FERPA — the Family Educational Rights and Privacy Act — governs how schools handle student educational records. When you introduce an AI grading tool that processes student writing, FERPA applies. That's not a reason to avoid AI grading. It's a reason to choose tools and practices that meet FERPA's requirements. This guide walks you through exactly what that means.
What FERPA Requires (Plain Language)
FERPA gives parents and eligible students (those 18+) the right to access, review, and request corrections to educational records. It restricts schools from disclosing those records to third parties without consent — with important exceptions for "school officials" with a "legitimate educational interest."
The key question for AI grading: Is an AI grading tool a "school official"? Under FERPA, a vendor or contractor can be treated as a school official if they (a) have a legitimate educational interest in the data, (b) are under the school's direct control regarding data use, and (c) are subject to FERPA's requirements under a formal agreement.
That formal agreement is the Data Processing Agreement (DPA). Schools must have a signed DPA with any vendor that processes student educational records.
The 5 Things a FERPA-Compliant AI Grading Vendor Must Provide
- Signed Data Processing Agreement (DPA): Confirms the vendor treats your student data as FERPA-protected records and operates under your control.
- No data training policy: The vendor may not use student submissions to train its AI models. Your student writing is not their training data.
- Data export capability: You can export all student data at any time.
- Data deletion capability: You can request deletion of specific student records.
- Breach notification: The vendor must notify you promptly if student data is breached.
🛡️ GradingPen provides: A signed DPA for all school accounts, no student data used for AI training, full data export and deletion tools, and encrypted data storage. View our DPA →
What to Check Before Using Any AI Grading Tool
Pre-Adoption FERPA Checklist
- Vendor offers a signed Data Processing Agreement
- Vendor's DPA explicitly addresses FERPA compliance
- Vendor does not use student data to train AI models
- Vendor encrypts data in transit (TLS) and at rest (AES-256 or equivalent)
- Data can be exported by school admin at any time
- Individual student records can be deleted on request
- Vendor has a documented breach notification procedure
- Vendor can be added to your district's approved vendor list
- Vendor's privacy policy is publicly available and current
- You have a process to notify parents if they ask about AI tools used with their student's data
Best Practices for Teachers Using AI Grading Tools
Even with a fully compliant vendor, teachers can take additional steps to minimize privacy risk:
- Anonymize when possible: Upload essays with student numbers instead of names where your workflow allows it.
- Use school accounts only: Never upload student work to personal AI accounts (ChatGPT personal, etc.). Always use school-authorized tools.
- Don't share screenshots: Screenshots of student work shared in personal communications violate FERPA, regardless of AI involvement.
- Minimum necessary data: Only include student information that's necessary for grading. Don't add demographic data, IEPs, or other sensitive records.
What About Student AI Use and FERPA?
When students use AI tools on their own (ChatGPT, Claude, etc.) for homework, FERPA doesn't apply to those tools directly — the students are using them as individuals, not through the school. However, if you're asking students to use specific AI tools as part of class, those tools may need to be on your approved vendor list if they process identifying student data.
The practical rule: if the school is directing students to use a tool and providing it through school accounts, FERPA applies. If students are using consumer tools on their own time, FERPA doesn't apply — but your school's acceptable use policy might.
Documentation: Creating a Paper Trail
If a parent, regulator, or auditor asks about your AI grading practices, you should be able to produce:
- The vendor's DPA, signed by both parties
- Your school or district's AI acceptable use policy
- Any teacher training materials covering data privacy with AI tools
- Export logs showing you can produce student data on request
This documentation isn't just about compliance — it's about building trust with families. When parents ask "what are you doing with my child's essays?" you should have a clear, confident, documented answer.
The Bottom Line
FERPA compliance for AI grading is not complicated — but it requires intentionality. Choose vendors who take it seriously, get a DPA signed before you start, train your teachers on minimal-disclosure practices, and document your decisions. Done right, AI grading is fully compatible with FERPA and can actually improve your compliance posture by centralizing data management and providing export/deletion tools.