Student Aid on the Web Skip Navigation

Privacy Policy And Privacy Impact Assessment For FSA Student Aid On The Web

Thank you for visiting Federal Student Aid's Student Aid on the Web and reviewing our privacy policy. Our policy is simple: We collect no personal information about you unless you choose to provide that information to us. We do not give, share, sell, or transfer any personal information to a third party.

If you want to know more about how we record non-personal information about your visit or how we use information that you voluntarily submit, read on.

Otherwise, enjoy your visit!


What is 'Student Aid on the Web'?

Student Aid on the Web (hereafter the 'Web site') is a product of FSA of the U.S. Department of Education (ED). The site is divided into sections, the main FSA site, www.studentaid.ed.gov, and the "MyFSA" site, which permits you to register and create an account with "MyFSA".

On the Web site [You can visit the current web site at studentaid.ed.gov] you can search for information about colleges and/or careers related to areas of academic interest without providing any personal information at all. On the MyFSA site, you can perform customized scholarship/grant searches, college savings calculations, cost of attendance calculations and other tailored queries based on criteria and information you provide. In order to perform these customized searches or obtain personalized calculations, you must register with MyFSA and create an account. MyFSA permits you to save customized searches and personalized calculations to your account for future retrieval. In addition, you may provide and save further detail and background about yourself for purposes of pre-populating your college and student aid applications; MyFSA saves you having to input this information on each form, helping you cut application time and reduce application errors. In sum, we collect no personal information about you, unless you choose to provide that information to us.


What information is being collected in "MyFSA"?

If you choose to register with MyFSA, you must provide information about yourself, specifically, your individual user ID; first name; last name; email address; password; password hint question; password hint answer; date of birth; and education level. MyFSA will not permit children under the age of 13 to create accounts. Users must be 13 years of age or older to register with MyFSA.

As noted above, you can also choose to add personal background and interest information to your "MyFSA profile." This is information you can store to use later to pre-populate forms so you don't have to enter this information for each application. Voluntarily provided profile information includes: Student Name, Addresses (Permanent/Mailing/Phone), Personal Information (Sex, SSN), College Application Information, High School Information, College Information, Standardized Tests Scores, Parents (Name, Occupation), Spouse, Siblings, Other Relatives/Contacts, High School Activities, Employment/Work, and Current/Planned Coursework. We will not use this information except as may be consistent with purposes identified in the Web site's System of Records notice (68 Fed. Reg. 23113 (April 30, 2003) [http://www.ed.gov/legislation/FedRegister/other/2003-2/043003b.html]. Choosing to customize this Web site indicates that you understand that the information you are providing may be disclosed by the Department as provided by the Privacy Act (see Privacy Act explanation below) and the published System of Records notice.


Non-personal Information We Record

No cookies or other tracking technology are used on the Web site. If you do nothing during your visit but browse through the website, read pages, or download information, our website's operating system will automatically record some general information about your visit.

During your visit, our web operating system will record:

  • The Internet domain for your Internet service, such as "xcompany.com" or "xcompany.net" if you use a private Internet access account, or "yourschool.edu" if you connect from a college or university domain.
  • The type of browser (such as "Netscape version x" or "Internet Explorer version x") that you are using.
  • The type of operating system that you use (such as Macintosh, Unix, or Windows).
  • The date and time you visit our site, and the web pages that you visit on our site.
  • The address of the previous website you were visiting, if you linked to use from another website.

The user is not identified in the collection of non-personal information.


Links to Other Sites

Our policy discloses the privacy practices for Student Aid on the Web. But Student Aid on the Web provides links to other websites. When you leave Student Aid on the Web (http://studentaid.ed.gov), you will be going to sites that are beyond our control. We try to ensure that links that leave our site are clearly labeled. These other sites may send their own cookies to users, collect data, or solicit personal information. The privacy policies and procedures described here for Student Aid on the Web do not apply to any external links. We encourage you to read the privacy policies of any site you link to from ours, especially if you share any personal information. Be informed. You are the person best qualified to protect your own privacy.


What if I choose not to register with "MyFSA"?

Registering with MyFSA is strictly voluntary and will not impact your ability to obtain information about colleges or to apply for or receive financial aid. However, if you choose not to register, you will be unable to perform or store customized searches or personalized calculations for future retrieval or complete college or financial aid applications on-line.


How will the information collected be used?

Financial Aid Applications

The information you provide will allow us to facilitate the college and/or student financial aid (FAFSA) application processes by storing and pre-populating application forms with the required information. This service saves you time and enhances accuracy.

Although you do not have to provide your SSN to use MyFSA, the SSN is a mandatory field in completing the FAFSA [Sections 483 (20 U.S.C § 1090) and 484 (20 U.S.C. § 1091) of the Higher Education Act (HEA) of 1965, as amended]. Your SSN is collected so that you (borrower, whether student or parent) can apply for financial aid. Even if you are not yet ready to apply for financial aid, MyFSA can store your information so that you do not need to re-enter all of the information when the time comes to apply.


Wizards and Calculators

MyFSA enables you to utilize several financial aid wizards, college aid calculators, and scholarship/grant wizards and to store the results of your customized searches and personalized calculations for future retrieval.


Determination of Student Aid Awareness

FSA will add your date of birth, education level, city and state of residence, and country of residence to a demographic database that will assist FSA to better target financial aid materials to specific groups of students and/or parents (e.g., middle school students). This demographic data will not be linked to your personal information.


Information from E-Mail You Send Us

If you decide to send us an electronic mail message (e-mail), the message will usually contain your return e-mail address. If you include personally identifying information in your e-mail because you want us to address issues specific to your situation, we may use that information in responding to your request. This information is not maintained in a privacy act system of records.

Also, e-mail is not necessarily secure against interception. Please send only information necessary to help us process your request.


Survey

The Survey Form helps us determine the effectiveness of Student Aid on the Web as a customer service tool and its potential role in improving the delivery of FSA information and services. To the extent the user provides personally identifying information voluntarily, the agency will not retain that information in a system of record.

It should take you approximately 5 minutes to complete the Survey Form, including reading instructions, gathering information, filling out the application, and reviewing it. Completing the form is entirely voluntary. Our authority to collect the information is under OMB control number 1845-0045.


Security

The completion of system security plans is a requirement of the Office of Management and Budget (OMB) Circular A-130, "Management of Federal Information Resources," Appendix III, "Security of Federal Automated Information Resources," and Public Law 100-235, "Computer Security Act of 1987." The Web site has completed a system security plan demonstrating its compliance with the IT requirements mandated by federal law and policy. The security plan contains details regarding the Risk Assessment conducted for the Web site, as well as the security controls (hardware/software/facilities/personnel) in place to mitigate any identified risks to the information collected on the Web site. Management, operational, and technical security controls are in place for the Web site, encompassing personnel, physical environment access, contingency plans, disaster recovery, and identification and authentication procedures. The Web site is currently in the operations/maintenance phase of the life cycle. As such, the following functions are being performed: security operations and administration, operational assurance, audits and monitoring. The System Security Officer (SSO) for the Web site is Priscilla Mulford (Program Manager) (202) 377-3250.


Rights under the Privacy Act or other applicable law

A 'system of records' has been created under the Privacy Act, 5 U.S.C. 552a. It was published in the Federal Register at 68 Fed. Reg. 23113 (April 30, 2003).

Each record in this system is indexed and retrieved by a user name and password that is created by the user of MyFSA.Accordingly, we maintain the information you provide in a system of records protected by the Privacy Act and administer it in accordance with the Act and with the Privacy Act systems of record notice published at 68 Fed. Reg. 23113 (April 30, 2003) [http://www.ed.gov/legislation/FedRegister/other/2003-2/043003b.html]. The systems notice explains that the information you provide may be disclosed to third parties for discrete purposes. In addition, the information you provide may be shared with another agency for "matching" under the computer matching provisions of the Privacy Act (5 U.S.C. 552a). The agency, through MyFSA, is authorized to collect and use the information you provide under the following authorities:

Title IV of the Higher Education Act, as amended (HEA), 40 U.S.C. 1425(b), and 44 U.S.C. Chapter 35. The authority for collecting and using your Social Security Number (SSN) are sections 484(a)(4) (20 U.S.C. 1091), section 483(a)(7) (20 U.S.C. 1090) of the HEA (20 U.S.C. 1094(a)(4)) and section 428B(f) (20 U.S.C.1078-2) of the HEA. Providing the information in any case is voluntary on your part. However, if you choose not to register, you will be unable to perform or store customized searches or personalized calculations for future retrieval or complete college or financial aid applications on-line.

A link to the Privacy Act Statement is provided on each page of the Web site.

As the subject of an account in your name, the Privacy Act affords you the ability to access your account and the right to request amendment of inaccurate information in your record. A full explanation of your rights under the Privacy Act is set forth in the agency's Privacy Act regulations. At this link, if you wish to find out how to amend your records, go to "5b.7" and open either the Word or pdf version.


INTRODUCTION TO PRIVACY IMPACT ACCESSMENT

Section 208 of the E-Government Act of 2002 (P.L.107-347) requires FSA to complete a Privacy Impact Assessment for each new system that collects information from the public through the Internet.

During the Definition Phase of the FSA Solution Lifecycle, the SSO must make sure that the team completes the attached Privacy Impact Assessment Questionnaire, must have it reviewed by the Chief Information Officer or equivalent official, and must file the completed form in the system's Security Notebook as part of the system's documentation. This PIA must also be made publicly available.


Privacy Impact Assessment Questionnaire

System Name: FSA Student Aid on the Web
System Owner: Jennifer Douglas
Privacy Impact Assessment Questionnaire Author: Adam Essex
Date: 9/5/2003

Officials and organizational components involved in the analysis and review of the Privacy Impact Assessment included the following: Department of Education (ED) Office of the Chief Information Officer (CIO), specifically William Leitinger, John Tressler, and Chiquitta Thomas; FSA CIO, the System Security Officer (SSO) for Student Aid on the Web, and the Office of General Counsel (OGC).


1. What information will be collected for the system?
Student Aid on the Web (hereafter the 'Web site') collects information from visitors appropriate to the college search, application, and financial aid processes. This information is collected only if the visitors wish to register within MyFSA and use the functionality that permits users to perform and store customized searches and calculations based on information and criteria they provide, and to pre-populate college and loan applications. Depending on the function performed, different information is required.

  • To register with MyFSA and create a personal account, the following information is collected: First Name, Last Name, DOB, E-mail, Username, Password, Question, Answer, and Current Grade Level.

  • To perform customized searches and personalized calculations, information such as the following is collected but not saved: preferences regarding type (four-year, private), location (state), size (# of students, students/faculty), and cost (in-state, out-of-state tuition) of colleges; key values from the federal tax return for financial aid; and keyword searches for scholarships.

  • To store customized searches and personalized calculations, the following information is collected: None. The user bookmarks the search.

  • To pre-populate applications, the following information is collected: MyFSA registration information. In addition, for the college application, the user provides specific admissions information, such as high school information and activities, standardized test data, employment/work history, and information regarding parents/spouses/siblings. For a detailed listing of data elements, clickhere. In order to pre-populate the FAFSA, the following information is used: Last Name, First Name, Middle Initial, Permanent Address, State of Legal Residence, SSN, DOB, Permanent Home Phone Number, Driver's License Number, Driver's License State, and Citizenship.

In addition, the following demographic information will be captured and analyzed in order to permit FSA to target college and aid information to particular audiences: Zip Code and Education Level.


If a user decides to send FSA an electronic mail message (e-mail), the message will usually contain the return e-mail address. If the user includes personally identifying information in the e-mail because he/she wants FSA to address issues specific to his/her situation, FSA may use that information in responding to the request. Information submitted by e-mail will not be contained in a privacy act system of record.


Information collected through the Student Aid on the Web Feedback Survey Form is used to analyze overall satisfaction with Student Aid on the Web and its various features, assess the Web site's success, and determine how to enhance the service(s). Information submitted through the survey will not be contained in a privacy act system of record.


Using MyFSA is entirely voluntarily and therefore any information collected is provided voluntarily by users. Although one need not provide an SSN to use MyFSA, the SSN is a mandatory field in completing the FAFSA [Sections 483 (20 U.S.C § 1090) and 484 (20 U.S.C. § 1091) of the Higher Education Act (HEA) of 1965, as amended]. Therefore, registrants with MyFSA will be given the option to add the SSN to their profiles at any time for purposes of pre-populating the FAFSA.


FSA will not permit children under the age of 13 to create accounts. Users must be 13 years of age or older to register with MyFSA.


No cookies or other tracking technology are used on the web site. Ifa userdoes nothing duringthe visit but browse through the website, read pages, or download information, our website's operating system will automatically record some general information aboutthe visit.


During the visit, our web operating system will record:

  • The Internet domain for user's Internet service, such as "xcompany.com" or "xcompany.net" if the user has a private Internet access account, or "yourschool.edu" if the user connects from a college or university domain.
  • The type of browser (such as "Netscape version x" or "Internet Explorer version x") being used.
  • The type of operating system used (such as Macintosh, Unix, or Windows).
  • The date and time of the visit to our site, and the web pages visited on our site.
  • The address of the previous website the user was visiting, if the user linked to us from another website.

We use this non-personal information for statistical analysis, to help us make our site more useful to visitors. This tracking system does not record information about individuals.

2. Why is this information being collected?

Use of MyFSA facilitates the college search, application and loan processes.The information collected is needed in order to provide the student/borrower/parent personalized information regarding college savings, college applications, and financial aid applications. Based on user-provided information and criteria, "MyFSA" tools perform school searches, scholarship/grant searches, college savings calculations, cost of attendance calculations and other queries.

If personally identifying information is included in an e-mail, it is because the customer is requesting we address issues specific to his/her situation. Information collected through the Survey Form helps us determine the effectiveness of Student Aid on the Web as a customer service tool and its potential role in improving the delivery of FSA information and services. The Survey Form collects no privacy information.


3. How will FSA use this information?

The information is used by the Department and its Contractor to perform the following services:

  • Provide information targeted to the user, based on requirements and criteria provided by the user (information about schools, loans, applications, etc).

  • Store search results for later retrieval.

  • Pre-populate the electronic Free Application for Federal Student Aid (FAFSA).

  • Pre-populate college applications.

  • Assist FSA to target financial aid and college information to target audiences, based on the demographics provided by site users.
    Demographic data will not be linked to personal information to identify individuals. The demographic data will be used to determine the populations of Web site users that would benefit from specific programs, opportunities, and updates. The Department has not yet defined specific marketing plans but may request assistance from a qualified contractor(s) to execute specific aspects of the plan. Marketing will not involve the disclosure of any personal identifiable information. Additionally, there is no use of cookies or other tracking technology on the Web site.

  • Respond to requests received through e-mail.

  • Analyze overall satisfaction with Student Aid on the Web and its various features, assess the Web site's success, and determine how to enhance the service(s).

4. Will this information be shared with any other agency or entity? If so, with which agency or agencies/entities?

The Department of Education may disclose information contained in a record in an individual's account under the routine uses listed in the Privacy Act System of Records notice without the consent of the individual if the disclosure is compatible with the purposes for which the record was collected. Specific disclosures include the following:

  • Freedom of Information Act (FOIA) Advice Disclosure
  • Disclosure to the DOJ
  • Contract Disclosure
  • Litigation and Alternative Dispute Resolution (ADR) Disclosures
  • Research Disclosure
  • Congressional Member Disclosure
  • Disclosure for Use By Law Enforcement Agencies
  • Enforcement Disclosure
  • Employment, Benefit, and Contracting Disclosure
  • Employee Grievance, Complaint or Conduct Disclosure
  • Labor Organization Disclosure
  • Disclosure to Providers of Web-based Postsecondary Education Admission Applications

These disclosures may be made on a case-by-case basis. If the Department has complied with the computer matching requirements of the Privacy Act, disclosure also may be made to another agency under a computer matching agreement.

There will be no sharing of information for purposes outside of the above disclosure requirements or for anything other than the primary purpose(s) of collecting the information. Any contractor responsible for the operations of this Web site, including XAP, is held to the privacy and security requirements of the Department of Education in the handling of information collected through the Web site


5. Describe the notice or opportunities for consent that would be or are provided to individuals about what information is collected and how that information is shared with other organizations.

As the Web site is a government agency website that the public accesses, the Privacy Policy is appropriately posted for Web site users. This is a general policy, which applies to the handling of any information collected at the site. The policy highlights the voluntary nature of information collected, and explains which data elements are necessary for each level of functionality. Customers are notified that providing the information constitutes consent to all of its uses and they are given no option to affirmatively consent to certain uses. In addition, the policy notifies customers about the automatic recording and potential uses of any non-personal information about a visit (i.e., site management data).

A Privacy Act Statement is incorporated into the FSA web Privacy Policy articulating the specific authority for collecting personal information that will be maintained and retrieved by name or identifier from a Privacy Act system of records, the mandatory or voluntary nature of the information collected and the uses of the information. A link to the Privacy Act Statement is provided on each page of the Web site. Users are specifically notified that providing the SSN is mandatory to complete the FAFSA and are provided the statutory authority requiring the SSN for this purpose. However, users are given the option to voluntarily provide and store SSN information in their account profiles in anticipation of completing the FAFSA.


6. How will the information be secured?

The completion of system security plans is a requirement of the Office of Management and Budget (OMB) Circular A-130, "Management of Federal Information Resources," Appendix III, "Security of Federal Automated Information Resources," and Public Law 100-235, "Computer Security Act of 1987." The Web site has completed a system security plan demonstrating its compliance with the IT requirements mandated by federal law and policy. The security plan contains details regarding the Risk Assessment conducted for the Web site, as well as the security controls (hardware/software/facilities/personnel) in place to mitigate any identified risks to the information collected on the Web site. Management, operational, and technical security controls are in place for the Web site, encompassing personnel, physical environment access, contingency plans, disaster recovery, and identification and authentication procedures. The Web site is currently in the operations/maintenance phase of the life cycle. As such, the following functions are being performed: security operations and administration, operational assurance, audits and monitoring. The System Security Officer (SSO) for the Web site is Priscilla Mulford (Program Manager) (202) 377-3250.


7. Is a system of records being created or updated with the collection of this information?

Yes, a system of records has been created with this collection of information. Users are provided notice of rights under the Privacy Act via links to the agency Privacy Act regulations (5 C.F.R. Part 5b.) and to the Privacy Act system of records notice for the Web site (formerly, the Students Portal) (68 Fed. Reg. 23113 (April 30, 2003)).


8. List the web addresses (known or planned) that will have a Privacy Policy.

http://studentaid.ed.gov


Last updated/reviewed November 17, 2007

End of Page