on the effectiveness of the 21st CCLC program and on steps that can systematically improve effectiveness; and
   3. Assessment of how and to what extent participation in these 21st CCLC Programs leads to improvements in desired participant outcomes, including improved academic achievement (particularly in STEM and English Language Arts), acquisition of prosocial skills, and positive behavioral changes.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: Access to the requested data will be restricted to current YSI employees. All YSI staff who play any role in cleaning, analyzing, or otherwise handling the requested data will be trained by YSI's President and Research director on the data protection and security requirements relevant to working with NYC DOE administrative data.
   • All electronic data will be securely stored to prevent unauthorized access, disclosure, or loss. Data will be stored on a password-protected external hard drive hat is not connected to any network servers. Access to files stored on the external hard drive will be limited to Youth Studies, Inc. staff. When not in use, the external hard drive will be stored in a locked filing cabinet within YSI's office.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: Data will be destroyed no later than 90 days after the conclusion of the study (March 4, 2020). YSI will use the Secure Empty Trash Mac utility to ensure that all requested NYC DOE administrative data is permanently deleted.
   • NYC DOE additional information: The current agreement became effective starting on June 17, 2019 and remains effective through June 17, 2021.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: All electronic data will be securely stored to prevent unauthorized access, disclosure, or loss. Data will be stored on a password-protected external hard drive that is not connected to any network servers. Access to files stored on the external hard drive will be limited to Youth Studies, Inc. staff. When not in use, the external hard drive will be stored in a locked filing cabinet within YSI’s office.
   • NYC DOE additional information: The vendor has confirmed the external hard drives are encrypted.

Zone 126

1. The exclusive purposes for which PISI will be used: PISI will only be used in aggregated form to conduct statistical analyses and generate descriptive data summaries.
2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: All subcontractors, persons or entities employed by Zone 126 have been trained to work with PISI and have years of experience working with DOE data and are knowledgeable on data protection and security issues. Additionally they signed confidentiality agreements with Zone 126.
3. When the agreement expires and what happens to PISI upon expiration of the agreement: All PISI will be deleted once the agreement expires.
   • NYC DOE additional information: The current agreement became effective starting on June 12, 2019 and remains effective until June 11, 2021.
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with Owen Consulting Inc. and the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
   • NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov
5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: PISI stored in a secured FTP site, managed by the NYC DOE, and accessible to only project managers. In addition, PISI imported into Excel or SPSS will be password encrypted and stored on a password-protected computer that is only accessible by individual staff members affiliated with the project.