Protecting Student Data/ Financial Aid Data Sharing MSFAA Summer Conference June 10 – 13, 2018
Presenter Ryan Rafko Associate Director of Financial Aid & Scholarships – Operations University of Michigan – Dearborn 2018-2019 MSFAA President
Historical Context In fall of 2017, ED upended the long standing guidance by reinterpreting the existing law to prohibit schools from sharing student specific information with other entities Whereas previously, student authorization was permitted, ED now stated that such authorization was not sufficient This created uncertainty among financial aid professionals and has created another unnecessary hoop
Historical Context This new guidance prohibited institutions from sharing data with other entities (outside scholarship entities, sibling verification forms, Section 8 (Housing Act of 1937) housing information, fee waivers, etc.). Efficiency is now grounded in regards to decades of practice concerning data sharing. How do we respond to this reinterpretation?
Historical Context We recognize security is a viable concern (one year ago we learned of the data breach regarding the DRT). The implementation of protecting PII and masking/encrypting data is understood but it must be balanced against measures that become counter effective to service and processing.
Introduction Guidance from PTAC states Colleges and Universities are not permitted to release any financial aid data unless the release is for one of the specific purposes permitted by law, even with the student’s written authorization. This guidance prohibited institutions from sharing data with other entities: Outside Scholarship Entities **clarified on March 23, 2018 with FY2018 Spending Bill: permissible with private scholarship providers with explicit written consent from the students. Sibling Verification Forms Section 8 housing Information Fee Waivers
Applicable Laws HEA: Higher Education Act of 1965 as amended Section 483(a)(3)(E) FERPA: Family Educational Rights and Privacy Act 20 U.S.C § 1232g C.F.R Part 99 Privacy Act of 1974 5 U.S.C. § 552
Section 483(a)(3)(E) of the HEA Specifies that financial aid data, which includes information related to the student’s Expected Family Contribution (EFC) and financial aid awards “shall be used only for the application, award and administration of aid awarded under federal student aid programs, state aid or aid awarded by the eligible institution or such entities as the Department may designate.”
Higher Education Act FSA programs are authorized by the Higher Education Act of 1965 (HEA), as amended The Federal Law that governs the administration of most FSA programs. Some of the statutory provisions found in the HEA, including provisions restricting the use of FAFSA/ISIR and NSLDS data, do not have corresponding regulations because Congress has limited the Department’s authority to further regulate the application and need–analysis process.
Higher Education Act The provisions of the HEA apply broadly to the information collected or derived FASFA/ISIR data Key Processing Results EFC FA History (NSLDS history within the SAR/ISIR) Also includes use of ISIR data to determine awards, the resulting awards and disbursement data including COD ED interprets “administration of aid” to include audits and program evaluations necessary for the efficient and effective administration of those student aid programs.
Scope of FERPA Prohibits institutions receiving federal funds from disclosing Personally Identifiable Information contained in education records without the express written consent of the student unless doing so falls in one of several exceptions found in 34 C.F. R. 99.312. PII: includes name, address, SSN, student ID number, DOB, place of birth, mother’s maiden name etc. PII: includes information alone or in combination is linked or linkable to a specific student that would allow a reasonable person to identify the student
Scope of the Privacy Act Applies to the Department’s student records to prevent the improper release of government-held student PII. The Department is prohibited from releasing student records from their systems without prior written consent from the individual to whom the record pertains. Allows for the release of data to institutions for the ‘routine use’ for which the data is collected. The SAIG agreement establishes requirements for the electronic exchange of student data.
When Is Disclosure of PII/Education records permitted? Under FERPA: When necessary to determine financial aid eligibility or amount of award, conditions for the aid, or to enforce the terms and conditions of the aid. Under HEA: FASFA application data may only be used for the application , award and administration of Title IV funds, state aid, and institutional aid programs. Under PTAC: de-identified, aggregate, descriptive statistics about program participants is permitted use of the FAFSA/ISIR data and related ward information.
When Is Disclosure of PII/Education records permitted? May not release a student’s FAFSA/ISIR data and related award information that ha snot bee de- identified for the purpose other than those prescribed in the HEA, even if the student provides a signed release. The student must provide the data directly to the requesting party. Institutions are required, without obtaining prior written consent, to release information to: Auditors The Department Accrediting agencies Other state and local education agencies
We need to understand The importance and the time line on the uses of FAFSA data under the HEA The general restrictions on the release of all student data under FERPA The release of government data under the Privacy Act
Resources Privacy Technical Assistance Center Guidance on the Use of FA Information https://studentprivacy.ed.gov/sites/default/files/resource_document/file/FSA_final_0.pdf NASFAA Financial Aid Data Sharing White Paper https://www.nasfaa.org/uploads/documents/june2017_data_sharing_white_paper.pdf FSA Session #30 and #37 https://fsaconferences.ed.gov/2017sessionlist.html Cybersecurity Compliance IFAP Resources https://ifap.ed.gov/eannouncements/Cyber.html FAQ’s @ Cybersecurity Compliance https://ifap.ed.gov/eannouncements/attachments/CyberFAQ.pdf
What are you doing? What have other schools done? Have you made any changes to your office policies? Are you keeping your campus informed of these changes?
Contact Information Thank You for coming to this presentation! Email: rrafko@umich.edu Phone: 313-583-6652 Any other questions?