FERPA & AI Compliance
FERPA compliance for AI in educational institutions
Overview
The Family Educational Rights and Privacy Act (FERPA) is a United States federal law enacted in 1974 that protects the privacy of student education records. Administered by the Student Privacy Policy Office within the U.S. Department of Education, FERPA applies to all educational institutions and agencies that receive federal funding — which includes virtually every public K-12 school, college, and university in the country. Violations can result in the withdrawal of federal funding, making FERPA compliance a critical priority for educational institutions.
FERPA grants parents and eligible students (those 18 and older or attending postsecondary institutions) specific rights regarding education records. These include the right to inspect and review records, the right to request amendments to inaccurate records, the right to consent to disclosures of personally identifiable information (PII) from education records, and the right to file complaints with the Department of Education. When students reach age 18 or enter postsecondary education, these rights transfer from parents to the student.
For AI applications in education, FERPA creates significant constraints on how student data can be used. Adaptive learning platforms, early warning systems that predict student dropout risk, automated essay scoring systems, and learning analytics dashboards all rely on student data that FERPA protects. Educational institutions must ensure that AI systems processing student records comply with FERPA's consent requirements, disclosure limitations, and record-keeping obligations. The increasing adoption of AI in education has prompted the Department of Education to issue updated guidance on how FERPA applies to ed-tech and AI-driven educational services.
AI-Specific Requirements
FERPA's consent requirements are central to AI compliance in education. Generally, institutions must obtain written consent from parents or eligible students before disclosing personally identifiable information from education records. There are several exceptions, including the "school official" exception (34 CFR 99.31(a)(1)), which allows disclosure to school officials with legitimate educational interests, and the "directory information" exception for basic contact information that the institution has designated as non-sensitive. For AI systems, the school official exception is most commonly invoked when AI vendors process student data on behalf of the institution.
When educational institutions engage AI service providers under the school official exception, they must ensure that the provider performs an institutional service or function, uses PII only for the purposes specified in the agreement, is under the direct control of the institution with respect to the use and maintenance of education records, and complies with FERPA's restrictions on re-disclosure. Critically, the institution remains responsible for ensuring FERPA compliance even when using third-party AI services. This creates strong institutional motivation to maintain control over student data rather than sending it to external cloud AI platforms.
FERPA also requires institutions to maintain records of each request for access to and each disclosure of personally identifiable information from education records. For AI systems that continuously process student data, this record-keeping obligation demands comprehensive logging of data access and usage. The Department of Education's guidance emphasizes that institutions must conduct due diligence on AI vendors, including evaluating their data security practices, data retention policies, and data deletion capabilities. Institutions that fail to maintain adequate oversight of AI vendors risk FERPA violations that could jeopardize their federal funding.
How Ertas Helps
Ertas Data Suite enables educational institutions to keep student data entirely on-premise, eliminating the FERPA complexities that arise when student records are transmitted to external AI service providers. By processing all training data within the institution's own infrastructure, there is no third-party disclosure of education records, no need to invoke the school official exception for an external AI vendor, and no risk of a vendor re-disclosing student PII in violation of FERPA. The air-gapped architecture ensures that student data remains under the institution's direct control at all times.
The PII redaction capabilities in Ertas Data Suite are particularly valuable for educational AI applications. Student names, ID numbers, email addresses, and other personally identifiable information can be automatically detected and masked before data enters the AI training pipeline. This allows institutions to build effective AI models — for adaptive learning, early warning systems, or administrative optimization — without exposing individual student identities in the training process. Data lineage tracking documents every transformation applied to student data, creating the comprehensive records that FERPA's record-keeping requirements demand.
Ertas Studio's Vault provides the access controls that FERPA compliance requires. Only authorized institutional personnel with legitimate educational interests can access student data used for AI development. Encryption at rest protects stored education records from unauthorized access, and comprehensive audit logs record every data access event. When AI projects conclude and student data is no longer needed, the system supports data deletion workflows that institutions can document and verify. This complete lifecycle management ensures that student data is protected from collection through deletion, maintaining FERPA compliance throughout.
Compliance Checklist
Relevant Ertas Features
- On-premise air-gapped deployment
- PII redaction for student data
- Role-based access controls
- Comprehensive audit logging
- Vault encryption at rest
- Data lineage and record-keeping