FERPA & AI: What is protected?
This post is the second in a series of blogs exploring how FERPA may apply to AI. In today’s post, we’ll provide basic information about FERPA and what it regulates.
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records in both K-12 and higher education institutions. FERPA prohibits education institutions from disclosing personally identifiable information (PII) in education records without consent, unless an exception applies. There are numerous exceptions that allow schools to disclose education records without consent–such as the school official exception and the health and safety exception—but only when specific, legally-required safeguards are in place. These exceptions are vital to the functioning of educational institutions, enabling them to effectively manage student affairs, administer academic programs, and maintain safety on campus.
PII and Education Records
FERPA protects PII in education records maintained by educational agencies and institutions by limiting how student information is disclosed. PII is broadly defined as information that is linked or linkable to a student that would allow a reasonable person in the community to identify the student with reasonable certainty. FERPA’s protections are limited to “education records,” which include only information “directly related to a student” and “maintained by an educational agency or institution” or its agent (34 CFR §99.3). The term “education records” is broad enough that it applies to student data held by third parties acting on behalf of an institution, including data held by edtech vendors.
PII can include both direct and indirect identifiers, because individuals can be identified by their data both directly and indirectly. Direct identifiers are data that directly allow for identification without additional information, such as names, social security numbers, or student ID numbers. Indirect identifiers are data that identify an individual indirectly, such as date of birth, age, gender, or ZIP code. Indirect identifiers are innocuous when viewed alone because a single one of these data points, by itself, cannot be used to definitively identify an individual. However, indirect identifiers may be used to identify an individual when combined, or an identifier is unique.
As technology has become ubiquitous in educational institutions, the amount of PII in education records has also increased. AI systems–which are trained on and continually ingest student data–have further amplified this practice. For example, intelligent tutoring systems may collect extensive data on each student's learning style, progress, and areas of difficulty. AI-driven recruitment and admission systems also analyze vast amounts of personal data to attempt to predict an applicant's success and fit, including demographics, family income, disability status, high school grades, and extracurricular activities. Moreover, in order for algorithms to be effective in the first place, they must typically be trained on historical data from past applicants and students. Institutions must carefully consider how data collected and linked by AI systems is treated to ensure that they are adequately protecting PII as required by FERPA.
It is important to note that de-identified data does not count as PII under FERPA, however, this is much trickier than it sounds. In one of our subsequent blogs, we will be discussing the intersection of FERPA and de-identification.