Oliver Page
Case study
October 31, 2025
What to Know About the Illinois School Student Records Act (ISSRA) starts with understanding that this state law protects student privacy by controlling how schools collect, maintain, and share student information. If you're managing student data in Illinois schools, here's what you need to know right now:
Key ISSRA Protections at a Glance:
In Illinois, laws protect the privacy of student education records. These laws ensure that personal information—from grades to health records—stays safe and private. The Illinois School Student Records Act (ISSRA) works alongside the federal Family Educational Rights and Privacy Act (FERPA) to create a strong framework for student data protection.
For K-12 IT directors, ISSRA compliance isn't just a legal requirement. It's a critical piece of your cybersecurity strategy. When staff don't understand record handling rules, data breaches become more likely. A single phishing email that compromises student records can trigger ISSRA violations, federal investigations, and loss of funding.
The Act covers everything from who can access records to how long you must keep them. It defines what information schools can share publicly as "directory information" and what requires explicit parental consent. It also establishes clear procedures for parents to challenge inaccurate information and sets strict timelines for schools to respond to records requests.
Understanding ISSRA helps you protect your district from compliance violations while building a culture of data privacy. The following sections break down the Act's requirements in practical terms—what records you must maintain, who can access them, how long to keep them, and what happens if something wrong.
Quick look at What to Know About the Illinois School Student Records Act (ISSRA):
The Illinois School Student Records Act (ISSRA) exists for one essential reason: to protect student privacy in a world where data moves fast and breaches happen faster. Officially codified as 105 ILCS 10/, this state law sets the ground rules for how Illinois public schools collect, store, access, and share student information.
Think of ISSRA as the protective barrier between your students' personal information and the outside world. It defines exactly what counts as a "school student record," who gets to see it, and under what circumstances information can be shared. The law doesn't just say "be careful with data"—it creates specific, enforceable requirements that keep student information secure.
Every Illinois school must designate an official records custodian. This person serves as the guardian of all student records, responsible for their maintenance, security, and proper handling. If you're a K-12 IT director, you're likely working closely with this custodian to ensure digital records stay as protected as physical ones.
Here's something many schools overlook: ISSRA requires a detailed record of release for every single time student records are accessed or shared. This log tracks who accessed the information, when they accessed it, and why. It's not bureaucratic busywork—it's your accountability trail when questions arise about data handling.
For the complete legal text and all amendments, you can reference the Official Government Website of the Illinois General Assembly.
Understanding What to Know About the Illinois School Student Records Act (ISSRA) means grasping one critical distinction: the difference between permanent and temporary records. These aren't just filing categories—they determine how long you must keep information and who can access it.
Permanent records contain the essential information that follows a student throughout their educational and professional life. Illinois law requires schools to maintain these records for at least 60 years after a student transfers, graduates, or permanently withdraws. That's right—60 years. Your current kindergarteners' permanent records will outlast most careers.
What goes in a permanent record? The basics that define a student's academic journey: their name, address, birth date and birthplace, gender, and parent contact information. You'll also find their academic transcript showing courses studied, grades earned, credits awarded, and graduation date, along with their unique student identifier. Attendance records and the health record required for enrollment belong here too. High school State assessment test scores are permanent record material, as is the record of release documenting when permanent record information was shared. Some schools also include honors, awards, and participation in school-sponsored activities here, though these can alternatively live in temporary records.
Temporary records tell a more detailed story of a student's time at your school, but they're not forever files. These must be kept for at least 5 years after the student leaves your district.
Temporary records include the record of release for temporary information and State assessment scores from elementary grades (K-8). You'll also find completed home language survey forms and information about serious disciplinary infractions involving drugs, weapons, or bodily harm that led to expulsion or suspension. Any information from the Abused and Neglected Child Reporting Act goes here, along with biometric information your school may have collected.
The temporary file also holds health-related information beyond the basic enrollment record, accident reports, and family background information. Intelligence, aptitude, and psychological test scores belong here, as do achievement test results and extracurricular participation records (if not in the permanent file). Teacher anecdotal records, other disciplinary information, and special education records including IEPs and Section 504 plans are all temporary record materials. Finally, any verified reports or information from non-educational persons, agencies, or organizations rounds out the temporary file.
The Illinois State Board of Education provides additional guidance to help schools correctly categorize and manage both record types.
ISSRA casts a wide net when defining what counts as a "School Student Record." If it's any writing or recorded information that identifies a specific student, maintained by your school or at its direction, it's a student record. Doesn't matter if it's on paper, stored digitally, or saved on someone's laptop—if it identifies a student and your school controls it, ISSRA's protections apply.
This includes all Personally Identifiable Information (PII)—any data that can directly or indirectly identify an individual student. In our connected world, that covers more than you might think.
But here's where it gets interesting. Not everything related to students falls under ISSRA's strict record-keeping rules. The law specifically excludes certain types of information.
Exclusive-use employee notes are personal writings that a teacher or staff member keeps solely for their own use. These don't count as official student records—unless the employee shares them with anyone else or formally incorporates them into the student's file. Once shared, they become official records. The key is that these notes must be destroyed when the student graduates or withdraws.
Law enforcement records maintained by school resource officers or security professionals generally operate under different rules. Security camera footage, for example, isn't automatically a student record unless it's specifically used for disciplinary actions or IEP compliance purposes.
Confidential communications between students and certain professionals—physicians, psychologists, or social workers—receive additional protection under other Illinois laws. These privileged communications have their own privacy framework beyond ISSRA.
And let's talk about biometric data, because this is where many schools stumble. If you're using fingerprint scanners for lunch purchases or attendance tracking, ISSRA (along with other sections of the Illinois School Code) requires specific handling. You need parental consent before collecting biometric information, strict security measures while storing it, and proper destruction protocols when it's no longer needed. This isn't optional—it's the law.
The bottom line? If you're collecting, storing, or sharing any information that identifies a student, assume it's protected until you've verified otherwise. When in doubt, treat it as a student record. That approach keeps you compliant and your students' information secure.
When it comes to What to Know About the Illinois School Student Records Act (ISSRA), understanding your rights as a parent—or as a student—is absolutely essential. ISSRA gives you real power over your child's educational records, and these aren't just theoretical rights. They're practical tools you can use to ensure information about your child is accurate, private, and only shared with your permission.
Here's something important to remember: all the rights we're about to discuss belong to parents until a specific moment. Once a student turns 18, graduates from high school, gets married, or enters military service, these rights transfer exclusively to the student. Until then, you're in the driver's seat.
The process for accessing records is refreshingly straightforward. As a parent, you have the right to inspect and copy both permanent and temporary records for your child. Students themselves can inspect and copy their permanent records. You simply submit a written request to your school's official records custodian—that person we mentioned earlier who's responsible for maintaining all student records.
Schools can't drag their feet on this. When you submit a request, the school must respond within 10 business days. That's not a suggestion—it's a legal requirement. In rare cases where fulfilling your request would be unduly burdensome or interfere with school operations, they can extend this by an additional 5 business days, but that's the absolute limit.
There's also good news about copying fees. While schools can charge for making copies, the fee can't exceed 35 cents per page. And if you genuinely can't afford even that modest cost, the school cannot deny you copies of your child's records. Access to information shouldn't depend on your ability to pay.
Looking at records is one thing. Controlling who else gets to see them is another—and it's just as important. This is where What to Know About the Illinois School Student Records Act (ISSRA) really shines in protecting your family's privacy.
The golden rule is simple: schools need your written consent before releasing your child's records to anyone else. Not a phone call, not a verbal okay—written permission. This consent needs to be specific and dated, spelling out exactly which records will be released, why they're being released, and who will receive them. No blanket permissions here.
Now, you've probably seen your child's name in a school play program or heard it announced at an awards ceremony. That's perfectly fine because of something called "directory information." This is basic information that schools can release without your permission—things like your child's name, address, grade level, birth date and place, participation in school activities, awards received, and dates of attendance.
But here's the key: you can opt out of directory information sharing. Schools must notify you annually about what they consider directory information and give you about 10 days to say "no thanks" in writing. If privacy is important to you, don't skip this notification. One thing that can never be considered directory information? Your child's social security number or unique student identifier. Those are always protected.
If you're ever confused about these rights or believe a school has violated them, it might be worth your time to contact an Illinois education attorney who specializes in education law.
Let's face it—mistakes happen. A teacher might record an absence incorrectly. An old disciplinary note might contain inaccurate details. Information that's no longer relevant might still be sitting in your child's file. The good news is that you don't have to accept errors or inappropriate information in your child's records.
Under What to Know About the Illinois School Student Records Act (ISSRA), you have the right to challenge any entry you believe is inaccurate, irrelevant, or improper. This isn't just a courtesy—it's your legal right. Maybe you've finded that a disciplinary incident was recorded incorrectly, or there's information in the file that simply doesn't belong there. You can request that it be amended or removed.
There are a few things you can't challenge, though. Academic grades are off-limits—if you disagree with a grade, that's a separate process. You also can't challenge the contact information for the official records custodian or references to expulsions and out-of-school suspensions that were properly documented at the time of a student transfer.
The challenge process starts informally. Request a meeting with the school to discuss your concerns. Often, these conversations resolve the issue quickly—maybe it was just a clerical error that everyone agrees should be fixed. If the informal conference doesn't work out, you can request a formal hearing.
A formal hearing is more structured. You can present evidence, bring witnesses, and question the school's witnesses. You can even bring a lawyer if you want legal representation. The hearing officer will listen to both sides and make a decision. If they agree with you, the school must amend the record. Problem solved.
But what if the hearing officer sides with the school? You still have options. You have the right to insert a written statement into the record explaining your position. This statement becomes a permanent part of the file, and whenever that disputed information is shared with someone, your statement goes along with it. Future readers get both sides of the story, which is only fair.
This challenge process matters because student records follow kids through their educational journey and sometimes beyond. An inaccurate disciplinary record could affect college applications. Incorrect information about special education services could impact future educational planning. Taking the time to ensure records are accurate isn't being difficult—it's being a good advocate for your child.
Understanding What to Know About the Illinois School Student Records Act (ISSRA) means recognizing that it doesn't exist in isolation. Student privacy protection in Illinois schools actually involves a web of interconnecting laws—federal regulations like FERPA, state laws like SOPPA, and ISSRA itself all working together. These overlapping protections create multiple layers of security for student data, which is particularly important in today's digital learning environment where educational technology tools collect vast amounts of information.
Think of it this way: ISSRA sets the foundation for how Illinois schools handle physical and digital student records, FERPA provides the federal baseline that applies nationwide, and SOPPA addresses the specific challenges of online learning platforms and ed-tech vendors. Where these laws overlap, schools benefit from stronger protections. Where they differ, you typically need to follow the stricter requirement.
This interconnected framework becomes especially critical when we consider how much student data flows through digital systems today. From learning management platforms to attendance apps, educational technology is now central to K-12 operations. Ensuring robust student data security isn't just about locking file cabinets anymore—it's about understanding how these laws apply to cloud storage, third-party vendors, and the countless digital touchpoints in modern education.
The Family Educational Rights and Privacy Act (FERPA) is the federal law that governs student education records across the entire United States. If your school receives federal funding (which nearly all public schools do), you must comply with FERPA. But here's where it gets interesting: ISSRA often provides more specific guidance and sometimes stricter protections than its federal counterpart.
Both laws share the same core mission—protecting student privacy and giving parents control over their children's records. They both require written consent before releasing records to third parties (with specific exceptions), and they both give parents the right to inspect and challenge records. However, the details matter, and that's where ISSRA and FERPA diverge in meaningful ways.
Scope and coverage represent the first major difference. FERPA applies to all educational institutions receiving federal funds, from kindergarten through university. ISSRA, meanwhile, focuses specifically on Illinois K-12 public schools and certain private schools. This narrower focus allows ISSRA to address issues unique to elementary and secondary education.
Record types and retention show another distinction. ISSRA explicitly divides student records into permanent records (kept for 60 years) and temporary records (kept for 5 years), with detailed lists of what belongs in each category. FERPA doesn't make this distinction—it simply refers to "education records" as a broad category. This specificity in ISSRA makes compliance clearer for Illinois schools.
Enforcement and penalties differ significantly between the two laws. FERPA violations can result in the loss of federal funding for your entire district—a severe consequence that, in practice, rarely happens. ISSRA violations, on the other hand, can lead to individual penalties including fines and even misdemeanor charges for willful violations. This means ISSRA has more direct, personal accountability.
Specific rights and procedures also vary. ISSRA requires schools to respond to records requests within 10 business days, while FERPA requires a response within a "reasonable time" (typically interpreted as 45 days). ISSRA also mandates that schools maintain a detailed "record of release" for every disclosure, which must be kept with the student's records. FERPA requires disclosure logs too, but ISSRA's requirements are more explicit.
One concept that appears in both laws but deserves special attention is legitimate educational interest. Both ISSRA and FERPA allow school officials to access student records without parental consent if they have a legitimate educational interest. This means teachers, counselors, and administrators can access the information they need to do their jobs effectively. However, "need to know" is the guiding principle—just because someone works at the school doesn't mean they have blanket access to all student records.
The Student Online Personal Protection Act (SOPPA) entered the picture in 2019 to address a gap that neither ISSRA nor FERPA fully covered: what happens when schools use third-party educational technology companies that collect student data? As online learning tools proliferated, it became clear that student information was flowing to vendors in ways the older laws hadn't anticipated.
SOPPA specifically regulates how ed-tech companies can collect, use, and share student data. It prohibits these vendors from selling student information, using it for targeted advertising, or creating profiles for non-educational purposes. This is crucial because while ISSRA controls how your school handles records, SOPPA extends those protections to the technology vendors you contract with.
Here's where the interplay between ISSRA and SOPPA becomes important for your daily operations. When you select a learning management system, assessment platform, or any digital tool that will handle student information, SOPPA requires that vendor to sign a written agreement outlining how they'll protect student data. These agreements must specify that the vendor won't use the data for advertising, won't sell it, and will delete it when the contract ends or when you request deletion.
ISSRA still governs the records your school maintains directly, but SOPPA ensures that when those records touch a third-party system, the same privacy principles follow. Think of it as extending your ISSRA obligations to your vendors. If an ed-tech company experiences a data breach, both SOPPA and ISSRA come into play regarding notification requirements and potential violations.
The connection to COPPA (the Children's Online Privacy Protection Act) adds another layer here. COPPA is a federal law that restricts how websites and online services can collect personal information from children under 13. When you're evaluating educational technology for younger students, you're navigating ISSRA, FERPA, SOPPA, and COPPA simultaneously. The good news? They all push in the same direction—toward stronger privacy protections.
This multi-law landscape might seem overwhelming, but it actually provides comprehensive protection. ISSRA handles your school's record-keeping obligations. FERPA sets the federal baseline. SOPPA extends protections to your technology vendors. Together, they create a framework where student data privacy is protected at every touchpoint. Your job is understanding where each law applies and ensuring your policies address all of them. For help navigating these complex requirements and bolstering your cybersecurity posture, partner with CyberNut. You can also take the first step in securing your district by requesting a free phishing audit to identify critical vulnerabilities among your staff.
Oliver Page
Some more Insigths
Back
.png)
.png)
.png)
.png)
.png)
