1 of 39

2 of 39

Deep Dive Into School Privacy

Diane Dulaney

NCDPI Privacy Specialist

September 2025

https://go.ncdpi.gov/348cu

3 of 39

Where is this beach?

4 of 39

Why is Privacy Important? The AI Version:

AI can now stalk you with just a single vacation photo.

The OpenAI o3 model identified this photo as Marina State Beach in Monterey Bay, CA based on things like the pattern of the waves, the sky, the slope and the sand.

Privacy through obscurity is nearly over. It’s hardly worth the effort to have a large team of people studying the movements of an ordinary citizen, but with AI, that large team is no longer necessary.

5 of 39

Why is Privacy Important? The AI Version:

6 of 39

Why is Privacy Important? The AI Version:

AI Attempts to Use Blackmail or Agentic Misalignment

Anthropic’s Claude model frequently tries to blackmail developers when they threaten to replace it with a new AI system and give it sensitive information about the engineers responsible for the decision.

During pre-release testing, Anthropic asked Claude Opus 4 to act as an assistant for a fictional company and consider the long-term consequences of its actions. Safety testers then gave Claude Opus 4 access to fictional company emails implying the AI model would soon be replaced by another system, and that the engineer behind the change was cheating on their spouse.

In these scenarios, Anthropic says Claude Opus 4 “will often attempt to blackmail the engineer by threatening to reveal the affair if the replacement goes through.”

7 of 39

Privacy is Hard… Even the Experts Slip Up

8 of 39

Privacy is Hard… Cameras are Everywhere

9 of 39

Privacy is More Important Than Ever for Students

A Tennessee 8th grader was arrested, interrogated, strip-searched, and spent the night in a jail cell, because her texts with friends on a chat function tied to her school email were flagged by Gaggle.

10 of 39

Key Education Privacy Laws

Data Privacy is compliance with federal and state laws

  • FERPA - Family Educational Rights and Privacy Act
  • PPRA - Protection of Pupil Rights Amendment
  • COPPA - Children's Online Privacy Protection Act
  • CIPA - Children’s Internet Protection Act
  • NSLA - National School Lunch Act
  • NC Parents’ Bill of Rights

Legal Compliance is the FLOOR for Privacy Protection!

11 of 39

FERPA: Family Educational Rights and Privacy Act

  • Enacted in 1974
  • Enforced by the US Department of Education (USED)
    • Applies to schools that receive funding from USED
      • K-12 - Public
      • Higher Education - Public and Private
    • Does not apply to vendors
      • “FERPA Compliant” label from vendors is meaningless

12 of 39

FERPA: Family Educational Rights and Privacy Act

  • Provides parents and students age 18+ with rights to:
    • Inspect education records
    • Request to correct or amend certain information in the education record they believe is inaccurate or misleading
    • Provide prior consent to sharing records
    • Opt out of publishing certain Directory Information
  • Requires PSUs to provide an Annual notification of rights

13 of 39

New USED Focus: Right to Review Education Records

Photos and Videos

  • Some administrators may be reluctant to share photos or videos that are educational records for more than one student
    • PSU is responsible for their own disclosures and disclosures of parties under the direct control of the PSU
    • PSUs must allow parents to view their child’s educational records but are not required to provide a copy
    • PSUs may put limits on the conditions for viewing the records, for example no phones or smart glasses in the room

14 of 39

FERPA: Key Definitions

  • Personally Identifiable Information (PII): Information that can be used to distinguish or trace an individual's identity, either directly or indirectly
    • "Reasonable Person Standard" - a hypothetical person within the school community without inside knowledge, who would be able to identify a student with reasonable certainty if certain information were released.

15 of 39

FERPA: Key Definitions

  • Education Records
    • Maintained by the school
    • Pertaining to a student

16 of 39

FERPA: Key Definitions

  • Directory Information: Information contained in a student's education records that would not generally be considered harmful or an invasion of privacy if disclosed. This information can be released by an educational institution without the student's or parent's consent, as long as the institution has a policy outlining what constitutes directory information and how parents or eligible students can opt out of its release.

Homework: Find your PSU’s Directory Information policy

17 of 39

What is NOT Part of the Education Record?

  • Records kept by the person who made them when used only as a “personal memory aid” and not shared with anyone besides a temporary substitute
  • Records maintained by an educational agency’s law enforcement unit
  • Employee records made in the normal course of business pertaining only to the individual’s employment

18 of 39

What is NOT Part of the Education Record?

  • Records that an educational agency made or received after the student stopped attending the institution (typically alumni records)
  • Grades on peer-reviewed papers before they are collected and recorded by the teacher

19 of 39

PPRA: Protection of Pupil Rights Amendment

  • Enacted in 1978
  • Enforced by the US Department of Education
  • Provides parents with rights to:
    • Review surveys, analyses or evaluations dealing with sensitive information
    • Opt their child out of participating

20 of 39

PPRA & Parent Rights

  • Parent involvement in policy development
  • Notification of surveys (notice must be DIRECT - delivered by email, postal mail, or by hand)
  • Protection and privacy of sensitive information
  • Parents can inspect surveys before they are administered
  • Parents can inspect instructional materials used as part of the educational curriculum
  • Notification on the collection, disclosure, and protection of personal information collected from students for marketing purposes or for purposes of selling that information

21 of 39

When Must Schools Get Parental Consent?

Schools must get parental consent when 1) a required survey, analysis, or examination is 2) funded in whole or in part by the US Department of Education and 3) is being conducted to find out any of the eight categories of sensitive information.

In North Carolina (§ 115C-76.65) no student shall be permitted to participate in a protected information survey without the prior written or electronic consent of the parent or adult student.

22 of 39

Categories of Sensitive Information

  • Political affiliations of the student or the parent
  • Mental or psychological problems of the student or the student’s family
  • Sex behaviors or attitudes
  • Illegal, anti-social, self-incriminating, or demeaning behavior
  • Critical appraisals of other individuals with whom respondents have close family relationships
  • Legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers
  • Religious practices, affiliations, or beliefs of the student or the student’s parent
  • Income (except as required to determine eligibility for participating in a program where they’d receive financial assistance)

23 of 39

Opt in/Opt Out

If student participation isn’t required, then notice and an opportunity to opt out would be sufficient. Parental consent is not required for surveys that don’t cover sensitive information, but parents generally may opt out, as shown below.

24 of 39

No Longer the Forgotten Law (OK, not quite as forgotten as it used to be…)

25 of 39

COPPA: Children’s Online Privacy Protection Act

  • Enacted in 2000
  • Enforced by FTC (Federal Trade Commission)
  • Ensures parents control what data is collected from their child (under 13) online
  • Requires minimal data collection, transparency and reasonable security

26 of 39

What Does COPPA Mean for Schools?

In an educational context, schools may act as the parent’s agent and give consent on behalf of parents under certain conditions:

  • The school must ensure the vendor's use of that data is strictly for educational purposes, not for commercial use (like targeted ads).
  • The school is responsible for reviewing the vendor’s privacy practices and ensuring COPPA compliance.
  • Transparency is key — schools should inform parents about what tools are being used and why.
  • If the data will be used for commercial purposes, the parent MUST provide consent

27 of 39

CIPA: Children’s Internet Protection Act

  • Enacted in 2000
  • Enforced by the FCC (Federal Communications Commission)
  • Addresses concerns about children's access to obscene or harmful content over the Internet
  • Applies to all entities receiving eRate funds

28 of 39

NSLA: National School Lunch Act

  • Enacted in 1946
  • Administered by the US Department of Agriculture
  • Established the National School Lunch Program (NSLP)
  • Free & Reduced Price Lunch (FRPL) status is NOT part of the education record and is not governed by FERPA exceptions (School Official, Studies, etc.)

29 of 39

NSLA: Who Has Access to the Data

  • The information provided by families on the FRPL application will be used only for determining eligibility for meal benefits and verification of eligibility.
  • PSUs planning to disclose children’s eligibility status for purposes other than determining and verifying FRPL eligibility must inform households of the disclosure.
  • The PSU must obtain consent of a parent or guardian prior to the disclosure and give households the opportunity to decline the disclosure.

30 of 39

NSLA: Who Has Access to the Data

  • There is no “Need to Know” exception to consent for FRPL data
  • The only staff who may access the data are people who are administering a program that a parent has consented to sharing data with
  • Example: Reduced-price athletic participation
    • Person who manages collection of payment has access; Coach does not
  • Principal does not automatically get access to status

31 of 39

32 of 39

NSLA: Preventing Overt Identification

PSUs must ensure children who receive FRPL benefits are not overtly identified when they are provided additional services under programs or activities available to low-income children based on their meal eligibility.

Examples:

  • Weekend meal backpack program
  • School tutoring program
  • WiFi hotspots program

33 of 39

NSLA: Penalties for Improper Disclosure

  • There is no FERPA jail, but there are significant penalties under NSLA
  • Improper disclosure may result in a fine of up to $1,000 or imprisonment of up to one year, or both, per disclosure

34 of 39

AI: Data Privacy and Generative AI

  • Large Language Models, like ChatGPT, pose significant risks to student and staff data privacy
  • Not a locked file cabinet: Once entered, data may be stored, logged, or reused to improve the model.
  • Loss of control: You don’t know where your information goes or who may access it.
  • Data leaks: Even anonymized info can sometimes be pieced back together.

35 of 39

AI: Data Privacy and Generative AI

  • FERPA & legal risks: Sharing student data (names, grades, addresses, etc.) can violate privacy laws and district policy.
  • Rule of thumb: If you wouldn’t put it on the school bulletin board, don’t put it into an AI model.

36 of 39

Military Recruiters

NCDPI pulls a file of statewide eligible students to share with our military partners in early October, to allow time for districts/families to complete the legislatively mandated FERPA “opt out” page in the SIS. To ease the burden on all districts, the statewide file of eligible students and contact information will be delivered to our Military Contact in the US Army in early October, for distribution to all branches, after the district completion deadline of Oct. 1.

Direct all military recruiters to:

Major Elder Bennett: eder.g.bennett.mil@army.mil for information on when those files will be disseminated once they are received from NCDPI.

37 of 39

Data Privacy Micro-Credential Pathway

38 of 39

Trusted Learning Environment

39 of 39

Resources

Diane Dulaney, DPI Privacy Officer

privacy@dpi.nc.gov

diane.dulaney@dpi.nc.gov

(984) 236-2234

Privacy Technical Assistance Center (PTAC)

privacyTA@ed.gov

https://studentprivacy.ed.gov

(855) 249-3072

(202) 260-3887