For immediate release: May 4, 2025
For more information: Leonie Haimson, leonie@classsizematters.org; 917-435-9329
The audit from the State Comptroller’s office released today confirms what many NYC advocates have long known: the privacy policies and practices of the NYC Dept. of Education are sloppy, irresponsible and show a lack of concern for keeping students’ personal information safe from breach and misuse. This makes DOE’s insistent push to rapidly expand the use of Artificial Intelligence tools in our schools unwarranted, given how these tools represent an even greater risk to student privacy and safety.
Even more troubling is the DOE contemptuous response to the auditors’ findings and recommendations to improve their processes, dismissing nearly each one as unfounded. Altogether, the audit’s findings reinforce the lack of trust felt by many in DOE’s competence and caring when it comes to protecting student privacy.
The audit’s findings put in question the AI guidance’s assurances on DOE’s ability to keep student data safe
In the recent DOE AI guidance, they repeat over and over that student privacy is rigorously protected through a vetting process called ERMA (Enterprise Request Management Application). Yet the findings in this audit show that DOE’s privacy processes are inherently defective. The DOE’s lack of responsiveness and willingness to improve their privacy policies provide yet more evidence that their rush to expand the use of AI in our schools is reckless. AI products represent a special risk to student privacy as many data-mine personal data to improve their products, which violates the state student privacy law, Ed Law 2D, the NY State Student Privacy law passed by the legislature in 2014.
The audit’s findings, as well as repeated data breaches of NYC student data and its illegal use for commercial purposes reveal the inadequacy of the DOE’s privacy vetting process. As a member of the Chancellor’s AI Working Group, I along with other members proposed additional safeguards. These included independent privacy impact assessments, data security audits, and tests for algorithmic bias that should be required for any educational product using AI. DOE rejected all these recommendations. Additional problems with the recently released AI guidance, including DOE’s refusal to rigorously comply with the state privacy law, are described in our critique here.
The findings confirm DOE’s failure to properly control and safeguard personal student information
The auditors discovered that DOE maintains no central records as to which vendors and other third parties have access to student personal information, and that they maintain no written policies covering data classification, risk assessment, or backup and recovery, as required by the NIST data security framework specified by Ed Law 2D.
In their response, DOE officials claim that this conclusion is false, and that they are “able to determine which SIS or other applications that consume student data are in use by a given school or office.” Yet just last week, on April 28, 2026, the DOE privacy office confirmed in an email to a parent that “at this time, there is no Central list of every educational technology tool used by each school.”
Moreover, according to Ed Law 2D, it is every parent’s right to know which vendors have access to their children’s data, and to receive a copy of the data held by those vendors within 45 days of their request. Yet this right is chronically violated by DOE officials, and when parents do receive data files from their vendors, the files can be empty of information.
There are more than 700 companies and other third parties that have access to personal student data according to the DOE website, though the number of the ed tech programs used is likely greater, as some vendors provide schools with more than one product. The number of products collecting and processing student data has steadily increased each year, and is even now even more rapidly growing, as DOE adds new products with AI functionality to be used in classrooms throughout the city.
Delays in recognizing and reporting breaches
Because DOE officials do not know which schools use which products, they are unable to ensure that when data breaches occur, they are able to inform affected families within the legally required timeline or identify which data elements may have been exposed.
The auditors reported that there were at least 141 breaches of NYC personal student data between January 5, 2023 through February 27, 2025, and in 48% of cases, the DOE reported them to NYSED past the legal deadline of 10 days. In at least one case, it took over 460 days. DOE also missed the 60 day deadline to inform parents that their children’s data had been breached in at least 11% of the time. [Note: 60 days is in itself too long; NY law requires breach notification by private businesses and state agencies within 30 days.]
The Illuminate breach and problems with their privacy agreement
Some privacy vendor agreements are never even posted online in violation of the law - like that of Illuminate, which exposed the data of more than a million NYC current and former students in 2022, and yet whose privacy agreement was posted online only after the breach occurred. Even then, the agreement hinted that the data was not always encrypted, contrary to the requirements of the law, which turned out to be the case.
The Illuminate example also shows that DOE does not independently investigate breaches but instead relies on the unreliable reporting of vendors concerning the number and identity of students affected. After the data of more than 800,000 current and former NYC students was breached by Illuminate between late December 2021 and early January 2022, their families were not notified by DOE until March 25, 2022.
Even worse, in May 2024, more than two years after the breach, a second round of notifications to families revealed that about 380,000 more students and former students also had their information exposed. This was also seven months after Illuminate had informed DOE of the additional students involved – far exceeding the 60 day deadline in the law, according to the information on the DOE website, which states that they started looking into this matter only after being told by Illuminate that more students were affected in October 2023. This put additional students and former students at risk of identity theft and more, and unable to promptly acquire the insurance and credit monitoring offered by the vendor for free.
The PowerSchool breach and problems with their privacy agreement
After the massive nationwide breach of the PowerSchool student information system occurred in late December 2024, parents throughout the country and elsewhere in the state were informed of the breach in early January 2025. Yet at that time, DOE told a reporter they were still looking into whether any NYC schools or students were affected.
In fact, DOE refused to confirm which schools were involved even after Daily News reported on their names on February 6, 2025, from information relayed by the State Education Department. Only after the Daily News reported on this did parents whose children attended these schools receive emails saying DOE was still looking into this matter. It was not until April 2025 that DOE confirmed to parents that their children’s data had been breached, long past the 60-day deadline in the law.
To this day, the DOE has refused to post the names of the NYC schools affected by the PowerSchool breach on the webpage that reports on data security incidents, despite guidance from the NYSED that they should do so promptly, to alert the thousands of former students whose data was also exposed and put at risk of identity theft and worse.
As the former NYSED Chief Privacy Officer Louise de Candia wrote on Feb.3, 2025, “ There is no doubt in my mind that PowerSchool violated Education Law Section 2-d and Part 121 of the regulations which require compliance with NIST CSF as well as reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of PII.”
And yet DOE continues to allow NYC schools to use as many as 16 other privacy-invasive PowerSchool products, including Naviance, which is employed in many if not most New York high schools for college guidance purposes. This is despite the fact that in 2022, it was reported that Naviance targeted ads for colleges on its student-facing platform disguised as objective recommendations and was shown to allow colleges to discriminate by race by targeting ads only to white students.
More recently, it was announced that PowerSchool had agreed to settle a class action lawsuit alleging that the Naviance platform contained ad tracking technology that transmitted a wide range of student data to Google, Microsoft and a company called Heap, including their names, ID numbers, graduation years, demographic information, photographs and survey responses, as well as their private communications with teachers. This would violate not only state privacy laws but also the federal wiretapping statute. Even now, the DOE has refused to tell parents or students about the Naviance agreement or inform them they can apply for a portion of the $17.25 million settlement.
The fact that the Illuminate and PowerSchool breaches exposed the data of many thousands of NYC students who had long graduated or otherwise left the system also shows that the data minimization and deletion by vendors required by Ed Lawa 2D is not enforced by DOE. More background here.
To make things worse, the PowerSchool privacy agreement still posted on the DOE website is clearly non-compliant with the law, as it says that the company will only conform to the privacy requirements in federal and state law or in their contract with DOE when it is “commercially reasonable.”
Other problems highlighted in the audit and the DOE’s official response
The Comptroller’s office also found significant weaknesses in DOE’s technical data security controls that should be corrected, including “issues with system monitoring, unsupported systems, and firewalls.” Understandably, the auditors only communicated the details of these security weaknesses to DOE in a separate confidential report. In their response, DOE makes no commitment to address these technical problems, but instead says that they would address them separately, within the confidential report.
In its response, DOE claims to have made “several improvements to its privacy practices and policies,” including updating the Chancellor’s Regulation A-820 to “restrict the use of “directory information.”
In fact, the recent amendment to the Chancellor’s Regulation weakened the protections for student data, by redefining a wide and essentially unlimited range of personal student information, including but not limited to their names, addresses, telephone numbers, email addresses, photographs, grade level, participation in activities and sports, and more, as directory data that can be shared with third parties, even when they are not providing services to schools. Only an unreliable parent opt out process was provided to prevent these disclosures from occurring.
Finally, the auditors also revealed that DOE officials took an inordinate time to respond to their requests; and that documentation requests took over five months to fulfill, while requests for meetings took two months to schedule.
Leonie Haimson is the co-chair of the Parent Coalition for Student Privacy, a member of the NYSED Data Privacy Advisory Committee, the Chancellor’s Data Privacy Working Group and the Chancellor’s AI Working Group
###
