Teacher Resources · Data Safety & Compliance
Keeping Student
Data Safe When You Use AI
A quick, visual guide to the laws and the core habits that keep you and your students protected. The rule of thumb is simple: the AI never needs to know who the student is.
01 · The Golden Rule
Never put identifiable student data into a public AI tool.
Once student information is typed into a public chatbot, you no longer control where it goes or how it's used. De-identify it, or don't share it at all.
02 · What's safe to share
Sort it before you share it
Safe to share
The AI doesn't need to know who anyone is
- Fully de-identified student work
- Your own lesson plans & materials
- Published or public texts
- Hypothetical or made-up examples
- Aggregate, non-identifiable patterns
Never share
Identifiable or sensitive information should be kept out
- Student names
- Photos or video of students
- Student ID numbers
- Grades tied to a name
- IEP / 504 & special-ed records
- Health or medical information
- Contact information, including email, address, and phone numbers
- Disciplinary records
03 · The 10-second check
“Can I put this in?”
04 · The laws that apply
Four rules already on the books
FERPA
Family Educational Rights & Privacy Act
Protects student education records and the personal info inside them.
A public AI tool is not an authorized “school official,” which means pasting in identifiable records constitutes an unauthorized disclosure.
COPPA
Children’s Online Privacy Protection Act
Protects the personal information of children under 13 online.
Students under 13 need verifiable parental (or properly delegated school) consent before using a tool that collects their data.
PPRA
Protection of Pupil Rights Amendment
Governs surveys and collection of protected-category student information.
Don’t use AI to gather sensitive student info (beliefs, health, family) without the required notice and consent.
STATE LAW
Student Data Privacy Acts
Most states, including Maryland, add their own student-data protections.
They require a signed vendor contract / DPA and prohibit selling student data or using it for targeted ads. Check your state & district.
05 · Before you use AI
Five steps, every time
- 1
De-identify first
Strip names, IDs, and anything that could re-identify a student before it goes in.
- 2
Check district policy
Read your AI / data policy and approved-tools list before using any tool.
- 3
Vet the vendor
Signed DPA, does not train on your data, and a clear retention & deletion policy.
- 4
Get consent when required
Parental consent for under-13s; opt-in before sharing any student records.
- 5
Use district / enterprise accounts
Never personal logins. Turn chat history and model-training OFF.
06 · Vetting a new tool
Don't adopt a tool until…
Pre-adoption checklist
- A signed Data Privacy Agreement (DPA) is in place
- The vendor does not train its models on your data
- There is a clear data retention & deletion policy
- The tool is FERPA- and COPPA-compliant
- It is age-appropriate for your students
07 · Stop and ask first
Three moments to pause
AI deciding alone
Grades, discipline, or placement should never rest on AI output by itself.
Any special-ed record
IEPs, 504s, and evaluations are extra-protected. Don’t put them in, ever.
The “email test”
If you’d hesitate to put it in an email, don’t put it in an AI tool.
When in doubt, leave it out.
Your district's AI and data-privacy policy always comes first. When a situation isn't covered here, ask before you act; your data-privacy or technology lead is always there to help.
This page is general guidance for educators, not legal advice. Your district and state policies govern what you may do with student data.