As a K-12 school, there are many benefits to consolidating your school’s data systems – breaking down data silos across teams, communicating more effectively with students and parents, and providing a seamless experience for serving your students. 

Another benefit of consolidating to a single platform is to increase data security. By consolidating this information from various sources, you can set data policies and better protect your data. 

Importance of a Student Data Privacy Plan

Education agencies, districts, and schools are prime targets for cyberattacks because of the type and amount of personal data maintained in their systems. According to the US Department of Education, the Family Education Rights and Privacy Act (FERPA) does not require specific security controls; however, institutions must secure student records and are limited in what information they can request and maintain. Security threats can pose a specific and dangerous risk to student privacy and oftentimes these organizations are a bigger target.

Unfortunately, breaches of data are common and can lead to multiple violations and create additional risk of identity theft and fraud. The good news is having a formal policy in place doesn’t have to be complicated or time consuming to ensure your student’s information is protected. 

5 Ways to Secure Your School’s Data

1 – Make Admins and Users Aware of Data Security’s Importance

Ensure all users understand what student data is stored in the platforms they use, what data they have access to, and what information they are allowed to disclose. When your team understands how valuable your student data is, they are more likely to consistently maintain basic security best practices. 

Keep in mind that laws and regulations may vary by state and your system Administrators should have a clear understanding of what your institution, team, and/or district is responsible for. EdTech Magazine released an informative piece on K-12 data security in April of 2022 that identifies a number of laws that pertain to handling cloud-based student data nationwide. The Protection of Pupil Rights Amendment (PPRA) is another law that dictates the handling of student records and gives parents the right to limit information schools may obtain.

2 – Know Where Student and School Data Are Stored

In addition to understanding what student data exists, your team should know where that information lives, how it’s collected, if it is shared between locations or platforms, and how it’s maintained. A simple process map or visual can be utilized to explain where and how data should be stored and should be periodically maintained. This can serve as a organization-wide resource that drastically cuts down on security mishaps.

3 – Identify Vulnerabilities

As mentioned above, a process map visualizing the location of student data and records as well as how they are managed can be a way to quickly identify gaps and where additional security points, such as password verifications or data encryption, should be added. 

The process of creating this process map can also be used as a way to start these important conversations about shared data across different teams within your organization. Through these discussions, your teams can work together to identify areas for improvement and implement them.

4 – Implement Data Privacy Procedures and Provide Resources

Basic security and data hygiene procedures can go a long way. Examples include setting up multi-factor authentication, password retention policies, having a secure platform for saving passwords, not sharing sensitive information via email, and more.

Provide examples or images of what constitutes a suspicious email, dangerous link, spam email, etc. Step by step directions for data handling, accompanied by visuals, also leaves less room for error. These and other resources like primary contacts, a data security best practices one-pager, your formal data security policy and other data security documentation should be stored in a resource library or centrally shared location. 

Have a documented and shared action plan ready should a data breach take place. Something as simple as listing who to contact and how can cut down on the amount of time your student’s data is vulnerable. 

Lastly, have a clear owner of your data policies and procedures. This person or team will be responsible for maintaining changes, sharing documentation, as well as consistently auditing policies and procedures for accuracy and relevance. 

5 – Utilize Native Salesforce Security Features

Salesforce is built with security in mind and just by using Salesforce, you benefit from native security features like org-wide sharing, permission sets, profiles and sharing rules. Salesforce even has a native FERPA checkbox so your team can quickly identify data points that are subject to FERPA requirements. Here are more features that are listed on the K-12 Architecture Kit Security Model Considerations page of Salesforce’s help center: 

  • Identify the data access requirements for users in your various departments. Create profiles for the roles in those areas, and permission sets to grant permissions to roles or individual users.
  • Create a role hierarchy to give users above another user in the hierarchy the same level of access to records owned by or shared with users below.
  • Set field-level security to control who can access and edit certain fields on specific records.
  • Create sharing rules to open up record access to other users besides the record owners.
  • Set up authentication and authorization methods to control who sees what data, when, and from which locations and devices.

Other Salesforce Security Enhancements and Practices

Shield Platform Encryption is an option provided by Salesforce for schools who require additional access controls for sensitive data. This solution encrypts data at rest, meaning that data is encrypted when it’s stored in Salesforce. 

Everyday security monitoring like login and field history reviews, setup change audits, and Transaction Security actions are effective best practices created by Salesforce for Salesforce orgs. 

Real-Time Monitoring requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions. With this offering teams have the ability of near real-time monitoring and reporting with timestamped event logs and triggers. 


Your student’s data security is important and we understand you have a lot to consider when planning policies and resources. If you’re a Salesforce user, please keep the Salesforce Security guide handy and consider having the Data Security Trailhead module part of your team’s onboarding and training. We’re here to answer your questions about student data security and provide additional insight. Connect with us through the form at the bottom of this page or by emailing us at

Ready to power up with technology?