BreachExpress

Cybersecurity, explained for the rest of us.

Family & Kids Online

What Schools Collect About Your Kids: The Full Data Picture

Margot 'Magic' Thorne@magicthorneJune 4, 202612 min read
Classroom desk with laptop showing student dashboard and attendance records

Your child's school knows more about them than you might expect. Not just grades and attendance, but health records, disciplinary incidents, standardized test scores, biometric identifiers, browsing history on school devices, and behavioral observations logged by teachers. Some of this data lives in district systems for years. Some flows to third-party vendors who provide learning apps, lunch payment systems, or student information platforms.

This article explains what schools collect, where it goes, who can see it, and what legal protections apply. You'll learn what you can control, what you can't, and how to exercise the rights you actually have.

The Core Educational Records

Every school maintains a permanent record for each student. This is the official academic transcript: courses taken, grades earned, credits completed, graduation status. These records follow students through their educational career and are often required for college applications, job applications, and professional licensing. Schools keep permanent records indefinitely.

Beyond the transcript, schools collect temporary records that document day-to-day school life. Attendance records track every absence, tardy, and early dismissal. Discipline records log detentions, suspensions, expulsions, and behavioral incidents. Health records include immunization histories, medication administration logs, nurse visit notes, and accommodations for medical conditions. Contact information for parents and emergency contacts gets updated annually. Special education records document evaluations, individualized education programs (IEPs), and related services.

These core records exist in every district, regardless of technology adoption. They're the administrative foundation of running a school. Most of this data lives in a student information system (SIS), a database that centralizes enrollment, scheduling, grades, and attendance. Common SIS platforms include PowerSchool, Infinite Campus, Skyward, and Aspen. Districts own the data, but the vendor hosts it and provides technical support.

FERPA , the Family Educational Rights and Privacy Act , governs how schools handle education records. Under FERPA, parents have the right to inspect and review all records the school maintains on their child. You can request access in writing, and the school must comply within 45 days. You can also request corrections if you believe records are inaccurate or misleading. If the school refuses, you can request a formal hearing.

FERPA also restricts disclosure. Schools cannot release education records to third parties without written parental consent, with specific exceptions: school officials with a legitimate educational interest, other schools to which the student is transferring, certain government agencies for audit or evaluation purposes, organizations conducting studies on behalf of the school, accrediting bodies, and parties complying with a judicial order or lawfully issued subpoena.

Directory information is the exception. Schools can release basic information like name, address, phone number, email, date of birth, grade level, enrollment dates, participation in school activities, awards received, and photographs without consent. But you can opt out. Schools must notify parents annually of their right to opt out of directory information disclosure. If you opt out, the school cannot release this information to anyone, including military recruiters, college recruiters, and yearbook publishers.

Biometric Data Collection

Some schools collect biometric identifiers: fingerprints, palm prints, facial recognition scans, iris scans, or voiceprints. The most common use case is lunch payment systems. Students scan a finger or palm to access their lunch account instead of entering a PIN or carrying a card. Some districts use facial recognition for building access, attendance tracking, or security monitoring.

Biometric data is uniquely identifying and permanent. You cannot change your fingerprint the way you can change a password. This makes biometric collection more invasive than other forms of student data. Some states regulate biometric collection in schools. Illinois, Texas, and Washington require written parental consent before collecting biometric data from students. Other states have no specific protections.

If your district uses biometric systems, you have the right to ask how the data is stored, who has access, whether it's shared with third parties, and how long it's retained. Many districts offer alternative options for students whose parents decline biometric enrollment, such as PIN codes or ID cards. You can opt your child out of biometric systems without penalty in most cases, though the school may require you to use an alternative method.

Educational Technology and Third-Party Vendors

The shift to digital learning introduced a new layer of data collection. Students use laptops, tablets, and Chromebooks issued by the school. They log into learning management systems like Google Classroom, Canvas, or Schoology. They complete assignments in platforms like Khan Academy, IXL, or Newsela. They take tests through tools like Kami or Edulastic. They communicate through apps like Remind or ClassDojo.

Each of these platforms collects data. At minimum, they collect login credentials, activity logs, and usage patterns. Many collect more: responses to assignments, quiz scores, time spent on tasks, clicks, keystrokes, and browsing history on school devices. Some platforms use this data to generate behavioral insights, flagging students who might be struggling or disengaged.

Schools enter into contracts with these vendors, but the terms vary widely. Some vendors act as "school officials" under FERPA, meaning they can access student data to perform services on behalf of the school. The vendor must use the data only for the agreed-upon educational purpose, must protect it with reasonable security measures, and must delete or return it when the contract ends. Other vendors operate under different legal frameworks, such as state student privacy laws or the Children's Online Privacy Protection Act (COPPA).

COPPA applies to online services directed at children under 13. It requires operators to obtain verifiable parental consent before collecting personal information from children. Schools can provide consent on behalf of parents when the service is used for educational purposes, but the vendor must limit data collection to what's necessary for the service, must not use the data for advertising or marketing, and must delete it when it's no longer needed.

Not all districts vet vendors thoroughly. Some sign contracts without reviewing privacy policies or data security practices. Some allow teachers to adopt tools without district approval, creating shadow IT that bypasses procurement oversight. This means your child might be using a platform that collects far more data than the school realizes, stores it insecurely, or shares it with third parties for purposes unrelated to education.

You can ask your district for a list of all third-party vendors with access to student data. You can request copies of vendor contracts and privacy policies. You can ask how the district evaluates vendors for data security and privacy compliance. Some districts publish this information on their websites. Others require a formal records request.

Device Monitoring and Content Filtering

School-issued devices are not private. Districts monitor student activity on laptops, tablets, and Chromebooks to enforce acceptable use policies, prevent access to inappropriate content, and detect potential safety concerns. This monitoring happens through several mechanisms.

Content filtering blocks access to websites based on categories like violence, pornography, gambling, and social media. The Children's Internet Protection Act (CIPA) requires schools that receive certain federal funding to filter internet access on school networks and devices. Filters log every blocked attempt, creating a record of what students tried to access.

Device management software allows IT administrators to remotely control school-issued devices. They can install or remove apps, enforce security settings, track device location, and view the screen in real time. Google's Admin Console, Apple's Mobile Device Management, and Microsoft Intune are common tools. These platforms log device activity, including apps opened, websites visited, and files accessed.

Some districts deploy monitoring software that analyzes student communications for keywords related to self-harm, violence, bullying, or drug use. Tools like Bark, Gaggle, and GoGuardian scan emails, chat messages, documents, and search queries. When the software flags a concern, it alerts school administrators, who review the content and decide whether to intervene. These alerts sometimes trigger wellness checks, parent notifications, or disciplinary action.

Monitoring extends beyond school hours if the student uses a school-issued device at home. Some districts disable monitoring outside school hours. Others monitor 24/7 on the theory that the device belongs to the school and is subject to district policies at all times. The distinction matters if your child uses the school laptop for personal browsing, social media, or private conversations.

You can ask your district what monitoring tools are in use, what data they collect, who reviews flagged content, and how long monitoring logs are retained. You can ask whether monitoring is active outside school hours and whether your child can disable it when using the device at home. Some districts allow students to sign out of the school account and use a personal account for non-school activities, effectively bypassing monitoring. Others lock the device to the school account.

If your child needs a device for schoolwork but you want to avoid district monitoring, you can provide a personal device and ask the school to allow its use. Not all districts permit this, and some require personal devices to install monitoring software as a condition of connecting to the school network.

Behavioral and Social-Emotional Data

Schools increasingly collect data on student behavior, social-emotional development, and mental health. This data comes from teacher observations, self-reported surveys, disciplinary incidents, counselor notes, and automated behavioral tracking systems.

Behavioral tracking systems like ClassDojo, LiveSchool, and PBIS Rewards allow teachers to assign points or badges for positive behaviors (participating in class, helping peers, staying on task) and deduct points for negative behaviors (talking out of turn, forgetting materials, disrupting class). These systems create a quantified record of student behavior over time, visible to teachers, administrators, parents, and sometimes the student.

Social-emotional learning (SEL) assessments measure skills like self-awareness, self-management, social awareness, relationship skills, and responsible decision-making. Students complete surveys or activities, and the platform generates reports on their social-emotional competencies. Some SEL tools integrate with student information systems, linking behavioral data to academic records.

Mental health screening tools assess students for risk of anxiety, depression, suicidal ideation, or trauma. Some districts administer these screenings universally; others use them selectively based on teacher referrals or behavioral incidents. Screening results may be shared with parents, counselors, and outside mental health providers.

This data is more subjective and interpretive than academic records. A teacher's observation that a student "seems withdrawn" or "struggles with peer relationships" becomes part of the record, even though it reflects the teacher's perception rather than an objective fact. Behavioral point systems can penalize students for traits like fidgeting or asking too many questions, pathologizing normal childhood behavior.

FERPA covers behavioral and social-emotional data if it's maintained by the school as part of the student's education record. You have the right to review it, request corrections, and challenge inaccuracies. But the school is not required to remove a teacher's subjective observation just because you disagree with it. You can add a statement to the record explaining your perspective, which becomes part of the file.

Data Retention and Deletion

Schools do not keep all data forever. Retention periods vary by state law, district policy, and record type. Permanent records like transcripts are kept indefinitely. Temporary records like attendance, discipline, and health information are typically retained for 5 to 7 years after the student leaves the district. Some states mandate specific retention schedules; others leave it to district discretion.

Third-party vendors operate under different rules. Some contracts require vendors to delete student data when the contract ends or when the student graduates. Others allow vendors to retain de-identified data for product improvement or research. De-identified data is stripped of direct identifiers like name and student ID, but it may still include demographic information, usage patterns, and performance metrics.

True anonymization is difficult. Researchers have demonstrated that de-identified datasets can often be re-identified by combining them with other publicly available information. A dataset that includes zip code, birthdate, and gender can often be linked back to a specific individual, even without a name.

You can ask your district how long it retains different types of records and what happens to data when a student leaves the district. You can ask whether vendor contracts require data deletion and whether the district audits vendors for compliance. Some districts conduct annual audits; others rely on vendor self-reporting.

If your child changes schools or graduates, you can request that the district delete temporary records that are no longer required by law. The district may or may not comply, depending on its interpretation of retention requirements and FERPA obligations.

Who Can Access Student Data

Access to student data is supposed to be limited to school officials with a legitimate educational interest. This includes teachers, administrators, counselors, nurses, and support staff who need the data to perform their job duties. It also includes contractors and vendors acting as school officials under FERPA.

In practice, access controls vary. Some districts implement role-based permissions, restricting each user to the minimum data necessary for their role. A teacher can see grades and attendance for their own students but not for students in other classes. A counselor can see academic and behavioral records but not health records. A nurse can see health records but not disciplinary records.

Other districts grant broad access. Every teacher can see every student's full record. Every administrator can see everything. This increases the risk of unauthorized disclosure, either through curiosity, gossip, or accidental exposure.

Law enforcement can access student records under specific circumstances. If police have a lawfully issued subpoena or court order, the school must comply. FERPA allows schools to disclose records without a subpoena in emergencies involving health or safety, though the school must document the emergency and the disclosure. Some districts have school resource officers (SROs) stationed on campus. SROs are law enforcement, not school officials, and do not have automatic access to education records under FERPA. But districts sometimes grant SROs access anyway, either through data-sharing agreements or by treating them as school officials.

Immigration authorities do not have automatic access to student records. Schools cannot share information about a student's immigration status or citizenship with ICE without a subpoena, court order, or written parental consent. Some districts adopt sanctuary policies, refusing to cooperate with immigration enforcement beyond what the law requires.

If your district shares data with law enforcement, you can ask under what circumstances, whether parental notification is required, and whether the district maintains logs of law enforcement requests. Some districts publish transparency reports detailing the number and type of law enforcement requests they receive.

State Student Privacy Laws

FERPA is a federal baseline, but many states have enacted additional student privacy protections. These laws vary widely in scope and strength.

California's Student Online Personal Information Protection Act (SOPIPA) prohibits operators of online services from selling student data, using it for targeted advertising, or building profiles for non-educational purposes. It requires operators to implement reasonable security practices and to delete data upon request.

New York's Education Law Section 2-d requires school districts to maintain a publicly accessible list of all third-party contractors with access to student data, including links to their privacy policies. It mandates data security and privacy standards for vendors and requires annual compliance reporting.

Illinois's Student Online Personal Protection Act (SOPPA) requires vendors to enter into written agreements with schools specifying data collection, use, and retention practices. It prohibits vendors from selling student data or using it for targeted advertising.

Other states have similar laws, each with different requirements. Some apply only to online services; others cover all third-party vendors. Some require parental consent for certain types of data collection; others rely on school consent under FERPA.

You can check whether your state has a student privacy law by searching "[your state] student privacy law" or consulting resources from organizations like the Future of Privacy Forum or the Electronic Privacy Information Center (EPIC). If your state has a law, you can use it to request information about vendor contracts, data-sharing agreements, and security practices.

What You Can Control

You have more control over some types of data collection than others. Here's what you can typically opt out of and what you cannot.

You can opt out of:

  • Directory information disclosure
  • Biometric data collection (in states that require consent)
  • Participation in surveys that ask about political beliefs, mental health, sexual behavior, family income, or other sensitive topics (under the Protection of Pupil Rights Amendment)
  • Some third-party educational technology tools, if they're optional rather than required for coursework

You cannot opt out of:

  • Core educational records like grades, attendance, and standardized test scores
  • Data collection required by state or federal law (such as special education evaluations or Title I reporting)
  • Use of third-party tools that are mandatory for coursework
  • Device monitoring on school-issued devices

To exercise your rights, start by requesting a copy of your district's student privacy policy. This document should explain what data the district collects, how it's used, who has access, and what rights you have. If the policy is vague or incomplete, you can submit a formal records request under your state's open records law, asking for vendor contracts, data-sharing agreements, and privacy impact assessments.

You can also request an annual review of your child's education records. FERPA requires schools to provide access within 45 days. Use this opportunity to check for inaccuracies, outdated information, or records that should have been deleted. If you find errors, submit a written request for correction. If the school refuses, request a hearing.

If your district uses a third-party tool that concerns you, ask whether it's required or optional. If it's optional, you can decline consent and ask for an alternative assignment. If it's required, you can ask to review the vendor's privacy policy and data security practices. You can also ask whether the district has evaluated the tool for compliance with FERPA, COPPA, and state privacy laws.

Some districts are responsive to parental concerns. Others are not. If you encounter resistance, consider organizing with other parents. A group request carries more weight than an individual complaint. You can also raise concerns at school board meetings, where public comment is typically allowed.

The Analogy That Fits

In Seinfeld, Kramer once described a personal filing system where every scrap of information about every person he met got stored in a mental Rolodex, cross-referenced and retrievable at will. Jerry found this both impressive and unsettling, because Kramer wasn't just remembering facts; he was building profiles, connecting dots, and using the information in ways the original sources never intended.

Schools do something similar, but at scale. Every interaction, every grade, every disciplinary incident, every clicked link, every flagged keyword gets logged, stored, and cross-referenced. The data isn't just sitting in a file cabinet gathering dust. It's being analyzed, aggregated, and used to make decisions about your child's education, behavior, and future opportunities. And just like Kramer's mental Rolodex, the system works whether or not the subjects are comfortable with it.

The difference is that Kramer's system lived in his head. School data lives in databases controlled by districts, vendors, and sometimes law enforcement. You can't opt out of being remembered, but you can ask what's being remembered and push back when the system overreaches.

What Happens When Data Gets Breached

School districts are not immune to data breaches. Student information systems, learning platforms, and vendor databases all present attack surfaces. When a breach occurs, the exposed data can include names, addresses, Social Security numbers, grades, disciplinary records, health information, and login credentials.

Breaches happen through several mechanisms. Phishing attacks trick district employees into revealing credentials. Ransomware encrypts district systems and demands payment for decryption. Misconfigured databases expose data to the public internet. Vendors suffer breaches that cascade to their school clients. Insider threats occur when employees access or disclose data without authorization.

Under FERPA, schools must notify parents when a breach compromises personally identifiable information. Some state laws impose additional notification requirements, specifying timelines and content. But notification is reactive. By the time you learn about a breach, the data has already been exposed.

You can reduce risk by asking your district what security measures are in place. Does the district encrypt student data at rest and in transit? Does it require vendors to meet specific security standards? Does it conduct regular security audits? Does it have an incident response plan? Does it carry cyber liability insurance?

If your district suffers a breach, you can request details about what data was exposed, how the breach occurred, and what steps the district is taking to prevent future incidents. You can also monitor your child's credit report for signs of identity theft, though credit monitoring for minors is complicated because children typically don't have credit files until they apply for their first loan or credit card.

How to Talk to Your Child About School Data Collection

Your child may not realize how much data the school collects or how it's used. Depending on their age, they may not understand the concept of data collection at all. Here's how to approach the conversation.

For younger children (elementary school), keep it simple. Explain that the school keeps track of things like attendance, grades, and behavior to help teachers know how they're doing. Emphasize that this is normal and not something to worry about, but also explain that some information is private and shouldn't be shared with everyone.

For older children (middle and high school), you can go deeper. Explain that the school collects data not just for grades and attendance, but also through the devices and apps they use. Talk about the fact that their browsing history on school devices is visible to the school, and that some apps track how long they spend on tasks or flag certain keywords in their messages.

Encourage them to think critically about what they share online, even in school contexts. A message sent through Google Classroom or a document stored in their school account is not private in the way a conversation with a friend might be. Explain that school monitoring is designed to keep them safe, but that it also means they should be thoughtful about what they write and search for on school devices.

If your child is concerned about monitoring, validate their feelings. It's reasonable to feel uncomfortable knowing that someone might be watching what you do online. At the same time, explain the school's perspective: monitoring helps catch bullying, self-harm, and other serious issues before they escalate. The goal is not to invade privacy but to intervene when necessary.

You can also discuss what happens to data after they leave school. Explain that some records follow them for years, while others get deleted. Encourage them to think about how their digital footprint might affect them in the future, even in contexts that feel private now.

The Bottom Line

Schools collect a vast amount of data on students: academic records, attendance, discipline, health information, biometric identifiers, device activity, behavioral observations, and social-emotional assessments. Much of this data is necessary for education. Some of it is not. The line between useful record-keeping and invasive surveillance is blurry and contested.

You have rights under FERPA to access your child's records, request corrections, and control directory information disclosure. You may have additional rights under state law, depending on where you live. You can ask questions, request information, and push back when data collection feels excessive or unjustified.

But you cannot opt out of the system entirely. Schools need data to function. The question is not whether they should collect data, but how much, for what purposes, with what safeguards, and with what transparency. Those are questions you can influence, both individually and collectively, by staying informed and advocating for policies that protect student privacy while supporting education.

Parent reviewing digital school records on tablet at kitchen table
→ Filed under
student privacyschool dataFERPAeducational technologyparental rightschildren's data
ShareXLinkedInFacebook

Frequently asked questions

Schools collect academic records (grades, test scores, transcripts), attendance and discipline records, health information (immunizations, medications, nurse visits), contact information for families, and increasingly biometric data like fingerprints for lunch systems or facial recognition for building access. Many districts also track online activity through school-issued devices and learning platforms.
Under FERPA, schools can share directory information (name, photo, grade level, activities) without consent unless you opt out. They can also share data with educational technology vendors under 'school official' exceptions, though the vendor must use it only for educational purposes. Schools cannot sell student data or share it for marketing without explicit consent.
Yes. FERPA gives parents the right to inspect and review all education records the school maintains on their child. You can request access in writing, and the school must comply within 45 days. This includes grades, test scores, discipline records, health information, and notes from teachers or counselors.
Retention periods vary by state and record type. Most states require schools to keep permanent records (transcripts, graduation records) indefinitely. Temporary records like attendance, discipline reports, and health information are typically kept for 5-7 years after a student leaves the district. Some data from third-party apps may be deleted sooner, depending on vendor contracts.
You can opt out of directory information sharing and some biometric systems, but you cannot opt out of core educational records like grades and attendance. For third-party educational technology, your ability to opt out depends on whether the tool is required for coursework. If it's optional, you can refuse consent; if it's mandatory, the school can require participation as part of the educational program.

You might also like

Parent configuring privacy settings on a smartphone before giving it to a child
Family & Kids Online

Setting Up a Phone for a Kid: Step-by-Step Security and Privacy Configuration

Configure a child's phone with the right privacy settings, parental controls, and security boundaries before handing it over. Here's what to enable, what to lock down, and why each step matters.

12 min · Margot 'Magic' Thorne · May 16

Parent and teenager looking at phone screen together, conversation about social media safety
Family & Kids Online

Is TikTok Safe for Kids? The Mechanism Behind Social Media Risk

TikTok, Instagram, and Snapchat expose kids to algorithmic manipulation, data harvesting, and predatory contact. Here's how the platforms work and what parents can control.

12 min · Margot 'Magic' Thorne · May 20

Parent and child reviewing phone settings together at kitchen table
Family & Kids Online

When to Give a Kid Their First Phone: A Step-by-Step Decision Framework

Age isn't the only factor. Here's how to assess readiness, set boundaries, and configure a phone for a child's first device—before you hand it over.

11 min · Margot 'Magic' Thorne · May 13