Privacy Shield overview
See how Privacy Shield masks and excludes student PII before syncing with vendor applications
Privacy Shield protects sensitive student and staff data when your district syncs roster information with vendor applications. Instead of sharing raw PII, SchoolDay masks or removes sensitive attributes before they ever reach the vendor.

Important: Privacy Shield is turned on by default for new vendor applications, but it only protects attributes that you mark as sensitive. If you have not marked any attributes, no masking is applied even when the toggle is on.
How it works
Privacy Shield sits between your SIS and the vendor application. Masking is applied at import time and enforced on every subsequent sync.
- District Admin sets sensitive data in SchoolDay.
- District Admin initiates a data sharing request with a Vendor application with an enabled Privacy Shield feature.
- Privacy Shield checks sensitive data and dynamically masks or excludes it from the sync.
- The application vendor validates the request and confirms that they have access to the required data.
- District Admin runs data import from data source/SIS. This masks imported sensitive data according to the masking rules.
- SchoolDay shares masked imported data with the application.
- SchoolDay continues to enforce these rules each time district data is accessed by the vendor application.
What happens to sensitive data
When you share roster data with a vendor app, Privacy Shield intercepts sensitive attributes and applies one of two protections:
- Masking — replaces the original value with a placeholder (for example, Smith becomes S-ggl'abcdefg). The record is still shared, but the vendor cannot read the real value.
- Exclusion — removes the attribute from sync entirely. The vendor does not receive it at all.
Which protection applies depends on a combination of your district's settings and the vendor's data requirements.
|
District marks attribute as sensitive |
Vendor configuration |
Result |
|---|---|---|
|
Yes |
Masking enabled |
Shared but masked |
|
Yes |
Masking disabled |
Excluded from sync |
|
Yes |
Marked as required |
Shared as-is (cannot be excluded) |
|
No |
Any |
Shared as-is |
Note: If a vendor marks a field as required, it cannot be excluded from sync, regardless of your sensitive data settings. To verify which fields a vendor requires, check the application's requirements or contact SchoolDay Support.
Example: how Privacy Shield applies during first activation
The following example shows a district administrator activating a vendor application for the first time. Privacy Shield is enabled by default (toggle on). The Attributes section shows how settings are applied to each field.
/privacy-pii-shield_request_attributes.png?width=670&height=675&name=privacy-pii-shield_request_attributes.png)
Based on the configuration shown:
- Last Name (1) — sensitive, masking enabled by vendor. Shared but masked.
- First Name (2) — sensitive, required by vendor, masking enabled by vendor. Shared but masked.
- Birth Date (3) — not sensitive, masking enabled by vendor. Shared as-is.
- Middle Name (4) — sensitive, not required by vendor. Not shared.
- Username (5) — sensitive, required by vendor. Shared as-is.
- Email Address (6) — sensitive, required by vendor. Shared as-is.
- Primary School (7) — not sensitive, not required by vendor. Shared as-is.
Privacy Shield levels
Each vendor application is automatically assigned a Privacy Shield level based on which attributes your district masks and what the vendor supports. See Privacy Shield levels for the full breakdown.
Who can see the original data
Only District Admins can view original (unmasked) values. Vendor applications always receive masked or excluded data. Once data leaves SchoolDay in masked form, it cannot be unmasked by the vendor or any external party.
Next steps
- Mark sensitive data attributes
- Apply Privacy Shield to a data sync
- Privacy Shield levels