AI is changing how education providers talk to students. But what happens to compliance when the conversation is automated?
AI is no longer a future consideration for education providers. It’s a present one. Across the sector, providers are exploring how AI can help them respond to more enquiries, convert more leads, and do it without stretching already-lean teams.
But alongside the opportunity sits a very reasonable question: if an AI is handling student conversations, who is responsible for what gets said? And does using AI put an education provider’s compliance obligations at risk?
These aren’t hypothetical concerns. Education providers operate in a regulated environment. ASQA has standards around student communications. Privacy law governs how enquiry data is collected and used. The stakes of getting it wrong are real, and for a marketing manager already stretched across campaigns, leads, and reporting, adding a compliance grey area to the mix isn’t an appealing prospect.
So we put the hard questions to the two people who have been building our new AI enrolment advisor, GabbyAI, from the ground up.
I sat down with Nicholaus Crofts, Head of Operations in Enrolment Services and Edwin Camilleri, our Head of AI, to talk about the compliance questions education providers are actually asking on privacy, accuracy, ASQA obligations, and what happens when something goes wrong.
The compliance questions education providers are actually asking
For Edwin, responsible AI isn’t a policy document on a shelf. It’s a set of active design decisions that determine how GabbyAI behaves on every single call. Candlefox’s approach is shaped by Australia’s AI Ethics Principles, Guidance for AI Adoption, National Framework for the Assurance of Artificial Intelligence and National AI Plan, which serve as a foundation for how the product is built.
Edwin: “We’re working on aligning our processes and GabbyAI’s behaviour with the combined principles across those frameworks. Things like accountability, transparency to end users, privacy and data security, human oversight, and contestability. We’re in the process of auditing against what we’ve implemented so far, and we’ll be building on that over time.”
The principles cover a variety of areas from fairness and data privacy through to record-keeping and accountability. Work is still underway to audit and align GabbyAI against each of them, but the commitment is already shaping how the product is built and how it behaves on every call.
Who is responsible for student data privacy when AI is handling enrolment enquiries?
When AI enters the picture, it’s natural to wonder whether the rules change. Do existing consent obligations still apply? Who carries responsibility for how student data is collected and used? And does introducing an AI layer create new gaps in compliance?
Nich: “Standard consent obligations don’t change because AI is involved. The collection, storage, and use of student data sit within existing privacy and data responsibilities. GabbyAI handles the conversations, and the providers – alongside Candlefox – retain responsibility for how that data is managed. As with any student communication, providers should ensure that their privacy policy accurately reflects how enquiry data is collected and used. GabbyAI operates within that framework.”
Edwin: “The data boundaries are also tighter than providers might assume. GabbyAI is only provided with the course details relevant to a student’s enquiry, along with the student’s first name and phone number. All other personal information remains within our CRM. Any recordings and call records collected during the conversation are retained exclusively within Candlefox’s data platform.”
This is the framing that matters: AI doesn’t create a separate compliance category. It’s a channel, like email or phone, and the same obligations that govern those interactions apply here, too. The responsibility doesn’t transfer to the technology; it stays with the provider and Candlefox, exactly as it would with any other form of student communication.
Before deploying GabbyAI, it’s worth reviewing whether your privacy policy accurately describes how enquiry data flows through your systems. That’s a housekeeping step, not a new burden, and it’s one Candlefox supports providers through as part of the setup process.
How do you make sure an AI gives students accurate information about courses, fees, and funding?
What happens if it tells a student the wrong thing? It’s a fair concern. Fees change. Funding rules shift. Course details get updated. And in a regulated environment, inaccurate information isn’t just an inconvenience – it’s a compliance risk.
But the concern is based on a misconception about how GabbyAI actually works.
Nich: “GabbyAI doesn’t generate the information. It works from the source. Everything she presents to students – course details, fees, funding options – is sourced directly from the provider and loaded into the system. The same information that course advisors would be presenting, nothing more. If the information changes, it gets updated. GabbyAI stays current and compliant because the provider controls what it knows.”
Edwin: “There’s also a safeguard built into what happens when GabbyAI reaches the edge of its knowledge. If a student asks something GabbyAI doesn’t have information to answer, it’s directed to say so clearly and offer to transfer to a human advisor. No guessing, no gap-filling.”
This is a meaningful distinction. GabbyAI isn’t drawing on a general knowledge base or making inferences. It’s operating from a curated, provider-controlled information set, which is the same material a trained human advisor would reference on a call. The accuracy question isn’t an AI problem. It’s an information management process, and one that education providers already own.
Does using AI for student communications put your ASQA compliance at risk?
Education providers operate under real, enforceable standards when it comes to how they communicate with prospective students. So when an AI is handling those conversations, the question of regulatory fit matters.
The short answer is that GabbyAI is designed to sit within an education provider’s existing compliance framework, not outside it. The longer answer is worth understanding before you deploy.
Nich: “The same way a well-trained advisor does. Just as education providers train their human advisors to communicate within ASQA standards, GabbyAI is coached to operate within those same parameters. As part of the GabbyAI setup process, providers supply information, guidelines, and boundaries that govern how GabbyAI communicates with students. That becomes the framework it operates within, consistently across every communication. Compliance responsibility doesn’t disappear – but GabbyAI is built to support it, not work around it.”
Think of the setup process as the equivalent of onboarding a new team member, except GabbyAI applies that briefing consistently, across every conversation, without variation. The standards an education provider sets during implementation become the guardrails GabbyAI operates within at scale.
If a student complaint is raised about an AI-handled call, what evidence does an education provider have?
No communication channel is entirely without risk. But the question worth asking isn’t whether risk exists – it’s whether you’re better or worse positioned to respond to it.
For education providers using GabbyAI, the answer is clear.
Nich: “Every conversation GabbyAI has is recorded, and if a complaint is raised, a full review of all calls relating to that student is available, giving providers a clear and complete picture of every interaction from first contact to point of complaint. This actually puts education providers in a stronger position than they’d often be with human advisors, where call notes can be inconsistent or incomplete.”
Edwin: “That audit trail is reinforced by GabbyAI’s QA process, which assesses every call against a defined set of criteria covering compliance, call process, discovery quality, pitch personalisation, objection handling, conversational quality, and closing. Transcripts are checked against actual course information to verify accuracy, and any discrepancies are flagged in generated reports.”
That last point is worth sitting with. Human-handled enquiries often rely on advisor notes that vary in quality and detail. With GabbyAI, the record is complete, consistent, and retrievable. In a complaints scenario, that’s not just reassuring – it’s a material advantage.
For providers who carry compliance obligations around student communications, a full audit trail isn’t a nice-to-have. It’s exactly the kind of evidence base that demonstrates due diligence.
AI doesn’t remove compliance responsibility. It just changes the shape of it.
The compliance questions around AI are worth asking. What this conversation makes clear is that the answers are less complicated than most providers expect.
GabbyAI doesn’t operate outside your existing obligations; it operates within them. Data is handled responsibly, information is provider-controlled, and every conversation is recorded and auditable. The standards you set during setup become the guardrails that hold across every call, every time.

