Back to Blog
Safety & Compliance February 3, 2026 · 9 min read

FERPA, COPPA, and K-12 Operations: What Districts Need to Know

Student data compliance isn't just about grades and transcripts. Operational platforms that touch student movement and custody have real compliance obligations.

AS

Alex Stanin

CEO, Tool For School

Most districts think of FERPA compliance as an SIS problem. Grades, transcripts, enrollment records — those are education records under FERPA, and protecting them is standard practice. But FERPA's scope is broader than most administrators realize, and operational data — dismissal records, hall pass logs, custody check timestamps — may fall under its protections.

What FERPA Actually Covers

FERPA (the Family Educational Rights and Privacy Act) protects "education records" — which the law defines broadly as records, files, documents, and other materials that contain information directly related to a student and are maintained by an educational agency or institution.

This definition is broad enough to include operational records. A timestamped log showing that Student X was released from classroom 214 at 3:15pm to parent Y is a record that contains information directly related to that student. Whether it constitutes an education record under FERPA depends on the specific facts and how the record is maintained.

The practical implication: operational platforms that generate and store records of student activity should be evaluated for FERPA alignment, not just SIS platforms.

COPPA and Student Age

COPPA (the Children's Online Privacy Protection Act) restricts the collection of personal information from children under 13 without verifiable parental consent. For K-12 operational platforms that interact with students directly — a hall pass app on a student device, for example — COPPA compliance is a procurement requirement, not an afterthought.

Districts evaluating operational vendors should ask specifically: how does this platform handle data from students under 13? What personal information is collected? Where is it stored? How long is it retained? Who has access to it?

The Operational Data Risk Districts Miss

The compliance risk in operational data isn't usually in the data collection — it's in the data storage and access. Dismissal logs, for example, contain:

  • Student name and grade
  • Time of pickup
  • Name and relationship of person who collected the student
  • Whether a custody check was triggered and what it found

This data, if improperly stored, accessed, or retained, creates compliance exposure. If a vendor stores this data on servers without adequate security controls, or if it can be accessed by unauthorized parties, the district is exposed — not the vendor.

Vendor Evaluation Questions

When evaluating any operational vendor that touches student data, districts should ask:

  • Is student data encrypted at rest and in transit?
  • Where are servers located, and who has physical access?
  • What is the data retention policy? When and how is data deleted?
  • Does the vendor have a signed Data Processing Agreement (DPA) available?
  • Is the vendor pursuing or maintaining SOC 2 Type II certification?
  • What is the breach notification process and timeline?

A vendor that can't answer these questions clearly is a vendor that hasn't thought carefully about their compliance obligations — or yours.

Custody Data: The Highest-Risk Category

Within operational data, custody information carries the highest compliance and legal risk. Custody orders are legal documents. The records of how a school enforced (or failed to enforce) a custody order can be subpoenaed in family court proceedings. Improper disclosure of custody information — to a parent who doesn't have rights to it, or to a third party — can constitute a FERPA violation.

Platforms that handle custody data need to implement strict access controls: only staff with a legitimate educational interest should be able to view custody flags, and only for students they're responsible for. Logging access to custody records is not optional — it's the minimum standard for a defensible compliance posture.

The Bottom Line

Compliance in K-12 operations isn't just an IT department concern. Every platform that touches student data, generates student activity records, or enforces custody rules is a compliance surface. Districts that evaluate operational vendors only on feature functionality and price are leaving a meaningful compliance gap unaddressed.

The right question isn't just "does this tool solve our dismissal problem?" It's "does this tool solve our dismissal problem in a way that doesn't create a compliance problem?"

Our Security & Compliance Approach