Notice2023-16001
Privacy Act of 1974; System of Records
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
July 28, 2023
Issuing agencies
Education Department
Abstract
In accordance with the Privacy Act of 1974, as amended (Privacy Act), the Chief Operating Officer for Federal Student Aid (FSA) of the U.S. Department of Education (Department) publishes this notice of a modified system of records entitled the "Person Authentication Service" (PAS) (18-11-12). The information contained in this system is maintained for various purposes relating to applicants for a user ID and password (FSA ID), who include current, former, and prospective aid applicants and recipients, participants who enter their personally identifiable information (PII) as part of the Free Application for Federal Student Aid (FAFSA[supreg]) form (i.e., parents of dependent FAFSA applicants or recipients and spouses of independent FAFSA applicants or recipients) under title IV of the Higher Education Act of 1965, as amended (HEA), spouses of aid applicants or recipients who enter their PII as part of income-driven repayment (IDR) certifications or recertifications, endorsers, and third-party preparers (i.e., individuals who provide consultative or preparation services for the completion of the FAFSA).
Full Text
<html>
<head>
<title>Federal Register, Volume 88 Issue 144 (Friday, July 28, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 144 (Friday, July 28, 2023)]
[Notices]
[Pages 48817-48824]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-16001]
-----------------------------------------------------------------------
DEPARTMENT OF EDUCATION
[Docket ID ED-2023-FSA-0136]
Privacy Act of 1974; System of Records
AGENCY: Federal Student Aid, Department of Education.
ACTION: Notice of a modified system of records.
-----------------------------------------------------------------------
SUMMARY: In accordance with the Privacy Act of 1974, as amended
(Privacy Act), the Chief Operating Officer for Federal Student Aid
(FSA) of the U.S. Department of Education (Department) publishes this
notice of a modified system of records entitled the ``Person
Authentication Service'' (PAS) (18-11-12). The information contained in
this system is maintained for various purposes relating to applicants
for a user ID and password (FSA ID), who include current, former, and
prospective aid applicants and recipients, participants who enter their
personally identifiable information (PII) as part of the Free
Application for Federal Student Aid (FAFSA[supreg]) form (i.e., parents
of dependent FAFSA applicants or recipients and spouses of independent
FAFSA applicants or recipients) under title IV of the Higher Education
Act of 1965, as amended (HEA), spouses of aid applicants or recipients
who enter their PII as part of income-driven repayment (IDR)
certifications or recertifications, endorsers, and third-party
preparers (i.e., individuals who provide consultative or preparation
services for the completion of the FAFSA).
DATES: Submit your comments on this modified system of records notice
on or before August 28, 2023. This modified system of records notice
will become applicable upon publication in the Federal Register on July
28, 2023, except for new and modified routine uses (1)(a), (1)(b),
(1)(c), (1)(d), (1)(e), (1)(f), (2), (9), (10), (11), (12), (13), and
(14) that are outlined in the section entitled ``ROUTINE USES OF
RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND
PURPOSES OF SUCH USES,'' which will be applicable on August 28, 2023,
unless they need to be changed as a result of public comment. The
Department will publish any changes to the modified system of records
notice resulting from public comment.
ADDRESSES: Comments must be submitted via the Federal eRulemaking
Portal at <a href="http://regulations.gov">regulations.gov</a>. However, if you require accommodation or
cannot otherwise submit your comments via <a href="http://regulations.gov">regulations.gov</a>, please
contact the program contact person listed under FOR FUTHER INFORMATION
CONTACT.
The Department will not accept comments submitted by fax or by
email, or comments submitted after the comment period closes. To ensure
that the Department does not receive duplicate copies, please submit
your comments only once. In addition, please include the Docket ID at
the top of your comments.
<bullet> Federal eRulemaking Portal: Go to <a href="http://www.regulations.gov">www.regulations.gov</a> to
submit your comments electronically. Information on using
Regulations.gov, including instructions for accessing agency documents,
submitting comments, and viewing the docket, is available on the site
under the ``FAQ'' tab.
Privacy Note: The Department's policy is to make comments received
from members of the public available for public viewing in their
entirety on the Federal eRulemaking Portal at <a href="http://www.regulations.gov">www.regulations.gov</a>.
Therefore, commenters should be careful to include in their comments
only information that they wish to make publicly available.
Assistance to Individuals with Disabilities in Reviewing the
Rulemaking Record: On request, we will provide an appropriate
accommodation or auxiliary aid to an individual with a disability who
needs assistance to review the comments or other documents in the
public rulemaking record for this notice. If you want to schedule an
appointment for this type of accommodation or auxiliary aid, please
contact the person listed under FOR FURTHER INFORMATION CONTACT.
FOR FURTHER INFORMATION CONTACT: Robert Anderson, FSA Identity and
Access Management (IAM), PAS Manager, Technology Office, Federal
Student Aid, UCP, 830 First St. NE, Room 103E2, Washington, DC 20202 or
email: <a href="/cdn-cgi/l/email-protection#8ddfe2efe8fff9a3cce3e9e8fffee2e3cde8e9a3eae2fb"><span class="__cf_email__" data-cfemail="f5a79a97908781dbb49b919087869a9bb59091db929a83">[email protected]</span></a>.
If you use a telecommunications device for the deaf (TDD) or a text
telephone (TTY), you may call the Federal Relay Service (FRS), toll
free, at 1-800-877-8339.
SUPPLEMENTARY INFORMATION: In accordance with the Privacy Act, the
Department proposes to modify the system of records notice entitled
``Person Authentication Service (PAS)'' (18-11-12), which was last
published in full in the Federal Register on March 20, 2015 (80 FR
14981).
The Department is modifying the section entitled ``SYSTEM
LOCATION'' as follows:
(i) By deleting the Dell Systems Virtual Data Center location and
adding the Amazon AWS GovCloud located at 12th Avenue, Suite 1200,
Seattle, WA 98114. (This is the Hosting Center for the PAS application,
where all electronic PAS information is processed and maintained.); and
(ii) By updating the address of PPS Infotech from Rockville, MD, to
Ashburn, VA.
The Department is modifying the section entitled ``SYSTEM
MANAGER(S)'' to change the title of the system manager from simply
``PAS Manager'' to ``FSA Identity and Access Management (IAM), Division
Chief, PAS Manager,'' and to make minor updates to the system manager's
address.
The Department is modifying the section entitled ``AUTHORITY FOR
MAINTENANCE OF THE SYSTEM'' to add ``the FAFSA Simplification Act
(title VII, division FF of Pub. L. 116-260, the Consolidated
Appropriations Act, 2021) (including, but not limited to, section
702(m) that amends section 483 of the HEA and section 703 that amends
section 401 of the HEA), and the FAFSA Simplification Act Technical
Corrections Act (division R of Pub. L. 107-103, the Consolidated
Appropriations Act, 2022),'' which reflect amendments to the HEA to
improve the financial aid application experience and expand title IV,
HEA eligibility.
The Department is modifying the section entitled ``PURPOSE(S) OF
THE SYSTEM'' as follows:
(i) The Department has reorganized the section to distinguish
between purposes related to individuals covered by the system and
purposes related to the Department's oversight and administration of
the title IV, HEA programs and by adding numbering to the various
purposes listed under each subsection;
(ii) For the purposes related to individuals covered by the system:
(a) The Department is consolidating, and designating as purpose
(1), the
[[Page 48818]]
existing purposes relating to generating authentication and log-on
credentials for those individuals wishing to access Departmental
student financial assistance systems, online applications, websites and
services, and to update their security challenge questions and
corresponding answers;
(b) In purpose (2), the Department is the existing purpose relating
to accessing Department systems by indicating that a purpose of the
system is to allow single sign-on and token management for all
Department student financial assistance systems including systems run
by Department contractors;
(c) In purpose (3), the Department is clarifying the existing
purpose relating to the electronic signature function by indicating
that a purpose of the system is to include electronic signatures on
student aid forms and applications, including, but not limited to, the
consent/affirmative approval for the Department to disclose records to
the Internal Revenue Service (IRS) to obtain Federal Tax Information
(FTI) and for the disclosure and redisclosure of the FTI, revocation of
such consent/affirmative approval, the FAFSA, Direct Loan Master
Promissory Notes, loan benefit programs, deferments, and forbearances
through <a href="http://Studentaid.gov">Studentaid.gov</a> and other Department websites; and
(d) The Department is adding purpose (4) to enable the Department,
or other Federal, State, Tribal, or local government agencies, to
investigate, respond to, or resolve complaints concerning the practices
or processes of the Department and/or the Department's contractors, or
to investigate, respond to, or resolve aid recipients' requests for
assistance or relief with regard to title IV, HEA program funds;
(iii) For the purposes related to the Department's oversight and
administration of title IV, HEA programs:
(a) The Department is adding purpose (1) to prevent fraud by taking
measures to validate PII submitted by aid applicants, aid recipients,
application participants;
(b) In purpose (2), the Department is modifying the existing
purpose relating to matching user information with authorized entities
by indicating that a purpose of the system is to match name, Social
Security Number (SSN) (or address, where applicable), and Date of Birth
(DOB) with an authorized entities for purposes of validating the PII
submitted and, if applicable, to determine program eligibility and
benefits;
(c) The Department is designating as purpose (3) the existing
purpose relating to providing usage information for FSA systems and
websites;
(d) The Department is designating as purpose (4) the existing
purpose relating to tracking changes to user account information;
(e) The Department is adding purpose (5) to maintain and track the
consent/affirmative approval on aid applicants and recipients to the
IRS for the IRS to disclose FTI under subsection 494(a) of the HEA (20
U.S.C. 1098h(a)) and section 6103(l)(13)(A) and (C) of the IRC to the
Department as part of a matching program to determine their determine
their eligibility under title IV of the HEA and to permit the
Department to redisclose FTI of individuals pursuant to section
6103(l)(13)(D)(iv) of the IRC and the revocation of such consent/
affirmative approval for IDR; and
(f) The Department is adding purpose (6) to support research,
analysis, and development, and the implementation and evaluation of
educational policies in relation to title IV, HEA programs.
The Department is modifying the section entitled ``CATEGORIES OF
INDIVIDUALS COVERED BY THE SYSTEM'' by deleting and replacing
``students'' with ``aid applicants and aid recipients'' who apply for a
FSA ID, clarifying that ``their parents'' who apply for a FSA ID refers
to parents of dependent FAFSA applicants who are participants and enter
their PII as part of the FAFSA form and apply for a FSA ID, adding
spouses of independent FAFSA applicants who are participants and enter
their PII as part of the FAFSA form and apply for a FSA ID, and to add
spouses of aid applicants or recipients who enter their PII as part of
IDR certifications or recertifications and apply for a FSA ID, and
adding third-party preparers who provide consultative or preparation
services for the completion of the FAFSA form and apply for a FSA ID,
to better explain the individuals covered by the system.
The Department is modifying the section entitled ``CATEGORIES OF
RECORDS IN THE SYSTEM'' as follows:
(i) The Department is adding a second paragraph to include consent/
affirmative approval both to permit the Department to disclose
information on aid applicants and recipients to the IRS for the IRS to
disclose FTI under subsection 494(a) of the HEA (20 U.S.C. 1098h(a))
and section 6103(l)(13)(A) and (C) of the IRC to the Department as part
of a matching program to determine their eligibility under title IV of
the HEA and to permit the Department to redisclose FTI of individuals
pursuant to section 6103(l)(13)(D)(iv) of the IRC and the revocation of
such consent/affirmative approval; and
(ii) The Department is adding a third paragraph that explains that
PAS maintains information, such as SSN verification flag, citizenship
status, and death indicator, obtained by the Department pursuant to
matching programs or other information exchanges with Federal agencies,
and other external entities, to assist in verifying the identifying
information of aid applicants or recipients, application participants,
including the parents of dependent aid applicants or recipients and the
spouses of independent aid applicants or recipients, endorsers, and
third-party preparers.
The Department is modifying the section entitled ``RECORD SOURCE
CATEGORIES'' as follows:
(i) The Department is modifying the first paragraph to explain that
PAS receives the verification flag, citizenship flag, and death
indicator through a matching program from the Central Processing System
(CPS) or the FAFSA Processing System (FPS);
(ii) The Department is adding a new second paragraph to explain
that PAS also collects from aid applicants or recipients their consent/
affirmative approval both to permit the Department to disclose
information on aid applicants and recipients to the IRS for the IRS to
disclose FTI under subsection 494(a) of the HEA (20 U.S.C. 1098h(a))
and section 6103(l)(13)(A) and (C) of the IRC to the Department as part
of a matching program to determine their eligibility under title IV of
the HEA and to permit the Department to redisclose FTI of individuals
pursuant to section 6103(l)(13)(D)(iv) of the IRC and the revocation of
such consent/affirmative approval for IDR;
(iii) The Department is adding a new third paragraph to explain
that information is also received from other Department systems or
their successor systems, such as:
(a) The Digital and Customer Care Information Technology (IT),
Central Processing System (CPS)and the FAFSA Processing System (FPS)
(covered by the Department's Privacy Act system of records notice
entitled ``Aid Awareness and Application Processing (AAAP'') (18-11-
21)); and
(b) The Enterprise Data Warehouse Analytics (EDWA) and Master Data
Management (MDM) components covered under the ``Enterprise Data
Management and Analytics Platform Services'' (covered by the
Department's Privacy Act system of records notice entitled ``Enterprise
Data Management and Analytics Platform Services (EDMAPS)'' (18-11-22));
and
(iv) The Department is adding a new fourth paragraph to indicate
that
[[Page 48819]]
information in this system may be obtained from other persons or
entities from whom or from which data is obtained following a
disclosure under the listed routine uses.
The Department is modifying the section entitled ``ROUTINE USES OF
RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND
PURPOSES OF SUCH USES'' as follows:
(i) Routine use (1)(a) is being modified to delete ``the individual
whom records indicate is applying for, has applied for, has endorsed,
or has received a title IV, HEA loan or grant'' and add ``current,
former, and prospective aid applicant, aid recipient (or their third-
party preparer), or endorser;'' to add validate the PII being entered
by the current, former, or prospective aid applicant or aid recipient
(or their third-party preparer) or endorser, whom records indicate is
applying for, has applied for, has endorsed, or has received a title
IV, HEA loan and/or grant, or a participant of such an application
including the spouse of an independent aid applicant or recipient or
the parent(s) of a dependent aid applicant or recipient; to delete
``authorized representatives;'' and to add Tribal agencies to the list
of entities to which the Department may disclose records to verify the
identity of an individual;
(ii) Routine use (1)(b) is being modified to delete ``their
authorized representatives'' to make the routine use clearer and to add
Tribal agencies to the list of agencies to which information may be
disclosed under this routine use;
(iii) Routine use (1)(c) is being deleted because PAS is not used
to facilitate default reduction;
(iv) Newly renumbered routine use (1)(c) is being modified to
delete the servicing, assigning, adjusting, transferring, referring, or
discharging of a loan; to remove authorized representatives; and to add
Tribal agencies to the list of agencies to which information may be
disclosed to permit the making or collecting of a grant or loan
obligation;
(v) Newly renumbered routine use (1)(d) is being modified to remove
authorized representatives of applicable Federal Loan Servicers or
Federal Perkins Loan Servicers, and Federal, State, or local agencies;
and to add Tribal agencies to the list of agencies to which disclosures
may be made to investigate possible fraud or abuse or verify compliance
with program regulations;
(vi) Newly renumbered routine use (1)(e) is being added to permit
the Department to disclose information on aid applicants and recipients
to disclose FTI under subsection 494(a) of the HEA (20 U.S.C. 1098h(a))
and section 6103(l)(13)(A) and (C) of the IRC to the Department as part
of a matching program to determine their determine their eligibility
under title IV of the HEA and to permit the Department to redisclose
FTI of individuals pursuant to section 6103(l)(13)(D)(iv) of the IRC
and the revocation of such consent/affirmative approval for IDR,
disclosures may be made to Federal Loan Servicers;
(vii) Routine use (1)(f) is being deleted because PAS is not used
to locate delinquent or defaulted borrowers;
(viii) The newly renumbered routine use (1)(f) is being modified to
delete authorized representatives of Guaranty agencies, educational and
financial institutions, Federal Loan Services, Federal Perkins Loan
Servicers, and Federal, State, or local agencies, and to add Tribal
agencies to the list of agencies to which disclosures may be made to
investigate complaints or to update information or correct errors
contained in Department records;
(ix) Routine use (1)(g) is being deleted because PAS is not used to
conduct credit checks or respond to inquiries or disputes;
(x) Routine use (2) entitled ``Feasibility Study Disclosure'' is
being deleted because the system is not used to conduct feasibility
studies;
(xi) Routine use (3) entitled ``Disclosure for Use by Other Law
Enforcement Agencies'' is being deleted because of concerns that it was
not compatible with the purposes for which records are collected in
this system;
(xii) Newly renumbered routine use (2) entitled ``Enforcement
Disclosure'' is being modified to indicate that if information in this
system of records indicates, either on its face or in connection with
other information, a violation or potential violation of any applicable
statute, regulation, or order of a competent authority, the Department
may disclose the relevant records to the appropriate agency, whether
foreign, Federal, State, Tribal or local, responsible for investigating
or prosecuting that violation or charged with enforcing or implementing
the statute, Executive Order, rule, regulation, or order issued
pursuant thereto;
(xiii) Newly renumbered routine use (9) entitled ``Contract
Disclosure'' has been modified to delete and replace ``[b]efore
entering into such a contract, the Department shall require the
contractor to establish and maintain Privacy Act safeguards as required
under subsection (m) of the Privacy Act (5 U.S.C. 552a(m) with respect
to the records in the system'' with ``[a]s part of such a contract, the
Department shall require the contractor to agree to establish and
maintain safeguards to protect the security and confidentiality of the
disclosed records'' to clarify when records can be shared;
(xiv) Newly renumbered routine use (10) entitled ``Research
Disclosure'' has been modified to delete and replace ``[t]he researcher
shall be required to maintain safeguards required under the Privacy Act
with respect to the records in the system'' with ``[t]he researcher
shall be required to agree to establish and maintain safeguards to
protect the security and confidentiality of the disclosed records'' to
clarify when records can be shared;
(xv) Newly renumbered routine use (11) entitled ``Congressional
Member Disclosure'' is being modified to clarify that the Department
may disclose the records of an individual to a member of Congress or
their staff when necessary to respond to an inquiry from the Member and
that the Member's request must be made not only at the written request
of, but also on behalf of, the individual whose records are being
disclosed;
(xvi) Routine use (14) entitled ``Disclosure to OMB for Federal
Credit Reform Act (CRA) Support'' was deleted because disclosures to
the Office of Management and Budget for CRA support are not made from
the PAS system;
(xvii) Newly renumbered routine use (12) entitled ``Disclosure in
the Course of Responding to a Breach of Data'' is being modified as
follows: in paragraph (a), to delete and replace ``the security or
confidentiality of information in the system of records has been
compromised'' with ``there has been a breach of the system of
records''; in paragraph (b), to delete and replace ``compromise'' with
``breach''; in paragraph (b), to permit the Department to make
disclosures when, in addition to satisfying paragraphs (a) and (c), the
Department determines that as a result of the suspected or confirmed
breach there is a risk of harm to individuals, the Department
(including its information systems, programs, and operations), the
Federal government, or national security; and in paragraph (c), to
delete and replace ``compromise'' with ``breach'';
(xviii) Newly renumbered routine use (13) entitled ``Disclosure in
Assisting another Agency in Responding to a Breach of Data'' is being
added to permit disclosures to assist another Federal agency or Federal
entity in responding to a suspected or confirmed breach of data;
[[Page 48820]]
(xix) Routine use (16) entitled ``Disclosure to Third Parties
through Computer Matching Programs'' is being deleted because this is
covered under the introductory paragraph of the section entitled
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND PURPOSES OF SUCH USES and covered under the separate
programmatic routine use disclosures; and
(xx) Newly renumbered routine use (14) entitled ``Disclosure to the
National Archives and Records Administration (NARA)'' is being added to
permit disclosures to NARA for the purpose of records management
inspections conducted under the authority of 44 U.S.C. 2904 and 2906.
The Department is modifying the section entitled ``POLICIES AND
PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS'' to explain that
records are primarily maintained in accordance with ED Records Schedule
278, ``FSA Person Authentication Service (PAS) Records'' (DAA-0441-
2016-0001) (ED 278), and the Department has submitted amendments to ED
278 for NARA's consideration and will not destroy records covered by ED
278 until such amendments are effective.
The Department is deleting the section entitled ``POLICIES AND
PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING AND DISPOSING
OF RECORDS IN THE SYSTEM'' and added the new section entitled
``ADMINISTRATIVE, TECHNICAL AND PHYSICAL SAGEGUARDS'' which describes
authorized users to the system; the physical safeguards of magnetic
tapes, disc packs, computer equipment; how other forms of data and
information are stored; the procedural safeguards required to access
the information; the required Federal Information Security Management
Act of 2002 (FISMA) requirements of a signed Authorization to Operate
(ATO) and its rigorous assessment of security controls; and finally,
the FISMA controls implemented that in combination secure the system
and maintain the information safely.
The Department is modifying the section entitled ``RECORD ACCESS
PROCEDURES'' to delete that individuals may access their records by
visiting the ED PAS Account Management site or by calling the FAFSA on
the web phone number listed on the website and to add that individuals
who wish to access their records must provide the system manager with
the necessary particulars such as their name, DOB, SSN, and any other
identifying information requested by the Department while processing
the request, to distinguish between individuals with the same name.
The Department is modifying the section entitled ``CONTESTING
RECORD PROCEDURES'' to delete that individuals may contest their
records by contacting the Customer Service Department and the last
sentence directing individuals whose SSN does not match the records of
the SSA either to correct their SSN in PAS or to contact the local
office of the SSA for a SSN correction; and to add that individuals who
wish to contest their records must provide the system manager with the
necessary particulars such as their name, DOB, SSN, and any other
identifying information requested by the Department while processing
the request, to distinguish between individuals with the same name, and
also must identify the specific item(s) to be changed and provide a
justification for the change, including any supporting documentation.
The Department is modifying the section entitled ``NOTIFICATION
PROCEDURES'' to include that in order to determine whether a record
exists about an individual in this system of records, the individual
must provide the system manager with the necessary particulars such as
their name, DOB, SSN, and any other identifying information requested
by the Department while processing the request to distinguish between
individuals with the same name.
Accessible Format: On request to the program contact person listed
under FOR FURTHER INFORMATION CONTACT, individuals with disabilities
can obtain this document in an accessible format. The Department will
provide the requestor with an accessible format that may include Rich
Text Format (RTF) or text format (txt), a thumb drive, an MP3 file,
braille, large print, audiotape, or compact disc, or other accessible
format.
Electronic Access to This Document: The official version of this
document is the document published in the Federal Register. You may
access the official edition of the Federal Register and the Code of
Federal Regulations at <a href="http://www.govinfo.gov">www.govinfo.gov</a>. At this site you can view this
document, as well as all other documents of this Department published
in the Federal Register, in text or Portable Document Format (PDF). To
use PDF you must have Adobe Acrobat Reader, which is available free at
the site.
You may also access documents of the Department published in the
Federal Register by using the article search feature at
<a href="http://www.federalregister.gov">www.federalregister.gov</a>. Specifically, through the advanced search
feature at this site, you can limit your search to documents published
by the Department.
Richard Cordray,
Chief Operating Officer, Federal Student Aid.
For the reasons discussed in the preamble, the Chief Operating
Officer, Federal Student Aid (FSA), U.S. Department of Education
(Department) publishes a notice of a modified system of records to read
as follows:
SYSTEM NAME AND NUMBER:
Person Authentication Service (PAS) (18-11-12).
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
Amazon Web Services (AWS) Government Cloud, 1200 12th Avenue, Suite
1200, Seattle, WA 98114. (This is the Hosting Center for the PAS
application, where all electronic PAS information is processed and
maintained.)
PPS Infotech, 20745 Williamsport Place, Suite 320, Ashburn, VA
20147. (PPS Infotech has access to the system and contracts directly
with the Department for the development, operations, and maintenance
support for PAS.)
SYSTEM MANAGER(S):
FSA Identity and Access Management (IAM), Division Chief, PAS
Manager, Technology Office, Federal Student Aid, Union Center Plaza,
830 First St. NE, 10th floor, Washington, DC 20202.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
The collection of personally identifiable information (PII) for the
creation and management of a FSA ID (which includes a user ID and a
password) is authorized programmatically by title IV of the Higher
Education Act of 1965, as amended (HEA) (20 U.S.C. 1070, et seq.) and
the FAFSA Simplification Act (title VII, division FF of Pub. L. 116-
260, the Consolidated Appropriations Act, 2021) (including, but not
limited to, section 702(m) that amends section 483 of the HEA and
section 703 that amends section 401 of the HEA), and the FAFSA
Simplification Act Technical Corrections Act (division R of Pub. L.
117-103, the Consolidated Appropriations Act, 2022).
PURPOSE(S) OF THE SYSTEM:
The information contained in this system is maintained for the
following purposes related to the individuals covered by the system:
[[Page 48821]]
(1) to generate authentication and log-on credentials for those
individuals wishing to access Departmental student financial assistance
systems, online applications, websites and services, and to update
security challenge questions and their corresponding answers;
(2) to allow a single sign-on and token management solution for all
Department student financial assistance systems including systems
operated by Department contractors;
(3) to allow electronic signature on student aid forms and
applications, including, but not limited to, the consent/affirmative
approval for the Department to disclose records to the Internal Revenue
Service (IRS) to obtain Federal Tax Information (FTI) and for the
disclosure and redisclosure of the FTI, revocation of such consent/
affirmative approval, the Free Application for Federal Student Aid
(FAFSA[supreg]), Direct Loan Master Promissory Notes, loan benefit
program forms, deferments, or forbearances through StudentAid.gov and
other Department websites; and
(4) to enable the Department, or other Federal, State, Tribal, or
local government agencies, to investigate, respond to, or resolve
complaints concerning the practices or processes of the Department and/
or the Department's contractors, or to investigate, respond to, or
resolve aid recipients' requests for assistance or relief with regard
to title IV, HEA program funds.
The information maintained in this system is also maintained for
the following purposes relating to the Department's oversight and
administration of the title IV, HEA programs:
(1) to prevent fraud by taking measures to validate the PII
submitted by aid applicants, aid recipients, application participants
(i.e., parents of dependent aid applicants or aid recipients and
spouses of independent students), endorsers, and third-party preparers
before allowing them to access Department websites, such as
<a href="http://Studentaid.gov">Studentaid.gov</a>;
(2) to match name, Social Security number (SSN) (or address, where
applicable), and Date of Birth (DOB) with an authorized entities for
purposes of validating the PII submitted and, if applicable, to
determine program eligibility and benefits;;
(3) to provide usage information for FSA systems and websites;
(4) to track changes to user account information;
(5) to maintain and track consent/affirmative approval the consent/
affirmative approval on aid applicants and recipients to the IRS for
the IRS to disclose FTI under subsection 494(a) of the HEA (20 U.S.C.
1098h(a)) and section 6103(l)(13)(A) and (C) of the IRC to the
Department as part of a matching program to determine their determine
their eligibility under title IV of the HEA and to permit the
Department to redisclose FTI of individuals pursuant to section
6103(l)(13)(D)(iv) of the IRC and the revocation of such consent/
affirmative approval for IDR; and
(6) to support research, analysis, and development, and the
implementation and evaluation of educational policies in relation to
title IV, HEA programs.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
PAS contains records about former, current, and prospective aid
applicants and aid recipients, participants who enter their PII as part
of the FAFSA form (i.e., parents of dependent aid applicants or
recipients and spouses of independent aid applicants or recipients)
under title IV of the HEA, spouses of aid applicants or recipients who
enter their PII as part of IDR certifications or recertifications,
endorsers, and third-party preparers (i.e., individuals who provide
consultative or preparation services for the completion of the FAFSA)
who apply for a user ID and password (FSA ID).
CATEGORIES OF RECORDS IN THE SYSTEM:
This system maintains identifying information including, but not
limited to, first name, middle name, last name, SSN, DOB, address,
telephone number, email address, and security challenge questions.
The system also contains consent/affirmative approval of IDR
applicants or recipients both to permit the Department to disclose
information to the IRS for the IRS to disclose FTI under subsection
494(a) of the HEA (20 U.S.C. 1098h(a)) and section 6103(l)(13)(A) and
(C) of the IRC to the Department as part of a matching program to
determine title IV, program eligibility or monthly repayment obligation
amounts for IDR plans under title IV of the HEA with respect to loans
made under part D (the Direct Loan program) of title IV of the HEA and
to permit the Department to redisclose FTI of individuals pursuant to
section 6103(l)(13)(D)(iv) of the IRC. PAS also maintains the
revocation of consent/affirmative approval for IDR.
PAS further maintains information, such as SSN verification flag,
citizenship status, and death indicator, obtained pursuant to matching
programs or other information exchanges with Federal agencies, and
other external entities, to assist in verifying the identifying
information of aid applicants or recipients, application participants
including parents of dependent aid applicants or recipients and spouses
of independent aid applicants or recipients, endorsers, and third-party
preparers.
RECORD SOURCE CATEGORIES:
The identifying information (first name, middle name, last name,
SSN, DOB, address, telephone number, email address, security challenge
questions and corresponding answers) will be collected from individuals
applying for a FSA ID or updating their information on the PAS
registration website. In addition, PAS receives a verification flag,
citizenship flag and death flag indicator which are maintained in the
system through a matching program from the Central Processing System
(CPS) and the FAFSA Processing System (FPS) system.
PAS also collects from aid applicants or recipients their consent/
affirmative approval both to permit the Department to disclose
information to the IRS for the IRS to disclose FTI under subsection
494(a) of the HEA (20 U.S.C. 1098h(a)) and section 6103(l)(13)(A) and
(C) of the IRC to the Department as part of a matching program to
determine title IV, program eligibility or their monthly repayment
obligation amounts for IDR plans under title IV of the HEA with respect
to loans made under part D of title IV of the HEA (the Direct Loan
program) and to permit the Department to redisclose the FTI of such
individuals pursuant to section 6103(l)(13)(D)(iv) of the IRC.
Information is also obtained from other Department systems, or
their successor systems, including:
The Digital and Customer Care Information Technology (IT), Central
Processing System (CPS) and FAFSA Processing System (FPS) system
(covered by the Department's Privacy Act system of records notice
entitled ``Aid Awareness and Application Processing (AAAP)'' (18-11-
21)); and
<bullet> The Enterprise Data Warehouse Analytics (EDWA) and Person
Master Data Management (pMDM) components covered under the ``Enterprise
Data Management and Analytics Platform Services'' (covered by the
Department's Privacy Act system of records notice entitled ``Enterprise
Data Management and Analytics Platform Services (EDMAPS)'' (18-11-22)).
Information in this system also may be obtained from other persons
or entities from whom or from which information is obtained following a
disclosure under the listed routine uses.
[[Page 48822]]
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND PURPOSES OF SUCH USES:
The Department may disclose information contained in a record in
this system of records under the routine uses listed in this system of
records without the consent of the individual if the disclosure is
compatible with a purpose for which the record was collected. These
disclosures may be made on a case-by-case basis or, if the Department
has complied with the computer matching requirements of the Privacy Act
of 1974, as amended (Privacy Act) (5 U.S.C. 552a), under a computer
matching agreement (CMA).
(1) Program Disclosures. The Department may disclose records for
the following program purposes:
(a) To validate the PII entered by the current, former, or
prospective aid applicant or aid recipient (or their third-party
preparer) or endorser, whom records indicate is applying for, has
applied for, has endorsed, or has received a title IV, HEA loan and/or
grant, or a participant of such an application including the spouse of
an independent aid applicant or recipient or the parent(s) of a
dependent aid applicant or recipient, disclosures may be made to:
Guaranty agencies, educational and financial institutions, Federal Loan
Servicers, or Federal Perkins Loan Servicers, Federal, State, local, or
Tribal agencies, private parties such as relatives, business and
personal associates, and present and former employers, creditors,
consumer reporting agencies, adjudicative bodies, and the individual
whom the records identify as the endorser or the party obligated to
repay the debt;
(b) To determine program eligibility and benefits, disclosures may
be made to: Guaranty agencies, educational and financial institutions,
Federal Loan Servicers, Federal Perkins Loan Servicers, Federal, State,
local, or Tribal agencies; private parties such as relatives, business
and personal associates, and present and former employers, creditors,
consumer reporting agencies, and adjudicative bodies;
(c) To permit the making or collecting of a grant or loan
obligation, disclosures may be made to: Guaranty agencies, educational
institutions, financial institutions, Federal Loan Servicers, or
Federal Perkins Loan Servicers that made, held, serviced, or have been
assigned the debt; a party identified by the debtor as willing to
advance funds to repay the debt; Federal, State, local, or Tribal
agencies; private parties such as relatives, business and personal
associates, and present and former employers, creditors, consumer
reporting agencies, and adjudicative bodies;
(d) To investigate possible fraud or abuse or verify compliance
with program regulations, disclosures may be made to: Guaranty
agencies, educational and financial institutions, Federal Loan
Servicers or Federal Perkins Loan Servicers, Federal, State, local, or
Tribal agencies, private parties such as relatives, present and former
employers, and business and personal associates, creditors, consumer
reporting agencies, and adjudicative bodies;
(e) To permit the Department to disclose information on aid
applicants and recipients to the IRS for the IRS to disclose FTI under
subsection 494(a) of the HEA (20 U.S.C. 1098h(a)) and section
6103(l)(13)(A) and (C) of the IRC to the Department as part of a
matching program to determine their determine their eligibility under
title IV of the HEA and to permit the Department to redisclose FTI of
individuals pursuant to section 6103(l)(13)(D)(iv) of the IRC and the
revocation of such consent/affirmative approval for IDR, disclosures
may be made to Federal Loan Servicers;
(f) To investigate complaints or to update information or correct
errors contained in Department records, disclosures may be made to:
Guaranty agencies, educational and financial institutions, Federal Loan
Servicers, or Federal Perkins Loan Servicers, Federal, State, local, or
Tribal agencies; private parties such as relatives, present and former
employers, and business and personal associates, creditors, credit
reporting agencies, and adjudicative bodies; and
(g) To report information required by law to be reported,
including, but not limited to, reports required by 26 U.S.C. 6050P and
6050S, disclosures may be made to the IRS.
(2) Enforcement Disclosure. In the event that information in this
system of records indicates, either on its face or in connection with
other information, a violation or potential violation of any applicable
statute, regulation, or order of a competent authority, the Department
may disclose the relevant records to the appropriate agency, whether
foreign, Federal, State, Tribal or local, charged with the
responsibility of investigating or prosecuting that violation or
charged with enforcing or implementing the statute, Executive Order,
rule, regulation, or order issued pursuant thereto.
(3) Litigation and Alternative Dispute Resolution (ADR) Disclosure.
(a) Introduction. In the event that one of the parties listed below
is involved in judicial or administrative litigation or ADR, or has an
interest in such litigation or ADR, the Department may disclose certain
records to the parties described in paragraphs (b), (c), and (d) of
this routine use under the conditions specified in those paragraphs:
(i) The Department or any of its components;
(ii) Any Department employee in their official capacity;
(iii) Any Department employee in their individual capacity where
the Department of Justice (DOJ) has been requested to or agrees to
provide or arrange for representation for the employee;
(iv) Any Department employee in their individual capacity where the
Department has agreed to represent the employee;
(v) The United States, where the Department determines that the
litigation is likely to affect the Department or any of its components.
(b) Disclosure to the DOJ. If the Department determines that
disclosure of certain records to the DOJ is relevant and necessary to
the judicial or administrative litigation or ADR and is compatible with
the purpose for which the records were collected, the Department may
disclose those records as a routine use to the DOJ.
(c) Adjudicative Disclosure. If the Department determines that
disclosure of certain records to an adjudicative body before which the
Department is authorized to appear or to an individual or an entity
designated by the Department or otherwise empowered to resolve or
mediate disputes is relevant and necessary to judicial or
administrative litigation or ADR, the Department may disclose those
records as a routine use to the adjudicative body, individual, or
entity.
(d) Disclosure to Parties, Counsel, Representatives, and Witnesses.
If the Department determines that disclosure of certain records is
relevant and necessary to judicial or administrative litigation or ADR,
the Department may disclose those records as a routine use to a party,
counsel, representative, or witness.
(4) Employment, Benefit, and Contracting Disclosure.
(a) For Decisions by the Department. The Department may disclose a
record to a Federal, State, or local agency, or another public
authority or professional organization, maintaining civil, criminal, or
other relevant enforcement or other pertinent records, if necessary to
obtain information relevant to a Department decision concerning the
hiring or retention of an employee or other personnel action, the
issuance of a security clearance, the letting of a
[[Page 48823]]
contract, or the issuance of a license, grant, or other benefit.
(b) For Decisions by Other Public Agencies and Professional
Organizations. The Department may disclose a record to a Federal,
State, local, or other public authority or professional organization,
in connection with the hiring or retention of an employee or other
personnel action, the issuance of a security clearance, the reporting
of an investigation of an employee, the letting of a contract, or the
issuance of a license, grant, or other benefit, to the extent that the
record is relevant and necessary to the receiving entity's decision on
the matter.
(5) Employee Grievance, Complaint, or Conduct Disclosure. If a
record is relevant and necessary to an employee grievance, complaint,
or disciplinary action, the Department may disclose the record in this
system of records in the course of investigation, fact-finding, or
adjudication to any party or the party's counsel or representative, a
witness, or to a designated fact-finder, mediator, or other person
designated to resolve issues or decide the matter.
(6) Labor Organization Disclosure. The Department may disclose
records from this system of records to an arbitrator to resolve
disputes under a negotiated grievance procedure or to officials of
labor organizations recognized under 5 U.S.C. chapter 71 when relevant
and necessary to their duties of exclusive representation.
(7) Freedom of Information Act (FOIA) and Privacy Act Advice
Disclosure. The Department may disclose records to the DOJ or the
Office of Management and Budget if the Department seeks advice
regarding whether records maintained in this system of records are
required to be disclosed under the FOIA or the Privacy Act.
(8) Disclosure to the DOJ. The Department may disclose records to
the DOJ, or the authorized representative of the DOJ, to the extent
necessary for obtaining DOJ advice on any matter relevant to an audit,
inspection, or other inquiry related to the programs covered by this
system.
(9) Contract Disclosure. If the Department contracts with an entity
for the purposes of performing any function that requires disclosure of
records in this system to employees of the contractor, the Department
may disclose the records to those employees. As part of such a
contract, the Department shall require the contractor to agree to
establish and maintain safeguards to protect the security and
confidentiality of the disclosed records.
(10) Research Disclosure. The Department may disclose records to a
researcher if the Department determines that the individual or
organization to which the disclosure would be made is qualified to
carry out specific research related to functions or purposes of this
system of records. The Department may disclose records from this system
of records to that researcher solely for the purpose of carrying out
that research related to the functions or purposes of this system of
records. The researcher shall be required to agree to establish and
maintain safeguards to protect the security and confidentiality of the
disclosed records.
(11) Congressional Member Disclosure. The Department may disclose
the records of an individual to a Member of Congress or the Member's
staff when necessary to respond to an inquiry from the Member made at
the written request of that individual and on behalf of that
individual. The Member's right to the information is no greater than
the right of the individual who requested the inquiry.
(12) Disclosure in the Course of Responding to a Breach of Data.
The Department may disclose records from this system of records to
appropriate agencies, entities, and persons when (a) the Department
suspects or has confirmed that there has been a breach of the system of
records; (b) the Department has determined that as a result of the
suspected or confirmed breach there is a risk of harm to individuals,
the Department (including its information systems, programs, and
operations), the Federal government, or national security; and (c) the
disclosure made to such agencies, entities, and persons is reasonably
necessary to assist in connection with the Department's efforts to
respond to the suspected or confirmed breach and prevent, minimize, or
remedy such harm.
(13) Disclosure in Assisting another Agency in Responding to a
Breach of Data. The Department may disclose records from this system to
another Federal agency or Federal entity, when the Department
determines that information from this system of records is reasonably
necessary to assist the recipient agency or entity in (a) responding to
a suspected or confirmed breach or (b) preventing, minimizing, or
remedying the risk of harm to individuals, the recipient agency or
entity (including its information systems, programs, and operations),
the Federal government, or national security, resulting from a
suspected or confirmed breach.
(14) Disclosure to the National Archives and Records Administration
(NARA). The Department may disclose records from this system of records
to NARA for the purpose of records management inspections conducted
under the authority of 44 U.S.C. 2904 and 2906.
DISCLOSURE TO CONSUMER REPORTING AGENCIES:
Disclosures pursuant to 5 U.S.C. 552a(b)(12): The Department may
disclose the following information to a consumer reporting agency
regarding a valid overdue claim of the Department: (1) the name,
address, taxpayer identification number, and other information
necessary to establish the identity of the individual responsible for
the claim; (2) the amount, status, and history of the claim; and (3)
the program under which the claim arose. The Department may disclose
the information specified in this paragraph under 5 U.S.C. 552a(b)(12)
and the procedures contained in subsection 31 U.S.C. 3711(e). A
consumer reporting agency to which these disclosures may be made is
defined in 15 U.S.C. 1681a(f) and 31 U.S.C. 3701(a)(3).
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
The records are stored electronically.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
In order for users to retrieve aid applicant or recipient
information, they must supply the respective SSN, name, and DOB or by
the unique internal account identifier.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
Records are primarily retained and disposed of in accordance with
ED Records Schedule 278, ``FSA Person Authentication Service (PAS)
Records'' (DAA-0441-2016-0001) (ED 278). The Department has submitted
amendments to ED 278 for NARA's consideration and will not destroy
records covered by ED 278 until such amendments are in effect, as
applicable.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
Authorized users: Access to the system is limited to authorized PAS
program personnel and contractors responsible for administering the PAS
program. Authorized personnel include Department employees and
officials, financial and fiscal management personnel, computer
personnel, and program managers who have responsibilities for
implementing the PAS program. Read-only users: Read-only access is
given to servicers, holders, financial/fiscal management personnel, and
institutional personnel.
[[Page 48824]]
Physical safeguards: Magnetic tapes, disc packs, computer
equipment, and other forms of data are stored in areas where fire and
life safety codes are strictly enforced. Security guards are staffed 24
hours a day, seven days a week, to perform random checks on the
physical security of the record storage areas.
Procedural safeguards: A password is required to access the
terminal, and a data set name controls the release of information to
only authorized users. In addition, all sensitive data is encrypted
using Oracle Transparent Data Encryption functionality. Access to
records is strictly limited to those staff members trained in
accordance with the Privacy Act and Automatic Data Processing (ADP)
security procedures. Contractors are required to maintain
confidentiality safeguards with respect to these records. Contractors
are instructed to make no further disclosure of the records except as
authorized by the System Manager and permitted by the Privacy Act. All
individuals who have access to these records receive appropriate ADP
security clearances.
Department personnel make site visits to ADP facilities for the
purpose of ensuring that ADP security procedures continue to be met.
Privacy Act and ADP system security requirements are specifically
included in contracts. The PAS project directors, project officers, and
the system manager oversee compliance with these requirements.
In accordance with the Federal Information Security Management Act
of 2002 (FISMA), as amended by the Federal Information Security
Modernization Act of 2014, every Department system must receive a
signed Authorization to Operate (ATO) from a designated Department
official. The ATO process includes a rigorous assessment of security
controls, a plan of actions and milestones to remediate any identified
deficiencies, and a continuous monitoring program.
FISMA controls implemented are comprised of a combination of
management, operational, and technical controls, and include the
following control families: access control, awareness and training,
audit and accountability, security assessment and authorization,
configuration management, contingency planning, identification and
authentication, incident response, maintenance, media protection,
physical and environmental protection, planning, personnel security,
privacy, risk assessment, system and services acquisition, system and
communications protection, system and information integrity, and
program management.
RECORD ACCESS PROCEDURES:
If you wish to gain access to a record in this system, you must
contact the system manager with the necessary particulars such as your
name, DOB, SSN, and any other identifying information requested by the
Department while processing the request, to distinguish between
individuals with the same name. Requests by an individual for access to
a record must meet the requirements of the regulations at 34 CFR 5b.5,
including proof of identity.
CONTESTING RECORD PROCEDURES:
If you wish to contest the content of a record in the system of
records, you must contact the system manager with the necessary
particulars such as your name, DOB, SSN, and any other identifying
information requested by the Department while processing the request,
to distinguish between individuals with the same name. You must also
identify the specific item(s) to be changed, and provide a
justification for the change, including any supporting documentation.
Requests to amend a record must meet the requirements of the
Department's Privacy Act regulations at 34 CFR 5b.7.
NOTIFICATION PROCEDURES:
If you wish to determine whether a record exists regarding you in
this system of records, you must contact the system manager with the
necessary particulars such as your name, DOB, SSN,and any other
identifying information requested by the Department while processing
the request, to distinguish between individuals with the same name.
Requests for notification about whether the system of records contains
information about an individual must meet the requirements of the
regulations at 34 CFR 5b.5, including proof of identity.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
The system of records notice entitled the ``Person Authentication
Service'' (18-11-12) was last modified and published in full in the
Federal Register on March 20, 2015 (80 FR 14981).
[FR Doc. 2023-16001 Filed 7-27-23; 8:45 am]
BILLING CODE 4000-01-P
</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>Indexed from Federal Register on July 28, 2023.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.