Student Data Privacy and AI: What Schools Need to Know (FERPA)
FERPA protects student records. Pasting a name, grade or IEP into a consumer AI can conflict with it. De-identify the record first.
Here is the short answer. Schools can use AI, but not with student records in the clear. FERPA (the Family Educational Rights and Privacy Act) protects the privacy of student education records. It covers grades, transcripts and discipline notes. It also covers special-education data, like an IEP (Individualized Education Program). And it covers personally identifiable information (PII), such as a student's name. Pasting a student's record into a consumer AI tool can conflict with FERPA. A tool a teacher signs up for alone usually does not meet the law's bar. The fix is simple. De-identify the record first, then let the AI work on the structure.
What FERPA covers
FERPA is a US federal law. The US Department of Education enforces it. It applies to schools and agencies that receive federal education funding. It gives parents and eligible students rights over education records. And it limits how a school shares the personal information in those records.
A student record holds a lot. A student's first and last name is a direct identifier. But PII goes further. It also covers indirect identifiers, like grade level or year of birth. Put enough of these together, and a student becomes identifiable. So even a record with the name stripped can still count as PII.
The 'school official' problem
FERPA does not flatly ban outside tools. A school can share PII from a record without parental consent, in specific cases. One is the 'school official' exception. It lets a school use an outside provider to perform a task its own staff would do. But the conditions are strict.
The provider must be under the school's direct control. That control covers how the records are used and kept. The provider may use the data only for the authorized purpose. It may not re-disclose it or reuse it. A consumer AI app a teacher signs up for alone generally fails this bar. The school has no direct control over it.
COPPA and students under 13
A second law matters for younger students. COPPA (the Children's Online Privacy Protection Act) is enforced by the FTC (the Federal Trade Commission). It applies to online services aimed at children under 13. Those operators must get verifiable parental consent before they collect a child's personal information. The FTC does not force one consent method. It allows several reasonable ones.
In schools, this is often handled at the district level. The FTC has said a school can consent for parents in some cases. But there are limits. The data must serve a school-authorized educational purpose. It may not be used for advertising or other commercial gain. And the FTC advises the district — not one teacher — to make that call.
What schools should do
Good practice here is well documented. Groups like CoSN (the Consortium for School Networking) and the US Department of Education's Privacy Technical Assistance Center (PTAC) give clear advice. The core idea is simple. Vet the tool before staff use it, not after.
- Keep an inventory of the edtech tools in use across the school.
- Vet each vendor's privacy and security practices before adoption.
- Put a written agreement in place, with legal and security input.
- Prefer vendors that sign a data-protection agreement and stay under the school's control.
- Avoid ad-hoc tools that staff sign up for on their own.
| Common assumption | The reality |
|---|---|
| “A consumer AI tool is fine for writing report comments” | Pasting a student's record into it can conflict with FERPA |
| “The teacher can pick the tool” | The FTC advises the school or district to decide |
| “Removing the name makes it safe” | Grade level or birth year can still identify a student |
| “Any signed-up app is a ‘school official’” | It must be under the school's direct control to qualify |
The fix: de-identify before AI
AI can still help educators. It can draft feedback, a lesson plan or a parent letter. For that, it needs no real student names. Ask it to work on the structure, not the identity. Keep names, IDs and other direct identifiers out of the prompt.
When you do need a real case, de-identify it first. Remove names and other direct identifiers. Replace each one with a token. The AI reasons about the structure of the record. It never sees the real student. You restore the real details afterwards, on your own device.
- 1Spot the identifiers: student names, IDs and other direct details.
- 2Replace them with reversible tokens, in your browser.
- 3Send only the de-identified text to the AI.
- 4Restore the real details in the reply, locally.
That's what ONYRI Sanitize does. The engine detects direct identifiers — names, IDs and more — and replaces them with reversible tokens before sending. Detection and the mapping stay in your browser. Only de-identified text reaches the model. This is risk reduction, not a legal safe harbor. Your school should still set an AI policy and use vetted vendors. But no PII from an education record has to leave the browser to get the AI's help.
Frequently asked questions
- Can schools use AI with student records under FERPA?
- Yes for general work, no with records in the clear. AI can draft feedback, a plan or a letter with no real names. But pasting a student's education record into a consumer AI tool can conflict with FERPA. Such a tool usually fails the 'school official' exception. De-identify the record first, and set an AI policy at the district level.
- Does FERPA ban AI in schools?
- No, FERPA does not ban AI. It limits how a school shares PII from education records. Sharing needs consent or a valid exception, like the 'school official' rule. That exception requires the provider to be under the school's direct control. A consumer app a teacher signs up for alone usually does not qualify.
- What about students under 13 and COPPA?
- COPPA is enforced by the FTC. It requires verifiable parental consent before an online service collects personal information from a child under 13. In schools, a district can often consent for parents. But only for a school-authorized educational purpose, with no commercial use. The FTC advises the district, not one teacher, to decide.
Sources & references
- Who is a "school official" under FERPA? (exception conditions, direct control, use restriction) — US Department of Education (Student Privacy Policy Office)
- Complying with COPPA: Frequently Asked Questions (under 13, verifiable parental consent, school consent) — Federal Trade Commission (FTC)
- Student Data Privacy Guidelines & Tools (edtech vendor vetting, agreements, inventory) — CoSN (Consortium for School Networking)
Keep your sensitive data in your browser
ONYRI Sanitize detects and masks your sensitive data before it reaches the AI, then restores the answer — from names to API keys.
Anonymize my prompt