Data Privacy and Security Compliance Process

New York City Public Schools (NYCPS) takes the privacy of information about its students and staff seriously. Several federal and state laws (such as FERPA and New York State Education Law 2-d), and local regulations (such as Chancellor’s Regulation A-820) protect the privacy of children's education records and personally identifiable information (PII). These laws and regulations also protect certain staff information, specifically principals, assistant principals, and teachers’ annual professional performance review (APPR) data.

NYCPS has a standardized data privacy and security compliance process for vetting any outside parties who access (i.e. view), collect, receive, or store student PII and staff APPR data from NYCPS. This compliance process applies to contracted and non-contracted vendors, and outside parties that offer products and services for free.

NYCPS schools and program offices are not permitted to use products or services that access (i.e., view) or receive/store student PII and staff APPR data until the product completes the data privacy and security compliance process. Schools and program offices cannot use products that access or receive/store student PII and staff APPR data while the products are services are in the process of completing the compliance process.

Starting the Compliance Process (For NYCPS to Complete)

Schools and program offices initiate the data privacy and security compliance process in the Enterprise Request Management Application (ERMA). Only schools and program offices can initiate the compliance process. Vendors are not responsible for or able to initiate a request in ERMA.

Schools and program offices can learn more about how to check a vendor’s compliance status and how to initiate an ERMA request on the ERMA InfoHub page. The ERMA InfoHub page features several resources, including an ERMA User Guide, ERMA FAQ, and instructional videos. These resources can only be accessed with a NYCPS login and password.

Note: Only principals, superintendents, SPOCs, and Central division executives can submit new requests in ERMA. However, all DOE staff can check a vendor’s compliance status. 

Completing the Compliance Process (For Vendors to Complete)

From a vendor’s perspective, the compliance process consists of up to four parts:

  1. Complete a vendor assessment in the platform OneTrust (all vendors)​
  2. Complete a data processing agreement (all vendors)​
  3. Undergo an IT Security Review (required for vendors who provide software/web/mobile products)​
  4. Undergo OTI’s Cloud Review (required for vendors that provide cloud-based software/web/mobile products)

When a NYCPS school or program office initiates a request in ERMA, vendors will receive an email from ThirdPartyCompliance@schools.nyc.gov with the ERMA reference number and an overview of the data privacy and security compliance process. Vendors will separately receive an email from OneTrust with instructions for how to login and complete the assessments.

1. Vendor Assessment in OneTrust

All vendors are required to complete a new vendor assessment in OneTrust.

The new vendor assessment in OneTrust allows NYCPS to evaluate third-party vendors by identifying, tracking, and managing potential risks related to privacy, security, and compliance. ​

The OneTrust new vendor assessment is made up of eight (8) sections. The assessment asks questions about a vendor’s general organization and contact information, the type of NYCPS data they will access and whether they will just view or also store the information, whether the vendor uses AI technologies and if those technologies process NYCPS data, and information about the vendor’s IT security practices and use of cloud services. The questionnaire is adaptive and will display supporting documentation for vendors to download and complete based on their responses.

Vendors should complete and submit the assessment in OneTrust as soon as possible.

2. Data Processing Agreement (DPA)

All vendors are required to complete a data processing agreement.

When completing the vendor assessment in OneTrust, all vendors will see and be asked to download and complete a DPA (this is the last question in the privacy section). The DPA will reflect the type of data the vendor will access and if the vendor will just access or also store the information.

In the data sharing agreement, vendors must:

  • Agree to comply with New York State Education Law 2-d and implementing regulations (such as Chancellor’s Regulation A-820). Some key provisions to note are that vendors must agree to:
    • Collect and disclose PII only as necessary and only for educational purposes.
    • Not sell, use, or disclose covered PII for marketing, advertising, or other commercial purposes.
    • Minimize the collection, processing and transmission of covered PII.
    • Have reasonable administrative, technical and physical safeguards in place to protect covered PII when it is stored or transferred.
    • Not maintain copies of covered PII once it is no longer needed for agreed upon educational purpose.
    • Train staff in applicable laws, policies, and safeguards associated with industry standards and best practices.
    • Notify the DOE of any breach or unauthorized release of Covered PII in the most expedient way possible and without unreasonable delay
  • Describe the appropriate safeguards, policies, and practices in place to protect student PII and staff APPR data.
  • Describe use of AI technologies and how those technologies or features process, use, or store NYCPS data.
  • Provide family-facing information about why they need student information and how the information is protected. These responses are posted on NYCPS’s family website.

Tips for completing the data processing agreement are:

  • Desired changes should be communicated in a redlined document (MS Word version) with comments for the Legal team's review.
  • The final document must be signed, dated, and notarized. Vendors can wait to do this until the privacy team approves the DPA.
  • Complete and include all necessary attachments. For most DPAs, this includes:
    • Attachment A – “Services Description” – provide a brief description of the products or services provided.
    • Attachment B – “Processor Data Privacy and Security Plan” – you may either attach your pre-existing Data Security Plan and respond to each of the eight prompts with references to the relevant section(s) or provide written responses to the eight prompts directly in the Attachment. 
    • Attachment C – “Parent Bill of Rights” – provide a response to all 11 questions. Your responses will be made public on the NYCPS website, following New York State Education Law 2-d, for the benefit of parents, students, and the public who want to know more about the data security practices of our vendors. Make sure your answers are public-facing and use minimal technical jargon. Do not refer to other documents (such as the DPA or your data privacy and security plan).
    • Attachment D – “Third Party Information Security Requirements” – review and include. 
    • Attachment E – “Certificate of Records Disposal” – leave blank but include. 

Vendors must email completed agreements to ContractorDataSharing@schools.nyc.gov for the privacy team's review.

3. IT Security Review

Any vendor whose proprietary software, website, mobile application, etc. is used by NYCPS as part of their services must undergo an IT security review.

The NYCPS IT Security team evaluates a vendor’s responses to the IT Security section in OneTrust and evaluates the answers against NYC Information Security Policies and other standards (e.g., ISO 27001, NIST). The NYCPS IT Security team will ask some vendors to complete an additional security questionnaire (also through OneTrust) and provide supporting artifacts to substantiate and validate the responses provided.

4. OTI Cloud Review

Vendors that provide cloud-based software to NYCPS as part of their services must complete the cloud review form.

"The cloud" refers to servers that are accessed over the internet, and the software and databases that run on those servers. Any software that delivers computing services via the internet (like Google Drive) is considered cloud-based software and will require the cloud review form.

Vendors offering cloud-based software must download and complete the Cloud Review Form in OneTrust and send it to the NYCPS Cloud Team (CloudReview@schools.nyc.gov). The Cloud Team works with the NYC Office of Technology and Innovation (OTI) for review. 

Timeline

The full compliance process takes about three months after NYCPS receives the vendor’s completed OneTrust questionnaire and documents. The timeline depends largely on how quickly the vendor responds. 

To avoid delays, vendors should submit the OneTrustall questionnaire as soon as possible. Vendor should complete the related steps—such as the Data Processing Agreement (DPA), security review, and cloud review—at the same time, not one after another. 

For questions about specific parts of the process, vendors should contact the appropriate team directly. For general questions, email thirdpartycompliance@schools.nyc.gov

Artificial Intelligence (AI) Policies for Vendors

NYCPS requires vendors to adhere to additional AI-related standards that build on existing policies.

  1. Any AI technologies must be disclosed, and will be held to the same standards:
    • When going through the data privacy and security compliance process, vendors must disclose any use of AI technologies in their products and services. 
    • If a vendor has already gone through the data privacy and security compliance process, they must alert NYCPS of any AI features added to the existing product.
    • The addition of AI features may require a revised data processing agreement.
    • Data processing agreements will be updated to include measures specific to the types of data being handled by a vendor. For example, vendors may not use PII or confidential information from NYCPS to train AI models.
  2. Intellectual property rights related to AI systems, including algorithms, models, and data, must be clearly defined and any proprietary AI technologies must be disclosed and licensed appropriately. 
  3. All GenAI systems must be transparent in their decision-making processes, providing clear and understandable explanations for outcomes. Vendors must provide mechanisms for users to review and challenge AI decisions as requested by NYCPS. 
    • Vendors must take reasonable measures to mitigate the presence of bias in AI products and disclose those measures to NYCPS. NYCPS reserves the right to request an audit report containing information on the tool’s training data and bias mitigation measures that are in place.

Vendors should also be aware of and ensure their services conform with the NYCPS Guidance on Artificial Intelligence (AI).

Additional AI Guidance for NYCPS Staff

In addition to ensuring AI tools themselves are compliant with ERMA standards for privacy, security, and confidentiality, schools and central staff must remain vigilant custodians of student data as users of these tools.

For example, schools and students should be mindful of the fact that information they share with generative AI tools may be retained and used by chatbots (which are a form of AI); some GenAI chatbots retain the information that is entered to train their data models. This means that any information entered could become public, or pose a threat should that information become available to a fourth party. For these reasons, school staff must not enter sensitive information or PII into generative AI tools not approved in ERMA.

The ERMA process is an essential part of NYCPS's efforts to ensure software products and tools have the necessary safeguards in place to mitigate data security risks and comply with relevant privacy laws.

  1. PII and other confidential or sensitive information should not be shared with any software or product, including AI tools, that have not been approved in ERMA. Only vendors appearing in ERMA have gone through the required privacy and data security compliance processes for external vendors.
  2. AI exists in software products, which must continue to go through NYCPS processes. Consistent with current policy, schools may not use third-party software products–including those that use AI–that have not been vetted by NYCPS Legal/Privacy and DIIT for compliance with data privacy and software security standards (ERMA). As part of the ERMA process, the Office of Technology & Innovation (OTI) reviews data storage systems to ensure they comply with all standards. 
  3. AI tools may have specific age restrictions and parental consent requirements: Before encouraging students to use commercially available GenAI tools, even if tools are approved in ERMA, school staff should follow tool-specific age restrictions and comply with any requirements for parental consent.

NYCPS staff should review and conform with the NYCPS Guidance on Artificial Intelligence (AI).

Guidance on Copyrighted Material

Staff and students should refrain from entering any copyrighted information, such as published texts, curriculum, images, music, or proprietary content, into GenAI tools unless explicit permission has been granted or the material is in the public domain. AI systems, particularly generative AI, can retain, reproduce, or even alter the content they process, leading to potential violations of copyright law. Unauthorized use of copyrighted material can result in legal consequences for both the individual and the school district. 

When in doubt, it is always safer to avoid inputting such content into GenAI systems or to seek guidance from the NYCPS Legal or IT departments. In addition to avoiding inputting copyrighted information, staff and schools should avoid using unattributed copyrighted material contained in GenAI outputs. Review the content and source when assessing outputs for copyrighted material.