

Too Much Access: The FERPA Compliance Gap

John Jennings - Student Data Evangelist

Student information systems are at the heart of every 21st century school district's technology infrastructure. But with the amount of information being stored there, it's imperative to have an understanding of how best to keep that data protected.

The SIS helps districts stay organized, provides educators with access to important information, and facilitates the collection and sharing of data mandated by state and federal agencies. However, as many districts have found out, if you don't follow the strict guidelines put in place for the safety of your students, you can quickly find yourself in hot water.

As more state-mandated audit failures are made public, the most commonly cited error is allowing school staff with “no legitimate educational interest” in a particular student to view that student's information.

In short, if your teachers, coaches, and support staff can log in to your SIS and view every student in a given school (or any number of students who are not assigned to them during the time period in question), your security configurations are probably not compliant with FERPA.



 
 

What "Legitimate Educational Interest" Means

Let's start with the basics. The relevant clause in FERPA permits school officials to access a student's personally identifiable information if they have a legitimate educational interest in that information. Since this clause is so broad and can be interpreted a number of different ways, districts are required to clarify both terms in an annual notification of FERPA rights to their students and families. 

In general, the term "school official" in a K-12 district will apply to instructors, administrators, health staff, counselors, attorneys, clerical staff, committee members, disciplinary boards, and individuals that the school has outsourced services to. As for "legitimate educational interest," the requirement would generally include any school official who needs to review a student's record "in order to fulfill his or her professional responsibility." 


 

What You Can Do to Remain Compliant

Given the (relatively loose) framework, it's important to note that FERPA still puts the burden on school districts to protect educational records against unauthorized access. Because of this, the number one practice we recommend to districts is to limit access to student data to the minimal amount of information required by school officials to do their jobs, and only during the specific timeframe in which a need for access can be justified.

This is often an unpopular practice, necessary as it may be. I've spoken to CTOs who have received backlash from their teachers in districts that had become accustomed to universal access and the ability to "peek in" on former students or those who have not yet crossed their paths. The best defense for leadership teams is usually a good offense – take an opportunity to proactively hammer home the importance of FERPA and how it applies to district staff at all levels. Most will understand the prioritization of compliance over convenience, even if they're not initially happy about it.


 

The "Role" of Technology Providers

As a starting point, any security configurations and account management strategies associated with your SIS should be role-based. This approach will limit the visibility of data to only what is essential for any individual to fulfill his or her responsibilities. Role-based security also cuts down on the amount of manual tinkering you'll need to do when new employees are added or someone moves to a new position/location within the district.
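One way to express the two controls recommended in this article, role-based visibility and access limited to the period in which a need exists, as an access check plus a review of an access log. This is an added example, not Skyward's code or configuration; the role names, the school-wide policy, the record layout and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy (an assumption): roles that may view any student in their own school.
SCHOOL_WIDE_ROLES = {"principal", "counselor", "nurse"}

@dataclass(frozen=True)
class Assignment:
    staff_id: str
    student_id: str
    start: date   # first day the staff member is responsible for the student
    end: date     # last day of that responsibility (inclusive)

def may_view(staff_id, student_id, on, staff, students, assignments):
    """Return True only if the viewer's role or a current assignment justifies access."""
    viewer = staff.get(staff_id)
    school = students.get(student_id)
    if viewer is None or school is None:
        return False                      # unknown account or record: deny by default
    role, viewer_school = viewer
    if role in SCHOOL_WIDE_ROLES:
        return viewer_school == school    # school-wide roles stop at their own school
    return any(a.staff_id == staff_id and a.student_id == student_id
               and a.start <= on <= a.end for a in assignments)

def audit(access_log, staff, students, assignments):
    """Return the (staff, student, date) log entries an access review would question."""
    return [e for e in access_log
            if not may_view(e[0], e[1], e[2], staff, students, assignments)]

# Constructed sample data, not taken from any real SIS.
STAFF = {"t1": ("teacher", "north"), "c1": ("counselor", "north")}
STUDENTS = {"s1": "north", "s2": "north", "s3": "south"}
ASSIGNMENTS = [Assignment("t1", "s1", date(2015, 9, 1), date(2016, 6, 10))]
ACCESS_LOG = [
    ("t1", "s1", date(2015, 10, 1)),   # current student: allowed
    ("t1", "s2", date(2015, 10, 1)),   # same school, never assigned: flagged
    ("t1", "s1", date(2016, 9, 15)),   # former student, window closed: flagged
    ("c1", "s2", date(2015, 10, 1)),   # counselor in own school: allowed
    ("c1", "s3", date(2015, 10, 1)),   # counselor, other school: flagged
]

if __name__ == "__main__":
    for entry in audit(ACCESS_LOG, STAFF, STUDENTS, ASSIGNMENTS):
        print("review:", entry)
```

Running the same `audit` over a real export of SIS view events shows how much "peek in" access exists before a state auditor finds it.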

You also have a right to expect transparency from your vendors. Privacy and security, aside from being moral imperatives, are also good business. Ask your providers to be clear about how much access they have to your data and what the root causes of any historical breaches on their system were. The only way to prevent history from repeating itself is to learn from the mistakes others have made in the past.

For more information on the importance of a defined account management strategy, please read our New Year's Resolution article from earlier this year. 




For more information on Skyward's commitment to helping you protect your students' data, read the white paper here or contact us today. 




 

Comments

John Jennings
Hi Liliya. I'm not quite sure what you mean by 'change login.' If you wouldn't mind sending us an email about what you're trying to do (content@skyward.com), we can certainly try to help.
9/22/2015 4:44:42 PM
 
Liliya Bigler
We want to change login, but we do not have this function.
9/22/2015 4:23:48 PM
 