NYSED Website Privacy Monitoring 10 Easy Pitfalls to Avoid

NYSED Website Privacy Monitoring: 10 Easy Pitfalls to Avoid

In NYS Law 2-D, Compliance by Kendra Webb-Scott

In 2023, NYSED’s Office of Data Privacy & Security monitored the websites of 115 school districts and 5 charter schools, finding that most of these organizations were eager to comply with privacy requirements and provide the necessary information to parents and eligible students.

However, in their enthusiasm, some schools and districts overloaded their websites with excess information by including links to NYSED, the US Department of Education, and others. Best practice is to share the information required by federal and State law with parents and not much else.  There are many privacy requirements, and it can be overwhelming to navigate.

Below is a summary of the 10 most common pitfalls uncovered during NYSED’s Website Privacy Monitoring:

  1. Make sure that your website is both mobile browser and computer browser friendly. For example, try to have .pdf files open in a new browser window instead of being a download. It is more difficult to handle downloads on a mobile device.
  2. Test your website to make sure that a parent can find your privacy and data security information with little or no difficulty. Ask a neighboring district to look for the privacy information on your website. Remember, we’re not playing Where’s Waldo.
  3. In the Parents Bill of Rights (PBOR) link to NYSED’s Privacy Website for the Data Elements. Do not link to a file, the elements could change or the file could be deleted from the server.
  4. List your DPO’s name and contact information on your website.
  5. List a local contact for parent complaints. Parents are free to send NYSED a complaint and we will investigate. Best practice, however, is to have the local EA work with the parent directly. Keep in mind that complaint decisions are published on the NYSED Data Privacy and Security website and reported in the Annual report.
  6. At a minimum, post a list of the 2-D contracts that you have with language that additional information is available by contacting a specific person. Then, be prepared to provide the information without requiring the parent or eligible student to FOIL the supplemental information.
  7. Your FERPA Board Policy and Directory Information Board Policy are not the FERPA Annual Notification. They are policies that require the EA to annually notify parents.
  8. Post your FERPA Annual Notification on your website each year. You must provide it to parents annually anyway. The reason FERPA does not require that it be posted on your webpage is probably because FERPA was passed in 1974 (50 years! Happy Birthday FERPA).
  9. Some quick facts: Education Law 2-D is a law of the State of New York, not the United States. Nor is it a regulation of the US Department of Education. The first CPO was appointed in 2016 and Part 121 was promulgated in January 2020. If your website or any policy has language that indicates anything different, it needs to be updated.
  10. When you borrow forms from another District or NYSED, please remember to change their name to your district’s name.

As we conclude our dive into NYSED website privacy pitfalls, remember these insights are not stumbling blocks but stepping stones toward a secure, transparent online space. Navigating the requirements can be tricky, but IKON is here to help. 

Learn more about our DPO Compliance Support and request a free consultation.