By Karen McCarthy, NASFAA Policy & Federal Relations Staff

The Department of Education (ED) has confirmed verbally that schools that receive unsolicited personally identifiable information (PII) from a student or parent through an unsecured manner, do not currently have to report it as a data breach to ED. Discussions on this topic are continuing at ED.

During an open forum at last month’s Federal Student Aid Training Conference, ED staff had advised that these cases must be reported to ED as data breaches. Schools expressed concerns about the lack of clear guidance and procedures and the necessity to report every time this occurs.

Schools should not request or offer that students and/or families submit PII in a manner that is unsecured, such as an unsecured email system. Financial aid administrators should consult with their institution’s data security team for assistance.

ED’s Privacy Technical Assistance Center has several resources on data security, including a Data Breach Response Checklist. In the checklist, they define a data breach as “any instance in which there is an unauthorized release or access of PII or other information not suitable for public release.” They include several examples of data breaches, such as hackers and employee negligence, but there is no mention of unsolicited receipt of PII in an unsecured manner as a data breach. In the checklist, ED recommends that schools contact ED when a data breach does occur.

Stay tuned to Today’s News for any updated guidance from ED.

Publication Date: 1/4/2018

Comments Disclaimer: NASFAA welcomes and encourages readers to comment and engage in respectful conversation about the content posted here. We value thoughtful, polite, and concise comments that reflect a variety of views. Comments are not moderated by NASFAA but are reviewed periodically by staff. Users should not expect real-time responses from NASFAA. To learn more, please view NASFAA’s complete Comments Policy.