
NYC public schools get lousy grade on protecting student privacy

Cayla Bamberger, New York Daily News

Published in News & Features

NEW YORK — NYC public schools suffer from glaring omissions in student data privacy policies, a new audit by State Comptroller Tom DiNapoli found, raising fresh concerns about the embrace of artificial intelligence in the classroom.

For example, auditors found the city’s school system doesn’t have written policies on risk assessment and data backups, or keep a full list of all applications used by local schools. More than a quarter of school employees skip annual cybersecurity trainings, according to the comptroller’s office — and if a breach does occur, local education officials may fail to report the incident or notify families in a timely manner.

“Protecting student data is paramount,” DiNapoli said in a statement. “My auditors found NYCPS needs to take additional actions to better secure the privacy and security of student data, including reporting breaches or notifying affected parties within the required time frames.”

In 141 breaches and inadvertent data releases between 2023 and 2025, the comptroller’s office found officials delayed reporting 48% of incidents to the New York State Education Department, and held up notifying families about 11% of the time. Delayed notifications ranged from 1 to 460 days.

DiNapoli issued the audit amid growing resistance to AI — and education technology in general — in public schools across the five boroughs.

Schools Chancellor Kamar Samuels in March provided teachers and principals with initial guidance on AI in the classroom, with a full playbook due next month. The guidance sparked protests and got more parents and teachers involved in a local movement against AI.

The response led Samuels to pump the brakes on a controversial plan to open the city’s first AI-focused high school. While officials have declined to release the data, the proposal’s backers estimate that close to 1,000 students applied. Concerned students, parents and teachers railed against AI last week during a seven-hour education panel meeting.

“The audit from the State Comptroller’s office released today confirms what many NYC advocates have long known: the privacy policies and practices of the NYC Dept. of Education are sloppy, irresponsible and show a lack of concern for keeping students’ personal information safe from breach and misuse,” said Leonie Haimson, co-chair of the Parent Coalition for Student Privacy and member of the AI Moratorium Coalition.

 

“This makes DOE’s insistent push to rapidly expand the use of Artificial Intelligence tools in our schools unwarranted, given how these tools represent an even greater risk to student privacy and safety.”

When it comes to young people’s safety, there’s reason for unease.

During the 2021-22 school year, more than 1 million local students had their personal information leaked in a breach involving a popular public school vendor, Illuminate Education. In January of last year, cybercriminals struck again, this time targeting the education technology company PowerSchool in what has emerged as the largest breach of American children’s private data.

A rep for the public schools said officials disagreed with some of the audit’s findings, including that they were unable to identify which schools used PowerSchool because of the lack of a centralized list of applications. In the audit, officials also defended their trainings, pointing to reminders and follow-up communications to school employees who miss the annual deadline.

“However, we remain focused on continuous improvement,” said Onika Richards, the spokeswoman, “and will continue strengthening policies, oversight, and training to ensure student information is protected across our schools.”

_____


©2026 New York Daily News. Visit nydailynews.com. Distributed by Tribune Content Agency, LLC.

 
