On November 20, the Panel for Educational Policy (PEP) will meet to discuss proposed amendments to Chancellor’s Regulation A-820, which governs how student records and personal information are handled. While these changes aim to align with Education Law 2D, they fail to ensure compliance and instead perpetuate harmful data-sharing practices that prioritize convenience over student privacy and safety.
- Unprotected “Directory Information”: The definition of “Directory Information” remains too broad and unprotected, leaving sensitive data at risk of exposure.
- Health records exemption: Certain medical records maintained by schools would be exempt from FERPA and Education Law 2D protections.
- Weak data security: The regulations lack clear standards for securely storing, transmitting, and deleting student data, opening the door to potential breaches.
These are not minor oversights – they reflect a deliberate weakening of privacy protections.
One of the most concerning aspects of the proposed changes is the DOE’s ongoing practice of sharing student data with third-party vendors without parental consent. When the PEP approves contracts with new vendors, private companies gain access to sensitive student information, including:
- Biometric data like fingerprints and photographs
- Behavioral records
- Sensitive demographic details such as gender identity, immigration status, or family history
- Detailed Individualized Education Plans (IEPs), which can include sensitive personal histories
This data is shared without informing parents or students, and there is no opt-out option. It’s a fundamental violation of privacy and dignity.
This data-sharing issue is part of a larger trend toward privatization in public schools. For-profit education technology companies are increasingly replacing skilled educators, often with little input from the community. These contracts cost millions in taxpayer dollars, yet the effectiveness of these services is rarely questioned.
For example, the Creative Curriculum for Pre-K requires teachers to input extensive data, including biometric information, into a proprietary system owned by KKR, a private equity firm. Teachers previously had more autonomy and no data-sharing concerns. The shift raises the question: who benefits from this, and at what cost to students?
Under Mayoral Control, PEP has become a rubber stamp for the mayor’s agenda. Recent moves to limit public input make it easier for large, unexamined contracts to pass. Given the mayor’s current legal challenges, the lack of transparency is particularly concerning. While there are some data protections in place, multiple breaches have shown that these safeguards aren’t enough. Additionally, AI-based curricula that use student data to improve algorithms are a direct violation of privacy laws. Most concerning, the most vulnerable students—Black and brown students, transgender students, and those with disabilities—are at greatest risk from these privacy breaches. Data misuse can contribute to systemic inequities, including the school-to-prison pipeline, and can bring further harm to students in a politically charged environment.
We have raised these concerns with the DOE’s Chief Privacy Officer through public comments and a request for a meeting, but received no response.
We are grateful to Chair Gregory Faulkner, who leads the Panel for Educational Policy, for delaying a vote on the proposed regulations to allow for further public engagement. We hope that DOE officials will heed the call of panel members like Thomas Sheppard, Jessamyn Lee, Adriana Alicea, Naveed Hasan, and Chair Gregory Faulkner, who have previously called for greater scrutiny on both the guidelines that govern data sharing and the contracting and selection process by which private companies are allowed to be entrusted with student data.