What GAO Found
The Department of Education's (Education) Office of Federal Student Aid (FSA) and postsecondary schools collect, use, and share a variety of information—including personally identifiable information (PII)—from students, their families, and others to support the administration of student aid. This information is used to make decisions about the eligibility of schools to participate in federal student aid programs, the processing of student applications and students' eligibility to receive various types of aid, the disbursement of funds to aid recipients, and the repayment of loans and recovery of defaulted loan payments.
Education and FSA have established policies and procedures for managing and protecting student information that are aligned with applicable federal laws. However, shortcomings in key areas hinder the effectiveness of FSA's procedures. For example, FSA established procedures and tools for managing and organizing records and scheduling them for disposition, but did not fully establish such procedures for electronic data, ensure that employees regularly received training, or conduct a required internal assessment of its records management program. Regarding the protection of student information, FSA did not consistently analyze privacy risks for its electronic information systems, and policies and procedures for protecting information systems were not always up to date. FSA's shortcomings are consistent with the Education Inspector General's identification of persistent weaknesses in the department's information security policies, procedures, and controls. Recommendations to address these weaknesses are not yet fully implemented. Until FSA implements the recommendations, it increases the risk of improper disclosure of information contained in student aid records.
Based on a GAO survey of schools, the majority (an estimated 95 percent of all schools) of those participating in the federal student aid process reported having policies in place, including records retention and disposition policies. However, schools varied in the methods they used to store records, the retention periods for paper and electronic records, and the disposition control activities they employed (such as the authorization and approval process for destroying records).
FSA oversees schools' participation in student aid programs, but this oversight does not extend to schools' information security programs. To oversee schools' compliance, FSA conducts reviews of schools' student aid programs, based on a number of risk factors. However, it has not identified implementation of information security programs as a factor to consider in selecting schools for program reviews, even though schools have reported serious data breaches. GAO's review of selected schools' policies found that schools did not always include required information security elements, such as assessing risks or designing and implementing safeguards. Moreover, Education's implementing regulations do not require schools to demonstrate their ability to protect student information as a condition for participating in federal aid programs. This raises concerns about FSA's oversight and how effectively schools are protecting student aid information. Until Education ensures that information security requirements are considered in program reviews of schools, FSA will lack assurance that schools have effective information security programs.
Why GAO Did This Study
FSA oversees the award of billions of dollars in federal student aid to eligible students each year. The processing of student aid requires FSA, along with participating schools, to perform a range of functions across the student aid life cycle, including the management of PII on students and their families.
GAO was asked to examine how FSA and schools manage federal student aid records. The objectives of this study were to: (1) describe how FSA and schools use information they collect to manage the federal student aid program, (2) determine the extent to which FSA policies and procedures for managing and protecting this information align with federal requirements, (3) describe the extent to which schools have established policies and procedures for managing student aid information, and (4) determine the extent to which FSA ensures that schools protect this information. To do this, GAO reviewed Education and FSA policies and interviewed agency officials. GAO also administered a survey to a stratified random sample of 560 schools that is generalizable to the population of about 6,200 schools.
Reissued on December 15, 2017
GAO recommends that FSA take seven actions to strengthen its management and protection of federal student aid records and enhance its oversight of schools. FSA concurred or generally concurred with five of GAO's recommendations, partially concurred with another, and did not concur with another. GAO believes all of the recommendations as discussed in the report are warranted.
Recommendations for Executive Action
|Department of Education||1. The Secretary of Education should direct the Chief Operating Officer of FSA to establish and document a procedure for the destruction of records contained in electronic systems in accordance with approved disposition schedules. (Recommendation 1)|
|Department of Education||2. The Secretary of Education should direct the Chief Operating Officer of FSA to ensure staff receive records management training annually. (Recommendation 2)|
|Department of Education||3. The Secretary of Education should direct the Chief Operating Officer of FSA to conduct the triennial assessment of the FSA records management program. (Recommendation 3)|
|Department of Education||4. The Secretary of Education should direct the Chief Operating Officer of FSA to ensure that privacy impact assessments address all required elements. (Recommendation 4)|
|Department of Education||5. The Secretary of Education should direct the Chief Operating Officer of FSA to ensure that information security-related policies and procedures are reviewed at least annually, in accordance with FSA policy; updated as needed; and approved by security officials. (Recommendation 5)|
|Department of Education||
Priority Rec.6. The Secretary of Education should incorporate into its program review process the review of postsecondary schools' information security program requirements. (Recommendation 6)
|Department of Education||7. The Secretary of Education should update its regulation to include protections of personal information as an element of a school's ability to demonstrate its administrative capability. (Recommendation 7)|