Int. No.
By Council Member Dinowitz
A Local Law to amend the administrative code of the city of New York, in relation to quarterly reporting on data breaches of algorithmic tools in schools
Be it enacted by the Council as follows:
Section 1. Title 21-A of the administrative code of the city of New York is amended by adding a new chapter 44 to read as follows:
CHAPTER 44
REPORTING ON ALGORITHMIC DATA BREACHES IN SCHOOLS
§ 21-1016 Definitions. For the purposes of this chapter, the following terms have the following meanings:
Algorithmic tool. The term “algorithmic tool” means any technology or computerized process that is derived from machine learning, artificial intelligence, predictive analytics, or other similar methods of data analysis.
Breach. The term “breach” means the unauthorized acquisition, access, use, or disclosure of protected data by or to a person not authorized to acquire, access, use, or receive such data.
Education records. The term “education records” means records directly related to a student and maintained by the department, or other person authorized by the department to provide an institutional service or function.
Identifying information. The term “identifying information” has the same meaning as set forth in section 23-1201.
Personnel records. The term “personnel records” means confidential records of the department relating to the annual professional performance review of teachers or principals.
Privacy audit. The term “privacy audit” means an official assessment by the chancellor, or person authorized by the chancellor, to assess an algorithmic tool for compliance with federal, state, and local laws or regulations regarding protected data.
Protected data. The term “protected data” means student data, personnel records, and education records.
School. The term “school” means a school of the city school district of the city of New York that contains any combination of grades from and including kindergarten through grade 12.
Student data. The term “student data” means a student’s or such student’s family member’s name, personal and indirect identifiers, and other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.
§ 21-1017 Data safety policies. a. The chancellor shall publish on the department’s website an overview of department policies and procedures for conducting privacy audits, including any procedures for conducting such audits before and after initially approving an algorithmic tool for use by the department; informing individuals affected by a breach of an algorithmic tool; and suspending or restricting the use of an algorithmic tool by the department following such a breach.
b. The chancellor shall update such publication to reflect changes to existing department policies and procedures, as needed.
§ 21-1018 Quarterly report on breaches of algorithmic tools. a. Reporting. No later than October 31, 2026, and by the last day of the month following each calendar quarter thereafter, the chancellor shall submit to the mayor and the speaker of the council, and shall post conspicuously on the department’s website, a report regarding each breach of an algorithmic tool used by the department. Such report shall include the total number of such breaches that occurred during the reporting period; the total number of such breaches, including where that number is 0, that occurred during each of the 4 prior reporting periods, where such information is available; and the breach data reported pursuant to subdivision b of this section.
b. Breach data. 1. Each quarterly report required pursuant to subdivision a of this section shall include a table in which each separate row references a unique algorithmic tool used by the department that experienced a breach during the reporting period. Each row shall include the following information relating to each such algorithmic tool, as well as any additional information the chancellor deems appropriate, set forth in separate columns:
(a) The name or commercial name of the algorithmic tool;
(b) The date when the chancellor approved the algorithmic tool for use by the department;
(c) The total number of breaches of the algorithmic tool during the reporting period, during each of the 4 prior reporting periods, and since the algorithmic tool was approved by the chancellor for use by the department, where such information is available;
(d) An indication of whether or not the chancellor has suspended or restricted the use of the algorithmic tool by the department, and if so, the date of such suspension or restriction; and
(e) The date of the most recent privacy audit of the algorithmic tool that was conducted by the chancellor, or by another person authorized by the chancellor to conduct such an audit.
2. Each quarterly report required pursuant to subdivision a of this section shall include a table in which each separate row references a unique breach of an algorithmic tool that occurred during the reporting period. Each such row shall include the following information relating to each such breach, as well as any additional information the chancellor deems appropriate, set forth in separate columns:
(a) The date and time at which the breach occurred;
(b) The date and time at which the chancellor discovered, or was made aware of, the breach;
(c) The name or commercial name of the algorithmic tool that experienced the breach;
(d) The date when the chancellor, or another individual authorized by the chancellor, finished notifying all individuals whose protected data was acquired, accessed, used, or disclosed in the breach, and whose notification is required under federal, state, or local law;
(e) The number of individuals whose protected data was acquired, accessed, used, or disclosed in the breach, or an estimate thereof;
(f) The type and nature of the protected data acquired, accessed, used, or disclosed in the breach, including whether the breach involved student data, personnel records, or education records; and
(g) The status of any investigation into the breach, if known.
c. The reports required by paragraphs 1 and 2 of subdivision b of this section shall include a data dictionary.
§ 21-1019 Reporting privacy. a. Except as otherwise expressly provided in this section, no report required by section 21-1018 shall contain identifying information.
b. No information that is otherwise required to be reported pursuant to this chapter shall be reported in a manner that would violate any applicable provision of federal, state, or local law relating to the privacy of student information or that would interfere with law enforcement investigations or otherwise conflict with the interests of law enforcement. If a category contains between 1 and 5 students, or contains an amount that would allow another category that contains between 1 and 5 students to be deduced, the number shall be replaced with a symbol. A category that contains 0 shall be reported as 0, unless such reporting would violate any applicable provision of federal, state, or local law relating to the privacy of student information.
§ 2. This local law takes effect 120 days after it becomes law.
ALK
LS #24401, 24403
6/12/2026 4:28 PM