In this episode of Generation AI, Ardis Kadiu and Dr. JC Bonilla unpack FERPA—the Family Educational Rights and Privacy Act—and its critical role in protecting student data within AI-driven educational tools. They clarify common misunderstandings around FERPA compliance, specifically addressing the handling of AI-powered student engagement platforms, chatbots, and data security practices. Learn how institutions can effectively utilize AI while safeguarding student privacy and maintaining compliance.
Understanding FERPA Basics (00:00:07)
- Introduction of the topic based on questions from the AI Engagement Summit
- FERPA stands for Family Educational Rights and Privacy Act
- Federal law enacted in 1974 that protects privacy of student educational records
- Applies to institutions receiving US Department of Education funding
- Grants students (or parents of minors) rights regarding their educational records
What Constitutes Educational Records Under FERPA (00:07:33)
- Academic records including grades, transcripts, and course enrollment
- Personally identifiable information (PII) such as names, student IDs, birthdates
- Disciplinary records and counseling information
- Financial aid and billing information
- Student communications with advisers, faculty, and staff
- Institutions must maintain control and prevent unauthorized disclosure
FERPA Compliance for Engagement Tools (00:08:52)
- Student data must remain protected from unauthorized access
- Information cannot be used for unintended purposes outside institutional contracts
- Data must remain under the institution's control at all times
- The "school official exception" allows third-party vendors to access data
- Vendors must perform services the school would otherwise use its own staff for
- Schools must maintain direct control over records use and maintenance
Vendor Contracts and FERPA Compliance (00:13:01)
- Contracts must clearly state vendors act as school officials bound by FERPA
- Vendors cannot use student records outside the scope of their contracts
- Institutions must retain full control over how student data is accessed
- Importance of granular access controls and role-based permissions
- Vendors should not use student data to train AI models without specific permission
- Data minimization principles should be followed in all AI processes
Data Security Requirements (00:15:51)
- Encryption requirements for data in transit and at rest
- Importance of multifactor authentication
- Access logging to track who interacts with data
- Data deletion and retention policies must be clearly defined
- Vendors should have clear procedures for data deletion after contract ends
Audits and Compliance Monitoring (00:16:40)
- Vendors should comply with security and privacy standards
- Regular security audits and compliance reviews by third parties
- The importance of SOC 2 Type 2 certification as the gold standard
- Institutions' rights to conduct independent security audits
AI-Specific FERPA Concerns (00:18:50)
- Chatbots and AI assistants must follow proper verification protocols
- AI-powered tools must adhere to role-based access permissions
- Risks of using public AI tools like ChatGPT with student data
- Directory vs. non-directory information distinctions
- The dangers of uploading student data to non-FERPA compliant AI tools
AI Training and Data Use Risks (00:24:00)
- Many AI models store and use interactions for training
- Risks of unauthorized retention of student records
- Importance of checking data retention policies in AI tools
- Free versions of AI tools typically don't offer data protection options
- Paid versions may have data retention turned on by default
Element451's FERPA Compliance Approach (00:26:28)
- SOC 2 Type 2 compliance with third-party verification
- Data encryption in transit and at rest with additional field-level encryption
- Multifactor authentication enforcement
- Identity verification in AI chatbots before sharing any personal information
- No training on user data and anonymization of activity data
- Institution control over data deletion and visibility of all records
- AI inherits institutional security policies and access controls
Closing Thoughts (00:29:39)
- The importance of understanding FERPA in the AI context
- Building trust through proper compliance
- Addressing misinformation around FERPA and AI
- Invitation for listeners to suggest future topics
About The Enrollify Podcast Network:
Generation AI is a part of the Enrollify Podcast Network.
Enrollify is made possible by Element451 — The AI Workforce Platform for Higher Ed. Learn more at element451.com.