Somewhere in every school district and independent school there is a data governance policy that covers student records, defines who can access what, and was reviewed by counsel before the board approved it. It exists.
And then there is what actually happens: a teacher texts a parent from a personal phone to discuss a behavioral incident. A counselor uses a consumer messaging app to coordinate with a colleague about a student in crisis. A principal emails a photograph of a student's disciplinary record to an administrator's personal Gmail because the district system was down. An attendance coordinator maintains a spreadsheet of student contact information in a personal cloud storage account because it's easier to access from home.
No one is acting in bad faith. Each of them is solving a real problem with the tools available. That's exactly the point: when the official tools aren't fast enough, flexible enough, or accessible enough for the situations staff actually face, people find ones that are.
The shadow layer doesn't exist because staff are careless with student data. It exists because the official communications environment wasn't built for the moments that matter most.
The Gap Between Policy and Practice
The compliance exposure is real, but it's a symptom. The underlying problem is that staff reach for personal tools when official ones create friction at exactly the wrong moment.
The informal layer doesn't appear in any technology inventory, isn't covered by any vendor agreement, and can't be audited because there's nothing to audit. Compliance reviews examine only the systems the institution knows about. That's the gap, and it's why 67% of education IT decision-makers identify privacy and compliance concerns as a critical barrier to modernization.
That figure is usually read as a reason to act, but it can also be read as a reason institutions freeze. Examining data flows means mapping what's actually happening, not just what the policy says should happen. For institutions that haven't done that mapping, the examination itself is the challenging part.
The risk is not hypothetical. When staff regularly use consumer tools to communicate about students, that data is moving through channels with no institutional oversight, no retention policy, and no vendor commitments about how it's handled. The exposure is real, and it's a direct consequence of official tools that don't meet the demands of the job.
The answer isn't a stricter policy. It's a communications environment that staff will actually use — one that's fast enough, flexible enough, and accessible enough that the workaround stops being worth it.
The risk extends beyond data. The same infrastructure staff are routing around is often the infrastructure that needs to satisfy Kari's Act and RAY BAUM's Act requirements. Consumer apps and personal devices don't transmit dispatchable location data. They don't trigger on-site notification. When a situation escalates and a staff member is working outside the institutional system, the communications environment fails on two fronts at once: it can't be audited afterward, and it didn't perform in the moment.
Why Compliance Anxiety Can Make the Problem Worse
There's a counterintuitive dynamic worth examining: compliance concern sometimes becomes a reason not to modernize rather than a reason to act. Mapping data flows means examining what's actually happening, and that examination surfaces questions the current environment has never had to answer. It's easier, in the short term, to leave things in place.
But deferring modernization to avoid scrutiny isn't protecting the institution from compliance exposure. It's deferring the moment when that exposure becomes visible.
The institutions that manage this well start with a simple data flow audit: where does student and family data actually travel, including through the informal layer, and which of those flows can we govern? That's the only way to close the gap.
How to Make the Case to Leadership
Most IT directors already have a sense of where the gaps are. The harder part is making them visible to leadership in a way that leads to action.
For IT directors preparing to bring this to a superintendent or board, the most useful thing is not a compliance report, but a clear picture of what's actually happening. Three questions tend to make that picture hard to ignore:
- What are staff actually using? Not what's in the technology inventory — what people are actually using to communicate about students and families, including tools IT didn't deploy. Asking staff directly is the fastest way to find out, and the answers are usually illuminating.
- Which of those tools have executed data processing agreements? For institutionally procured platforms, probably yes. For consumer apps on personal devices, almost certainly no. That gap is the compliance exposure, and it's concrete enough to put in front of a board.
- When did we last audit both our data flows and our E911 posture? Compliance with Kari's Act and RAY BAUM's Act is part of the same infrastructure question as everything else. If the answer is "we're not sure," that's the starting point, before any vendor conversation, before any new policy, before any modernization discussion.
The goal isn't to surface problems for their own sake. It's to give leadership an accurate picture of where the institution actually stands — so the conversation that follows is about solutions, not surprises.
Mitel works with K–12 districts and independent schools on communications architectures that bring the informal layer back under institutional control — giving staff the tools they actually need for sensitive, real-time communication, through channels the institution can govern, audit, and stand behind. That includes MLTS deployments built to support compliance with Kari's Act and RAY BAUM's Act requirements, so the infrastructure that handles daily communication is the same one that performs when stakes are highest.