
FERPA compliance for AI tools

A step-by-step framework for evaluating AI tools against FERPA requirements. Includes decision trees, checklists, and practical examples.

Last updated: January 2025

Note: This guide provides educational information about FERPA compliance. It is not legal advice. Consult with legal counsel familiar with education privacy law for specific compliance questions.

1. FERPA basics in 5 minutes

FERPA (Family Educational Rights and Privacy Act) protects "education records" - information directly related to a student that's maintained by the school.

What FERPA protects

  • Grades and transcripts
  • Student work (essays, projects, assessments)
  • Disciplinary records
  • Enrollment information
  • Special education records
  • Essentially any personally identifiable information about students

What FERPA requires

  • Written consent before disclosing education records (with exceptions)
  • Parent/student right to inspect records
  • Parent/student right to request corrections

The school official exception

Schools can share education records without consent with "school officials" who have "legitimate educational interest." This is how vendors typically access student data - they're designated as school officials under contract.

For this exception to apply, vendors must:

  • Perform a function the school would otherwise do itself
  • Be under the school's direct control regarding data use
  • Not use data for purposes other than the contracted service
  • Meet the school's criteria for "school official"

2. Why AI tools are different

Traditional edtech vendors have clear data practices. AI tools introduce new complexity:

Data used for training

Many AI models are trained on user inputs. If a teacher pastes student work into ChatGPT, that content might be used to train future models. This likely constitutes a disclosure beyond "legitimate educational interest."

Unclear retention

Consumer AI tools often retain conversation history indefinitely. Even if you delete your account, data may persist in training sets or backups.

Third-party access

AI platforms often share data with subprocessors (cloud providers, model trainers, analytics services). Each instance of sharing creates another potential disclosure.

Indirect identifiability

Even without names, student work can be identifying. An essay about a personal experience, combined with other information, could identify a specific student.

3. The decision framework

Use this decision tree when evaluating AI tools for FERPA compliance:

Question 1: Will student data be processed?

If the AI tool will never see any student information (including work, grades, or identifiable details), FERPA doesn't apply to that use. Example: Using AI to generate generic lesson plans with no student-specific content.

Question 2: Is there a school official designation?

If student data is involved, the vendor must be designated as a school official. This typically requires:

  • A written contract specifying data use limitations
  • The vendor performing a service the school would otherwise do
  • School control over data use and disclosure

Question 3: Is data use limited to educational purposes?

The vendor can only use data for the contracted educational service. If data is used for:

  • Model training → Not compliant without explicit consent
  • Product improvement → Likely not compliant
  • Third-party sharing beyond service delivery → Not compliant

Question 4: Are retention and deletion appropriate?

Data should only be retained as long as needed for the educational purpose. The school must be able to request deletion.

4. Common scenarios

Scenario A: Teacher uses free ChatGPT to grade essays

FERPA status: Likely non-compliant

Consumer ChatGPT has no education-specific data agreement. Data may be used for training. Student work is an education record. Pasting essays into ChatGPT constitutes disclosure without appropriate safeguards.

Scenario B: School purchases ChatGPT Enterprise with DPA

FERPA status: Potentially compliant

Enterprise versions with appropriate Data Processing Agreements may include training opt-out and education-specific terms. Review the specific agreement carefully.

Scenario C: Student uses AI for homework help at home

FERPA status: Not a school disclosure

If a student voluntarily uses AI on their own device, at home, for their own work, this isn't a school disclosure under FERPA. However, the school's AI policy should address expectations.

Scenario D: Teacher asks AI "how should I help a student who struggles with X"

FERPA status: Depends on details

If the query includes identifiable information (student name, specific circumstances), it's a potential disclosure. If the query is generic and couldn't identify a specific student, it's likely fine.

Scenario E: AI-powered tutoring platform with student accounts

FERPA status: Requires proper agreements

Any platform that collects student data needs a school official designation and appropriate data agreement before deployment.

5. Vendor agreements

Before deploying any AI tool that handles student data, you need appropriate agreements.

What to look for

  • School official designation: Explicit statement that the vendor is acting as a school official
  • Purpose limitation: Data used only for the educational service contracted
  • Training opt-out: Explicit statement that data won't be used for AI training
  • Subprocessor limitations: Restrictions on sharing with third parties
  • Retention limits: Data deleted when no longer needed
  • Deletion procedures: School can request data deletion
  • Security measures: Appropriate protections for student data
  • Breach notification: School notified of any data breaches

The Student Data Privacy Consortium

The SDPC maintains standard Data Privacy Agreement templates. Many vendors have signed these. Check the SDPC registry before negotiating custom agreements.

6. Documentation requirements

Maintain documentation to demonstrate compliance:

Annual notification

FERPA requires annual notification to parents about their rights. Include information about how student data is used with technology tools.

Vendor registry

Maintain a list of all vendors who access student data, including:

  • Vendor name and contact
  • Data accessed
  • Agreement type and date
  • Review schedule

Evaluation records

Document your evaluation process for new tools. If asked to demonstrate compliance, you'll need evidence of due diligence.

7. Quick reference checklist

Before deploying an AI tool

  • Determine if student data will be processed
  • Review vendor privacy policy for data use practices
  • Check SDPC registry for existing agreements
  • Obtain signed Data Privacy Agreement
  • Verify training opt-out is in place
  • Document approval decision
  • Add to vendor registry
  • Train staff on appropriate use
