Asset Notebook Warehouse SecurityAccess PDC-final PDC Upcoming AdjustedSection AttendanceType ClosedSection Comment CurrentOpening DiscardScore DroppedAssignment DroppedSection InProgress MissingScore NoCount NotConnected OpenConflicts OpenSection RetainGrade ScheduledClass ScoreClarifier TransferGrade Unused VerticalSplit StudyHallScheduler SaveStyle SaveRun RunReport Rounded Link FoodMenu Diploma ClassMessage ChangeSection Bus Books Book Attachments RestrictedAccess Unpublish Publish Number0 Lightbulb GradPlanReq AVID Levels Headstart Military Number9 Number8 Number7 Number6 Number5 Number4 Number3 Number2 Number1 LetterZ LetterY LetterX LetterW LetterV LetterU LetterT LetterS LetterR LetterQ LetterP LetterO LetterN LetterM LetterL LetterK LetterJ LetterI LetterH LetterG LetterF LetterE LetterD LetterC LetterB LetterA Exclamation Ellipsis Cart-new Guidance History Unsubscribe Timespan ApproveDeny Noncritical PendingChanges CartLoad CartUnload ClearLeft nextArrow IHP Keyboard Email Unlink NSE AtRisk LEP Substitute Hourglass AddPlusLines QueuePeople Release Currency Percentage Comma IncreaseDecimal DecreaseDecimal ReleaseCompleteLater WOOF-Tile Out-Tile In-tile Break-Tile SwitchJobs-Tile TOOF-Tile Stethoscope ClipboardPencil CourseRequest Contact EmergencyContact AddPage ChangeLog Paintbrush Hide DeselectAll SelectAll UpdateBack UpdateAccounting Reselect Unschedule RollbackBudget AdvanceBudget Adjust AdjustDrop NSFCheck Private Rebuild Build AddHeader2 DontSave Draggable Stop GraduationRequirements Password Aggregate SpecialEducation Section504 PartiallyEnrolledDropped Import ReplaceReport InsertImage DropClass ScheduleChanges PartiallyEnrolled Activate Deactivate Split StudentProfile Impersonate TestScores AddCourseRequest AutoSchedule ReplaceSection Selection Revert Export DesignReport AddMainSection AccountReceivable Transparent Twitter Uncompress Underline Undo Unlock Update Upload User Utilities Vendor VerticalBottomAlign VerticalCenterAlign VerticalTopAlign View ViewCourseList Void Warning Workflow YearEnd AccountPayable ActivityAccess AddCourseList AddNote AddPlus AdminAccess AdvancedSecurity Analytics ApplySchemaChange ArrowDown ArrowLeft ArrowRight ArrowTriangleDown ArrowTriangleLeft ArrowTriangleRight ArrowTriangleUp ArrowUp Attendance BatchAndConfirm Bold BorderBottom BorderColor BorderLeft BorderRight BorderTop Breadcrumb Budgeting Calculate Camera Cancel Cart CenterAlign Check CheckBox CheckBoxPartial CheckBoxUnchecked CheckmarkConfirm ChevronDown ChevronLeft ChevronRight ChevronUp Clear ClearFilter Clone Close ClosedFolderAlt ClosedGrading Collapse CollapseAll ColumnHeight Columns ColumnWidth Community Compress Conflict Consolidate Curriculum Customization Date Default Delete Demographics DialogPrompt Discipline District Dock DockClose Download DropDate Edit Education ELogoColor Employee EmployeeAccess Enrollment Error Excel Expand ExpandAll Facebook Family FamilyAccess Fee FileSettings FileUtility Filter FontBackgroundColor FontColor FoodService Globe GooglePlus GradeBook Health Help Home Image In Info inlineEdit Italicize LeftAlign Legend Lock Lunch MainMenu ManageFiles MassAssignClose MassAssignOpen MassChange MenuCollapsed MenuExpanded MissingAssignment Money NewStudent NewStudentImport NewWindow NoImage Number OneToMany OpenFolderAlt Out Override PaddingBottom PaddingLeft PaddingRight PaddingTop PageBreak PagerArrowBackward PagerArrowForward Pause Payroll Position PrintAvailable ProcessInBackground Purchasing Queue Redo RemoveAllStudents RemoveCurrentStudent RemoveDocument Reorder ReportCard Reporting Reports RequestEdits Resume RightAlign RowAction RowOpen Save SaveAndBack SaveAndForward ScheduleBuilder School Search SecuritySmall Select Separator Settings Signature SignIn SignOut Speedometer SportsLink StarOutline StarShortcutMenu StarTenPoints StateReporting StudentAccess StudentGrades StudentSchedule StudentViewAll SubReport SuperUser TeacherAccess Text Ticket TileBrowse Time TimeOff Transfer Account

Too Much Access: The FERPA Compliance Gap

What does the "legitimate educational interest" clause of FERPA have to do with your SIS? Here's how you can avoid the kind of audit failures that have plagued school districts throughout the country.

John Jennings

Managing Editor

Student information systems are at the heart of every 21st century school district's technology infrastructure. But with the amount of information being stored there, it's imperative to have an understanding of how best to keep that data protected.

The SIS helps districts stay organized, provides educators with access to important information, and facilitates the collection and sharing of data mandated by state and federal agencies. However, as many districts have found out, if you don't follow the strict guidelines put in place for the safety of your students, you can quickly find yourself in hot water.

As more state-mandated audit failures are made public, the most commonly cited error is allowing school staff with “no legitimate educational interest” in a particular student to view that student's information.

In short, if your teachers, coaches, and support staff can log in to your SIS and view every student in a given school (or any number of students that are not assigned to them during the time period in question), your security configurations are probably not compliant with FERPA


What "Legitimate Educational Interest" Means

Let's start with the basics. The relevant clause in FERPA permits school officials to access a student's personally identifiable information if they have a legitimate educational interest in that information. Since this clause is so broad and can be interpreted a number of different ways, districts are required to clarify both terms in an annual notification of FERPA rights to their students and families. 

In general, the term "school official" in a K-12 district will apply to instructors, administrators, health staff, counselors, attorneys, clerical staff, committee members, disciplinary boards, and individuals that the school has outsourced services to. As for "legitimate educational interest," the requirement would generally include any school official who needs to review a student's record "in order to fulfill his or her professional responsibility." 


What You Can Do to Remain Compliant

Given the (relatively loose) framework, it's important to note that FERPA still puts the burden on school districts to protect educational records against unauthorized access. Because of this, the number one practice we recommend to districts is to limit access to student data to the minimal amount of information required by school officials to do their jobs, and only during the specific timeframe in which a need for access can be justified.

This is often an unpopular practice, necessary as it may be. I've spoken to CTOs who have received backlash from their teachers in districts that had become accustomed to universal access and the ability to "peek in" on former students or those who have not yet crossed their paths. The best defense for leadership teams is usually a good offense – take an opportunity to proactively hammer home the importance of FERPA and how it applies to district staff at all levels. Most will understand the prioritization of compliance over convenience, even if they're not initially happy about it.


The "Role" of Technology Providers

As a starting point, any security configurations and account management strategies associated with your SIS should be role-based. This approach will limit the visibility of data to only what is essential for any individual to fulfill his or her responsibilities. Role-based security also cuts down on the amount of manual tinkering you'll need to do when new employees are added or someone moves to a new position/location within the district.

You also have a right to expect transparency from your vendors. Privacy and security, aside from being moral imperatives, are also good business. Ask your providers to be clear about how much access they have to your data and what were the root causes of any historical breaches on their system. The only way to prevent history from repeating itself is to learn from the mistakes others have made in the past. 



Recent articles