FERPA & AI: What Higher Ed Needs to Know

Author: Enrollify
Published: Tue 11 Mar 2025
Episode Link: https://generationaishow.com/episodes/making-sense-of-ferpa-compliance-in-the-age-of-ai-xdKEBaBM

In this episode of Generation AI, Ardis Kadiu and Dr. JC Bonilla unpack FERPA—the Family Educational Rights and Privacy Act—and its critical role in protecting student data within AI-driven educational tools. They clarify common misunderstandings around FERPA compliance, specifically addressing the handling of AI-powered student engagement platforms, chatbots, and data security practices. Learn how institutions can effectively utilize AI while safeguarding student privacy and maintaining compliance.

Understanding FERPA Basics (00:00:07)

  • Introduction of the topic based on questions from the AI Engagement Summit
  • FERPA stands for Family Educational Rights and Privacy Act
  • Federal law enacted in 1974 that protects privacy of student educational records
  • Applies to institutions receiving US Department of Education funding
  • Grants students (or parents of minors) rights regarding their educational records

What Constitutes Educational Records Under FERPA (00:07:33)

  • Academic records including grades, transcripts, and course enrollment
  • Personally identifiable information (PII) such as names, student IDs, birthdates
  • Disciplinary records and counseling information
  • Financial aid and billing information
  • Student communications with advisers, faculty, and staff
  • Institutions must maintain control and prevent unauthorized disclosure

FERPA Compliance for Engagement Tools (00:08:52)

  • Student data must remain protected from unauthorized access
  • Information cannot be used for unintended purposes outside institutional contracts
  • Data must remain under the institution's control at all times
  • The "school official exception" allows third-party vendors to access data
  • Vendors must perform services the school would otherwise use its own staff for
  • Schools must maintain direct control over records use and maintenance

Vendor Contracts and FERPA Compliance (00:13:01)

  • Contracts must clearly state vendors act as school officials bound by FERPA
  • Vendors cannot use student records outside the scope of their contracts
  • Institutions must retain full control over how student data is accessed
  • Importance of granular access controls and role-based permissions
  • Vendors should not use student data to train AI models without specific permission
  • Data minimization principles should be followed in all AI processes

Data Security Requirements (00:15:51)

  • Encryption requirements for data in transit and at rest
  • Importance of multifactor authentication
  • Access logging to track who interacts with data
  • Data deletion and retention policies must be clearly defined
  • Vendors should have clear procedures for data deletion after contract ends

Audits and Compliance Monitoring (00:16:40)

  • Vendors should comply with security and privacy standards
  • Regular security audits and compliance reviews by third parties
  • The importance of SOC 2 Type 2 certification as the gold standard
  • Institutions' rights to conduct independent security audits

AI-Specific FERPA Concerns (00:18:50)

  • Chatbots and AI assistants must follow proper verification protocols
  • AI-powered tools must adhere to role-based access permissions
  • Risks of using public AI tools like ChatGPT with student data
  • Directory vs. non-directory information distinctions
  • The dangers of uploading student data to non-FERPA compliant AI tools

AI Training and Data Use Risks (00:24:00)

  • Many AI models store and use interactions for training
  • Risks of unauthorized retention of student records
  • Importance of checking data retention policies in AI tools
  • Free versions of AI tools typically don't offer data protection options
  • Paid versions may have data retention turned on by default

Element451's FERPA Compliance Approach (00:26:28)

  • SOC 2 Type 2 compliance with third-party verification
  • Data encryption in transit and at rest with additional field-level encryption
  • Multifactor authentication enforcement
  • Identity verification in AI chatbots before sharing any personal information
  • No training on user data and anonymization of activity data
  • Institution control over data deletion and visibility of all records
  • AI inherits institutional security policies and access controls

Closing Thoughts (00:29:39)

  • The importance of understanding FERPA in the AI context
  • Building trust through proper compliance
  • Addressing misinformation around FERPA and AI
  • Invitation for listeners to suggest future topics


- - - -

Connect With Our Co-Hosts:
Ardis Kadiu
https://www.linkedin.com/in/ardis/
https://twitter.com/ardis

Dr. JC Bonilla
https://www.linkedin.com/in/jcbonilla/
https://twitter.com/jbonillx

About The Enrollify Podcast Network:
Generation AI is a part of the Enrollify Podcast Network. If you like this podcast, chances are you’ll like other Enrollify shows too! 

Enrollify is made possible by Element451 — The AI Workforce Platform for Higher Ed. Learn more at element451.com
