Many federal laws control the disclosure of student data, and they affect the use of this information by the Office of Student Financial Aid (OSFA) in different ways, depending on the source of the data and on whether the data is personally identifiable information (PII): information that can be used to identify a person, i.e. name, address, SSN, DOB, place of birth, or any information that, alone or in combination, is linked to a particular student and would allow a person within the school community who has no personal knowledge of the relevant circumstances to identify the student with sufficient certainty. Collection Title: Student Aid Internet Gateway (SAIG) Enrollment Document. On February 28, 2020, the U.S. Department of Education's Office of Federal Student Aid (FSA) issued an electronic announcement to enforce the cybersecurity requirements of the Gramm-Leach-Bliley Act (GLBA) for all higher education institutions participating in the Higher Education Act (HEA) and their third-party higher education programs. The notice indicates that auditors are expected to assess three GLBA requirements for information protection in annual compliance audits of post-secondary institutions and external service providers. All findings of non-compliance will be communicated to the Federal Trade Commission (FTC) and the FSA cybersecurity team to continue the investigation and take negative action. All institutions participating in Title IV should consult with the Commission on the very serious consequences and administrative measures that can be taken if they or their third-party providers do not meet the GLBA's information security requirements. The requirement to protect student data is not new, and the recent announcement reminds all universities participating in Title IV of these long-standing requirements.
The only method allowed for most third parties to obtain FAFSA information under the HEA is directly from the student; the OSFA cannot provide this information even with the student's written permission. However, legislation in 2018 and 2019 changed this section of the HEA to allow institutions to share a student's FAFSA data with scholarship-granting organizations and tribal organizations to assist in the application, award or management of scholarship programs (or to help students apply for assistance that would be paid for items in a student's official Title IV fee), but only if the student expressly gives written consent authorizing the release of this data. In October 2019, the Department issued a letter to certified accountants conducting annual compliance audits of some higher education institutions and all specialized service providers. In this letter, the Department amended the September 2016 Audit Guide, the Home Schools Audit Guide and the compliance obligations of third parties who manage Title IV programs, adding Section C.8.12 to Chapter 3 to determine whether higher education institutions have complied with the GLBA and the protection policy regarding the security and confidentiality of student information.
Auditors must certify that institutions and service providers: (1) have appointed a person to coordinate the institution's information security program; (2) have conducted a risk assessment that takes into account the three required areas defined in the protection rule; and (3) have protection for each identified risk. The announcement outlines for the first time the possible consequences when the Department receives an audit report containing a GLBA review that revealed non-compliance, a strong signal that the Department is strengthening the implementation of the GLBA.