Compliance6 min read

Student Data Privacy and AI: What Schools Need to Know (FERPA)

FERPA protects student records. Pasting a name, grade or IEP into a consumer AI can conflict with it. De-identify the record first.

By Pierre de ONYRI

Here is the short answer. Schools can use AI, but not with student records in the clear. FERPA (the Family Educational Rights and Privacy Act) protects the privacy of student education records. It covers grades, transcripts and discipline notes. It also covers special-education data, like an IEP (Individualized Education Program). And it covers personally identifiable information (PII), such as a student's name. Pasting a student's record into a consumer AI tool can conflict with FERPA. A tool a teacher signs up for alone usually does not meet the law's bar. The fix is simple. De-identify the record first, then let the AI work on the structure.

What FERPA covers

FERPA is a US federal law. The US Department of Education enforces it. It applies to schools and agencies that receive federal education funding. It gives parents and eligible students rights over education records. And it limits how a school shares the personal information in those records.

A student record holds a lot. A student's first and last name is a direct identifier. But PII goes further. It also covers indirect identifiers, like grade level or year of birth. Put enough of these together, and a student becomes identifiable. So even a record with the name stripped can still count as PII.

The 'school official' problem

FERPA does not flatly ban outside tools. A school can share PII from a record without parental consent, in specific cases. One is the 'school official' exception. It lets a school use an outside provider to perform a task its own staff would do. But the conditions are strict.

The provider must be under the school's direct control. That control covers how the records are used and kept. The provider may use the data only for the authorized purpose. It may not re-disclose it or reuse it. A consumer AI app a teacher signs up for alone generally fails this bar. The school has no direct control over it.

COPPA and students under 13

A second law matters for younger students. COPPA (the Children's Online Privacy Protection Act) is enforced by the FTC (the Federal Trade Commission). It applies to online services aimed at children under 13. Those operators must get verifiable parental consent before they collect a child's personal information. The FTC does not force one consent method. It allows several reasonable ones.

In schools, this is often handled at the district level. The FTC has said a school can consent for parents in some cases. But there are limits. The data must serve a school-authorized educational purpose. It may not be used for advertising or other commercial gain. And the FTC advises the district — not one teacher — to make that call.

What schools should do

Good practice here is well documented. Groups like CoSN (the Consortium for School Networking) and the US Department of Education's Privacy Technical Assistance Center (PTAC) give clear advice. The core idea is simple. Vet the tool before staff use it, not after.

  • Keep an inventory of the edtech tools in use across the school.
  • Vet each vendor's privacy and security practices before adoption.
  • Put a written agreement in place, with legal and security input.
  • Prefer vendors that sign a data-protection agreement and stay under the school's control.
  • Avoid ad-hoc tools that staff sign up for on their own.
Common assumptionThe reality
“A consumer AI tool is fine for writing report comments”Pasting a student's record into it can conflict with FERPA
“The teacher can pick the tool”The FTC advises the school or district to decide
“Removing the name makes it safe”Grade level or birth year can still identify a student
“Any signed-up app is a ‘school official’”It must be under the school's direct control to qualify
After the US Department of Education (FERPA), the FTC (COPPA) and CoSN guidance.

The fix: de-identify before AI

AI can still help educators. It can draft feedback, a lesson plan or a parent letter. For that, it needs no real student names. Ask it to work on the structure, not the identity. Keep names, IDs and other direct identifiers out of the prompt.

Two-part diagram: at top, a student record card (with a graduation-cap glyph) whose name, grade and IEP-flag rows are in the clear (amber) travels toward an AI card that receives the exposed record, with an amber high-risk FERPA alert; at bottom, the same record de-identified shows only cobalt tokens, and the AI receives only tokens with a checkmark.
After the US Department of Education (FERPA, 'school official' exception), the FTC (COPPA) and CoSN's student-data guidance.

When you do need a real case, de-identify it first. Remove names and other direct identifiers. Replace each one with a token. The AI reasons about the structure of the record. It never sees the real student. You restore the real details afterwards, on your own device.

  1. 1Spot the identifiers: student names, IDs and other direct details.
  2. 2Replace them with reversible tokens, in your browser.
  3. 3Send only the de-identified text to the AI.
  4. 4Restore the real details in the reply, locally.

That's what ONYRI Sanitize does. The engine detects direct identifiers — names, IDs and more — and replaces them with reversible tokens before sending. Detection and the mapping stay in your browser. Only de-identified text reaches the model. This is risk reduction, not a legal safe harbor. Your school should still set an AI policy and use vetted vendors. But no PII from an education record has to leave the browser to get the AI's help.

Frequently asked questions

Can schools use AI with student records under FERPA?
Yes for general work, no with records in the clear. AI can draft feedback, a plan or a letter with no real names. But pasting a student's education record into a consumer AI tool can conflict with FERPA. Such a tool usually fails the 'school official' exception. De-identify the record first, and set an AI policy at the district level.
Does FERPA ban AI in schools?
No, FERPA does not ban AI. It limits how a school shares PII from education records. Sharing needs consent or a valid exception, like the 'school official' rule. That exception requires the provider to be under the school's direct control. A consumer app a teacher signs up for alone usually does not qualify.
What about students under 13 and COPPA?
COPPA is enforced by the FTC. It requires verifiable parental consent before an online service collects personal information from a child under 13. In schools, a district can often consent for parents. But only for a school-authorized educational purpose, with no commercial use. The FTC advises the district, not one teacher, to decide.

Sources & references

Keep your sensitive data in your browser

ONYRI Sanitize detects and masks your sensitive data before it reaches the AI, then restores the answer — from names to API keys.

Anonymize my prompt

Read next