Information for Financial Aid Professionals (IFAP) Privacy Impact Assessment Questionnaire

System Name: Information for Financial Aid Professionals (IFAP)
System Owner: Jana Hernandes
System Manager: Marcello Rojtman
System Security Officer: Theon Dam
Privacy Impact Assessment Questionnaire Author: Theon Dam
Date: 3/4/2009

Officials and organizational components involved in the analysis and review of the Privacy Impact Assessment included the following: Department of Education Office of the Chief Information Officer, Federal Student Aid (FSA) CIO Computer Security Officer, and COD management, including the System Security Officer.

1. What information will be collected for the system (Ex. Name, Social Security Number, annual income, etc)?

    Customers have an option to provide names, business email, Institution/Organization, city, state, and 3 security questions so that the customer may customize the IFAP web site. Customers also have an option to participate in discussion groups with users of similar interests by selecting yes to the Discussion Groups option. The general public does not have access to IFAP database.

2. Why is this information being collected?

    The information that is collected so that the customer shall have the options to customize the IFAP web site, receive broadcast from the IFAP web site and to participate in discussion groups with users of similar interests.

3. How will FSA use this information?

    FSA will use the information to so that the customer shall have the options to customize the IFAP web site by establishing a �My IFAP� account, receive regular broadcast from the IFAP web site through the Subscription Options and to occasionally participate in discussion groups with users of similar interests.

4. Will this information be shared with any other agency? If so, with which agency or agencies?

    No information is shared with any other agency or agencies. No information is collected on the Web site that either directly identifies an individual user of the Website (i.e. Social Security Number, address or other identifying number or code, telephone number, or personal e-mail address) or that is intended to be used to identify a specific user of the Website in conjunction with any other data.

5. Describe the notice or opportunities for consent would be/ or are provided to individuals about what information is collected and how that information is shared with others organizations. (e.g., posted Privacy Notice)

    As the Web site is a government agency website that the public accesses, the Privacy Policy is appropriately posted for Web site users. This is a general policy, which applies to the handling of any information collected at the site. The policy highlights the voluntary nature of information collected, and explains which data elements are necessary for each level of functionality. Customers are notified that providing the information constitutes consent to all of its uses and they are given no option to affirmatively consent to certain uses.

    Privacy Act Statement is incorporated into the FSA web Privacy Policy articulating the specific authority for collecting personal information that will be maintained and retrieved by name or identifier from a Privacy Act system of records, the mandatory or voluntary nature of the information collected and the uses of the information. A link to the Privacy Act Statement is provided on each page of the Web site.

6. How will the information be secured?

  • All information is protected by password and is monitored by automated and manual controls.
  • IFAP is developed and maintained under a contract with Phoenix Programming Services Co., LLC and is housed within a secure facility run under a subcontract with Perot Systems, Inc.
  • Interfacing ED systems are operated for the most part within FSA�s Virtual Data Center (VDC), located in Plano Texas, which provides the respective security controls.
  • System administrators outside of the VDC provide comparable security controls to protect the system and the information contained therein.

7. Is a system of records being created or updated with the collection of this information? (A system of record is created when information can be retrieved from the system by the name of the individual or an identifying number, symbol or other identifying particular assigned to an individual. Also, in responding to this question a helpful reference may be to the system�s System of Record organization step completed in the Definition phase of the Solution Lifecycle process.)

    No. IFAP is not a system of record.