
A blistering state audit says New York City Public Schools have been dropping the ball on protecting students’ personal information, with hundreds of reported incidents and long delays before families were told anything was wrong. Auditors say the system is missing key written policies, relies on weak technical controls and lets individual schools run their own apps in ways that make it tough to track where sensitive data is actually stored. All of this lands just as the district rolls out its first wave of classroom AI guidance, which privacy advocates say only raises the stakes for locking down vendors and data safeguards.
State audit calls for major repairs
The Office of the State Comptroller concluded the system “can take steps to increase controls over the privacy and security of student data” and urged tighter oversight along with clearer policies. According to the Office of the State Comptroller, auditors reviewed NYCPS practices from March 2020 through September 2025 and found gaps that slow down incident response when things go wrong.
141 incidents and some families left waiting
The audit identified 141 breaches or unauthorized data releases reported to the state between Jan. 5, 2023 and Feb. 27, 2025, and found that city officials were late reporting 48% of those incidents to the State Education Department. Notification delays “ranged from 1 to 460 days,” and families were notified late in 11% of the cases, according to the Office of the State Comptroller. Auditors also found that only 73% of employees finished the required 2024 cybersecurity training and that NYCPS still lacks written policies on data classification, backups and risk assessment.
Illuminate, PowerSchool and the AI scramble
The comptroller’s findings land on top of already high-profile vendor problems. The DOE’s incident log states that the 2022 Illuminate Education breach affected roughly 800,000 current and former students, and that a late December 2024 PowerSchool incident forced the district to figure out which schools and students were impacted. Those details are laid out by New York City Public Schools. At the same time, Chancellor Kamar Samuels issued preliminary guidance on AI in March and said the district will build a fuller AI playbook this spring with community input, on a timeline that makes data protections an immediate policy priority, New York City Public Schools said.
Parents and advocates say trust has taken a hit
“The DOE’s privacy policies and practices are sloppy, irresponsible and show a lack of concern for keeping students’ personal information safe,” Leonie Haimson, co-chair of the Parent Coalition for Student Privacy, told the New York Daily News. In a statement to the same outlet, DOE spokesperson Onika Richards said officials disagreed with some of the audit’s findings and would continue “strengthening policies, oversight, and training,” the New York Daily News reported.
Legal rules leave little room for foot-dragging
State law requires educational agencies to report breaches to the State Education Department’s Chief Privacy Officer and to notify affected families within specific timeframes. Agencies must notify the Chief Privacy Officer within 10 calendar days and notify affected individuals within 60 calendar days unless doing so would interfere with law enforcement, according to the New York State Education Department. The department’s FAQ on Part 121 and Ed Law §2-d explains those requirements and outlines the role of local Data Protection Officers in coordinating notifications.
What comes next for the nation’s largest school system
The audit lays out a to-do list: formal data classification, a full inventory of school-level apps, clearer backup and recovery plans, and mechanisms that ensure breach reports go out on time. Auditors say the district should adopt those fixes. The DOE says it will keep working on policy, oversight and training while it finishes the AI playbook the city expects to complete in the coming weeks, and reporting has noted that the fuller playbook is expected in June. GovTech covered the AI guidance rollout and the timeline for a more comprehensive playbook.









