FERPA Compliance Issues with non Copilot AI Tools

  1. Student Consent

    • AI tools must not access or process student education records without explicit written consent, unless the data qualifies as directory informationor falls under a FERPA exception.
      1

  2. Third-Party Vendor Agreements

    • AI providers must be contractually designated as “School Officials” with legitimate educational interests.
    • Contracts must include FERPA compliance clauses, prohibit data mining or repurposing, and ensure data minimization.
      2

  3. Data Security & Control

    • Institutions must retain full control over student data.
    • AI tools must support encryption, multi-factor authentication, and audit logging.
    • Vendors should not use student data for training AI modelsunless explicitly permitted.
      2

  4. Transparency & Governance

    • Institutions must be transparent with students about how their data is used.
    • Establish governance processesto monitor AI decision-making and prevent model drift.
      3

  5. AI Hallucinations & Misinterpretation

    • AI tools may misinterpret FERPA rules or fabricate responses.
    • Human oversight is essential to ensure contextual judgmentin data handling.
      3

Office 365 and FERPA

Microsoft Office 365 is designed to support FERPA compliance:

  • Microsoft agrees to act as a “School Official” under FERPA.
  • Office 365 services (including Teams, OneDrive, SharePoint, etc.) offer regional data residency, encryption, and access controls.
  • Institutions must still assess their own compliance and configure services appropriately