A state law that went into effect this year includes new requirements to help parents keep tabs on their children’s personal data. But New York City has largely fallen short of following the rules, lagging on a mandate to publicly share a “Parent Bill of Rights” for each vendor that has access to protected student information.
After a state lawmaker pointed out this week the city’s lack of follow through, officials are now promising swift action, but advocates remain concerned about privacy safeguards. The stakes feel especially high as much of school is now happening online and classrooms are using various digital platforms to deliver lessons.
Manhattan state Senator Brad Hoylman questioned why the city has not posted the bill of rights that is supposed to spell out how parents can access their child’s information and challenge the accuracy of the data, as well as when records are supposed to be destroyed.
“Parents must know that their children’s personal information is safe from breach or abuse, and that all their rights under the law are ensured,” Hoylman wrote this week to schools Chancellor Richard Carranza.
The city promised to post a batch of documents publicly “by the end of next week,” according to Sarah Casasnovas, a spokesperson for the city education department.
“They will be posted on a rolling basis,” she wrote in an email.
Local education advocates surveyed parents and tallied a list of programs recommended by the education department and teachers union, and they came up with more than 100 digital apps, websites, and platforms. They include ClassDojo, Epic, iReady, and Flipgrid — programs that have become ubiquitous in many schools with the switch to online learning in the face of the coronavirus pandemic.
Reviews of the publicly available privacy policies for some of the programs being used in New York City classrooms are poorly rated, according to Common Sense Media, a nonprofit review organization. Some programs allow targeted advertising to be displayed, while others have questionable encryption policies, or allow data to be transferred to third-parties, according to the organization’s reviews.
It’s possible that the companies have separate contracts with New York City that require more data protections. But Leonie Haimson, who co-chairs a national advocacy group called the Parent Coalition for Student Privacy, says that it’s impossible to know whether the programs comply with state law because the city department of education, or DOE, has not publicly posted the contracts or the required bill of rights.
“We have no idea what’s happening with the data that is flowing out of kids’ iPads and computers,” Haimson said. “We don’t know whether the contracts are protective of student privacy or not. We don’t really know if anyone at DOE is paying attention to this issue in a way they should be.”
Casasnovas, the education department spokesperson, said that the city vets its vendors to ensure student data is safe, including through a 250-question survey about security protocols and up to a half-dozen interviews.
Other platforms including Google Classrooms are centrally managed by the education department alongside the vendor “to ensure all recommended security policies are enforced centrally to protect student privacy,” she said.
So far, the education department has a bill of rights posted for only three contracts — all of which govern in-school COVID testing.
The information posted raised concerns for Hoylman, who asked for clarification about when those companies are required to delete student data. The city’s contracts, for instance, reference federal regulations they say supersede the state’s stricter requirements for destroying student information. He also wanted to know whether any data being stored could be stripped in some way to protect the identities of individual students.
Casasnovas said that the companies have agreed to “robust” privacy and security protections.
“COVID testing vendors are obligated to follow laws and regulations that apply in the context of medical testing and lab results, including federal legal requirements for retaining such data,” she wrote in an email.