A district data privacy agreement for an AI social story tool should cover five things: FERPA roles, data ownership, deletion, a ban on training models on student data, and breach notice. If you enter any student-identifying detail, the vendor needs to become a school official under FERPA. In a 2024 survey of 16 school SLPs, OTs, and parents, 94% spend 30 or more minutes per story, so the pull toward fast AI tools is real. The DPA is what makes that legal.
Do you need a DPA at all?
You need one if any student-identifying detail goes into the tool. A signed DPA designates the vendor a school official with a legitimate educational interest, which is how FERPA permits sharing records. With no DPA, you can still use AI, but only with no real names and no photos. The agreement is the line between de-identified drafting and real student data.
What does the DPA need to say about model training?
This is the clause an AI tool adds over an ordinary vendor contract. The DPA must ban the vendor from training models on student data and ban resale or sharing. The vendor may process data only to deliver the service. AI tools used in schools should be FERPA-aware, and MagicSchool advertises this posture for districts. Verify it in writing, do not assume.
| Clause | What to require |
|---|---|
| FERPA role | Vendor is a school official; legitimate educational interest stated |
| No training | Student data never trains models, never sold, never shared |
| Ownership | District owns data; vendor is processor only |
| Deletion | Export and delete on request and at contract end |
| Breach notice | Defined timeline to notify the district |
| Subprocessors | List of who else touches the data |
From the 2024 community survey: "Getting suitable pictures is 90 percent of the work." That photo pressure pushes SLPs toward real student photos, which makes the deletion and image clauses the ones to read twice before anyone uploads a face.
Is FERPA or HIPAA the right standard?
FERPA, not HIPAA. Services delivered to K-5 students in a school fall under FERPA. HIPAA covers private clinics and ABA practices, not your caseload. A photo of a student is an education record, so the agreement must treat images the same as written records. State student-privacy laws may add requirements, so name those too.
Who signs it, and how do you start?
The district signs, usually IT or the privacy officer, not the individual SLP. You request it and supply the use case: AI-assisted social story drafting for IEP students. Most districts keep an approved-vendor list, so check there first. If the tool is on it, you are done. If not, hand IT the six-clause checklist above.
Does the tool need to support the agreement technically?
Yes. A DPA you cannot enforce is paper. Confirm the tool lets you export and delete student profiles, uses first names only by default, and stores files where your district controls access. Social narratives are evidence-based per AFIRM, so the goal is to keep using them at speed without student data leaking. The contract and the product have to match.
Frequently Asked Questions
Do I need a data privacy agreement to use an AI social story tool?
If you put any student-identifying detail into the tool, yes. A signed DPA makes the vendor a school official under FERPA so the school can share records. Without one, use no real names and no photos.
What must the DPA say about training on student data?
It should ban the vendor from training models on student data and from selling or sharing it. The vendor processes data only to provide the service. This is the single most important clause for an AI tool.
Who owns the social stories I create?
The DPA should name the district as the data owner. The vendor is a processor. You should be able to export and delete every story and student profile on request and on contract end.
Is FERPA or HIPAA the right standard for schools?
FERPA. School services for K-5 students fall under FERPA, not HIPAA. HIPAA applies to private clinics. Your DPA should cite FERPA and any state student-privacy law your district follows.
Can I just sign a DPA myself?
No. The district signs, usually through IT or the privacy officer. You request it and supply the use case. Most districts keep an approved vendor list, so check there first.
What about photos of students?
A student photo is an education record under FERPA. The DPA must cover image storage and deletion. Until that is signed, use stock or generic illustrations instead of real student photos.
One approach for school SLPs short on time is to keep a 5-tool stack: a methodology checklist, a slide template you reuse, a folder of stock photos sorted by scenario, an AI text drafter (ChatGPT, Claude, MagicSchool, or Emoquest for one-sentence-in story output), and a delivery format your district already uses (Google Slides or PDF). Before any of them touch student data, get the six-clause DPA signed and the speed is safe.