Beware: Your SIS might not be protecting student data

Here are some things to look for when reviewing your security practices

Obligatory CYA note: This article is presented as an “insider’s look” at how SIS security works and the common pitfalls associated with the “convenience vs. compliance” dilemma. The author is not a lawyer and the piece should not be misconstrued as legal advice.

When FERPA was signed into law by President Gerald Ford in 1974, “accessibility” meant “the key to the filing cabinet,” and an “information request” was either an in-person conversation or a bundle of paperwork.

Now, nearly 50 years later, the entire context of the law has changed. Educational records have found a new (digital) home. Efficiency and accessibility are basic expectations, and the amount of red tape required to perform basic duties is shrinking all the time.

But how do you balance the need for speed with legal privacy obligations? Student information systems (SISs) have replaced paper as the default location for most educational records, rendering traditional safeguards irrelevant. A recurring security audit is one of the best ways to determine whether “legitimate educational interest” is being skirted in favor of convenience. Here’s what to look for:

The technical background
To adequately understand the challenges faced by school district IT staff, you need to have at least a little background on SIS security settings. Long story short, the way it works is this:

  • The district assigns employees to certain “security groups” within the system, often role-based by default; i.e., principals, teachers, coaches, counselors, various student services roles, etc.
  • Each group is assigned granular view/edit access to the modules, screens, and fields they need to do their jobs.
  • Non-role groups are often needed based on function; i.e., locker assignments, graduation requirements, or discipline. These groups will cover scenarios in which some, but not all, people in different roles may need permissions.
  • Each entity (usually a school campus) will have its own groups, while other groups will have access to the whole district (think district administrators or district-wide student services).

It’s not sexy, but it gets the job done. The point is this: Despite all the worries about centralizing information in one database, the security is granular enough to meet letter-of-the-law FERPA requirements on the technical side. So, we’re all good here, right? Not quite.

Want to share a great resource? Let us know at


We’re Celebrating 25 Years with 25 Giveaways!

Enter Each Day to Win the Daily Gift Card Giveaway

and the Grand Prize drawing for an

Apple iPad!

Visit eSchool News each day through April 1, 2023 to enter the daily $25 Gift Card drawing.
Each daily entry counts as one entry for the grand prize drawing. See details and rules.
Giveaway is open only to legal residents of the fifty (50) United States and Canada who are employed full- or part-time in K-12 education.