ACCORDING to a state audit spanning 2020 to 2025, the New York City Public Schools does not have a clear understanding of the data it collects or the risks it faces, with major gaps in state-required data security policies and weaknesses in how student information is tracked, secured, and managed. The audit identified 141 data security incidents involving breaches of student and staff information from both third-party vendors or internal Education Department systems between January 2023 and February 2025.
It also cites that the Education Department does not maintain a complete inventory of software used across schools, and notes a lack of a centralized tracking system for programs used by each school, exemplified by the PowerSchool breach that affected over 3,000 students and 317 staffers.
Tina Kim, head of the comptroller’s state government accountability division, said, “New York City Public Schools does not have a clear understanding of what third party actually has access to the students’ information.” The audit’s recommendations include implementing a mechanism to ensure breach notifications within required time frames and creating a written data and asset classification policy for all NYCPS systems and data.