
Who Should See What: A Practical Guide to Access Control in Schools

March 2, 2026 · Updated March 12, 2026 · 11 min read · By Ocean Team

The Spreadsheet Problem

It usually starts innocently. A school administrator creates a Google Sheet to track student enrollment. It's convenient, easy to share, and free. So other departments get added. Grades go in. Medical records. Unpaid invoices. Emergency contacts. The sheet grows, and so does the list of people with access.

Now the cashier can see medical records. The PE teacher can see unpaid invoices. The part-time substitute who left six months ago still has the link. The parent who was briefly added to check their child's schedule can see everyone else's children, too.

This isn't a hypothetical. It's how most Philippine schools actually operate.


One Link, No Boundaries

The problem with shared spreadsheets isn't the spreadsheet itself—it's that they have no concept of access control. When you share a Google Sheet with "anyone with the link can edit," you're granting identical access to everyone. There's no way to say "Finance can see column G but not column M." There's no role-based visibility. There's no audit trail showing who changed what.

The risks compound quickly:

  • A single shared login. Many schools create a generic "registrar account" or "admin account" that multiple staff members use. When a breach occurs — and SchoolBreach.org shows that breaches in Philippine schools are more common than most administrators realize — there's no way to know who was responsible and no way to revoke individual access.
  • A forwarded email. A staff member forwards a spreadsheet link to a colleague. That colleague forwards it further. The link doesn't expire. Months later, the data is accessible to people who no longer work at the school.
  • A USB drive. Student records downloaded to a USB for convenience—taken home, left on a desk, misplaced. The Data Privacy Act doesn't care that it was an accident.

The solution isn't better spreadsheets. It's a system designed around the principle of least privilege: every person has access to exactly what they need to do their job, and nothing more.

What "Need to Know" Means in a School

Least-privilege access sounds like a technical concept, but it's really just common sense applied to data: people should only see information they need to do their job. Here's what that looks like for each role in a school.

Registrar

The registrar manages enrollment and student records. They need:

  • Enrollment records and enrollment history
  • Academic records and transcript requests
  • Emergency contact information
  • Communication and correspondence

What they don't need: medical records (that's the nurse's domain), financial records (that's finance's domain), or disciplinary records from other campuses.

School Nurse

The school nurse manages student health. They need:

  • Clinic visit logs and medical history
  • Medical records, health conditions, and allergy information
  • Emergency contacts and medical authorization forms
  • Immunization records

What they don't need: academic grades (not medically relevant), billing information (not their function), or disciplinary records (not their role).

Finance Staff

Finance manages the school's money. They need:

  • Tuition invoices and payment records
  • Bank reconciliation and transaction records
  • Outstanding balances and collection reports
  • Family billing contacts

What they don't need: medical records, academic grades, disciplinary history, or anything that isn't financial.

Homeroom Teacher

A teacher needs to serve their students effectively. They need:

  • Grades and attendance for their own sections only
  • Subject-specific student performance data
  • Communications with the families of students in their class

What they don't need: grades for students in other sections, financial records, medical records, or disciplinary records from other teachers.

Parents

Parents are data subjects with rights—but also bounded access. A parent should be able to see:

  • Their own child's grades and attendance
  • Billing information for their account
  • Communications from the school

What they must not see: other students' data, other families' financial records, any staff-only information.

Principal

The principal needs oversight across the school. They need:

  • Summary reports and dashboards across departments
  • Read access to most records for oversight purposes
  • Specific write access for approvals they're responsible for

What they often don't need: the ability to edit every record everywhere. Broad read access for oversight doesn't require broad edit access.

The principal needs oversight, not omnipotence. Read access for visibility. Edit access only where the role requires it.

The Pattern

Notice the pattern: every role has a defined scope of data access that matches their function. The nurse doesn't need billing information. The cashier doesn't need medical records. The teacher doesn't need another teacher's students' grades. When systems are designed this way, a breach in one area doesn't expose everything.
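As an added illustration (not Ocean's code or data model) of the need-to-know matrix above, the following Python encodes each role's data categories plus the scope rules that limit teachers to their own sections and parents to their own children; role names, category names and scope rules are assumptions drawn from the lists above, and the matrix function renders the role-by-category table an auditor would ask for.

```python
from dataclasses import dataclass, field

# Which data categories each role may read. Constructed from the role lists
# above; an unknown role (e.g. a departed substitute) matches nothing and is denied.
ROLE_CATEGORIES = {
    "registrar": {"enrollment", "academic", "emergency_contact"},
    "nurse":     {"medical", "emergency_contact"},
    "finance":   {"billing"},
    "teacher":   {"academic", "attendance"},
    "parent":    {"academic", "attendance", "billing"},
    "principal": {"enrollment", "academic", "attendance",
                  "billing", "medical", "emergency_contact"},
}

ALL_CATEGORIES = ("enrollment", "academic", "attendance",
                  "billing", "medical", "emergency_contact")

@dataclass
class User:
    name: str
    role: str
    sections: set = field(default_factory=set)  # teacher: sections they teach
    children: set = field(default_factory=set)  # parent: their own children's ids

@dataclass
class Student:
    student_id: str
    section: str

def can_read(user: User, category: str, student: Student) -> bool:
    """Fail closed: the role must cover the category AND its scope must cover the student."""
    if category not in ROLE_CATEGORIES.get(user.role, set()):
        return False
    if user.role == "teacher":          # own sections only
        return student.section in user.sections
    if user.role == "parent":           # own children only
        return student.student_id in user.children
    return True                         # school-wide roles: registrar, nurse, finance, principal

def access_matrix(categories=ALL_CATEGORIES) -> dict:
    """Role x category table to show an auditor: True where the role may read that category."""
    return {role: {c: c in cats for c in categories}
            for role, cats in ROLE_CATEGORIES.items()}
```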

The DPA Requires This (It's Not Optional)

Access control isn't a nice-to-have for Philippine schools—it's a legal requirement.

Section 20 of the Data Privacy Act mandates that personal information controllers (which every school is) implement "appropriate organizational, physical, and technical security measures" to protect personal data. The NPC's implementing rules are explicit: access controls are a core component of what "appropriate technical measures" means.

In practice, the NPC evaluates access control through several lenses:

Who can access what, and why? When the NPC conducts a compliance audit, one of the first things they examine is whether your school has documented who has access to personal data and the justification for that access. An auditor will ask: "Can you show us your access control matrix?"

Is access limited to what's necessary? The Data Privacy Act's proportionality principle requires that data processing be "adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose." Giving the PE teacher access to billing records is excessive—and potentially non-compliant.

What happens when staff leave? The NPC expects that access is revoked promptly when an employee's role changes or they leave the organization. Former staff retaining access to student data is a compliance violation and a breach waiting to happen.

Can you prove your controls work? Policies alone aren't enough. The NPC expects audit logs, access reviews, and technical enforcement—not just a policy document that says "only authorized staff should access student data."

Schools that can't demonstrate functional access controls face real consequences: notices of non-compliance, fines, and—in cases of willful or negligent breaches—criminal liability for responsible officers.

Common Access Control Mistakes

Most schools know they should have access controls. Most schools also have these problems:

Shared Logins

"The registrar account" is accessed by three people. When a student record is changed incorrectly, no one knows who made the change. When an NPC complaint is filed about unauthorized access, there's no audit trail. Shared logins eliminate accountability entirely.

The fix: every person who accesses student data needs their own authenticated account. No exceptions.

Admin Access "Just in Case"

It's tempting to give everyone administrator-level access because "they might need it someday." This is the technical equivalent of giving every staff member a master key to every room in the school. In practice, most people never need most of what they have access to—but the risk is always present.

The fix: start with no access and add only what each role requires. This is the least-privilege principle in practice.

No Deprovisioning When Staff Leave

A teacher resigns in April. Their account remains active until October, when someone finally notices. In those six months, they could have accessed student records from home—and there would be no way to know.

Deprovisioning (removing access when someone leaves) should happen on the day of departure, not eventually. Every day of delay is a compliance risk.

No Separation Between Viewing and Editing

Viewing and editing are different levels of access with very different risk profiles. A principal who can view grades for oversight purposes has a different risk footprint than a principal who can edit grades for any student. Most schools grant edit access by default when read access would be sufficient.

The fix: design your access model to differentiate between read, write, and export permissions. People who only need to see data shouldn't be able to change it.

How Ocean Helps

Ocean was designed from the ground up with access control as a core architectural feature—not an afterthought.

64 Granular Permissions

Ocean's permission system includes 64 distinct permissions across its fixed roles—not a coarse-grained "admin/teacher/parent" model, but a carefully designed matrix built bottom-up from what each role actually needs. Each permission reflects a specific action: view clinic records, edit enrollment data, export financial reports, approve grade changes.

These permissions are assigned to roles, and roles are assigned to users. The cashier gets the finance role with billing permissions. The nurse gets the clinic role with medical permissions. Never the reverse.

Multi-Role Support

Real schools have complex staffing. A department head who also teaches has legitimate needs in both roles. Ocean supports multi-role assignments: a user can hold both the "Teacher" and "Department Head" roles simultaneously, receiving the union of both roles' permissions—and nothing more. There's no "just give them admin access because they have two roles" shortcut.

User/Profile Separation

Ocean's architecture separates authentication identity (the user account that logs in) from personal profile data (names, contact information, medical records). Even if someone gains access to authentication data, they don't automatically see personal information—these are stored and governed separately.

This means a technical breach of the authentication system doesn't automatically compromise the personal data of students and staff.

Field-Level Restrictions

Not all fields in a record carry equal risk. A student's name and grade level are relatively low-sensitivity. Their medical diagnosis, bank account details, and home address are high-sensitivity.

Ocean enforces field-level restrictions at the database level. Medical records—clinic visits, health conditions, diagnoses—are only accessible to users with clinic permissions. Financial data—bank accounts, payment details, reconciliation records—requires finance-specific permissions. These restrictions are enforced technically, not just by policy. A user without the right permission literally cannot retrieve the field, regardless of how they query the system.
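Added example, not Ocean's implementation, modelling three ideas from the sections above: action-level permissions assigned to roles, a multi-role user receiving the union of those permissions and nothing more, and field-level restriction that drops fields the caller has no permission to read. Permission names, field tags and roles are constructed for illustration.

```python
# Constructed permission names in "area.action" form; roles and tags are
# illustrative, not Ocean's actual permission catalogue.
ROLE_PERMISSIONS = {
    "teacher":         {"academic.view", "attendance.view", "attendance.edit"},
    "department_head": {"academic.view", "academic.edit", "academic.export"},
    "nurse":           {"clinic.view", "clinic.edit"},
    "finance":         {"billing.view", "billing.edit", "billing.export"},
}

# Every field of a student record is tagged with the permission needed to read it.
# None means low-sensitivity (any authenticated user); an untagged field is never returned.
FIELD_PERMISSION = {
    "name": None,
    "grade_level": None,
    "final_grade": "academic.view",
    "absences": "attendance.view",
    "diagnosis": "clinic.view",
    "allergies": "clinic.view",
    "bank_account": "billing.view",
    "outstanding_balance": "billing.view",
}

def effective_permissions(roles) -> set:
    """Union of the held roles' permissions, and nothing more; unknown roles add nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def has_permission(roles, permission: str) -> bool:
    """Check edit/export actions separately from viewing (read is not write)."""
    return permission in effective_permissions(roles)

def visible_fields(record: dict, roles) -> dict:
    """Return only the fields the caller may read; restricted fields are omitted, not blanked."""
    perms = effective_permissions(roles)
    out = {}
    for name, value in record.items():
        if name not in FIELD_PERMISSION:      # untagged field: fail closed
            continue
        needed = FIELD_PERMISSION[name]
        if needed is None or needed in perms:
            out[name] = value
    return out
```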

One-Click Deprovisioning

When a staff member leaves, their Ocean account can be deactivated immediately—one action, instant effect. Their login credentials stop working. Any active sessions are terminated. Their data access is revoked across all modules simultaneously.

Critically, the audit trail is preserved. Even after deprovisioning, the system retains a complete record of everything that user accessed, changed, or exported during their tenure. If a question arises months later about what a former employee did, the answer is available.

Complete Audit Trail

Sensitive access events in Ocean are logged: who accessed what record, what action they took, when, and from which IP address. The system uses configurable verbosity levels so schools can balance thoroughness with performance—with sensitive data like clinic and financial records always logged at the highest detail. This isn't just useful for post-incident investigation—it's the evidence the NPC expects you to have.
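A constructed in-memory sketch (my own illustration, not Ocean's code) of the deprovisioning and audit-trail behaviour described in the two sections above: deactivating a user blocks further logins and terminates live sessions in one step, while the append-only audit log is kept and can still answer "who accessed this record in February?" and "what did this user do before they left?". User ids, record ids and IP addresses are made up.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class AuditEvent:
    ts: datetime
    actor: str                # user id performing the action
    action: str               # "login", "view", "edit", "export", "deactivate"
    record_id: Optional[str]  # record touched, or the deactivated user id
    ip: str

class Directory:
    """Minimal user directory with sessions and an append-only audit log."""
    def __init__(self):
        self.users = {}     # user_id -> {"active": bool}
        self.sessions = {}  # session token -> user_id
        self.audit = []     # never pruned, even when the user is deprovisioned

    def add_user(self, uid: str):
        self.users[uid] = {"active": True}

    def login(self, uid, token, ip, now) -> bool:
        if not self.users.get(uid, {}).get("active", False):
            return False            # deactivated or unknown: credentials stop working
        self.sessions[token] = uid
        self.audit.append(AuditEvent(now, uid, "login", None, ip))
        return True

    def access(self, token, action, record_id, ip, now) -> bool:
        uid = self.sessions.get(token)
        if uid is None:
            return False            # terminated session cannot touch anything
        self.audit.append(AuditEvent(now, uid, action, record_id, ip))
        return True

    def deprovision(self, uid, by, ip, now):
        """One action: block logins, kill every live session, and record who did it."""
        self.users[uid]["active"] = False
        for tok in [t for t, u in self.sessions.items() if u == uid]:
            del self.sessions[tok]
        self.audit.append(AuditEvent(now, by, "deactivate", uid, ip))

    def who_accessed(self, record_id, year, month):
        """Everyone who touched a record in a given month."""
        return [e for e in self.audit
                if e.record_id == record_id and (e.ts.year, e.ts.month) == (year, month)]

    def activity_of(self, uid):
        """Everything a (possibly former) user did; preserved after deprovisioning."""
        return [e for e in self.audit if e.actor == uid]
```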

When an auditor asks "Can you show us your access control matrix?"—Ocean can produce it. When they ask "Who accessed this student's medical record in February?"—Ocean can answer. When they ask "What did this user access before they left?"—Ocean can show them.

Access control isn't about distrust. It's about designing systems where the right people can do their jobs—and mistakes, whether accidental or deliberate, can be detected and corrected.

The spreadsheet era made it easy to share everything with everyone. That convenience came at the cost of privacy, accountability, and compliance. Modern school management systems don't have to make that trade-off.

Least-privilege access means every person at your school can do their job effectively—with exactly the data they need, and no more. When something goes wrong, you know who was involved. When someone leaves, their access disappears immediately. And when the NPC asks to see your access control matrix, you can show them one.

Ready to see what role-based access control looks like in practice? Book a demo and we'll walk through Ocean's permission system for your school's specific roles.


Sources

  1. Republic Act No. 10173 (2012). Data Privacy Act of 2012, Section 20: Security of Personal Data. Mandates that personal information controllers implement "appropriate organizational, physical and technical security measures" to protect personal data against natural dangers as well as human dangers including accidental loss or unlawful destruction, unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
  2. National Privacy Commission (2016). NPC Circular No. 16-02: Security of Personal Data in Government Agencies. While directed at government agencies, it establishes the technical and organizational security measures expected of all personal information controllers in the Philippines, including access controls, user authentication, and audit logging requirements that also apply to private educational institutions.
  3. National Privacy Commission (2017). NPC Advisory No. 2017-01: Privacy Notice. Establishes requirements for informing data subjects about how their data is accessed and by whom, reinforcing the principle that access must be limited to declared and specified purposes.
  4. National Institute of Standards and Technology (2020). NIST Special Publication 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations. The international standard for access control in information systems, including AC-2 (Account Management), AC-3 (Access Enforcement), AC-6 (Least Privilege), and AC-7 (Unsuccessful Logon Attempts).
  5. National Privacy Commission (2022). NPC Circular No. 2022-01: Registration of Data Processing Systems. Requires personal information controllers to document their data processing systems, including access controls and the categories of users with access, as part of registration compliance.
