Federal and state laws and regulations impose requirements on the DOE and certain outside parties to ensure students' personally identifiable information (PII) and certain staff PII (specifically, identifiable annual professional performance review data of principals, assistant principals and teachers) remain confidential and secure. The DOE has a standardized compliance review process for vetting any outside parties (contracted and non-contracted) who receive or access data from the DOE. This compliance process helps ensure that outside parties safeguard any and all protected information pursuant to federal, state, and local regulations.
Effective July 1, 2023, all vendors of third-party software will be required to complete the DOE's compliance process and OTI's cloud review process before conducting business with the DOE. DOE staff may not use software that access or receives student or staff PII if the software vendor has not completed the compliance process. That also means schools cannot use products while they are in the process of completing the compliance process.
This process applies to contracted and non-contracted vendors, as well as outside parties that offer products and services for free.
Requirements for Outside Parties
Outside parties who receive student and certain types of staff PII (together, referred to as “covered PII” on this page) must agree to comply with various requirements under FERPA, New York State Education Law 2-d, and Chancellor's Regulation A-820, in a written agreement (such as a nondisclosure agreement or data processing agreement).
Outside parties must agree to keep covered PII confidential, only collect and use covered PII for legitimate educational purposes, to inform the DOE if the covered PII is breached or disclosed without authorization, and plan for its return and disposal one no longer needed. Outside parties also must agree to have the appropriate safeguards, policies, and practices in place to protect the data, and must submit to a compliance process. These safeguards promote transparency and provide additional protections for the benefit of our families.
More specifically, outside parties must agree to the following:
- Collect and disclose covered PII only as necessary and only for educational purposes.
- Minimize the collection, processing and transmission of covered PII.
- Not sell, use, or disclose covered PII for marketing, advertising, or other commercial purposes.
- Have reasonable administrative, technical and physical safeguards in place to protect covered PII when it is stored or transferred.
- These technologies, safeguards, and practices must align with the NIST Cybersecurity Framework.
- Examples of such safeguards include encryption, firewalls and password protection.
- Outside parties must use encryption to protect personally identifiable information in its custody while in motion or at rest using a standard specified by the US Department of Health and Human Services in the context of HIPAA.
- Train staff in applicable laws, policies, and safeguards associated with industry standards and best practices.
- Limit access to covered PII to only those employees or contractors who need access to the data in order to provide the contracted services.
- Not maintain copies of covered PII once it is no longer needed for agreed upon educational purpose. Outside parties should permanently and securely delete covered PII no later than when the contract ends.
- Not disclose any Covered PII to any other party without the prior written consent of the parent or eligible student, except as required to carry out the contract, or as otherwise required or permitted by law.
- Notify the DOE of any breach or unauthorized release of Covered PII in the most expedient way possible and without unreasonable delay. With respect to such incidents, outside parties must also do the following:
- Cooperate with the DOE and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Covered PII.
- Pay for or promptly reimburse the DOE for the full cost of parental notifications, where a breach or unauthorized release is attributed to the outside party.
- Abide by and attach the DOE's Parents' Bill of Rights for Data Privacy and Security to their written agreement.
- Provide supplemental information for parents about their agreement with the DOE in their written agreement.
Overview of Compliance Process
Effective July 1, 2023, all vendors of third-party software will be required to complete the DOE's compliance process and OTI's cloud review process before conducting business with the DOE. This applies to contracted and non-contracted vendors, as well as outside parties that offer products and services for free. DOE staff may not use software that access or receives student or staff PII if the software vendor has not completed the compliance process. That also means schools cannot use products while they are in the process of completing the compliance process.
The compliance process consists of up to three parts:
- Written agreement
Outside parties who receive Covered PII must agree to comply with New York State Education Law 2-d and its implementing regulations, such as Chancellor's Regulation A-820, in a written agreement. Outside parties also must agree to have the appropriate safeguards, policies, and practices, some of which are described above, in place to protect the data. Requirements of outside parties are described in more detail above.
These safeguards promote transparency and provide additional protections for the benefit of our families. To that end, outside parties are asked to complete four attachments as part of the written agreement:
- Attachment A – a brief description of the product(s) and or service(s) being provided, including a list of required data fields that are necessary for you to provide those product(s) or service(s).
- Attachment B – a copy of your Data Privacy and Security Plan, along with a copy of the DOE Information Security Requirements document. At a minimum, your Data Privacy and Security Plan, must address the following requirements:
- Specify the administrative, operational and technical safeguards and practices Processor has in place to protect the Protected Information that it will receive under the contract;
- Demonstrate that it complies with the requirements of the DOE's Parents' Bill of Rights for Data Privacy and Security;
- Specify how officers or employees of the third-party contractor and its assignees who have access to Protected Information receive or will receive training on the federal and state laws governing confidentiality of such data prior to receiving access;
- Specify if Processor will utilize sub-contractors and how it will manage those relationships and contracts to ensure Protected Information is protected;
- Specify how the Processor will manage data security and privacy incidents that implicate Protected Information including specifying any plans to identify breaches and unauthorized disclosures, and to promptly notify NYC DOE;
- Describe whether, how and when data will be returned to the NYC DOE, transitioned to a successor contractor, at the NYC DOE's option and direction, deleted or destroyed by the third-party contractor when the contract is terminated or expires.
- Attachment C – DOE's Parents' Bill of Rights for Data Privacy and Security, along with responses to each of the supplemental questions presented in the section. These responses will be posted on the Supplemental Information for Parents About DOE Agreements With Outside Entities page.
- Attachment D – should be left blank but must be included.
Schools and program offices should visit the Student Data Privacy and Security Policies InfoHub page for information about the DOE's data privacy and security policies.
- DIIT Security Questionnaire
Outside parties who receive student and certain types of staff PII must complete an Information Security Questionnaire via the Panorays system. Outside parties will have up to 30 days to complete the assessment. Once the assessment is complete, the DOE's Division of Instructional and Information Technology (DIIT) Security team will assess the questionnaire answers and contact the outside party for follow-up and next steps.
- OTI Cloud Review
New York City agencies are required to submit all cloud-based applications through a review of their access and data management architecture to ensure compliance with citywide security and privacy policies.
Schools and/or Central program offices are responsible for initiating the compliance process for outside parties who have access to, receive, or store personally identifiable information. The compliance process applies to contracted and non-contracted vendors, as well as outside parties that offer products and services for free.
Schools and program offices initiate the compliance process by submitting a request in the Enterprise Request Management Application (ERMA). Only principals, superintendents, and Central executives can submit requests, please use your employee login credentials to access ERMA. Visit the ERMA InfoHub page for step-by-step instructions on how to get started.
Updates on the Software Data Privacy and Security Process
Schools and program offices should visit the Software Data Privacy and Security Process page for updates from Chief Operating Officer Emma Vadehra on the expanded vetting process.