CLUSTER 5.1 — FERPA and AI: The Compliance Map
URL: /education/ai-governance-education/ferpa-ai-compliance-map/
---
FERPA — the Family Educational Rights and Privacy Act — was written in 1974. Generative AI was not contemplated when the statute was drafted. The intersection between FERPA and modern AI use in education is the single most underdeveloped compliance surface in U.S. higher education.
Institutions that have built a FERPA-AI compliance map operate with clarity. Institutions that haven't operate with exposure they often do not recognize.
Where FERPA touches AI use
Student-identifying inputs to AI systems. Faculty pasting student work, advising notes, or grade information into general-purpose AI tools may constitute FERPA disclosure depending on system architecture and data handling.
AI tutoring systems. Products that collect student academic performance data may be FERPA-covered. Vendor contracts must reflect the institution's FERPA obligations.
AI proctoring systems. Behavioral data, biometric data, and academic performance data collected by proctoring systems trigger FERPA considerations.
Administrative AI systems. Admissions AI tools, financial aid AI tools, advising AI tools, and student success prediction systems all handle FERPA-covered records.
Vendor AI training data. Where AI vendors use institutional data to train models — including student data — institutional FERPA obligations may be implicated. Most institutions have not audited this.
The compliance map
1. Inventory AI systems handling student data. Every system across the institution. Documented. Current.
2. Evaluate each system against FERPA requirements. Disclosure permissions. School official designation. Legitimate educational interest standards. Vendor contractual obligations.
3. Update vendor contracts. Standard FERPA contractual language must address AI use, training data, retention, deletion, and third-party access.
4. Document faculty practice guidance. What student information can be entered into which AI systems. Specific. Operational.
5. Train faculty and staff. Ongoing. Practical. Scenario-based.
6. Audit annually. AI systems change. Vendor practices change. Faculty practice changes. The compliance map requires refresh.
What institutions get wrong
Treating AI as outside FERPA scope. Generative AI tools that handle student information fall within FERPA's scope. Treating them as outside the framework produces exposure.
Relying on vendor representations alone. Vendor compliance claims require institutional verification.
Inconsistent faculty practice. Faculty practices that diverge from documented institutional policy produce both compliance exposure and inconsistent student experience.
Failure to address training data. Vendors that use institutional data to train models without explicit institutional authorization create FERPA exposure most institutions have not evaluated.
The institutions that have built FERPA-AI compliance maps operate from clarity. The institutions that haven't operate from exposure that compounds with every additional AI tool deployed.
---
