ED Reminds Schools of Privacy and Security Responsibilities

By Karen McCarthy, NASFAA Policy & Federal Relations Staff

In anticipation of the redeployment of the IRS Data Retrieval Tool (DRT) for the start of the 2018-19 application year on October 1, ED reminds schools in an Electronic Announcement that they must have policies and practices in place that provide for adequate authentication of an applicant’s identity before disclosing any confidential information.

As announced in May, the DRT will be modified to address privacy and security concerns by encrypting the taxpayer’s information, making it unviewable by the applicant. Schools and state agencies will continue to receive all of the tax return information transferred into the FAFSA via the DRT. The encryption solution is intended to strike a balance between ensuring the continued availability of the DRT and its many benefits, and protecting the privacy of personal information and maintaining the integrity of our tax collection system.

The announcement reiterates current policy that schools must not disclose income and tax information from the FAFSA with the applicant (and, if applicable, his or her spouse or parents) unless the FAFSA applicant (and, if applicable, his or her spouse or parents) can authenticate their identity. The most secure method to do this is in person, with the FAFSA applicant presenting an unexpired, valid government issued photo identification (e.g. a driver’s license, non-driver’s identification card, other State issued identification, or U.S. passport).

However, ED recognizes that in-person authentication is not always possible and stresses that schools must have policies and procedures in place that ensure that highly confidential information is not inappropriately disclosed, regardless of the disclosure method. ED states that “institutions and state agencies may need to strengthen their internal controls and provide additional training for staff to ensure that confidential information is not inappropriately or inadvertently disclosed.”

NASFAA appreciates that ED reminds schools of their responsibilities regarding confidential information while allowing schools the discretion to develop their own policies. To avoid any future data breaches that may lead to the permanent removal of the DRT, NASFAA encourages schools to critically self-evaluate their policies and procedures in this area. To assist in this effort, NASFAA will be offering a webinar with a panel of financial aid administrators who will share their best practices on privacy and security of financial aid information. Stay tuned to Today’s News for details about the webinar.


Publication Date: 9/6/2017

You must be logged in to comment on this page.

Comments Disclaimer: NASFAA welcomes and encourages readers to comment and engage in respectful conversation about the content posted here. We value thoughtful, polite, and concise comments that reflect a variety of views. Comments are not moderated by NASFAA but are reviewed periodically by staff. Users should not expect real-time responses from NASFAA. To learn more, please view NASFAA’s complete Comments Policy.

Related Content

AskRegs COVID-19 Questions


Verification 2020-21


View Desktop Version