# The Anyra Anonymization Workflow **A district-ready procedure for using AI (Claude, ChatGPT, Gemini) on student data without the data ever reaching a third party in identifiable form.** --- ## Who this is for District data staff, principals, directors, and superintendents who: - Have legitimate access to student records for their role - Want AI-powered insights (risk scoring, cohort analysis, narrative generation, pattern detection) - Need to stay compliant with FERPA, CSDPA, and district policy --- ## The core idea ``` Student roster with real names │ ▼ (run in YOUR browser — never leaves your device) Anyra Anonymizer │ ┌─────┴────────────┐ ▼ ▼ anonymized.xlsx mapping.json (pseudonyms only) (real names, stays private) │ │ ▼ │ Claude / ChatGPT │ (AI never sees │ real names) │ │ │ ▼ │ Insights with │ pseudonyms │ ("stu_abc123 at risk") │ │ │ └──────────────────┤ ▼ Anyra Re-Identify tool (run in YOUR browser) │ ▼ Insights with real names ("Emma Martinez at risk") │ ▼ Take action locally ``` --- ## Step-by-step ### Step 1 — Export from your SIS Export the roster or record set you want to analyze from your Student Information System (Aeries, PowerSchool, Infinite Campus, Synergy, Q, etc.). Save as `.xlsx` or `.csv`. **Where to save:** somewhere private on your own computer (not a public shared drive, not an external USB that travels). ### Step 2 — Anonymize 1. Open the Anyra Anonymizer (hosted link your district received, or downloaded `.html` file). 2. Enter your district's access code on first use. 3. Drag your exported file into the drop zone. 4. Review the auto-classification. Look especially for: - Columns the tool couldn't auto-classify (it shows sample values) - Any PII columns it wants to keep that shouldn't be kept (override to STRIP) - Any free-text columns auto-stripped that you actually need for this analysis (manually keep, but then you're responsible for reviewing the output) 5. Click **Anonymize**. 6. If the safety modal appears, read the concerns carefully. If anything looks like real PII, cancel and adjust. 7. Download all four files: - `anonymized.xlsx` — safe to share with AI - `real_data.js` — for Anyra dashboards (skip if not using) - `mapping.json` — **keep this private**, it's the key back to real names - `audit-log.txt` — save for your district's records ### Step 3 — Use with AI (Claude, ChatGPT, Gemini) **Before you open an AI tool, confirm you're using a zero-retention tier.** Anonymization protects the *upstream* — what leaves your computer. A zero-retention AI tier protects the *downstream* — what the AI vendor does with it. You want both. **Acceptable tiers:** - **Claude Team** or **Claude Enterprise** (recommended) — zero retention, no training on inputs, workspace admin controls - **ChatGPT Team** or **Enterprise** with data controls turned on - **Gemini** inside Google Workspace for Education (your district's existing Workspace DPA covers it) **Not appropriate for this workflow:** - Consumer claude.ai on a free or Pro personal account - Consumer ChatGPT on a free or Plus personal account - Any AI tool where you haven't read the retention + training policy If your district doesn't have access to an enterprise AI tier yet, that's the thing to fix first. This anonymizer is not a workaround for that. **Then:** 1. After anonymization completes, the tool shows a **Use with Claude** section. 2. Copy the starter prompt (tuned to your data's schema and domain). 3. Open your enterprise AI workspace in a new tab and sign in with your district account. 4. Paste the prompt into the chat. 5. Upload `anonymized.xlsx` as an attachment. 6. Chat freely. Ask follow-ups. Request specific analyses. **Examples of what Claude can do with anonymized data:** - Identify at-risk students (by pseudonym) - Compare site-level outcomes - Draft board-ready summaries - Suggest intervention strategies - Write talking points for principal meetings - Spot patterns in subgroup performance The AI sees `stu_a7f3c1d2e9`. It does not see `Emma Martinez`. ### Step 4 — Re-identify locally to take action When Claude returns insights with pseudonyms ("stu_abc123 shows graduation risk..."), you'll want real names to actually do anything. 1. Return to the Anyra Anonymizer. 2. Switch to **Re-identify** mode (toggle at top). 3. Load your `mapping.json` file. 4. Paste Claude's response into the text box (or drop an xlsx if Claude returned a downloadable file). 5. Click **Re-identify**. 6. Real names appear in place of pseudonyms. 7. Copy the result into your notes, action plan, or counselor outreach. ### Step 5 — Clean up - Click **Clear session & reload** in the tool when you're finished. This drops the mapping, salt, and anonymized data from browser memory and reloads the page. - `mapping.json` should stay on your own device, in a secured folder. - Original raw roster — delete if you no longer need it, or store according to district data retention policy. - `anonymized.xlsx` — can be retained indefinitely, shared, archived. - `audit-log.txt` — keep for district records if asked during a compliance review. --- ## Using the workflow with Anyra dashboards Anyra dashboards built with Claude Code follow the same pseudonymization rule: - Dashboard ships with pseudonymized data embedded - Users click **Load mapping** button (bottom-right of the dashboard) - Their `mapping.json` is read locally in the browser - All student references swap from pseudonyms to real names - Closing the tab clears the real names from view This means a dashboard can be safely emailed, stored on a shared drive, or left open on a screen — it shows pseudonyms by default. Only the authorized person with the mapping file sees real names, and only while they're actively viewing. --- ## What this workflow is NOT - **Not a compliance certification.** It's a workflow that reduces risk. Your district remains responsible for policy, training, and appropriate use. - **Not a substitute for authorization.** If a staff member uses the tool to process data they weren't authorized to access in the first place, the tool doesn't make that authorized. - **Not protection against deliberate misuse.** If someone intentionally leaks a mapping file or shares real names externally, the tool doesn't prevent that. --- ## What this workflow IS - **A defensible answer** to the question *"did staff use AI with student data?"* — the honest answer is *"yes, per our anonymization workflow; data was pseudonymized before leaving our environment."* - **A tool for staff to actually get value** from AI without triggering compliance review on every interaction. - **An artifact** (the audit log) that demonstrates governance in the face of audits. - **A structure** your district can incorporate into its Acceptable Use Policy for AI tools. --- ## Recommended district roles | Role | What they do in this workflow | |---|---| | **Superintendent / Director** | Uses workflow for strategic analysis, board prep, district-wide pattern recognition | | **Site principal** | Uses workflow for site-specific cohort analysis, intervention planning | | **Counselor** | Uses workflow for at-risk student identification, outreach planning | | **Data/MIS staff** | Handles the actual export + anonymization; delivers anonymized xlsx + mapping to authorized users | | **Data privacy officer** | Reviews audit-log.txt periodically; owns the district AUP that references this workflow | --- ## Training recommendation Each staff member using this workflow should complete a ~20 minute orientation covering: 1. When it's appropriate to use AI with student data (and when it isn't) 2. How to run the anonymizer correctly (how to review classifications) 3. How to securely handle the mapping file 4. How to re-identify locally when needed 5. Who to ask if something looks wrong Anyra can provide this training as a Learning Studio module, a standalone session, or a short video. --- ## Escalation path If you hit something this workflow doesn't cover — a data type you're not sure about, a Claude response that seems to contain PII even though you anonymized, an export format the tool didn't recognize — stop and contact your district data privacy officer or Anyra's support line. When in doubt: **the default should be not to share anything externally** until you've reviewed it with someone who understands the rules. --- *Version 1.1 — April 2026. This is a workflow recommendation. It does not constitute legal advice. Your district is responsible for adopting, adapting, and enforcing its own policies.*