FERPA-Approved Productivity Tools
Much of the data at UW–Madison is related to students and may be regulated by FERPA.
Some student data, such as name, UW–Madison email, and major, is directory information and may be released unless the student has restricted it. However, other student data exceeds directory information and is classified as restricted institutional data under UW–Madison’s classification structure.
To protect the privacy and security of this data, UW–Madison provides enterprise tools that can be used to collect, use, or store both directory and restricted student data.
Before working with data that may be protected by FERPA, there are a few things you should do:
- Know your data: Data may be covered by multiple regulations or data classifications. We must classify data according to its most restrictive type. If you need help classifying data, reach out to Data Governance.
- Get trained: Review our guidance and training to make sure you understand the data you’re using.
- Choose the right tool: Easily store and share FERPA data using tools from the “Permitted” list below. This list does not preclude the use of other approved systems (including systems of record and reference) like SIS, Canvas and integrated tools, InfoAccess, and others. Contact the Student Record Data Steward with questions.
- Read about FERPA and AI: Sharing FERPA data with AI tools is only allowed when the tool has been reviewed and approved for use with restricted data.
When in doubt, ask! Final determinations regarding security and privacy risk assessments are made by campus data governance, cybersecurity, and procurement partners. If you have any questions about your use of a tool with FERPA data, contact the Student Record Data Steward at andrew.s.hahn@wisc.edu.
In addition to guidance on FERPA rights and responsibilities, UW–Madison provides operational guidance on the secure use of enterprise tools with student data. This guidance is developed in partnership with Data Governance, Privacy, and Cybersecurity to help employees select appropriate tools for collecting, storing, and sharing student records.
Tools Permitted For Use With Student Data
Use the following campus-provided tools to safely process FERPA-protected data:
- File sharing via Google Drive
- Box
- Teams (without AI features)
- Zoom (may include AI features only if consistent with the Office of the Registrar’s FERPA and AI guidance and your unit’s guidance)
- Microsoft Office 365 (excluding Copilot tools)
- SharePoint
- Research Drive
- Globus
- Qualtrics
- Other enterprise solutions that meet all the following conditions:
- Requirement to log in using an institutional account (i.e. using your UW–Madison Box account rather than a personal account)
- One account per user (i.e. not using shared passwords)
- Dual authentication (or authentication using your NetID)
- Complies with UW–Madison AI policy and does not expose student data to unapproved LLM/AI tools
Tools Requiring Risk Review Prior to Use With Student Data
If you must use a tool that is not listed as permitted for FERPA-protected data, a privacy and security risk review is likely required, including for the following tools:
- Amazon Web Services
- Google Cloud Platform
- Microsoft Azure
- AI tools and features that have not been approved through the risk review process
Tools Prohibited For Use With Student Data
The following tools (and many others) are not appropriate for student data, and using them with such data may be prohibited by FERPA and UW–Madison’s Institutional Data Policy:
- Any personal, non-university-issued, instance of a tool or software, such as your non-work instance of Google, Microsoft, Box
- Social media
- AI tools and features that have not been approved specifically for your use case
- Portable storage devices, including flash drives, CDs, and external hard drives that do not authenticate access and can be used from multiple workstations
- SMS/text messaging