Generation AI

FERPA & AI: What Higher Ed Needs to Know

32 min • March 11, 2025

In this episode of Generation AI, Ardis Kadiu and Dr. JC Bonilla unpack FERPA—the Family Educational Rights and Privacy Act—and its critical role in protecting student data within AI-driven educational tools. They clarify common misunderstandings around FERPA compliance, specifically addressing the handling of AI-powered student engagement platforms, chatbots, and data security practices. Learn how institutions can effectively utilize AI while safeguarding student privacy and maintaining compliance.

Understanding FERPA Basics (00:00:07)

  • Introduction of the topic based on questions from the AI Engagement Summit
  • FERPA stands for Family Educational Rights and Privacy Act
  • Federal law enacted in 1974 that protects privacy of student educational records
  • Applies to institutions receiving US Department of Education funding
  • Grants students (or parents of minors) rights regarding their educational records

What Constitutes Educational Records Under FERPA (00:07:33)

  • Academic records including grades, transcripts, and course enrollment
  • Personally identifiable information (PII) such as names, student IDs, birthdates
  • Disciplinary records and counseling information
  • Financial aid and billing information
  • Student communications with advisers, faculty, and staff
  • Institutions must maintain control and prevent unauthorized disclosure

FERPA Compliance for Engagement Tools (00:08:52)

  • Student data must remain protected from unauthorized access
  • Information cannot be used for unintended purposes outside institutional contracts
  • Data must remain under the institution's control at all times
  • The "school official exception" allows third-party vendors to access data
  • Vendors must perform services the school would otherwise use its own staff for
  • Schools must maintain direct control over records use and maintenance

Vendor Contracts and FERPA Compliance (00:13:01)

  • Contracts must clearly state vendors act as school officials bound by FERPA
  • Vendors cannot use student records outside the scope of their contracts
  • Institutions must retain full control over how student data is accessed
  • Importance of granular access controls and role-based permissions
  • Vendors should not use student data to train AI models without specific permission
  • Data minimization principles should be followed in all AI processes

Data Security Requirements (00:15:51)

  • Encryption requirements for data in transit and at rest
  • Importance of multifactor authentication
  • Access logging to track who interacts with data
  • Data deletion and retention policies must be clearly defined
  • Vendors should have clear procedures for data deletion after contract ends

Audits and Compliance Monitoring (00:16:40)

  • Vendors should comply with security and privacy standards
  • Regular security audits and compliance reviews by third parties
  • The importance of SOC 2 Type 2 certification as the gold standard
  • Institutions' rights to conduct independent security audits

AI-Specific FERPA Concerns (00:18:50)

  • Chatbots and AI assistants must follow proper verification protocols
  • AI-powered tools must adhere to role-based access permissions
  • Risks of using public AI tools like ChatGPT with student data
  • Directory vs. non-directory information distinctions
  • The dangers of uploading student data to non-FERPA compliant AI tools

AI Training and Data Use Risks (00:24:00)

  • Many AI models store and use interactions for training
  • Risks of unauthorized retention of student records
  • Importance of checking data retention policies in AI tools
  • Free versions of AI tools typically don't offer data protection options
  • Paid versions may have data retention turned on by default

Element451's FERPA Compliance Approach (00:26:28)

  • SOC 2 Type 2 compliance with third-party verification
  • Data encryption in transit and at rest with additional field-level encryption
  • Multifactor authentication enforcement
  • Identity verification in AI chatbots before sharing any personal information
  • No training on user data and anonymization of activity data
  • Institution control over data deletion and visibility of all records
  • AI inherits institutional security policies and access controls

Closing Thoughts (00:29:39)

  • The importance of understanding FERPA in the AI context
  • Building trust through proper compliance
  • Addressing misinformation around FERPA and AI
  • Invitation for listeners to suggest future topics


- - - -

Connect With Our Co-Hosts:
Ardis Kadiu
https://www.linkedin.com/in/ardis/
https://twitter.com/ardis

Dr. JC Bonilla
https://www.linkedin.com/in/jcbonilla/
https://twitter.com/jbonillx

About The Enrollify Podcast Network:
Generation AI is a part of the Enrollify Podcast Network. If you like this podcast, chances are you’ll like other Enrollify shows too! 

Enrollify is made possible by Element451 —  the next-generation AI student engagement platform helping institutions create meaningful and personalized interactions with students. Learn more at element451.com

Attend the 2025 Engage Summit! 
The Engage Summit is the premier conference for forward-thinking leaders and practitioners dedicated to exploring the transformative power of AI in education. Explore the strategies and tools to step into the next generation of student engagement, supercharged by AI. You'll leave ready to deliver the most personalized digital engagement experience every step of the way.

Register now to secure your spot in Charlotte, NC, on June 24-25, 2025! Early bird registration ends February 1st -- https://engage.element451.com/register
