Federal Student Aid:

Better Program Management and Oversight of Postsecondary Schools Needed to Protect Student Information [Reissued on December 15, 2017]

GAO-18-121: Published: Nov 27, 2017. Publicly Released: Dec 4, 2017.

Multimedia:

  • PODCAST: Protecting Students' Information When Applying for Federal Student Aid

    The Education Department and schools gather personal information on the millions of students receiving aid each year. How well is that information protected?


Contact:

Nick Marinos
(202) 512-9342
marinosn@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Department of Education's (Education) Office of Federal Student Aid (FSA) and postsecondary schools collect, use, and share a variety of information—including personally identifiable information (PII)—from students, their families, and others to support the administration of student aid. This information is used to make decisions about the eligibility of schools to participate in federal student aid programs, the processing of student applications and students' eligibility to receive various types of aid, the disbursement of funds to aid recipients, and the repayment of loans and recovery of defaulted loan payments.

Education and FSA have established policies and procedures for managing and protecting student information that are aligned with applicable federal laws. However, shortcomings in key areas hinder the effectiveness of FSA's procedures. For example, FSA established procedures and tools for managing and organizing records and scheduling them for disposition, but did not fully establish such procedures for electronic data, ensure that employees regularly received training, or conduct a required internal assessment of its records management program. Regarding the protection of student information, FSA did not consistently analyze privacy risks for its electronic information systems, and policies and procedures for protecting information systems were not always up to date. FSA's shortcomings are consistent with the Education Inspector General's identification of persistent weaknesses in the department's information security policies, procedures, and controls. Recommendations to address these weaknesses are not yet fully implemented. Until FSA implements the recommendations, it increases the risk of improper disclosure of information contained in student aid records.

Based on a GAO survey of schools, the majority of schools participating in the federal student aid process (an estimated 95 percent of all schools) reported having policies in place, including records retention and disposition policies. However, schools varied in the methods they used to store records, the retention periods for paper and electronic records, and the disposition control activities they employed (such as the authorization and approval process for destroying records).

FSA oversees schools' participation in student aid programs, but this oversight does not extend to schools' information security programs. To oversee schools' compliance, FSA conducts reviews of schools' student aid programs, based on a number of risk factors. However, it has not identified implementation of information security programs as a factor to consider in selecting schools for program reviews, even though schools have reported serious data breaches. GAO's review of selected schools' policies found that schools did not always include required information security elements, such as assessing risks or designing and implementing safeguards. Moreover, Education's implementing regulations do not require schools to demonstrate their ability to protect student information as a condition for participating in federal aid programs. This raises concerns about FSA's oversight and how effectively schools are protecting student aid information. Until Education ensures that information security requirements are considered in program reviews of schools, FSA will lack assurance that schools have effective information security programs.

Why GAO Did This Study

FSA oversees the award of billions of dollars in federal student aid to eligible students each year. The processing of student aid requires FSA, along with participating schools, to perform a range of functions across the student aid life cycle, including the management of PII on students and their families.

GAO was asked to examine how FSA and schools manage federal student aid records. The objectives of this study were to: (1) describe how FSA and schools use information they collect to manage the federal student aid program, (2) determine the extent to which FSA policies and procedures for managing and protecting this information align with federal requirements, (3) describe the extent to which schools have established policies and procedures for managing student aid information, and (4) determine the extent to which FSA ensures that schools protect this information. To do this, GAO reviewed Education and FSA policies and interviewed agency officials. GAO also administered a survey to a stratified random sample of 560 schools that is generalizable to the population of about 6,200 schools.

What GAO Recommends

GAO recommends that FSA take seven actions to strengthen its management and protection of federal student aid records and enhance its oversight of schools. FSA concurred or generally concurred with five of GAO's recommendations, partially concurred with another, and did not concur with another. GAO believes all of the recommendations as discussed in the report are warranted.

For more information, contact Nick Marinos at (202) 512-9342 or marinosn@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Education should direct the Chief Operating Officer of FSA to establish and document a procedure for the destruction of records contained in electronic systems in accordance with approved disposition schedules. (Recommendation 1)

    Agency Affected: Department of Education

  2. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Education should direct the Chief Operating Officer of FSA to ensure staff receive records management training annually. (Recommendation 2)

    Agency Affected: Department of Education

  3. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Education should direct the Chief Operating Officer of FSA to conduct the triennial assessment of the FSA records management program. (Recommendation 3)

    Agency Affected: Department of Education

  4. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Education should direct the Chief Operating Officer of FSA to ensure that privacy impact assessments address all required elements. (Recommendation 4)

    Agency Affected: Department of Education

  5. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Education should direct the Chief Operating Officer of FSA to ensure that information security-related policies and procedures are reviewed at least annually, in accordance with FSA policy; updated as needed; and approved by security officials. (Recommendation 5)

    Agency Affected: Department of Education

  6. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Education should incorporate into its program review process the review of postsecondary schools' information security program requirements. (Recommendation 6)

    Agency Affected: Department of Education

  7. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Education should update its regulation to include protections of personal information as an element of a school's ability to demonstrate its administrative capability. (Recommendation 7)

    Agency Affected: Department of Education
