Ability OT, PT and SLP Therapy

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Ability OT, PT and SLP Therapy, PLLC provides Occupational Therapy (OT), Physical Therapy (PT), and Speech Therapy (SLP) for the NYC Board of Education. We provide these services at our office and schools in our contracted areas. The goal of these services is to assist each child reach their highest level of abilities in order to excel in the school environment.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally-hosted solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Ability OT, PT and SLP Therapy safeguards all personal identifiable information by maintaining a locked file cabinet where hardcopies of paperwork are stored. Most personal information, including session notes, is uploaded directly to the NYC BOE system (SESIS). Each provider maintains their log-in credentials to this system. PII from the NYCDOE are either transmitted to our agency via password protected transmittals or secured access to SESIS. Our office computer does not utilize any cloud based software or storage. All data is kept on site. The computer is protected by virus security software and a firewall to protect against the possibility of unauthorized access to our system. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Aim High Children’s Services

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. As a NYC DOE contracted provider of Special Education and related services as well as early childcare, Aim High will receive PII in the course of providing services to students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Workspace.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Aim High employs robust administrative, operational, and technical safeguards to protect Protected Information:

• Administrative:
  • Access controls: Only authorized personnel with a legitimate need-to-know have access to Protected Information.
  • Regular data backups: We conduct regular backups of Protected Information to ensure data recoverability in case of incidents.
• Operational:
  • Aim High implements access control to the physical facilities where PII is stored. Rooms and cabinets where files are kept have locks and are only opened when authorized personnel are on site.
  • Third-party vendor management: We only with third-party vendors with clear data security and privacy commitments that meet or exceed industry security and privacy standards.
• Technical:
  • Data encryption: We password protect PII in storage and in transit.
  • Secure network infrastructure: We employ firewalls, intrusion detection systems, and other security controls to protect our network infrastructure.
  • Vulnerability management: We regularly scan our systems for vulnerabilities and promptly patch them.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

All My Children Daycare & Nursery School

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Start Date: 09/01/2017

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. All My Children Daycare and Nursery School provides qualified therapists to support the student’s individual education plan. These services include speech therapy, occupational therapy, and physical therapy.

Our primary responsibility is to provide therapists capable of meeting the geographic specifications of CPSE (Committee on Preschool Special Education) students.

PII is necessary for assessment and evaluation to develop tailored therapy plans, treatment planning to address specific goals, effective service delivery based on individual needs, ongoing progress monitoring for adjustments, compliance with regulations and reporting requirements, and facilitating communication and collaboration among stakeholders involved in the student’s therapy and education.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Dragon Software.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• PII is securely stored electronically, accessible only via password-protected devices with timed sessions.
• Our administrative office maintains high security, limiting access to the related services coordinator. All physical data is kept securely locked.
• Robust security measures include Malwarebytes protection on company computers, password-protected email systems, and firewall defense against threats.
• Access to admin accounts is restrict to IT personnel, with unique passwords managed through active directory security policies.
• Established and maintained clear and comprehensive policies and procedures for the handling, processing, and storage of PII.
• Keep all software and systems up to date with the latest security patches and updates to protect against known vulnerabilities.
• Established and enforced data retention policies to ensure that data is only kept for as long as necessary and securely disposed of when no longer needed. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

American Sign Language

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2017 – 8/31/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. For all NYC DOE Deaf students who require interpretation services, ASLI provides American Sign Language (ASL) interpreters on-site who interpret from English to ASL and from ASL to English. Interpreters assist students with required communication services to learn and participate in school. PII is needed to identify the students that require services, communicate to and on behalf of specific students, provide subject specific assistance, and determine if students requiring services are in attendance.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Excel.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ASLI uses several administrative, operational and technical safeguards and practices to protect the Protected Information.

• Only the staff that requires access to PI is given such access.
• All of ASLI’s PI data is stored in a secure password protected encrypted database. ASLI’s database that contains necessary PII is encrypted at rest (EAR) and in transit via an SSL connection. Student data is not transmitted over email. Services are only provided at DOE sites and never stored in a physical form. That data is sequestered in a separate database with separate login credentials from the non-DOE systems. Software updates are managed by a third-party company that specializes in IT support and does not have access to DOE data, it simply manages the security of the machine.
• Every time DOE data is accessed, users must enter their username and password and a log record is created. Passwords are not stored in the clear and must follow NIST’s most recent guidelines.
• Each person that has access to PI as part of their duties for ASLI, such as interpreters and coordination staff is trained on best privacy and security practices and agrees to follow them.
• Staff agrees to keep covered PII confidential, only collect and use covered PII for legitimate educational purposes, to inform the DOE if the covered PII is breached or disclosed without authorization, and plan for its return and disposal one no longer needed.
• ASLI agrees to have the appropriate safeguards, policies, and practices in place to protect the data.

More specifically, ASLI agrees to the following:

• Have reasonable administrative, technical and physical safeguards in place to protect covered PII when it is stored or transferred. These technologies, safeguards, and practices will align with the NIST Cybersecurity Frameworks and include encryption, firewalls, and password protection.
• Use encryption to protect personally identifiable information in its custody while in motion or at rest.
• Train staff in applicable laws, policies, and safeguards associated with industry standards and best practices.
• Limit access to covered PII to only those employees or contractors who need access to the data in order to provide the contracted services. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Apex Therapeutic Services

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Apex Therapeutic Services, a healthcare firm, is dedicated to enhancing the educational experience of diverse-needs students for the Department of Education. The services include Occupational Therapy, Physical Therapy, Speech-Language Pathology, and Paraprofessional support. All services align with Individualized Education Program goals, emphasizing data tracking in the Special Education Student Information System. Apex conducts assessments, including OT, PT, Speech-Language Pathology, Psychiatric, Audiology, and Social Work assessments, ensuring a holistic approach to student wellbeing. Committed to excellence, Apex's mission centers on providing tailored, high-quality services to empower students in achieving their educational milestones.

PII (Personally Identifiable Information) is essential as it facilitates the creation of individualized user accounts, enabling personalized tracking of student progress within our educational programs. Additionally, PII is crucial for facilitating effective communication between teachers and parents regarding the students' academic achievements and areas of improvement. PII plays a key role in monitoring and analyzing student progress, allowing us to tailor educational pathways and recommend appropriate follow-up courses based on individual learning needs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Dropbox.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Administrative Safeguards:
  • Policies and Procedures: APEX Therapeutic Services establishes and maintains clear and comprehensive policies and procedures for the handling, processing, and storage of PII.
  • Access Controls: Implement access controls and permissions to ensure that only authorized personnel have access to PII, and access is granted based on the principle of least privilege.
• Technical Safeguards:
  • Encryption: Utilize encryption mechanisms to protect the confidentiality of PII during storage, transmission, and processing.
  • Firewalls and Intrusion Detection Systems: Employ robust firewalls and intrusion detection systems to monitor and control network traffic, preventing unauthorized access and potential security breaches.
• Physical Safeguards:
  • Access Controls to Physical Facilities: Restrict physical access to areas where PII is stored or processed to authorized personnel only. Implement security measures such as key cards, biometric authentication, or security personnel.
  • Secure Storage: Store physical documents containing PII in locked cabinets or rooms, ensuring that unauthorized individuals cannot access sensitive information. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Apple Blossom Occupational Therapy

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Apple Blossom Occupational Therapy Services is contracted with NYCDOE to provide Occupational Therapy services to children, who have been mandated occupational therapy on their Individualized Education Plan. The PII is provided by NYC DOE to the agency in order to perform the duties with the student, communicate with the family and when applicable provide homecare. IEP or Individualized Education Plan is a legal document.

The Entity may receive the following protected information or PII:

• Patient Name, Parents Name
• Patient Date of Birth & Address
• Individualized Education Plan
• Pertinent Medical History if provided by DOE.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft 265, Google Workspaces, and using an Entity-owned and/or internally-hosted solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Apple Blossom takes security and protection of PII data as an important business function:

• Strong Password Policies: The Processor enforces strong password policies, ensuring that all accounts managed by the Processor, especially those with access to Protected Information, have secure passwords and multi-factor authentication, whenever available. These secure passwords are encrypted and stored in Password managers and only accessed by authorized personnel.
• Use of Secure Communication Channels: Protected Information is communicated through secure channels, such as encrypted email or secure file-sharing services, to reduce the risk of unauthorized access during transmission.
• Regular Software Updates: The Processor ensures that all software and applications, especially those handling Protected Information, are regularly updated to patch vulnerabilities and improve overall security.
• Access Controls: Access controls are implemented to restrict access to Protected Information on a need-to-know basis. Employees only have access to information necessary for their roles. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Bright Start Speech Pathology and Language PC

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2023 – 8/31/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Bright Start Speech Pathology and Language PC provides speech therapy to NYC DOE preschool and school aged students. PII is used to provide necessary instruction, and allow staff to monitor and communicate with parents about student progress. PII is used to advise on parental carry over and follow up. PII is necessary to monitor attendance/enrollment in program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Drive.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Bright Start retains all electronic and/or paper records and/or forms containing student information in a secure environment that precludes access by unauthorized persons, and which provides protection from unauthorized access. All electronic records are on password protected PCs. Paper records are secured in lockable file cabinets.
• Our reception area is fully secured, and Office access is controlled.
• Patient data is never under any circumstances shared with or disclosed to a third party.
• Bright Start Speech limits access to material under its control to employees performing services on a strictly need to know basis.
• Quarterly training is held with all staff to reinforce IS and data security requirements.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Chatty Child Speech Occupational and Physical Therapy

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2023 – 8/31/2025.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Chatty Child provides high quality pediatric speech and language, and occupational therapy services for ages 3-21 years old. PII is necessary to provide an effective plan of care for individuals and their families. We use this information to plan goals, and track progress. This occurs at our office.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The principal or designated administrator oversees the security of PII. Only these persons are allowed to enter any PII into third-party security and storage provider. Individual therapists are only permitted to access relevant files to their personal caseload.

• All employees must complete data privacy training specific to student data privacy.
• All computers are password protected.
• Individual therapists are only permitted to access PII relevant to their personal caseload.
• Data is entered into a password protected cloud-based system that employs current industry standards. Only authorized individuals have access to cloud-based services. Passwords are changed every 90 days for each staff member with access.
• All data is encrypted in transit and storage.
• All office doors are locked with key access only to cleared individuals. Paper files are kept locked and secured with limited access.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Children at Play Early Intervention Center

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2021 – 6/30/2026.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Children At Play Early Intervention Center (CAP) provides special education 4410 full day preschool 12:1:2 class and 8:1:2 class, along with special instruction, counseling, speech, occupational and physical therapies are provided as per each child’s IEP. CAP provides SEIT services where special education providers provide individual or group teaching sessions to children in approved IEP locations as per each child’s IEP. CAP performs approved CPSE evaluations (Psychological, Educational, Social History, Observations, Speech, Occupational Therapy, and Physical Therapy).  Teachers, therapists, and admin in these programs will need access to students PII in order to provide services, review IEPs, enroll students in these programs, and bill for services. CAP will only use PII for purposes agreed upon within the DOE nondisclosure agreement.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Box and IEP Tracker. Paper charts are always kept in a locked cabinet. Access is by request only.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Children At Play Early Intervention Center (CAP) ensures access to our cloud-based solutions are only granted to active employees and revokes access to terminated employees. All employees must change passwords at least 2 times per year. Access is granted on a tiered basis, employees only have access to student information that is necessary to complete their job functions. At the end of each school year, the previous years students are archived and only accessed by administrative staff as needed. The files are retained for the amount of time necessary as per the DOE. Administrative staff periodically reviews the users who have access to our cloud-based solutions to ensure the roster of employee access is accurate. Students in our preschool program have paper charts. Those charts are in a locked cabinet at all times, and only accessible to the list of teachers, therapists and administrators listed on the cabinets. The list is periodically updated as needed. The key for the cabinet is in a locked safe box that only the directors have access to.  Children At Play Early Intervention Center employees, officers and administrators are trained on confidentiality and compliance upon hire and every year thereafter. They are trained on the importance of keeping student information confidential, not to give out information to any other parties, to not use identifiable information such as last names, SS numbers, addresses etc. when referring to a student. Trainings on data privacy are given once a year. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

City Sounds of New York – Speech Language Development Center

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The City Sounds of New York provides special education therapy and assessment services for the students of NYCDOE, including speech language pathology, occupational therapy and physical therapy services. PII is needed for therapy and evaluation purposes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., P.S> Medical Systems, EWeb Billing Platform and Microsoft based cloud service.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. City Sounds of New York controls user access and identity management of our users to make sure authorized employees have access, we also use data encryption methodologies to make sure data is protected and encrypted. Access to specific shared drives will be granted only after filling out a request form and approval from the manager. SharePoint sites and Teams containing this information are only available to our members with valid CSNY credentials protected by MFA. External data sharing is blocked and USB access and file sharing are disabled company wide. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Comprehensive Psychological Services

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Comprehensive Psychological Services, PC provides Related Services to special education students as prescribed in their Individualized Education Program (IEP); this includes, but not limited to, Counseling services. PII is required to identify students, provide necessary special education services, and monitor progress. PII is also necessary to delivery appropriate medical care.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft 365, Acronis, Knack.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Comprehensive Psychological Services, PC has established standards for Data Privacy and Security as detailed in an annually reviewed Plan which is implemented and overseen by senior management and IT Professionals, and includes securing, protecting, and encrypting student PII and includes:

• Network/Server security including protection controls and security for access; virus/malware protections; backup procedures, and vulnerability audits.
• Workstation Security measures to ensure confidentiality, integrity and control of availability of sensitive information to authorized users only
• Encryption with proven, standard algorithms
• Policies for data destruction
• Administrative and Operational safeguards

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Comprehensive Resources

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Comprehensive Resources, Inc. provides Related Services to special education students as prescribed in their Individualized Education Program (IEP); this includes, but not limited to, Occupational Therapy (OT) services, Physical Therapy (PT) services, and Speech Pathology (SP) services, and nursing services. PII is required to identify students, provide necessary special education services, and monitor progress. PII is also necessary to delivery appropriate medical care.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft 365, Acronis, Knack.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Comprehensive Resources, Inc. has established standards for Data Privacy and Security as detailed in an annually reviewed Plan which is implemented and overseen by senior management and IT Professionals, and includes securing, protecting, and encrypting student PII and includes:

• Network/Server security including protection controls and security for access; virus/malware protections; backup procedures, and vulnerability audits.
• Workstation Security measures to ensure confidentiality, integrity and control of availability of sensitive information to authorized users only
• Encryption with proven, standard algorithms
• Policies for data destruction
• Administrative and Operational safeguards

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

DRJK

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Per our agency’s contract with the New York City Department of Education, we need to keep track of the time of sessions rendered audit and billing purposes. DRJK LLC (DRJK) is an agency that provides occupational and speech therapy services to pediatric clients with a variety of developmental and/or learning disabilities. DRJK has a contract with the New York City Department of Education to provide therapy services in local schools to CPSE (ages 3-5) and CSE (ages 5+) students across the five boroughs of New York City.

PII is used to allow our speech/occupational therapist providers to enter their billing and ensure the students mandates are in-line with the students Individualized Educational Plan (IEP).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., eWebstaffing System.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. eWebStaffing System follows Family Education Rights and Privacy Act (FERPA) and New York Education laws, such as secure physical access to systems and data storage locations, implementation of technology and policies for access control, data encryption, and secure transmission of ePHI.

• Safeguards and Practices
  • Administrative Safeguards: The system implements strict access controls, regular staff training, and robust data management policies.
• NYC BOE – Non Disclosure / Data Processing Agreement
  • Operational Safeguards: Procedures are established for data handling, transfer, and storage, ensuring minimal risk of unauthorized access or data breaches.
  • Technical Safeguards: Safeguards are being followed, such as advanced encryption, firewall protection, intrusion detection systems, and regular security updates to protect
• Protected Information
  • All of our staff, employees, providers and employees of the third party contractor and its assignees who have access to Protected Information are required to sign our agency’s handbook that outlines all our policies and procedures on an annual basis. This handbook includes training on the federal and state laws governing confidentiality of such data prior to receiving access. Including reference to Family Education Rights and Privacy Act (FERPA), New York Education Law § 3012-c (1) and New York State Education Law § 2-d.
  • Employee handbook with all security policies and procedures must be reviewed by all personnel that have access to PII.
  • All personnel must complete annual training.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Dynamic Solutions Pediatric Physical and Occupational Therapy

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We provide related services, including physical and occupational therapy for preschool students as mandated by their IEP. We receive IEP documents from the DOE, notes, and emails from other related service providers, doctors, or professionals. We also receive information from parents and families concerning their children's medical health and personal information about family and other persons involved in their child’s life. We require children’s past history and current status and function in order to apply skilled physical and occupational therapy intervention.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and

written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Fusion Web Clinic, and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We have cyber security in place with Norton. We also use separate work emails for Dynamic Solutions employees only with HIPAA-compliant email. Furthermore, our electronic medical records are protected by Fusion encrypted security. We have locked file cabinets in the office for any paper records. Our administrative manager is responsible for training all staff in our safeguards and providing them with Fusion profiles and accounts and emails with passwords. She provides training in person at the start of every new employment or subcontractor for each therapist.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Emilia’s Kids

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Emilia’s Kids provides evaluations and related services to NYC BOE students. Evaluations and services include but are not limited to the following: speech therapy, occupational therapy and physical therapy. Our therapists go into the schools and community to provide these educational support services to students approved by the DOE. Emilia’s Kids requires PII to provide services to these students such as: Name, DOB, Identification Number, IEP, Mandates Services and parents names and email addresses. We need this info to be able to provide the correct student with the legally mandated services and associated goals on their IEP. Services are individually prescribed.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Workspace.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Emilia’s Kids uses Google Workspace Business. We require all users to enroll in two factor authorization to log into an individual account/google drive. We also allow Passkeys to enable employees to securely sign into their Google Account using fingerprint, face, screen lock, or hardware security key.

On all company laptops, there is an Advanced Protection Program with a Security Key. A security key is a verification method that allows our staff to securely sign in. Advanced Protection allows only Google apps and verifies third-party apps to access our Google Account data.

All staff receive training on how to mitigate data privacy and security risks to protect our students information. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

FUN Therapy OT

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We provide Speech, Occupational and physical therapy services to CPSE & CSE students. PII is provided to allow for providing speech, Occupational and Physical Therapy services, it is provided to contact to initiate related services, provide related services, goals for related services, session notes for related services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Safeguards put in place to protect protected information and/or personally identifiable information include only allowing access to information to licensed professionals adhering to ethical standards in compliance with NYS licensing standards. All protected information is:

• Double locked with password protection or physical locks
• Use of Firewall and anti virus software on all company devices
• Best practices with clean desk policy.
• Lock screen activated for 1 minute on all company’s devices
• Shredder on site for all documents.
• Email password protection
• Privacy training
• Ethical Standards for licensed professionals on maintain confidentiality and security
• Written Policy Procedures for privacy
• Use of Department of Education program for maintaining records with password protection
• Release of PII to authorized personnel only, authorization required
• Limited use and storage of PII to only required documents. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Gotham Per Diem

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2023 – 6/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Gotham Per Diem, Inc. provides nursing services to students and we need PII in order to accurately identify students and their medical needs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Gotham adheres to industry standards and safeguards protecting physical and digital data. These standards are subjected to monthly IT and Management review.
• All data is physically secured and encrypted on all mobile devices.
• Industry standard third-party applications are used for transit data including Office 365/Barracuda/Palo Alto. Patching and updating all hardware and Software are completed weekly or on an as needed basis.
• Email and web whitelisting standards are deployed.
• Dual authentication password protection along with strong and timely password updates are mandated.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Horizon Healthcare Staffing Corp

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2017 – 8/31/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Horizon Healthcare Staffing Corp. is a temporary staffing company and has been providing temporary staffing services under contract with the NYC DOE since 1995. We are currently providing Registered Nurses and Paraprofessional staff to staff school health offices, and to work with students on a 1:1 basis. PII is needed to identify students that need services of Registered Nurses and Paraprofessionals to provide health services and 1-to-1 educational support.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and

written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., BlueSky Medical Staffing Software.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Horizon Healthcare Staffing is dedicated to safeguarding the privacy and confidentiality of the personal and sensitive information entrusted to us by the NYC DOE and parents of the students for whom we provide services.

Horizon Healthcare Staffing Corp. employs a comprehensive approach to safeguard Personally Identifiable Information (PII) in adherence to FERPA regulations. Administratively, the organization has established rigorous security policies and procedures, delineating clear roles and responsibilities for employees in handling PII. Regular training sessions are conducted to educate staff on the importance of confidentiality and compliance with data protection regulations. Access controls are tightly managed by our Information Technology staff, with authorized personnel granted access based on their specific roles.

Horizon Healthcare Staffing Corp employs encryption technologies for both data in transit and at rest, ensuring that sensitive information remains protected from unauthorized access. Access control systems, including multi-factor authentication, are implemented to verify and restrict user access, with regular reviews and updates to permissions. Robust audit trails and monitoring systems track all interactions with PII, allowing for prompt detection and investigation of any anomalies. Encrypted email standards are used to transmit sensitive information securely. Physically, Horizon Healthcare ensures the security of data centers housing servers and storage facilities by employing access controls, surveillance systems, and restricted entry. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Infinite Services

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Office of Related Services partners with contract agencies (vendors) to provide Related Services to special education students as prescribed in their Individualized Education Program (IEP); this includes, but not limited to, Occupational Therapy (OT) services, Physical Therapy (PT) services, Counseling Services, Special Education Teacher Support Services (SETTS) and Speech Pathology (SP) services.

Infinite Services employs and manages therapist to provide the above services. In order to provide and document the services indicated in students' IEPS, the vendor needs access to the Special Education Student Information System (SESIS) to include students records and PII information. They will also interact with students and document services provided by entering data/notes into SESIS as well as maintain their own notes for historical treatment reference.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data is stored in a privileged system which is designed with the least privileged access. The data is encrypted at rest and in transit. All backups are encrypted. MFA is required to access the system. Physical security and video surveillance of the IT assets is in place. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Kids In Shape Physical Therapy

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2023 – 9/1/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Kids In Shape provides center based Physical and Occupational Therapy services to students with disabilities. In doing so, personnel have access and collect sensitive student and parents information i.e. names, address, phone numbers, BOE student ID numbers. These data is kept in medical charts that are locked in file cabinets located in a locked medical records room.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII for all students are filed in medical charts that are kept in locked file cabinets in a locked medical records room. Only the manager has a key to access the room and cabinets.

All personnel collecting this information are trained twice a year on the importance of safe collection and filing of the information.

In case of a security or privacy breach of PII or confidential information, the manager will inform the responsible person at the NYC BOE, in writing , and within 24 hours of such an incident, and provide specifics of the incident. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Legendary Speech Pathology (also called Legendary Therapy)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Legendary Therapy provides services and assessments to students throughout NYC. These services include Speech Therapy, Occupational Therapy, Physical Therapy, Hearing Education Services, Sign Language Interpretation and Counseling.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and

written discretion in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., ServerPronto.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. At Legendary Therapy, we have various safeguards, including technical and physical measures.

We have established data governance policies and conduct regular employee training sessions to ensure data privacy. Also, we have a well-prepared incident response plan to handle any potential breaches.

On the security front, our top priority is the utilization of encryption/protected protocols, firewalls, and intrusion detection systems. These measures are specifically designed to enhance the security of PII. We prioritize setting up controls and verification methods to allow only approved people to access essential data.

Regarding physical security, we strictly regulate access to our data centers. We have implemented strict security measures for devices and facilities storing PII. This includes restricted access and various security protocols that prevent unauthorized entry into sensitive areas.

At Legendary Therapy, we regularly conduct risk assessments to eliminate any potential privacy or security risks associated with data. Compliance with regulations is paramount as we continuously strive to enhance our security practices. We remain vigilant by identifying vulnerabilities and keeping up to date with evolving compliance standards.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Levcare

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2023 – 8/31/2024.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Levcare is a related services agency. We provide speech and occupational therapy for school age and preschool children. We need the child’s IEP along with relevant reports for the child which have some of the child’s PII on them in order to provide the therapy.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. At Levcare all paper and electronic records containing student information is stored in a secure environment which precludes access by unauthorized persons, and which provides protection from unauthorized access. Student records are stored in metal file cabinets which are locked at all times only to be access by the director when necessary. In general access to students records are limited to the director and the therapist providing the service to that specific child. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Medicredo

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The nursing service is being provided to NYC DOE students. PII is necessary to identify students for treatment.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All students related information is kept in the binders which is accessible by the nurses only and kept in the secure location. All data files are protected in the locked cabinets in the medical office on DOE sites that could be accessed by the nurses only. The cabinet keys are kept in secure place in school. No documents are removed from the school’s medical office. No data is stored or transferred electronically. All data is maintained in a physical form. All students information on 504 forms will be used only for the medical treatment.

Employee best practices:

• Nurses are trained not to disclose information to anyone without receipt of proper authorization.
• Only minimally required data is ever shared.
• Medicerdo limits access of data only to the employees who require it to complete their jobs.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Mid Island Therapy Associates (also called All About Kids)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Mid Island Therapy Associates, LLC d/b/a/ All About Kids (hereafter referred to as “All About Kids”, “AAK”, &/or “Processor”) provides to the NYC Department of Education the following Preschool (CPSE) &/or School Age (CSE) Related Services to Special Education students as prescribed in their Individualized Education Program (IEP), including but not limited to:

• Occupational Therapy (OT) Services
• Physical Therapy (PT) Services
• Speech/Language Pathology (SP) Services
• Counseling Services (CSE students only)

  In addition, All About Kids is contracted with the NYC Dept. of Education to provide Preschool (CPSE) students with Special Education Itinerant Services (SEIT) as prescribed in the students’ Individualized Education Program (IEP), Coordination of Services, and Multidisciplinary Evaluations (MDE).

All About Kids is also contracted by NYC Dept. of Education to provide the following Assessments (Evaluations) for School Age (CSE) students:

• Speech/Language Therapy Assessments
• Occupational Therapy Assessments
• Physical Therapy Assessments
• Psycho-Educational Assessments
• Central Auditory Processing Disorder Assessments
• Audiological Assessments
• Functional Behavioral Assessments
• Social History Assessments

Data received by All About Kids (AAK) will be used only to perform AAK's obligations pursuant to the Agreement between AAK & the New York City Department of Education District for the purpose of providing educational/related services and/or evaluations to students and for no other purpose.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. “All About Kids’ records are retained &/or destroyed only in accordance with all applicable Municipal, NY State, & Federal laws, rules, regulations, & guidelines including but not limited to the NYS Dept. of Health, the NYS Education Dept., the NYC Dept. of Education, and the NY State Medicaid Program.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Office 365, OneDrive SharePoint, Claims; and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. AAK limits internal access to Educational Records to authorized individuals with legitimate educational interest only and access is controlled, monitored, and recorded by a supervisor. AAK complies with all District policies and state, federal, local laws, rules, and regulations and requirements related to confidentiality of student records. All Electronic Data is stored in accordance with commercial best practices, including appropriate administrative, physical, and technical safeguards to secure data from unauthorized access, disclosure, alteration, or use including but not limited to: anti-virus protection, spyware protection, firewalls, passwords & user names, and access is logged in and out and monitored by IT Systems. All employee access accounts are disabled upon termination from employment. Additionally, access to AAK's software & databases containing PII is made available to only authorized/necessary employees or authorized contractor, partners & vendors who have signed a Confidentiality Agreements with AAK. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Miracle Care

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Miracle Care Inc. is contracted with the NYC DOE to provide related services such as, speech therapy, physical therapy and occupational therapy as well as speech and language evaluations. In order for Miracle Care Inc., to perform related services and speech evaluations it is necessary to access certain covered PII data, such as students age, language and social history, IEP’s and student evaluations etc. in order to assess and treat speech and language deficiencies.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., eWebStaffing a sophisticated, web-based management tool is utilized to streamline service coordination and only specific PII such as, Student name, OSIS ID, DOB and school name. Actual student reports such IEP’s and evaluations those are stored locally in our office.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Miracle Care Inc. has implemented an effective confidentiality plan to secure the confidentiality of student specific data. All personally identifiable student obtained by or furnished to the contractor, are kept strictly confidential and are not disclosed to any third party without the express written permission of the parent or legal guardian. The same applies to any reports or studies containing personally identifiable information prepared or assembled by Miracle Care Inc.

Access to student records is restricted to a limited number of individuals only on a need-to-know basis. The following safeguards are utilized to protect personally identifiable student information while in  motion and at rest; encryption, firewalls and password protection.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Netcare

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Netcare, Inc. provides Related Services to special education students as prescribed in their Individualized Education Program (IEP); this includes, but not limited to, Occupational Therapy and Speech Therapy services. PII is required to identify students, provide necessary special education services, and monitor progress. PII is also necessary to delivery appropriate medical care.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft 365, Acronis, Knack.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Netcare, Inc. has established standards for Data Privacy and Security as detailed in an annually reviewed Plan which is implemented and overseen by senior management and IT Professionals, and includes securing, protecting, and encrypting student PII and includes:

• Network/Server security including protection controls and security for access; virus/malware protections; backup procedures, and vulnerability audits.
• Workstation Security measures to ensure confidentiality, integrity and control of availability of sensitive information to authorized users only
• Encryption with proven, standard algorithms
• Policies for data destruction
• Administrative and Operational safeguards

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

New York Therapy Placement Services

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Student data will be used for the purpose of providing special education services and assessments to students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Unified Technologies.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Internal employees who have a need to access child records to perform their job duties are given password protected access to the data servers. Any field employees requiring access to electronic child record files must be pre-authorized to be on our network. The network requires a two-step login process in which the user first must log in to our Virtual Private Network (VPN). Once accepted by the VPN, users then log in again to access the network. Both internal and field users on the network are required to change passwords every 90 days, and past passwords may not be repeated.

Data Security and Encryption Practices - NYTPS Hosted Network System

Summary

• All Servers are Encrypted at the Storage level - while at rest, via VMware Encryption protocols.
• All Server Communication is encrypted at the network level - while in transit, via VMware Encryption protocols.
• All Communication is encrypted at the client connection level - while in transit, via OpenVPN Encryption protocols

Data Encryption Standards

All hosted servers for NYTPS are housed on a fully redundant, high availability VMware based server and storage system. The VMWare 7.x system includes vSphere Virtual Machine Encryption that supports encryption of virtual machine files, virtual disk files, and core dump files. Two types of keys are used for encryption:

• The ESXi host generates and uses internal keys to encrypt virtual machines and disks. These keys are used as data encryption keys (DEKs) and are XTS-AES-256 keys.
• vCenter Server requests keys from the KMS. These keys are used as the key encryption key (KEK) and are AES-256 keys. vCenter Server stores only the ID of each KEK, but not the key itself.
• ESXi uses the KEK to encrypt the internal keys and stores the encrypted internal key on disk. ESXi does not store the KEK on disk. If a host reboots, vCenter Server requests the KEK with the corresponding ID from the KMS and makes it available to ESXi. ESXi can then decrypt the internal keys as needed.

Servers are all encrypted using these standards at the VM level. These servers include the Database server, the file server, and the terminal servers where people remotely login to the box. All data transfers in this encrypted envelope.

All Servers systems (Database, File Storage, Remote Desktop) are contained in a fully encrypted environment using VMware 7.x. All communications between these services happens via either the internal encrypted network in the host sessions or though the client VPN (See Below).

Client Encryption

All clients connect to the remote server environment via a VPN client that supports AES-256- GCM (OpenVPN 2.4+) standards. In addition, all computing sessions transfer RDP protocols which have their encryption using TLS MS standards. All data is encrypted entering/leaving the datacenter via this VPN tunnel.

The NYTPS network system uses a domain-based Microsoft network protected by firewall security measures. All data is stored on either a file server or database server with Active Directory, to authenticate and authorize users and manage all security-related aspects of the domain. Each user has a unique ID and password. Passwords follow NIST guidelines for strong passwords and are set to be changed every 90 days for network access. Access to our member database is controlled by an additional separate login ID.

All access to the network and database is based on role level access. User accounts are defined by job function and access to network resources are given based on that role. All network accounts are reviewed and deactivated upon employee termination.

NYTPS policy requires that all emails containing personally identifiable information (Pl/) must be encrypted using established Microsoft 365 encryption protocol.

Backups are stored on an in-house system using data password encryption on the drives. Backups are stored in an alternate office location. Windows Systems are updated with all security patches on a bi-weekly basis. All computer devices run Microsoft 365 Office applications with multi-factor authentication. Application updates are applied by vendor standards. All desktops and servers have anti-virus (MDR) and Endpoint Detection and Response (EDR) that update centrally on a daily basis. Server systems have MSBPA (Microsoft Best Practice Analyzer) run on them before going into production and at least annually thereafter.

Remote access to the network is accessed via a VPN based solution. Only users with a job role need are granted access to data remotely.

New York Therapy follows the voluntary standards and guidelines of the NIST Framework Version 1.1 to help manage its cybersecurity risk.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

NPORT Registered Nursing, Physical and Occupational Therapy and Speech-language Pathology Services

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. NPORT Registered Nursing, Physical and Occupational Therapy and Speech-Language Pathology Services, PLLC OBA NPORT is a professional limited liability company that is licensed to provide therapy and nursing services in New York State. NPORT combined with its predecessor VTA has a 40+ year history of supplying highly qualified therapists, and over a 20-year history of supplying nurses to various healthcare providers in the New York market. Additionally, NPORT is Joint Commission Certified for Healthcare Staffing. We therefore possess the human, organizational, technical, and professional resources required to effectively manage the provision of efficient, appropriate, and reliable therapy and nursing services for the NYC DOE.

As a current vendor, NPORT provides clinical staff to the NYC DOE which includes Registered Nurses, Occupational Therapist, Physical Therapist, and Speech Language Pathologist. Nurses provide services inside the schools and/or on trips. Occupational Therapist, Physical Therapist, and Speech Language Pathologist provide services through the related services agreement or RSAs in the schools. NPORT uses PII to fulfill its legal obligations and the duties under the services agreement with the DOE, which includes licensed clinical services, billing for the licensed clinical services, and payments.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “retain only that PII that is necessary for NPORT to continue its proper management, administration, or to carry out its legal responsibilities. NPORT will return to NYC DOE or, if agreed to by NYC DOE, destroy or return the remaining PII that NPORT still maintains in any form as long as legally permissible.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. “All Confidential Information will be stored on Box.com which uses safeguarding protocols such as encryption, unique usernames, unique passwords, and limited access.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All Confidential Information is transported and stored using industry standard data encryption, access is limited by job function and the data is retained only as long as required. NPORT uses multiple safeguards to make sure that PII is protected, while data privacy and security risks are mitigated.

Administrative Safeguards include but are not limited to the following: systematic controls that provide role-based access to PII based on job title; reporting and escalations of inappropriate access or breaches of PII; and trainings on NPORT's privacy and information security program; including contractor agreements.

Technical safeguards include but are not limited to the following: employees must lock computer screens when away from desks; employees must clear PII from computer screens when not being actually used; computer passwords must be made as strong as possible and kept confidential; use of encryption; use of multifactor authentication.

Physical Safeguards include but are not limited to all papers containing PII to be discarded must be placed in the shred bin which is to be emptied on an as needed basis; desktops and laptops must be cleared of materials containing PII when not in use and at end of the business day; drawers and cabinets must be locked; all documents containing PII must be locked in desk drawers unless being used for appropriate purposes; all documents with PII must be promptly removed from faxes, printers and photocopiers; storage rooms containing PII materials are to be locked when authorized members of the workforce are not present.

The Privacy Officer will periodically assess and update the safeguard procedures established by the Policy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Open Lines Speech and Communication

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/7/2023 – 6/26/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Open Lines Speech and Communication, P.C. provides speech-language assessments and treatment to NYCDOE students in schools, in homes, and at our office. We are provided with PII by NYCDOE systems (e.g., SESIS), NYCDOE administrators, learning specialists, teachers, and parents/guardians. Speech-language pathology involves everything from medically-necessary speech therapy to literacy development so PII is required in order for us to provide these services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Open Lines does not store any data locally. PII will primarily be stored on NYCDOE systems (e.g., SESIS). However, we also use a HIPAA/HITECH-compliant cloud computing provided by Google Enterprise Workspace and TheraPlatform (a HIPAA/HITECH-compliant EMR). Open Lines holds a HIPAA Business Associate Agreement (BAA) with Google and a BAA TheraPlatform.

Our HIPAA-compliant Google Enterprise Workspace is accessed via SSL/TSL encryption. All documents are encrypted in transit and at rest with 256-bit Advanced Encryption Standard (AES-256) encryption. All internal emails sent between @openlines.com email addresses are encrypted with AES-256 bit encryption.

TheraPlatform is utilized via an SSL connection with 2048-bit SSL with AES-256 bit encryption. TheraPlatform encrypts all database backups. TheraPlatform's server drives are encrypted with a data key using the industry-standard AES-256 algorithm. In addition, TheraPlatform implements high availability architecture and a web application firewall. TheraPlatform has detailed logging and auditing in place. All data is encrypted both at rest and in transmission. TheraPlatform's database is encrypted using AES-256 bit encryption.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Open Lines actively monitors its office network for cybersecurity breaches. Open Lines maintains a cybersecurity protection contract with SecurityMetrics, a global leader of data security and compliance solutions with more than 20 years of experience with data security and compliance. SecurityMetrics employees hold certifications like Certified Information Systems Security Professional (CISSP), PCI Forensic Investigator (PFI), Qualified Security Assessor (QSA), Approved Scanning Vendor (ASV), Payment Application Qualified Security Assessor (PA-QSA), and Point-to-Point Encryption Qualified Security Assessor (P2PE QSA).

SecurityMetrics installed and implemented the Open Lines local area network (LAN) firewall. SecurityMetrics runs regular External Vulnerability Assessment Scans on the Open Lines LAN. The SecurityMetrics scan engine is regularly updated and identifies external network vulnerabilities such as misconfigured firewalls, malware hazards, and remote access vulnerabilities. This extremely high level of cybersecurity keeps Open Lines compliant with all FERPA, PCI DSS, and HIPAA/HITECH regulations.

Open Lines does not store any data locally and does not maintain any internal servers. Open Lines strictly transmits and stores data on military-grade encrypted servers hosted by Google and AWS (TheraPlatform). Open Lines protects all data in motion via its SecurityMetrics-protected LAN.

In addition to following industry standard cybersecurity precautions for data at rest and in motion, Open Lines trains its staff to follow best practices for data in use. This includes but is not limited to: requiring all Open Lines staff to use strong passwords that are unique to each system, ensuring no third-party can see their screen when working with PII on a device, ensuring devices are locked, and password protected when not in use, and not discussing student PII with an NYCDOE employee, parent/guardian, teacher, learning specialist, or other person who is authorized to access the student’s PII within earshot of a third-party.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Pathways OT Therapeutic Wellness

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2023 – 8/31/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Pathways OT Therapeutic Wellness provides occupational therapy and physical therapy to pediatric clients aged 3-18 years old. Occupational therapists strengthen the development of fine motor skills, sensorimotor processing, and self-regulation skills, visual perceptual skills and visual motor coordination. Physical therapists work to help the child improve their motor development, coordination, balance, flexibility, strength, and endurance to engage in everyday activities.

PII is used to support the Processor in completing special education workflow processes from referral through IEP development, placement, and related services. PII is also used to secure RSAs (Related Service Authorization) and other legal documents which authorize the Processor to provide Occupational Therapy and Physical Therapy to the students. Furthermore, PII is used by therapists for clinical documentation such as session notes, progress reports and IEP documents.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud and Google Drive; and using Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Pathways trains all employees and contractors on data privacy and security best practices and monitors their compliance. We employ technical safeguards by securing software and programming to access, store, and process PII. We uses software with embedded encryption to manage PII both at rest and in transit. All PII is stored and backed up in compliance to NYC DOE’s data privacy and security requirements and standards. Pathways also utilizes physical safeguards including locking and securing office doors, file cabinets, and desktop computers and anywhere PII is stored or accessed. Security cameras are installed to monitor the entry and exit of staff and visitors.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Premium Therapy Speech Services

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2023 – 8/31/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Premium Therapy Speech Services, P.C. is a DOE vendor that has been awarded contracts to provide Speech and Language Therapy to preschool and school-age students in English and Spanish.

The Department of Education shares PII with our Agency through transmittals, Individual Contracts, and Related Service Agreements (RSAs) so that the students can receive speech therapy services as mandated by their Individualized Education Program (IEP).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Therapy EMR & Practice Management Software by ClinicSource.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The safeguards the company uses are HIPPA compliance ERMs system, encrypted password protected transmittal of information, the use of state-of-the-art antivirus systems, and locked cabinets that are not accessible by unauthorized users. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Quality Evaluation & Psychology, Occupational, Physical & Speech Therapy Consulting Services

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Processor is an agency that contracts with the DOE to assess school students in various disciplines via testing to determine if special education services are needed, as well as to provide said services to special needs students should the DOE deem such services necessary. Professionals in fields such as Psychology, Neuropsychology, Occupational Therapy, Physical Therapy, Speech and Language Pathology, Social Work, and Mental Health Counseling receive access to PII so that, as evaluators, they can accurately assess the special education needs of students and so that, as therapists, they can provide the appropriate therapy that is mandated by the DOE. Therapy services provided include: mental health counseling, speech therapy, occupational therapy, and physical therapy.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is stored on in-house computers in a private building that is only accessible to employees of the company.  This company is the sole company located on the premises. Employees must have a key to enter the building premises.  Said on-site computers are each password protected by the relevant employee, thus preventing others from accessing the computer that stores the PII. Physical documents containing PII are stored under lock and key, including locked file cabinets and rooms that are individually locked. Computers contain up-to-date antivirus and firewall software. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

RCM Health Care Services

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 2017 - 2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. RCM Health Care Services, a division of RCM Technologies (USA) Inc., has been involved in staffing, executive search, and placement since 1975. In this time, we have built a formidable database of clients and employees, becoming one of the leading healthcare providers in the country. We specialize in temporary and permanent placement at every level in the healthcare field. We continually strive to offer our clients unparalleled healthcare professionals and solutions to meet the changing demands of the industry.

RCM has been providing healthcare staff to the New York City Public Schools for over 20 years, holding current contracts for Related Services (Occupational Therapy, Physical Therapy, Speech Therapy, Paraprofessional), General Nursing Services (Registered Nursing), and Assessments (Therapy and Psychology).

We require gathering PII information (student names, home addresses, schools, treatment mandates, etc.) from our Department of Education liaisons via SESIS, and inputting that directly into our internal system eWeb for secure tracking and relay of information to our clinical healthcare providers to provide services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., eWeb Staffing.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. RCM has an array of venders that help secure the Environment. Vendors such as Proofpoint protect all emails coming in and out of the organization. CrowdStrike Complete protects all RCM endpoints from Malware and Monitors User accounts. Cisco Umbrella protects the web traffic; Cisco ASA Firewalls with Firepower IPS/IDS monitor all network and VPN traffic. Microsoft O365 Compliance Manager enables policies for PII, and HIPAA to protect sensitive emails Data from leaving the organization. Emails containing any sensitive information will be automatically encrypted. Microsoft Sentinel (SIEM) monitors and collects all logs for all RCM assets. All RCM Data and Client Data is encrypted (AES256)at Rest and in Transit. Role based access for users and continuous training help protect the users and RCM Data. ISO 27001 Certification and requirements enforce Password Policies and Physical access controls to all RCM offices and assets such as lock doors, cabinet, keycard readers, clear desk policy and cameras. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Salveo Healthcare Solutions

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Salveo Healthcare Solutions, Inc. will access PII for the purpose of providing specialized educational and therapeutic services for NYC DOE students. This access enables us and our providers to tailor our services to each student’s unique needs, ensuring effective support in their educational and developmental progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor. “PII will be securely stored and hosted on Microsoft OneDrive, ensuring compliance with industry-standard protocols and data protection measures.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Salveo Healthcare Solutions, Inc. employs strict administrative, technical, and physical safeguards to protect PII. This includes controlled access, encryption, regular security training, data backup, and incident response protocols to mitigate privacy and security risks. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Sensory Freeway Therapy Services OT, PT and SLP

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/2023 – 8/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Sensory Freeway Therapy Services OT, PT, and SLP, PLLC provides occupational, physical, and speech therapy services to the preschool and school-aged students at BOE facilities and at SFTS facilities. PII is used to access record related service delivery, track student progress, and report progress. PII is used to communicate with teachers and parents about student progress and schedule appointments.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE or a successor contractor at the NYC DOE’s option and written discretion in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All information is accessed through DOE portal and all data is entered only into a password-protected cloud-based database SESIS provided by DOE that employs current industry security standards. Any data transmissions with student information are encrypted and password protected.     

Any hard copy documents containing confidential information are kept in a designated fireproof locked cabinet. The expired documents are shredded using the medical shredding service on a monthly basis. Access to the offices and cabinets is limited to authorized personnel and requires administrators’ approval.

Facility allows access only during office hours and is otherwise locked. Only authorized Sensory Freeway staff is allowed to enter the facility after checking in with the front office manager. All other access requires director’s in-person approval and direct supervision while on the premises. SFTS employs firewalls and antivirus protection of all hardware.

SFTS has incident security response plan in place for data beaches and incidents of unauthorized disclosure.

All STFS staff and subcontractors are trained in relevant data privacy protocols and requirements.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Sensory Street Pediatric Occupational Therapy

Type of Entity: Professional Corporation (Pediatric Private Practice)

Contract / Agreement Term: 9/1/2023 – 6/31/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SSPOT provides essential occupational therapy services to students under the Department of Education (DOE). In order to deliver tailored and effective interventions, we require access to Personally Identifiable Information (PII) for specific purposes:

The access to student Individualized Education Program (IEP) information is vital for tailoring therapy sessions to individual needs, while session notes enable progress tracking and record maintenance. Report generation is crucial for offering comprehensive insights into a student's development and communicating pertinent information to DOE personnel. Access to Personally Identifiable Information (PII) facilitates seamless communication with DOE, fostering collaborative efforts for the students' well-being.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

• Secure Deletion of Student Information from WebPT: Student information, including names and parent contact details, will undergo a secure deactivation and deletion process within the WebPT system.
• Return of Physical Documents: Physical documents, such as student sign-in attendance sheets, notes, and reports, will be promptly returned to the Related Service Department or the specified address provided by the NYC DOE for document return. This ensures a secure and efficient return process for all relevant physical records.
• Secure Deletion and/or Destruction of Remaining PII: For any remaining PII not transferred and stored within WebPT, secure deletion and/or destruction processes will be implemented. Notably, none of the documents from SESIS are stored in WebPT, affirming the absence of  sensitive documents within the WebPT system.
• Compliance with Agreed Standards: All data transition and destruction activities will comply with the agreed standards set forth by the NYC DOE and relevant data protection regulations.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., WebPT.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Limited Access: Patient files for intake purposes will only be accessible to selected individuals with specific responsibilities.
• User Authentication: Each authorized party will have a unique password, ensuring accountability and tracking of system use. 
• Document Handling Protocols: Strict protocols are established to ensure the safe handling of charts and sensitive information.
• Secure Storage: Documents are stored in a locked file cabinet, accessible only by authorized personnel with designated keys.
• Restricted Office Access: Access to the office area where documents are stored is restricted to staff members, ensuring a controlled and secure environment.

These measures at the administrative and operational levels exemplify our commitment to protecting Protected Information under the contract, promoting confidentiality, and minimizing risks associated with data handling.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

SHC Services, Inc. (also called Supplemental Health Care)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/2017 – 9/2025.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Supplemental Health Care (SHC) is a leading healthcare staffing provider to schools and healthcare facilities throughout the United States. SHC provides nursing services for school age students and preschool students. SHC will receive student PII in order for SHC to assign qualified nurses to provide health care for student and also for SHC to provide invoices with NYC DOE required information.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. SHC policies and procedures at the administrative level detail information handling best practices. All personnel are informed of SHC’s data security policies. Physical protections include that paper records and servers are secured and access-controlled. Technically, PII will be transferred through encrypted email only and will be deleted as soon it is no longer required. PII required by NYC DOE for billing will be stored in our on-prem Database.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Sign Language Resources

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1023 – 8/31/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. As a vendor for the NYC BOE, SLR’s exclusive role is to provide the provision of Sign Language interpreter services to the schools and students assigned to our company. SLR is a Sign Language interpreter service provider with over 30+ years of experience. As part of the services provided to the DOE, SLR has developed an effective program for recruiting, hiring, and managing the placement of full-time Sign Language interpreters in classrooms throughout the boroughs. SLR School liaisons visit each assigned school to evaluate the needs of the deaf students with regards to interpreting, make recommendations of appropriate matches of providers with students, troubleshoot problems that may arise, and help to evaluate each provider’s performance. There is also a full time interpreter coordinator who manages the flow of information that is needed between the providers and the agency.

PII is provided to SLR to enable us to manage the billing aspect of services, the ability to match interpreters and students, communicate with each school, assign SLR supervisors to work with the interpreters and student assigned to one another and ensure everything is being managed smoothly and seamlessly as possible.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Apps for business.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. SLR ensures all programs we utilize support all necessary protections to mitigate data privacy and any security risks. This includes:

• Daily monitoring for any suspicious activities
• Strict password policies and use mutli-factor authentication with all programs used by staff.
• Monitoring and technical safeguards provided by cloud service provider.
• Minimal end user data retained.
• We ensure our vendors meet the same standards of practice and safeguards.
• Limited access to PII to staff with authorization.
• Best practices and data use policies for all staff. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

South Shore Speech Pathology

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/2023 – 9/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. South Shore Speech Pathology provides speech, occupational and physical therapy services to preschool and school age students. Our speech language pathologists address articulation/phonological delays, receptive/expressive language delays, fluency/stuttering disorders and auditory processing delays. Our speech pathologists have experience working with various developmental and neurological diagnoses. Our occupational therapists address fine motor skills, postural control, prewriting and handwriting, sensory processing, visual perception, motor planning and activities of daily living. Our physical therapists address gross motor skills, motor planning, coordination, strength, and balance.

Shore Speech Pathology requires access to PII in order to provide therapeutic services on behalf of the NYC DOE in accordance with the student’s Individualized Education Plan. PII is necessary to complete a profile on each student including their medical, educational, and clinical history.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• All documents that possess student information and records are filed in locked file cabinets that can only be accessed by authorized personnel on an as needed basis. Documents are strictly prohibited from leaving the office. 
• All computers are password secured.
• All computers have protective software including firewall
• Data is encrypted at rest and in transit.
• All service providers are instructed to only discuss student information with necessary parties
• Custodial parent or guardian must sign a release form to allow their provider to speak with any outside entities and/or persons. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

TheraCare Nurses Registry

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2018 – 8/31/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. TheraCare provides temporary school nurse services and need access to student PII to view health records, physician directives, prescriptions, etc. in order to render safe and effective health services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. “TheraCare will comply with any applicable record retention requirements pursuant to this contract; thereafter, we shall securely delete and/or destroy PII.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Administrative: TheraCare’s Policy & Procedure 4.2.21 mandates that all staff and providers ensure the privacy of all personally identifiable information (PII) including who has access to child records, how records may be accessed; strict requirements for the disclosure & release of PII, and secure electronic transmission of PII through encryption. It mandates the training and annual refresher by all staff and providers of said policies. TheraCare requires its third party contractors who may have access to PII within the scope of their services, to abide by the same policies.
• Technical: SSL certificates; regular penetration testing, monitoring and auditing
• Physical Safeguards: unique user accounts for all TheraCare staff & providers; strong password policy; encryption of outgoing emails containing PII. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Therapeutic Resources Physical, Occupational and Speech Therapy Services

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2023 – 8/31/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Therapeutic Resources Physical, Occupational, and Speech Therapy Services, LLP will provide occupational, physical, and speech therapy‐related services to school‐age students through the New York City Department of Education (DOE).

We may share PII with healthcare providers at Therapeutic Resources who are involved in providing  these services to students, and they may in turn use that information to treat the student. Providing any of these services or functions on behalf of the DOE, the child’s record, and the PII found in it, includes information that may be provided directly from the DOE and/or may be collected directly from parents.

Additionally, we access PII through electronic transmittals in Provider Assignments, Related Services Authorizations, and Preschool Independent Agreements to secure authorization to treat the students. We also have access to PII via students’ individualized education programs (IEPs), Encounter Attendance (SESIS and COGNOS), and when billing in the Vendor Portal.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., PS Medical Solutions is the cloud service provider and the cloud service solution is EwebStaffing.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We are committed to safeguarding the Personally Identifiable Information (PII) we receive. We impose standards to maintain the confidentiality of PII and we use physical, technical, and administrative safeguards to protect it. Our policies prohibit the unlawful disclosure of PII. We share it externally only where federal and state law allows or requires it. Internally, it is our policy to limit the access, use, and disclosure of PII to be in line with the job duties of our staff, as well as applicable law. Disclosure of this description on NYC DOE’s website will not compromise the security of the data or the Entity’s security practices and protocols. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Therapy Pros

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2017 – 8/31/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We provide speech, Occupational Therapy, Physical Therapy and counseling services to preschool and school age students. PII is needed to track student progress, schedule student services, communicate with families regarding student progress and identify any student's needs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• A plan between Therapy Pros LLP and subcontractors to safeguard students' data has been set forth.
• All physical records are kept locked, fireproof file cabinets. Access to these records is limited.
• All computer files pertaining to any students are password protected and only designated personnel have access to these files.
• Providers must comply with the Acceptable Use Policy in using the Therapy Pros resources. Access privileges will be granted in accordance with the user's job responsibilities.
• Accounts will be removed, and access will be denied for all those who have left the agency or moved to another position.
• Providers must comply with all other related Therapy Pros policies and are trained on these policies during onboarding.
• All providers receive data privacy training.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Unique Nurses Registry

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Unique Nurses Registry provides school nursing services for the office of school health. Our agency staffs short term and short term extended registered nurses to schools within the Department of education. The type of nursing that we provide is in school nursing, one to one in-school nursing, and one to one transportation nursing services.

Our entity will receive PII when we are ask by the office of school health to provide one to one nursing services and transportation nursing services. The office of school health will send an encrypted e-mail, followed by a security code to access the encrypted e-mail. That e-mail will include PII that we will use to get in contact with the students parent. Parents will send PII on medical forms to the agency via fax. Student PII will also be sent once a month to the Office of school health via e mail for attendance provided by covering nurses.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. “PII data in paper form will be stored In a locked file cabinet with access limited to management and nursing supervisors. Digital PII (including word, excel, and Pdf) will be stored on a password protected hard drive with access limited to management.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Limited employees will receive PII from the office of school health from an encrypted e­mail, followed by a security code to access the encrypted e-mail. That e-mail will include PII that we will use to get in contact with the students parent. Parents will send PII on medical forms to the agency via fax. PII will be in the physical paper form and digital form(PDF). Both forms of PII will be stored in a locked file cabinet with access limited to management and nursing supervisors, digital PII will be password protected on a hard drive with access limited to management. Each employee will sign a privacy agreement that they must adhere to. Failure to comply will result in termination and a pursuant to legal action.

Nurses will only receive student PII over the phone for one to one and transportation students only. That information will only be provided to the covering nurse of that particular assignment. The medical forms that the nurse is required to follow for nursing care will be provided by the parents as well as in the school medical room. Each agency nurse is given a FERPA law guidelines during orientation, the nurses must adhere to the FERPA law guidelines. If the guidelines are violated, it can result in termination or legal action. Nurses are to adhere to New York States Code of Professional Conduct 29.1, 29.2 &29.14 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

United Staffing Solutions

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2023 – 8/31/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. United Staffing Solutions provides Registered Nurses and Paraprofessionals to the NYC. PII is collected to ensure accurate matching of qualified professionals to a child’s medical needs, including disabilities, medication administration or medical history to ensure the treatment possible.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. United Staffing Solutions will ensure PII will be protected and mitigate data privacy and security risks by using the Policies and Procedures we have in place. United Staffing Solutions employs administrative safeguards through annual staff training and restricted access to PII. Technical safeguards include robust encryption for electronic records, secure login credentials and regular system audits. Physical safeguards involve controlled access to offices and filing systems. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Voces Speech Services

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. As a speech language pathologist, the exclusive purpose is to provide services to school age children based on their Individualized Education Plans and therefore VOCES Speech services PLLC needs access to PII for communication and coordination.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Implement administrative, technical, and physical safeguards to protect PII, including securing access controls, encryption and regular monitoring for data security risks.

Voces Speech Services, PLLC employs a comprehensive approach to safeguard Protected Personally Identifiable Information (PII).

Administrative safeguards involve strict access controls, ensuring only authorized personnel can access sensitive data stored in a locked cabinet.

Technical measures include firewalls installed into the computer programs and encryption protocols to protect PII during storage and transmission. The technology used for notes will be password-protected. Passwords will not be shared and changed every 90 days. Specific computers to access all documents will only be used for that purpose and will not be used to access other sites. This will be controlled by a firewall and blocking of outside sites.

Physical safeguards are implemented through secure storage practices, such as keeping physical documents in a locked cabinet within a secured and locked room and only the provider will have access to. All documents no longer needed will be shredded. Regular monitoring procedures are in place to promptly identify and address potential data security risks.

This multi-faceted strategy ensures the protection of PII without compromising security practices, and specific details have been provided to address each aspect of the question. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

White Glove Community Care

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2022 – 8/31/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. White Glove Community Care shall provide caregivers in the form of paraprofessional/Home Health Aides, Registered Nurses, Occupation/Speech Therapist, and/or Licensed Practical Nurses to provide safety and care to individuals identified by the NYS BOE to require services per contract.

White Glove Community Care will need access to the students' names, DOB, ID number to achieve educational purposes (safely identify the students, accurate staffing) in accordance with the state and federal law and each student's information will be collected, protected, and disclosed only as necessary.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. WGCC will provide ongoing oversight of staff members to ensure continued appropriateness for access. Oversight will include:

• Data stored electronically on password protected hard drives, as well as off-site in cloud storage.
• Limited accessibility to PII as employees' roles dictate.
• Screen protection.
• Encryption of PII.
• Monitoring of continued appropriateness for access to data.
• Oversight for the identification of any unauthorized use or disclosure of PHI and any willful infraction of privacy and security policies.
• Ensuring that terminated employees, or employees that are determined unacceptable to have access to data are denied continued access to student data.
• Student data is disposed of by cross-shredding. When the agency re-uses media for the purposes of a cyclic data backup, the data is destroyed when it is written over by current data.
• The Security/Compliance Official will ensure the appropriate disposition of data and document any non-routine destruction of student data.
• WGCC will identify an individual responsible for tracking the location and movement for hardware and electronic media. Such person will maintain records of what was moved, when and by whom.
• Chief Compliance Officer shall maintain up-to-date policies regarding PII and attend and inform staff of any changes to PII standards and regulations on an on-going basis.

WGCC will identify an individual responsible for tracking the location and movement for hardware and electronic media.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Yvonne Tarzia Morano, OTR/L

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2023 – 8/31/2024.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Yvonne Tarzia Morano, OTR/L provides occupational and physical therapy to NYC pre- school and school aged children. PII is used to provide necessary instruction, and allow staff to monitor and communicate with parents about student progress. PII is used to advise on parental carry over and follow up. PII is necessary to monitor attendance/enrollment in program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Drive.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Yvonne Tarzia Morano OTR/L retains all records in a secure environment that precludes access by unauthorized persons, and which provides protection from unauthorized access.
• Records are password protected and/or physically secured.
• Office access is controlled.
• Limits access to material is on a strictly need to know basis.
• Quarterly training is held with all staff to reinforce Information Security and data security requirements. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”