The Department of Education’s Office of Federal Student Aid (FSA) is only dropping the ball a little bit in making sure that the private collection agencies it hires keep the personally identifiable information (PII) that is provided to them safe and secure, but where the ball is really being dropped is with banks that make loans on behalf of the government, according to a report released earlier this week by the Government Accountability Office.
The report says that the FSA is “generally” addressing the “key practices” related to overseeing the protection of PII with respect to the collection agencies it uses. The one area in which not all of the key practices were being addressed was in the ongoing monitoring to make sure collection agencies and loan servicers are keeping borrowers’ PII safe and secure.
The servicers and collection agencies are required to enroll in the FSA’s Continuous Security Authorization program, but have not done so, according to the GAO. Instead, the servicers and agencies are relying on their own internal controls and policies to keep the information safe.
With respect to the other areas of the audit (requiring risk-based security and privacy controls, independently assessing implementation controls, and developing and implementing corrective actions), the GAO report gave the FSA a thumbs up in how it is working with servicers and collection agencies.
How the FSA is working with lenders received a much sterner rebuke from the GAO.
FSA has limited assurance that they are protecting student aid data consistent with the agency’s requirements. FSA’s limited oversight could result in inconsistent or ineffective implementation of security controls, which in turn could have serious consequences for the privacy of millions of borrowers whose information is shared with non-school partners.