Research

American Institutes for Research (AIR) (for Study of Deeper Learning)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 1/18/2023 – 4/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. For the Study of Deeper Learning, we examine the impact of attending a deeper learning network school on student outcomes, as well as relationships between opportunities for deeper learning and student outcomes. For these analyses, students are the unit of analysis. It is for this reason that we have requested student-level data. These data will not include student identifying information such as name or date of birth. However, student names and date of birth were collected from consent forms distributed to participating schools in the 2012-13 school year. We only have identifying information for students whose parents provided consent to participate in the study. This information is used to locate study participants and invite them to participate in a follow-up study. The study also administered a teacher survey in spring 2013, and so data also include individual teacher-level survey data collected by AIR.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Student-level data will be destroyed within five years of the completion of the study, which is currently scheduled to end on 11/30/2024. Student-level data will be maintained for five years to assist with the completion of manuscripts for scholarly journals and to allow for the possibility of securing additional funding to continue the Study of Deeper Learning.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. AIR has established in the Microsoft Azure Commercial Cloud its Secure Project Portal – Restricted Desktop (SPP-R), an enterprise-grade information enclave protected by a Next-Generation Firewall and comprised of hardened servers and infrastructure configured and maintained by AIR staff. This environment includes strong encryption in transit and at rest, rigorous access controls, and other security measures developed to meet the requirements of NIST 800-171 for Controlled Unclassified Information (CUI). All PII for this project will be stored and processed in SPP-R.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Applied Curiosity Research (for Fast Track to College & Career Program Evaluation: Final Report)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 10/25/2022 – 10/1/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Applied Curiosity Research is evaluating the efficacy of the Fast Track to College & Career (FTCC) pilot program taking place at 11 NYC DOE schools. FTCC was funded by the US Department of Education Perkins Innovation Grant to improve outcomes of students in participating NYC DOE Career and Technical Education (CTE) high schools by offering courses and activities aligned to their career pathway through CUNY’s College Now (CN) program. The program is designed to improve the transition of students from secondary education to postsecondary education by redesigning the high school experience to include dual enrollment courses as early as the 10th grade, and continuing through a structured sequence of college credit and work-based learning activities in 11th and 12th grade. We are requesting student scrambled data from the 11 FTCC schools and 13 control schools so we can compare outcomes and determine the impact of the program. We will need to limit our analysis to CTE-eligible students that entered 10th grade in 2019-2020 at one of 11 FTCC or 13 control schools.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor and using an Organization-owned and/or internally hosted solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Change Impact (Extended School Day/School Violence Prevention Evaluation 2022-23)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2022 – 8/31/2023

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. This study will support continuous improvement of these NYSED-funded ESD/SVP programs. The evaluation report includes findings and recommendations for improvement to strengthen student services, which ultimately aims to improve student academic, social/emotional, and physical development outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

College Access: Research and Action (CARA)

Type of Entity: Research or Evaluation Institution or University

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The mission of College Access: Research and Action (CARA) is to ensure first-generation-to-college, students of color, and low-income students in underserved New York City communities have the knowledge and support necessary to enroll in and graduate from college. CARA’s programs help transform the culture of schools by training a wide range of youth and adult staff to support students to and through college. CARA is dedicated to producing rigorous program evaluation and meaningful research to inform public policy regarding the post-secondary access, matriculation, persistence, and graduation of students attending under-resourced New York City Department of Education (NYC DoE) high schools. CARA has worked in over 100 NYC high schools since the 2010-11 school year. To evaluate the effectiveness of our programs, we are requesting access to data for these schools and their comparisons beginning in the 2009-10 school year to the most recent school year available. We plan to address the following questions:

  1. Does attendance at a high school that receives CARA programming affect students’ college matriculation, type of college attended, and college persistence as compared to students who do not receive CARA services? Do these school-level effects hold after controlling for student-level characteristics?
  2. Do CARA programs vary in their effect on students’ post-secondary outcomes?
  3. Do program effects vary by student subgroups of race, gender, income, and parents' education level?

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor and using an Organization-owned and/or internally hosted solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Columbia University (for The Impact of Bias in School Choice)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 11/8/2022 – 11/8/2024

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Evaluation of the outcome of the current procedure for matching students to public high schools in NYC, with the goal of understanding its strengths and weaknesses and eventually proposing suggestions for improvement.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Columbia University, Teachers College (for Segregation Between and Within New York City Middle Schools)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 7/6/2023 – 5/31/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. This study examines the extent of between- and within-school segregation in NYC middle schools in each of the 32 CSDs, prior to and following the removal of academic screens for admissions. The study relies on administrative data on individual students to describe between- and within-school social and academic segregation.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

CUNY

The exclusive purposes for which Protected Information will be used: The course and exam data provided by the DOE will serve as applicants’ official high school transcripts and be used to evaluate applicants’ admissibility to the CUNY colleges to which they have applied. CUNY will use the biographical data provided by the DOE to match the academic records provided by the DOE to CUNY applications.

CUNY will use immunization records provided by the DOE as proof of students’ immunization status, as required for college enrollment.

CUNY will use the research dataset solely for research projects designed to improve instruction or program administration at CUNY colleges.

How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: Access to the biographical, course, and exam data files will be limited to the staff of CUNY’s University Application Processing Center, who are informed of their responsibilities for handling personally identifiable data in writing and required to sign data use and access agreements.

Access to the Research Data Set will be limited to employees of CUNY’s research offices, who are informed of their responsibilities for handling personally identifiable data in writing and required to sign data use and access agreements.

In addition, all employees in these offices must acknowledge, by signature, receiving a copy of the University’s Policy on Acceptable Use of Computer Resources and IT Security Policies.

When the agreement expires and what happens to Protected Information upon expiration of the agreement: This agreement expires on December 31, 2028. CUNY can purge DOE data if requested by the DOE due to the expiration or termination of the Memorandum of Understanding.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, CUNY will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.

Where the Protected Information will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted: Data provided by the DOE will be stored and protected in a manner consistent with other CUNY confidential, personally identifiable, and protected health data. Common security controls include firewall, intrusion prevention, limited authorized access, and data center physical security. The data is encrypted during transmission.

DAH Consulting, Inc.

The exclusive purposes for which PISI will be used: Evaluation of 21st CCLC program at schools identified.

How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: All employees, persons, etc. have an NDA with DAH which indicates that they will abide by data protection and security guidelines established by the organization. 

When the agreement expires and what happens to PISI upon expiration of the agreement: After 5 years, when the study ends, we will destroy research records, remembering to protect participants' confidentiality throughout the process. Paper records will be shredded and recycled, instead of carelessly tossed in the garbage. Records stored on a computer hard drive should then be erased using commercial software applications designed to remove all data from the storage device.

[NYC DOE additional information: The current agreement became effective starting on December 4, 2018 and remains effective through the period during which DAH Consulting, Inc. possesses or otherwise is in control of covered protected information and no later than December 4, 2025.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov.]

Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: We intend to use minimal-identifier data as often as possible and minimize risk by maximizing work "within network".

Other controls will be to manage release of identifier-data at source/ identification of a "Gatekeeper" and tracking data releases using an approval process and documenting and creating logs.

We will also remove all personally identifying information from data, replacing identifiers with a new, unlinked identifier, which cannot be associated with an individual study participant.

NYC DOE Additional Information: Certain portions of this response have been redacted to protect the privacy and/or security of data and/or technology infrastructure.

Glass Frog Solutions (for Evaluating the Impact of the School of Interactive Arts on Students' AP Computer Science Principles Participation and Scores)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 1/20/2023 – 12/31/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. We are conducting a program evaluation of the School of Interactive Arts (SIA) program, which received a federal Education Innovation & Research (EIR) grant to implement and evaluate the program in NYC public schools. The goal of the program is to use a curriculum based in video game design to increase students' interest in computer science. The program partners with schools offering the AP Computer Science Principles course, and the SIA program works to encourage students to take additional computer science coursework and eventually take the AP Computer Science Principles exam. The long-term goal of the SIA program is to increase access to computer science majors and careers for students belonging to under-represented groups. The evaluation will assess whether the program was successful in encouraging students to take the AP Computer Science Principles course and ultimately pass the AP Computer Science Principles exam. We will draw on students' deidentified course and test score data to determine whether the program met these goals.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Laurus Grant-Writing & Evaluation Services (for 21st Century Community Learning Centers Year 5)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 8/23/2022 – 8/23/2024

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Laurus is serving as the evaluator of the 21st Century Community Learning Centers program grants awarded to NYC Community Schools Districts 4, 10, 12 and 24, as well as those grants awarded to the following community-based organizations: New York Edge, Partnership with Children, Academics in Motion (AIM) and PowerPlay NYC. These grants mandate that an “outside” evaluator assess data to determine if the program has any effects on students that participate; this data includes attendance records and academic results such as report card grades and assessment results. The data we are requesting is de-identified – we only have to report general findings and trends – we never report on individual participants or reveal any identifying information.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Massachusetts Institute of Technology (MIT) (for “The Comprehensive Data Request for MIT SEII” & “Peer Exposure Effects on School Preferences” & “How School Accountability Affects School Choice” & “Pipelines and Equity in Gifted and Talented Programs”)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 2/22/2022 – 2/27/2028

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII.

NYCDOE uses a matching algorithm designed by Abdulkadiroglu, Pathak, and Roth to match students to schools according to preferences and priorities. The adoption of centralized assignment has enabled improved school impact evaluations. Led by Parag Pathak, MIT's Blueprint Labs has developed pioneering new methods to enable an analyst to fully exploit all randomization generated by centralized assignment. We are pursuing several lines of inquiry related to this work in New York City.

We plan to study how exposure to a diverse set of peers in early stages of education affects school preferences at later stages. A student’s peers at school may leave an indelible mark on how they see themselves, how they see others, and their social preferences. We therefore plan to evaluate whether attending a school with more diverse peers influences a student and her family’s preference to enroll in a more diverse school in the future, as measured by the child and her family’s choices of school in later years, and to understand the mechanisms driving these patterns of school choice.

We are conducting observational research on student educational records. We aim to investigate the interplay between the design of school accountability systems, families’ information about schools and school choice. We require the PII to evaluate the effects of the introduction and later removal of letter grades from school reports on patterns of school applications, enrollment and student achievement, by comparing changes in demand for schools before, during and after the removal of letter grades.

The overall purpose of our research is to, first, evaluate the impact of elementary school gifted and talented programs on subsequent educational experiences, particularly for low-income and racial minority students, and second, to assess potential gifted and talented implementation policies for addressing pipeline issues in selective schooling programs. To do this, we will use the random variation generated by gifted and talented program assignment rules to estimate the effect of admission and attendance to these programs on the types of schools that students attend in the future. In addition, we will consider the effects of various program policies – such as Diversity in Admissions policies, program expansion, and the use of tests in admissions – on the diversity of the groups of students in the programs and whether the students who enroll in the programs are those who will benefit the most. We will therefore be able to assess the potential of gifted and talented programs to address pipeline issues in NYC schools, and how this is impacted by program admissions policies.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

MDRC (for Impact Evaluation of Academic Language Interventions)

Type of Entity: Research or Evaluation Institution or University

Contract/Agreement Term: 9/25/2015 – 12/31/2022

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Data will be analyzed for the Impact Evaluation of Academic Language Intervention, a research study which began in 2015 to assess the impact of an academic language program on student language and reading skills. This study is funded by the U.S. Department of Education (Contract No. ED-IES 15-C-0050) and led by MDRC, a nonprofit research organization.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: For the final phase of the evaluation, the study team will create a de-identified student-level restricted-access file for use only by qualified researchers for approved research projects, as required by the study funders (ED). The restricted-access file will include student-level data collected for the study, including student records.

To reduce disclosure risk, the study team will remove all direct identifiers from the restricted-access file, including the names of states, districts, schools, and students, physical addresses, and contact information. District, school, and student names will be replaced with randomly generated ID variables. We will also remove original and calculated variables that are not useful for research purposes. After creating the deidentified student-level file, the study team will securely delete the underlying identifiable student-level data.

MDRC will submit the restricted-access file to the data archive maintained by the Department of Education’s Institute of Education Sciences (IES). The restricted-access file will be available only to qualified researchers who agree to the confidentiality and data security requirements established by the U.S. Department of Education. Once IES has accepted the restricted-access file, MDRC will destroy all other files received from the DOE, as well as crosswalks that link actual IDs to the randomly constructed ID, by deleting the data from our secure servers.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

MDRC (for Examining Effects of Social-Emotional Learning on Outcomes Through High School and Beyond: A Follow-Up Study of INSIGHTS)

Type of Entity: Research or Evaluation Institution or University

Contract/Agreement Term: 2/28/2023 – 6/30/2028

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The aim of the proposed study is to conduct a long-term efficacy follow-up of INSIGHTS into Children’s Temperament (INSIGHTS). Findings from the original cluster randomized trial of INSIGHTS implemented in kindergarten and first grade in schools serving students from low-income families (2008 – 2012) revealed positive short-term treatment impacts on children’s literacy, math, sustained attention, and behavioral skills. Follow-up data demonstrated sustained impacts on target outcomes through sixth grade. Although these medium-term impacts are promising, questions remain about whether INSIGHTS does continue to benefit children as they move through adolescence, as well as the mechanisms through which the program generates long-term outcomes, the students who benefit the most from the intervention, and the implementation and school-level factors that are critical to promoting sustained impacts. The proposed study will estimate long-term effects of INSIGHTS on students’ academic, social-emotional, and behavioral outcomes from 7th to 12th grade and during the transition to college. The study will explore how INSIGHTS promoted long-term outcomes, for whom, and under what circumstances. Findings will provide information on whether early investments in SEL yield benefits for students through high school and beyond.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Metis Associates (for Evaluation of New York City's Summer Rising 2022 Program and Evaluation of New York City’s Summer Rising 2023 Program)

Type of Entity: Commercial Enterprise

Contract / Agreement Term:

  • Evaluation of New York City's Summer Rising 2022 Program: 8/25/2022 – 6/30/2023
  • Evaluation of New York City’s Summer Rising 2023 Program: 8/22/2023 – 8/23/2024

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The purpose of this research study is (1) to characterize the Summer Rising participants, (2) to determine whether the program is reaching its intended audience, and (3) to determine if programming is having an effect/impact on academic outcomes. PII data are required to match and control for possible covariates between participants and comparisons, as well as to characterize the population served by the program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Metis Associates (for Evaluation of NYCPS High-Impact Tutoring Initiative)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 6/20/2023 – 8/31/2023

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The evaluation requires student-level data without direct identifiers to be used to describe participants in the program to help the program staff better understand what students are receiving services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Metis Associates (for projects in 2023-2024)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/1/2023 – 7/1/2024 for the following research projects:

  • Community Change Inc. 21st Century Community Learning Centers Program
  • The Center for Educational Innovation’s Education through Art (AAEDD)
  • Evaluation of the United Community School Program
  • Evaluation of the UFT Full-Service Community Schools (FSCS) Program Grant
  • The Center for Family Life in Sunset Park (CFL)
  • Education through Music (ETM)
  • Lehman Urban Transformative Education in STEM Project

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII.

Community Change Inc. (CCI) 21st Century Community Learning Centers (21st CCLC) is a New York State funded initiative that will use student level data to determine whether the project is meeting its objectives and performance targets, and will include student demographics, attendance, behavioral incidents, report card/transcript data, graduation data, and standardized assessment results.

The Center for Educational Innovation (CEI) Assistance for Arts Education Development and Dissemination (AAEDD) is a United States Department of Education funded grant that will use student demographic, assessment, attendance, and SEL data in a rigorous comparative quasi-experimental design (QED) to determine initiative impacts.

The evaluation of the United Federation of Teachers’ United Community Schools (UCS) initiative will use student demographics, attendance, behavioral incidents, and standardized assessment results in a rigorous comparative quasi-experimental design (QED) to determine initiative impacts.

The federally funded Full-Service Community Schools (FSCS) program grant includes three of the United Federation of Teachers’ United Community Schools (UCS) and will use student demographics, attendance, behavioral incidents, and standardized assessment results to determine the effects that funding has had on student outcomes.

The evaluation of the Center for Family Life in Sunset Park (CFL) includes programming at six neighborhood public schools and will utilize student demographic, attendance, and achievement data to determine whether its program offerings are associated with positive outcomes.

The evaluation of Education through Music (ETM) will utilize student demographic, attendance, achievement, and SEL data in a rigorous comparative quasi-experimental design (QED) to determine initiative impacts.

The Lehman College Urban Transformative Education in STEM (LUTE-STEM) project will use student demographic, attendance, and academic assessments to determine whether the program is positively associated with student outcomes.

Type of PII that the Entity will receive/access: Student PII and Staff PII

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor and using an Organization-owned and/or internally hosted solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

New York University (NYU) (for The School Choice Policy Research Center – Improving Policy, Implementation, and Outcomes for Disadvantaged Students)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 5/24/2022 – 5/24/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The study examines the impact of transportation options on school choice and student outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

New York University (NYU) (for Strengthening School Readiness through Pre-K for All: A University-District Partnership)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 1/24/2023 – 8/31/2027

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. We are requesting individual-level student data detailed earlier, and the NYC DOE considers all student-level data to be PII. In addition, we are requesting a document linking the DOE-created random ID (in the de-identified dataset) to the child's name, making the data identifiable for the participants who consented to the data and records release question on the consent form.

We are requesting a document linking the DOE-created random ID (in the de-identified dataset) to the staff member’s name and email address (or DOE “external account” for NYCEEC staff), making the data identifiable for the participants who consented to the data and records release question on the staff consent form.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies. As stated in the consent form, the research team will store identifiable information (e.g., names and contact information) for future follow-up research purposes by the NYU research team for four years following the completion of this study. After this, data consisting of participant identifiers and documentation connecting participants to personal information will be deleted. This data includes consent forms and any other materials that contain personal identifiers, and the file that links participant research IDs to name/DOB. The identifiable electronic data will be permanently deleted by research staff with access to the password-protected server, and trash will be cleared. In-person research staff will retrieve hard copy data from locked storage space and shred it.

De-identified data (data without any identifiers like names and contact information) will be kept indefinitely.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted solution. After downloading the data via the DOE’s secure FTP server or the Research Alliance for NYC Schools’ secure FTP server, identifiable electronic data will be stored on secure, encrypted server space allocated by NYU Steinhardt. Data will be accessible only to NYU research staff involved in this project via their NYU username and password. The server is only accessible to NYU staff who are granted access by their unique NYU ID. Login requires staff to enter their NYU account password and multi-factor authentication. The server is also only accessible using NYU’s network.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

New York University (NYU) (for NYU College & Career Lab: Long-Term Academic Achievement Outcomes)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 2/8/2023 – 2/8/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. We are evaluating the academic achievements of students who apply to the CCL program. To address the issue of examining long-term academic outcomes, we plan to use DOE updated administrative data from the Research Alliance for New York City Schools (RANYCS) and measure it against the NYS Report Card data to calculate impacts on medium-term effects, such as middle school test scores, attendance, and participation in New York City’s high school application system (the largest choice-system in the nation), to longer-term effects such as high school course-taking, graduation, and transition into university. The use of administrative data that is collected by NYC DOE will provide the opportunity for early reporting on student outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

The Ohio State University (for Effects of Neighborhood Characteristics and Commute Times on High School Students' Academic Outcomes)

The exclusive purposes for which Protected Information will be used: The Protected Information will be used solely to conduct a rigorous, statistical analysis designed to inform constituents and policy-makers associated with NYC public schools as well as a broader audience of policy-focused social scientists.

How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: Only individuals mentioned in the application to the NYCDOE will have access to the education data. All individuals have read through the data use agreements, and have agreed to follow all security protocols.

When the agreement expires and what happens to Protected Information upon expiration of the agreement: We will remove the Protected Information provided to us by NYC’s DOE by having an Ohio State University IT specialist securely shred the hard-drive on which the data are stored, following a standard University protocol for removing confidential data.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.

Where the Protected Information will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted: The Protected Information will be stored on a computer owned by the Department of Economics at Ohio State University. The computer will be stored in a locked, private office accessed only by the researchers named on this project and the Department’s IT specialist, and will have the following security features:

  • Windows 10 Enterprise with latest patch set. Patch schedule is bi-weekly.
  • Network single user login enforced by Active Directory.
  • Remote access protected by gateway with 2-Factor authorization (Duo Mobile). Data copy between clients is restricted.
  • 180 Day Password change policy enforced by central Identity Management. Minimum standards: 8 Char including 3 of Uppercase, Lowercase, Numerals, or Special characters. Dictionary words are prohibited. User accounts can be remotely disabled.
  • 15 Minute inactivity lockout.
  • Full disk encryption using BitLocker.
  • Malware/Virus on-access, and scanning protection using managed Falcon Prevent (CrowdStrike).
  • Network traffic protection and restriction via host and perimeter firewall.
  • System log collection and visualization via Splunk.
  • Clients scanned regularly for vulnerabilities using Nessus.
  • Hard drive shredded by college service at completion of project.

Research Alliance for New York City Schools (for Evaluation of Practice Makes Perfect Summer Program in New York City: COVID Update)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 7/1/2023 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. This project will evaluate the impact of a large virtual summer learning program offered by the Practice Makes Perfect (PMP) organization to NYC public school students during the “COVID summer” of 2020. PMP’s broader mission is to address summer learning loss through academic enrichment, tutoring, and mentoring. In 2020, PMP provided an online summer program at no charge to approximately 5,000 NYC students. PMP worked with the research team to randomly invite participants from the more than 10,000 who applied. This random assignment will facilitate a rigorous impact evaluation of the offer to participate. The research team will estimate the impact of the program on students’ short and longer-term academic outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies. As the service provider, Practice Makes Perfect will maintain possession of its original list of applicants and participants (which includes PII). The analytic database created using a fuzzy match between the PMP applicant list and NYCDOE data will be destroyed at the end of the project in accordance with the signed NDA. The project will be considered complete after publication of the team’s final report. Note that RANYCS standing data is governed by a separate agreement between the NYCDOE and RANYCS.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

RAND Corporation (for Evaluation of the Long-Term Effects of Retention under New York City’s Student Promotion Policy)

Type of Entity: Not-for-Profit

Contract / Agreement Term: 11/14/2022 – 11/14/2024

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The data will be used exclusively for the evaluation of the long-term effects of student grade retention under New York City's student promotion policy in effect between the 2003-2004 and 2011-2012 school years.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Research Triangle Institute (RTI) (for High School and Beyond 2022, HS&B:22)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 9/15/2022 – 7/31/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The High School and Beyond 2022 (HS&B:22) study will be the sixth in a series of longitudinal studies at the high school level conducted by the National Center for Education Statistics (NCES), within the U.S. Department of Education. These studies play a critical role in education, providing a rich variety of data to answer questions about how students’ backgrounds and school experiences affect education and life outcomes. HS&B:22 is being conducted by RTI International under contract to NCES.

To identify which students will be invited to participate in HS&B:22, RTI will request a roster of students enrolled in ninth grade during the 2022-2023 school year in each participating school.

We will request a complete roster of all ninth-grade students, including key student characteristics, such as: name; ID number; month and year of birth; grade level; sex; race/ethnicity; and English Language Learner (ELL) status. As part of the roster collection, RTI will also request the following information for each student: student’s math teacher and math course information; and student’s parent and/or guardian name and contact information.

We will work with districts/schools that are unable to provide all of the information to obtain the key information allowable and needed for sampling. We will provide a sample template and instructions to upload rosters to the secure NCES website.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Student data are subject to strict protections that are adhered to by NCES and its contractor organizations. Unused roster information will be securely destroyed when no longer needed for the purposes specified in 34 CFR § 99.35. Due to the longitudinal nature of HS&B:22, sampled students are followed over an extended period of time (possibly into college and beyond).

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. NCES has a secure data transfer system, which uses SSL technology, allowing the transfer of encrypted data over the Internet. The NCES secure server will be used for all administrative data sources. All data transfers will be encrypted. HS&B:22 data files and systems that contain PII or direct identifiers will reside in RTI’s sophisticated FIPS Moderate VDI. This network operates as a separate structure within the overall RTI computing infrastructure to provide additional security for data and to encrypt all network traffic with Federal Information Processing Standards (FIPS) 140-2 verified encryption tools. RTI uses Microsoft SQL servers to store non-sensitive project information. User-level access to these servers for authorized users is controlled with the same credentials needed for network and file access within each of the RTI networks.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Theo Pippins (for Academic Acceleration Sprint Analysis)

Type of Entity: Sole proprietor

Contract / Agreement Term: 5/1/2023 – 11/15/2023

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Theo Pippins will support data analysis for the Academic Acceleration sprint. Tasks include, but are not limited to: developing/revising research questions; supporting the creation of data collection tools; assisting with data collection efforts; leading data cleaning and analysis using platform usage data, screener data, and state exam data; summarizing demographic characteristics of school communities; identifying trends, patterns, or relationships between interventions and test results; and preparing data visualizations.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Organization.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

University of Chicago (for “The Evolution of the Charter School Sector”)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 9/29/2022 – 9/29/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. I will be examining the evolution of the charter school sector in NYC and how quality has changed as the sector has expanded. My measure of quality will be calculated using student level test scores, which is why I need access to PII.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

University of Connecticut (for Understanding the Impacts of School Preference on High School Students)

The exclusive purposes for which PISI will be used: The PISI will be used to examine the impact of school choice on student academic and non-academic outcomes. As differences in admission mechanism may impact student behavior once they attend school, these data will be used to identify differences.

How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: Data will not be shared with, nor available to, any persons, subcontractors, or entities, with the exception of Morgaen Donaldson, the Associate Dean of Research at the Neag School of Education, in her role as the dissertation advisor to the PI.

When the agreement expires and what happens to PISI upon expiration of the agreement: This agreement will expire on 9/10/2023, and upon its expiration all data will be deleted from the enterprise file server at UConn.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. There will be no original data collection as part of this project – all data are administrative and collected by the NYCDOE.

Where the PISI will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted: All data will be stored on the UConn Enterprise File Server system. The specific folder for this project will only be accessible to the PI and the dissertation advisor, Dr. Morgaen Donaldson, Associate Dean of Research at the Neag School of Education. Data will be encrypted both in motion and at rest using SSL and BitLocker, respectively.

University of Kentucky (for Professional Development for Culturally Relevant Pedagogy in K-12 Computer Science)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 9/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Our objective is to understand the usefulness of professional development (PD) for teachers' implementation of culturally relevant practices in their computer science (CS) classrooms. More specifically, we aim to examine how, if at all, the knowledge and dispositions of teachers who participated in the “Exploring Equity in Computer Science” (EECS) professional development series have changed over time. Individual-level teacher records (i.e., teachers' responses to "exit tickets") will help us complete this study. Zitsi Mirakhur is conducting this study on behalf of and at the request of the CS4All team.

Type of PII that the Entity will receive/access: Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

University of Michigan (for Family Preferences and Curricular Differentiation of NYC High Schools)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 1/9/2023 – 1/9/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. My objective is to study family preferences over the “theme” or academic focus of NYC high schools. There are two broader questions that I am interested in exploring, both focused on the implications of offering and explicitly categorizing academically-themed programs.

The first question is whether different preferences over academic theme by race, gender, income, or achievement lead to differential sorting into schools along these lines, and whether this sorting increases or decreases segregation. Observing the decisions each student makes on which schools to apply to, how to rank them, and whether to enroll, combined with school characteristics data, will enable me to infer how students weight various school characteristics in their decision. I will also be able to investigate how these preferences vary by student demographics.

The second question is whether students have better outcomes when they are matched to a school with their preferred academic theme, relative to schools of a different theme. I need individual-level data on student applications and outcomes to identify a student’s preferred school theme from their application, determine whether it matches the theme of the school they enroll in, and link this information to their high school outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

University of Pennsylvania, Graduate School of Education (for Influence of Gifted and Talented Programs in New York City)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 4/1/2022 – 12/31/2022

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The largest school district in the country, the New York City Department of Education, is unmatched in its scale and density. The ecosystem of schools and students in NYC has created a unique opportunity for student enrollment, where families apply for students’ admission to pre-K, Grades K-5, middle, and high school programs throughout the city. While students often prefer, and do have the priority, to attend the district where they live, the influence of address diminishes greatly as students get older, and in some cases, much earlier. Pathways of students throughout their educational progression are a real policy interest for education researchers, and a crucial concern for efficacy and equity goals at the Department of Education. A specific feature of the enrollment process is gifted and talented (GT) enrollment. With about 80 programs in the city, compared to the almost 800 available elementary schools, GT programs are present in a minority of schools, reach a minority of students, and yet remain the focus of a major ongoing policy debate. One policy concern is that low-income and minority students are vastly under-represented in GT programs. In New York City public schools, just 14 percent of students in the GT program are black or Hispanic, compared with 60 percent of the entire student body. Opponents suggest removing the programs completely, and supporters propose expanding the programs in more low-income schools, as well as changing the identification of giftedness to increase exposure. In this study, we are interested in two questions. First, we will pursue a descriptive analysis of the change in GT options over a ten-year period in New York City, namely how those who apply and are accepted to the programs have been influenced by changing policy measures.
We hope to extend this to a broader discussion of the supply and demand mismatch in the GT option, by coupling student-level data with changes in malleable admissions criteria. Second, what is the influence of a GT program on a student who was accepted into the program, a student who was not accepted into the program, and a non-GT student who is in the same school as a GT program? The random allotment of the gifted classroom to some schools and not others provides an opportunity for this kind of natural experiment. Specifically, does the presence or absence of the GT classroom in a school affect student-level outcomes in that school?

The purpose for collecting PII information on students, such as student-level data of school name (DBN), student attendance, ELA standardized scores, and Math standardized scores, for 10 years, from the grades K-8, is so that we can track the paths of students in gifted programs, and those who were not selected into these programs, over time. Information at the student level helps to get at student-level effects, in addition to school-level effects that have been previously explored.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Yale University (for Belief and Preference Identification in School Choice)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 3/23/2021 – 3/1/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. We intend to estimate and quantify the roles of students’ preferences and information about the schools, and beliefs about assignment chances, with regard to NYC’s centralized high school assignments. Student-level data is necessary to estimate the distribution of students’ preferences, information, and beliefs, and to link student-level characteristics to their application behavior and assignment outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.