FERPA-Compliant Research: How to Interview Students Safely at Scale

FERPA — the Family Educational Rights and Privacy Act — is the most frequently cited and most frequently misunderstood barrier to student research in higher education. In practice, FERPA restricts how educational institutions disclose education records; it does not prohibit research with students. The vast majority of student interview studies fall entirely outside FERPA’s regulatory scope when designed correctly, because they collect new data directly from consenting participants rather than disclosing existing education records. Understanding this distinction is the key to conducting rigorous, ethical student research at scale without unnecessary compliance paralysis.

This guide explains what FERPA actually requires in research contexts, identifies the specific scenarios where FERPA creates genuine compliance obligations, and provides practical protocols for designing student research that is both legally sound and methodologically rigorous. It also covers GDPR considerations for international students, IRB requirements, and how AI-moderated interview platforms handle compliance infrastructure.

What FERPA Actually Regulates (and What It Does Not)

FERPA (20 U.S.C. 1232g) applies to educational institutions that receive federal funding — which includes virtually all U.S. colleges and universities. The law gives students (or parents, for students under 18) the right to access their education records and restricts institutions from disclosing those records without consent.

The Critical Definition: Education Records

FERPA protects “education records,” defined as records that are (1) directly related to a student and (2) maintained by the educational institution or a party acting for the institution. This includes transcripts, grades, enrollment status, financial aid information, disciplinary records, and similar institutional data.

What FERPA does not cover:

• New data collected directly from students. When a student participates in a research interview and shares their experiences, opinions, and perspectives, the resulting transcript is research data — not an education record. The student’s words about their advising experience are not the same as the institution’s advising records.

• Directory information that the institution has designated as publicly available (name, enrollment status, degree program, etc.), though students can opt out of directory information disclosure.

• De-identified data where all personally identifiable information has been removed and the institution has made a reasonable determination that the student’s identity is not personally identifiable through remaining data elements or in combination with other available information.

• Observations and interactions. A researcher observing student behavior in a public campus space, or a faculty member’s personal observations about a student’s classroom participation, are not education records.

Common Misconceptions

Misconception: “We cannot interview students without FERPA clearance.” Interviewing students is not a disclosure of education records. If you recruit students through public channels (email lists, flyers, course announcements) and they voluntarily participate in research, FERPA is not implicated by the interview itself. Standard informed consent for human subjects research is required, but FERPA-specific consent is not.

Misconception: “Any data about students is protected by FERPA.” FERPA protects education records maintained by the institution. Research data collected directly from students is not an education record unless the institution incorporates it into the student’s official record (which would be unusual for research data).

Misconception: “We need FERPA consent to send students a research recruitment email.” Using student email addresses for research recruitment is a disclosure of directory information. If the institution has designated email addresses as directory information (most have), this disclosure is permitted under FERPA unless the student has opted out. If email is not designated as directory information, the institution can still facilitate recruitment by sending emails on behalf of the researcher without disclosing addresses to the researcher.

Misconception: “Third-party research platforms cannot access student data.” FERPA’s “school official” exception allows institutions to share education records with parties performing institutional functions, provided appropriate agreements are in place. More importantly, an AI interview platform that conducts new research conversations does not need access to education records at all — it collects new data from consenting participants.

When FERPA Does Apply to Student Research

FERPA creates genuine compliance obligations in specific research scenarios.

Scenario 1: Using Education Records to Select Participants

If your research design requires selecting participants based on education record data — interviewing students with GPAs below 2.5, or students who withdrew from specific courses, or students on academic probation — the act of identifying those students involves accessing education records. This requires either FERPA consent from the students whose records are accessed or reliance on a FERPA exception.

The studies exception (34 CFR 99.31(a)(6)). FERPA permits disclosure of education records to organizations conducting studies for or on behalf of the institution to develop, validate, or administer predictive tests; administer student aid programs; or improve instruction. This exception requires a written agreement specifying the study’s purpose, the data to be disclosed, and destruction or return of data upon completion.

The institutional officials exception. Researchers who are employees of the institution performing institutional functions may access education records as “school officials” if the institution has defined this in its FERPA policy.

Practical workaround: self-selection. Rather than identifying eligible students through education records, recruit broadly and let students self-identify eligibility. Instead of pulling a list of students on academic probation, send a recruitment message to all students asking those who “have experienced academic difficulty” to participate. This avoids FERPA entirely while reaching the target population.

Scenario 2: Linking Research Data to Education Records

If your analysis plan involves linking interview transcripts to students’ academic performance, enrollment patterns, or other education record data, the linkage creates a FERPA obligation. The linked dataset contains education records, and its creation, storage, and sharing are subject to FERPA.

Protocol: Obtain explicit FERPA consent for the specific records to be linked, maintain linked data under appropriate security controls, and de-identify the dataset once linkage analysis is complete.

Scenario 3: Sharing Identifiable Research Findings

If research findings include information that could identify specific students — quotes attributed to “the only Native American student in the engineering program,” for example — the disclosure may implicate FERPA if the identifying context derives from education records. Even without direct FERPA application, such disclosure raises ethical concerns that IRB review should address.

Designing FERPA-Clean Student Research

The simplest approach to FERPA compliance is designing research that never touches education records. Here is a protocol that achieves this.

Step 1: Recruit Through Public or Facilitated Channels

Use recruitment methods that do not require accessing education records to identify eligible participants:

• Broad email recruitment through directory information (student email addresses)
• Course announcements where faculty invite participation in class
• Flyers and digital signage in relevant campus locations
• Student organization partnerships where org leaders share recruitment materials
• Social media targeting the institution’s student population
• Panel recruitment through research platforms with their own participant pools

If you need a specific sub-population, use screening questions at the start of the study rather than pre-selecting from education records. “Are you currently a junior or senior in the College of Engineering?” achieves the same targeting as pulling an enrollment list — without the FERPA implications.

Step 2: Obtain Informed Consent (Not FERPA Consent)

Because your study does not involve education records, you do not need FERPA-specific consent. You do need standard research informed consent covering:

• Purpose of the study and how findings will be used
• What participation involves (a 30-minute interview, for example)
• Data handling: how transcripts will be stored, who will access them, how long they will be retained, and how they will be de-identified or destroyed
• Voluntary participation: students can decline or withdraw without consequence
• Confidentiality protections: how the research team will protect participant identity in findings and publications

AI-moderated interview platforms can embed consent collection directly into the research workflow. On User Intuition, participants review and accept consent terms before the conversation begins, creating a documented consent record.

Step 3: Separate Research Data from Education Records

The critical data governance step is ensuring that research data — interview transcripts, analysis files, participant databases — is stored separately from institutional education records and not incorporated into any education record system.

• Store research data on research platforms or research-specific systems, not in the SIS (Student Information System) or LMS
• Do not add research participation status or findings to student records
• If using a participant tracking database, store it on research infrastructure with access limited to the research team

Step 4: De-Identify Transcripts and Analysis

De-identification serves both FERPA and ethical purposes. Even when FERPA does not technically apply, de-identification protects student privacy and aligns with IRB expectations.

Automatic de-identification on AI platforms removes names, specific course numbers, professor names, and other identifying details from transcripts. User Intuition performs automatic de-identification as part of the transcript processing pipeline, reducing the manual burden on research teams.

Contextual de-identification requires human judgment — removing details that are technically generic but identifying in context. “The only wheelchair-accessible dorm” might identify a specific building and the students who live there. Research teams should review de-identified transcripts for contextual identifiers, particularly in small programs or distinctive student populations.

Step 5: Establish Data Retention and Destruction Protocols

Define upfront how long research data will be retained and how it will be destroyed. Best practices:

• Active use period: retain full data during analysis and for a defined period after publication (typically 3-5 years per institutional policy)
• Archive period: retain de-identified data only, with identifying keys destroyed
• Destruction: documented deletion from all systems, including backups

IRB Considerations for Student Interview Research

FERPA and IRB review are separate regulatory frameworks, but most student interview studies require both analysis.

When IRB Review Is Required

Any research involving human subjects conducted by faculty, staff, or students at an institution with a Federalized-Wide Assurance (virtually all research universities) requires IRB review. Student interview research falls squarely within this scope.

Expedited vs. Full Board Review

Most student interview studies qualify for expedited review because they involve no more than minimal risk. The standard for minimal risk is that the probability and magnitude of harm are not greater than those ordinarily encountered in daily life. A 30-minute interview about academic experience meets this standard.

Studies that may require full board review include those involving vulnerable populations (minors, students with documented disabilities), sensitive topics (mental health, substance use, sexual behavior, undocumented status), or designs that create more-than-minimal risk of harm.

IRB Protocol Elements for AI-Moderated Studies

When submitting an IRB protocol for an AI-moderated interview study, address these elements:

• Moderator nature: Explain that interviews are conducted by an AI system, describe how the AI moderates (adaptive questioning, discussion guide adherence), and note that no human moderator is present during the conversation
• Data handling: Detail the platform’s security infrastructure, encryption standards, access controls, and data processing agreements
• Consent process: Describe how consent is collected (embedded in platform workflow), what information is provided, and how withdrawal is handled
• De-identification: Explain automatic and manual de-identification procedures
• Recording and storage: Specify whether conversations are recorded as audio, text, or both; where recordings are stored; and who has access

Most IRBs are now familiar with AI-moderated research and have established review pathways. If your IRB has not previously reviewed this type of study, provide educational materials about the methodology alongside your protocol.

GDPR Considerations for International Students

Institutions with international student populations — particularly students from EU/EEA countries — must consider GDPR alongside FERPA. GDPR applies to the processing of personal data of EU residents, regardless of where the processing occurs.

Key GDPR Requirements for Student Research

Lawful basis for processing. Research with consenting participants typically relies on consent (Article 6(1)(a)) or legitimate interest (Article 6(1)(f)) as the lawful basis. For academic research, the research exemption (Article 89) provides additional flexibility for data processing.

Data minimization. Collect only the personal data necessary for the research purpose. AI-moderated interviews inherently support this — the conversation collects experiential data, not demographic databases.

Right to erasure. GDPR gives participants the right to request deletion of their personal data. Research platforms must support this technically — the ability to identify and delete a specific participant’s data upon request.

Data transfer safeguards. If the research platform processes data outside the EU (most U.S.-based platforms do), appropriate transfer mechanisms must be in place: Standard Contractual Clauses, adequacy decisions, or other approved mechanisms.

Data Protection Impact Assessment (DPIA). Large-scale processing of personal data, particularly sensitive data, may require a DPIA. A student interview study involving 200+ participants should be evaluated for DPIA requirements.

Practical Protocol for Mixed Populations

When your study population includes both domestic and international students:

1. Apply the higher standard. Design your consent, data handling, and de-identification protocols to satisfy GDPR requirements, which are generally stricter than FERPA. This ensures compliance for all participants.

2. Use a platform with dual compliance. User Intuition is FERPA, GDPR, and HIPAA compliant, with data handling infrastructure designed for multi-jurisdictional research. This eliminates the need for separate workflows based on participant nationality.

3. Include GDPR-required information in consent. For EU participants, consent must include the identity of the data controller, the lawful basis for processing, data retention periods, the right to withdraw consent and request erasure, and contact information for data protection inquiries.

4. Document your transfer mechanisms. If data is processed in the United States, document the legal mechanism authorizing the transfer (typically Standard Contractual Clauses in the data processing agreement with your platform provider).

How AI-Moderated Platforms Handle Compliance at Scale

Manual compliance management becomes impractical when conducting dozens or hundreds of student interviews. AI-moderated interview platforms address this through built-in compliance infrastructure.

Consent Management

Consent is collected digitally before the interview begins, creating a timestamped, auditable consent record for each participant. Consent forms are customizable to include institution-specific language, IRB-required disclosures, and jurisdiction-specific information (GDPR for EU participants, for example).

Automatic De-Identification

AI systems can automatically identify and redact personally identifiable information from transcripts: names, specific course sections, professor names, locations, and other identifiers. This reduces the manual review burden and decreases the risk of accidental identification in research outputs.

Encrypted Storage and Access Controls

Research data is encrypted at rest and in transit, with role-based access controls that limit who can view transcripts, analysis, and participant information. The platform’s Intelligence Hub provides a secure environment for storing and analyzing research data without exposing it to unauthorized users.

Data Processing Agreements

Compliant platforms provide data processing agreements (DPAs) that define the platform’s role as a data processor acting on the institution’s instructions, the security measures in place, the platform’s obligations regarding data breach notification, and the data retention and deletion procedures.

Audit Trails

Every action — consent collection, interview completion, transcript access, data export, deletion request — is logged in an audit trail. This documentation supports IRB continuing review, FERPA compliance audits, and GDPR accountability requirements.

A Practical Compliance Checklist

Before launching a student interview study, confirm:

• Recruitment method does not require accessing education records (or appropriate FERPA consent/exception is in place if it does)
• Informed consent covers purpose, participation requirements, data handling, voluntariness, and confidentiality
• IRB approval is obtained (or exemption determination is documented)
• Platform DPA is executed between the institution and the research platform
• De-identification protocol is defined — both automatic (platform-level) and manual (contextual review)
• Data storage is separate from education record systems
• GDPR requirements are addressed if international students are included
• Data retention schedule is defined and communicated to participants
• Withdrawal procedure is documented — how participants can withdraw and have data deleted

Compliance does not have to be a barrier to student research. With the right study design and the right platform, institutions can conduct hundreds of in-depth student interviews that are fully FERPA-compliant, IRB-approved, and GDPR-ready — in a fraction of the time and cost that compliance concerns have historically imposed on student research programs. Platforms like User Intuition were built with education-sector compliance as a core design requirement, not an afterthought.