Privacy and Security of Student Data

Issued Date: April 23, 2026
Agency/Authority: New York City Public Schools

Objective

To determine if the New York City Public Schools (NYCPS) consistently followed all laws and regulations regarding the privacy and security of students’ data. The audit covered the period from March 2020 through September 2025.

About the Program

NYCPS, previously known as the New York City Department of Education, is the largest school district in the United States. NYCPS is considered one district for State Education Department (SED) reporting purposes. In school year 2024–25, there were approximately 1,600 schools and over 900,000 students within NYCPS. NYCPS uses Automate the Schools (ATS) as its main student information system (SIS), which standardizes and automates the collecting and reporting of student data. In total, ATS holds approximately 5 million records collected since it was implemented in 1984.

NYCPS maintains and uses students’ personally identifiable information[1] (PII) for a variety of educational purposes. NYCPS is responsible for safeguarding student data and ensuring the confidentiality, integrity, and availability of its information systems. NYCPS is required to comply with federal privacy laws, including the Family Educational Rights and Privacy Act (FERPA). FERPA affords parents the right to have access to their children’s education records, the right to seek to have the records amended, and the right to have some control over the disclosure of PII from the education records.

NYCPS must also comply with section 2-d of the New York State Education Law (Law) and Part 121 of the Regulations of the Commissioner of Education (Part 121). The Law requires the Commissioner of Education to establish standards for data security and privacy policies. In accordance with the Law, Part 121 further strengthens data privacy and security by requiring schools to adopt and publish a data security and privacy policy that implements the requirements of Part 121 and aligns with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) 1.1 by October 2020. NIST CSF is a comprehensive framework designed to help organizations of all sizes and sectors—including industry, government, academia, and non-profit—to manage and reduce their cybersecurity risks.

Key Findings

NYCPS can take steps to increase controls over the privacy and security of student data and strengthen its overall security posture. Specifically, we found:

  • NYCPS’ policy does not fully align with NIST CSF. We found that certain fundamental areas related to data privacy and security are not covered or described in NYCPS’ policy. Furthermore, in some instances, not only is this information not published on its website, but NYCPS does not have an existing policy. For example, NYCPS does not have written policies covering the areas of data classification, risk assessment, and backup and recovery.
  • NYCPS does not always report breaches or notify affected parties within the required time frames. We reviewed 141 breaches or unauthorized data releases from January 5, 2023 through February 27, 2025 that NYCPS reported to SED.
    • We found NYCPS delayed reporting 48% (67 of 141) of breaches to SED and delayed notifying affected individuals and families about 11% (16 of 141) of breaches.
  • NYCPS does not have a documented data classification policy. NYCPS officials stated they have their own data classification process and classify information as either confidential or protected. Officials also stated that student information and teacher evaluation data are classified as protected information, and any other sensitive non-public information is classified as confidential information—with protected information being a subset of confidential information. However, this is not a written policy. In the case of an information security incident, NYCPS may be unable to identify in a timely manner what, if any, sensitive and/or critical data was involved and may have been compromised.
  • NYCPS does not maintain a comprehensive list of all applications used by each school. We surveyed all schools to determine if any schools used an electronic SIS other than the two central office systems. Of the 524 responding schools, 218 (42%) stated they used another SIS, and between them they named at least 70 different SIS applications, reflecting decentralized and uncoordinated application usage. Without an accurate inventory of all software applications being used at each school, NYCPS does not have a clear understanding of its environment, the type of information being stored in these applications, and the various risks associated with the data.
  • Part 121 requires all employees with access to PII to complete training on their data privacy and security responsibilities on an annual basis. Although NYCPS requires all employees to take the training, we found that in 2024, only 73% (117,763 of 161,337) of employees completed the training. However, NYCPS does not review the list of employees who have completed the training to verify that those who have access to PII have, in fact, completed the training.
  • We identified weaknesses in technical controls that need to be corrected to ensure the selected NYCPS information systems and their associated data are not at risk.
  • Throughout the audit, the audit team had difficulties obtaining information and setting up meetings with NYCPS, with some documentation requests taking over 5 months to fulfill, and meeting requests taking 2 months to be scheduled, despite repeated requests.

Key Recommendations

  • Using the applicable NIST CSF, identify gaps or enhancements to improve overall security posture as required.
  • Develop a mechanism to ensure that NYCPS always issues notifications of breaches or unauthorized release of PII within required time frames.
  • Complete a written data and asset classification policy that applies to all current NYCPS systems and data and complete a data classification of all NYCPS data.
  • Develop a mechanism to ensure all student information systems used at schools are accounted for.
  • Implement a monitoring process that ensures all employees with access to PII complete data privacy and security training annually.
  • Implement the recommendations detailed in the confidential draft report to strengthen technical controls over the selected systems reviewed.
  • Improve the timeliness of cooperation with authorized State oversight inquiries to ensure transparent and accountable agency operations.

[1] PII is any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to an individual, including but not limited to, the name or address of a student, parent, or a family member; a personal identifier, such as a student number; date of birth; or other information that, alone or in combination with other information, could identify a student.

State Government Accountability Contact Information:
Audit Director: Nadine Morrell
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236