Jun 2026

FERPA and AI Governance

Table of Contents

blog-cta-image
Secure Your Employee Conversations with AI Assistants
Book A Demo

Is Generative AI Compliant with FERPA?

Under the Family Educational Rights and Privacy Act (FERPA), the use of generative AI systems introduces additional considerations when education records or student information are included in prompts.

Depending on how these systems are used and configured, such data may be processed or disclosed in ways that fall under FERPA requirements.

This matters because:

  • Student data may be shared with external AI providers
  • Prompt inputs may include education records protected under FERPA
  • FERPA applies to how educational institutions disclose and protect student information

What the Family Educational Rights and Privacy Act (FERPA) Regulates

The Family Educational Rights and Privacy Act (FERPA) is a U.S. federal law that protects the privacy of student education records.

It applies to:

  • schools
  • colleges and universities
  • institutions that receive funding under programs administered by the U.S. Department of Education

FERPA governs:

  • access to education records
  • disclosure of student information
  • rights of students and parents

Institutions must ensure that student data is not disclosed without proper authorization or a permitted FERPA exception.

Key Terms (Simplified)

  • Education Records
    Records that are directly related to a student and maintained by an educational institution or party acting on its behalf
  • Personally Identifiable Information (PII)
    Information that can identify a student directly or indirectly, including names, student IDs, contact details, grades, schedules, and other information that can reasonably be linked to a specific student
  • School Official
    A party that performs an institutional service the school would otherwise use employees for, is under the direct control of the institution with respect to the use and maintenance of education records, and uses the data only for authorized purposes without redisclosure, typically established through contractual agreements

In generative AI workflows:

  • the institution remains responsible for student data
  • an AI provider may qualify as a school official only if these conditions are met

Use of external tools does not remove FERPA obligations.

Responsibilities of Educational Institutions

Under FERPA, institutions are responsible for:

  • protecting education records from unauthorized disclosure
  • ensuring appropriate conditions are met before disclosing data to third parties
  • ensuring appropriate controls are in place when disclosing student data under FERPA exceptions
  • providing students with the right to inspect and review their records and request amendments

These responsibilities continue to apply when using third-party systems.

Why Generative AI Changes Risk

Generative AI systems introduce additional considerations in how student data is handled:

  • data may be transmitted to external providers
  • prompts may contain education records or PII
  • data may be processed outside institutional systems
  • visibility into how data is handled may be limited

FERPA applies specifically to records maintained by or on behalf of an institution, which raises additional considerations when data is processed through external AI systems.

These factors can make it more complex to ensure alignment with FERPA requirements.

Where AI Interacts with FERPA Requirements

Disclosure of Education Records

FERPA restricts disclosure of student records without consent, unless specific exceptions apply.

School Official Exception

Institutions may share data with third parties if they qualify as “school officials” under FERPA and meet required conditions.

Directory Information

FERPA permits disclosure of certain “directory information” (such as name or email) unless a student has opted out, provided the institution has given public notice and defined what qualifies as directory information.

Control and Use of Data

Institutions must ensure that data shared under FERPA exceptions is used only for authorized purposes and not redisclosed.

What Teams Actually Do (and Where Risk Starts)

In practice, student data may be used in generative AI workflows as part of everyday tasks:

  • a teacher pastes student assignments into AI tools for feedback
  • an administrator analyzes student records for reporting
  • a support team summarizes student communications
  • staff use AI to generate recommendations based on student data

These workflows are often intended to improve productivity, but may involve:

  • sharing education records with external systems
  • processing student data outside institutional controls
  • limited oversight into how data is handled after submission

Student Rights vs Generative AI

FERPA provides students (and parents, where applicable) with rights over education records, including:

  • the right to inspect and review their records
  • the right to request amendments to inaccurate or misleading records
  • the right to provide consent before education records are disclosed, except where FERPA permits disclosure without consent

In AI workflows, institutions must ensure that:

  • student data can be accessed and corrected where required
  • disclosures are tracked and justified
  • obligations under FERPA are maintained

Risk Assessment and Generative AI

FERPA requires institutions to ensure that education records are protected and only disclosed under permitted conditions.

Generative AI may require additional evaluation where:

  • student data is shared with third-party providers
  • the provider may not meet the conditions required to qualify under the school official exception
  • institutional oversight of data handling is limited

Institutions may need to assess whether safeguards and agreements are sufficient.

Why AI Usage Becomes Difficult to Govern

Individually, these risks may be manageable. In combination, they can create situations where:

  • student data is shared without proper authorization or applicable exception
  • conditions required under FERPA exceptions are not fully met
  • visibility into data handling is limited

This can make it more difficult to ensure alignment with FERPA requirements.

The Core Problem: Prompts May Involve Disclosure of Education Records

When student data is included in prompts, it may involve:

  • transmission of education records to external systems
  • processing of student information outside institutional environments
  • disclosure to third-party providers

Under FERPA, such disclosures must meet specific conditions or fall under a permitted exception.

Without appropriate controls, these interactions may not align with FERPA requirements.

How AI Governance Supports FERPA Alignment

To support alignment with FERPA requirements, institutions may implement controls that operate before and during AI usage.

These may include:

  • identifying and restricting student data shared with AI systems
  • enforcing policies on acceptable data use
  • maintaining visibility into AI usage
  • implementing safeguards to prevent unauthorized disclosure

Such measures can help institutions manage student data responsibly.

Where Wald.ai Fits

Wald provides controls that can be used to manage how student data is handled in generative AI workflows.

This includes:

  • detection of student-related sensitive data in prompts
  • redaction before data is sent to AI systems
  • enforcement of usage policies across users
  • visibility into AI interactions for monitoring and review

These capabilities can support institutions in applying governance controls to AI usage.

FAQs

Is generative AI compliant with FERPA?
Generative AI can be used in a manner that aligns with FERPA requirements depending on how student data is handled, whether disclosures are permitted, and whether appropriate safeguards are in place.

Can student data be entered into AI tools like ChatGPT?
Student data should only be shared where FERPA conditions for disclosure are met, including appropriate control and contractual safeguards.

Does using AI count as disclosing education records?
It may, depending on how the data is shared and whether the third party qualifies under FERPA exceptions such as the school official provision.

What is the school official exception?
It allows institutions to share student data with third parties performing institutional services, provided they are under direct control, use data only for authorized purposes, and do not redisclose the data.

Why is AI governance important for FERPA?
AI governance helps institutions manage how student data is shared, ensure disclosures meet FERPA conditions, and maintain accountability.

blog-cta-image
Secure Your Employee Conversations with AI Assistants
Book A Demo