Student Aid on the Web

Privacy Policy And Privacy Impact Assessment For FSA Student Aid On The Web

Thank you for visiting Federal Student Aid's Student Aid on the Web and reviewing our privacy policy. Our policy is simple: We collect no personal information about you unless you choose to provide that information to us. We do not give, share, sell, or transfer any personal information to a third party.

If you want to know more about how we record non-personal information about your visit or how we use information that you voluntarily submit, read on.

Otherwise, enjoy your visit!


What is 'Student Aid on the Web'?

Student Aid on the Web (hereafter the 'Web site') is a product of FSA of the U.S. Department of Education (ED). The site is divided into sections, the main FSA site, www.studentaid.ed.gov, and the "MyFSA" site, which permits you to register and create an account with "MyFSA".

On the Web site [You can visit the current web site at studentaid.ed.gov] you can search for information about colleges and/or careers related to areas of academic interest without providing any personal information at all. On the MyFSA site, you can perform customized scholarship/grant searches, college savings calculations, cost of attendance calculations and other tailored queries based on criteria and information you provide. In order to perform these customized searches or obtain personalized calculations, you must register with MyFSA and create an account. MyFSA permits you to save customized searches and personalized calculations to your account for future retrieval. In addition, you may provide and save further detail and background about yourself for purposes of pre-populating your college and student aid applications; MyFSA saves you having to input this information on each form, helping you cut application time and reduce application errors. In sum, we collect no personal information about you, unless you choose to provide that information to us.


What information is being collected in "MyFSA"?

If you choose to register with MyFSA, you must provide information about yourself, specifically, your individual user ID; first name; last name; email address; password; password hint question; password hint answer; date of birth; and education level. MyFSA will not permit children under the age of 13 to create accounts. Users must be 13 years of age or older to register with MyFSA.

As noted above, you can also choose to add personal background and interest information to your "MyFSA profile." This is information you can store to use later to pre-populate forms so you don't have to enter this information for each application. Voluntarily provided profile information includes: Student Name, Addresses (Permanent/Mailing/Phone), Personal Information (Sex, SSN), College Application Information, High School Information, College Information, Standardized Tests Scores, Parents (Name, Occupation), Spouse, Siblings, Other Relatives/Contacts, High School Activities, Employment/Work, and Current/Planned Coursework. We will not use this information except as may be consistent with purposes identified in the Web site's System of Records notice (68 Fed. Reg. 23113 (April 30, 2003)) [http://www.ed.gov/legislation/FedRegister/other/2003-2/043003b.html]. Choosing to customize this Web site indicates that you understand that the information you are providing may be disclosed by the Department as provided by the Privacy Act (see Privacy Act explanation below) and the published System of Records notice.


Non-personal Information We Record

No cookies or other tracking technology are used on the Web site. If you do nothing during your visit but browse through the website, read pages, or download information, our website's operating system will automatically record some general information about your visit.

During your visit, our web operating system will record:

  • The Internet domain for your Internet service, such as "xcompany.com" or "xcompany.net" if you use a private Internet access account, or "yourschool.edu" if you connect from a college or university domain.
  • The type of browser (such as "Netscape version x" or "Internet Explorer version x") that you are using.
  • The type of operating system that you use (such as Macintosh, Unix, or Windows).
  • The date and time you visit our site, and the web pages that you visit on our site.
  • The address of the previous website you were visiting, if you linked to us from another website.

The user is not identified in the collection of non-personal information.


Links to Other Sites

Our policy discloses the privacy practices for Student Aid on the Web. But Student Aid on the Web provides links to other websites. When you leave Student Aid on the Web (http://studentaid.ed.gov), you will be going to sites that are beyond our control. We try to ensure that links that leave our site are clearly labeled. These other sites may send their own cookies to users, collect data, or solicit personal information. The privacy policies and procedures described here for Student Aid on the Web do not apply to any external links. We encourage you to read the privacy policies of any site you link to from ours, especially if you share any personal information. Be informed. You are the person best qualified to protect your own privacy.


What if I choose not to register with "MyFSA"?

Registering with MyFSA is strictly voluntary and will not impact your ability to obtain information about colleges or to apply for or receive financial aid. However, if you choose not to register, you will be unable to perform or store customized searches or personalized calculations for future retrieval or complete college or financial aid applications on-line.


How will the information collected be used?

Financial Aid Applications

The information you provide will allow us to facilitate the college and/or student financial aid (FAFSA and FAFSA4caster) application processes by storing and pre-populating application forms with the required information. This service saves you time and enhances accuracy.

Although you do not have to provide your SSN to use MyFSA, the SSN is a mandatory field in completing the FAFSA [Sections 483 (20 U.S.C § 1090) and 484 (20 U.S.C. § 1091) of the Higher Education Act (HEA) of 1965, as amended]. Your SSN is collected so that you (borrower, whether student or parent) can apply for financial aid. Even if you are not yet ready to apply for financial aid, MyFSA can store your information so that you do not need to re-enter all of the information when the time comes to apply.


Wizards and Calculators

MyFSA enables you to utilize several financial aid wizards, college aid calculators, and scholarship/grant wizards and to store the results of your customized searches and personalized calculations for future retrieval.


Determination of Student Aid Awareness

FSA will add your date of birth, education level, city and state of residence, and country of residence to a demographic database that will assist FSA to better target financial aid materials to specific groups of students and/or parents (e.g., middle school students). This demographic data will not be linked to your personal information.


Information from E-Mail You Send Us

If you decide to send us an electronic mail message (e-mail), the message will usually contain your return e-mail address. If you include personally identifying information in your e-mail because you want us to address issues specific to your situation, we may use that information in responding to your request. This information is not maintained in a privacy act system of records.

Also, e-mail is not necessarily secure against interception. Please send only information necessary to help us process your request.


Survey

The Survey Form helps us determine the effectiveness of Student Aid on the Web as a customer service tool and its potential role in improving the delivery of FSA information and services. To the extent the user provides personally identifying information voluntarily, the agency will not retain that information in a system of record.

It should take you approximately 5 minutes to complete the Survey Form, including reading instructions, gathering information, filling out the application, and reviewing it. Completing the form is entirely voluntary. Our authority to collect the information is under OMB control number 1845-0045.


Security

The completion of system security plans is a requirement of the Office of Management and Budget (OMB) Circular A-130, "Management of Federal Information Resources," Appendix III, "Security of Federal Automated Information Resources," and Public Law 100-235, "Computer Security Act of 1987." The Web site has completed a system security plan demonstrating its compliance with the IT requirements mandated by federal law and policy. The security plan contains details regarding the Risk Assessment conducted for the Web site, as well as the security controls (hardware/software/facilities/personnel) in place to mitigate any identified risks to the information collected on the Web site. Management, operational, and technical security controls are in place for the Web site, encompassing personnel, physical environment access, contingency plans, disaster recovery, and identification and authentication procedures. The Web site is currently in the operations/maintenance phase of the life cycle. As such, the following functions are being performed: security operations and administration, operational assurance, audits and monitoring. The System Security Officer (SSO) for the Web site is Priscilla Mulford (Program Manager) (202) 377-3250.


Rights under the Privacy Act or other applicable law

A 'system of records' has been created under the Privacy Act, 5 U.S.C. 552a. It was published in the Federal Register at 68 Fed. Reg. 23113 (April 30, 2003).

Each record in this system is indexed and retrieved by a user name and password that is created by the user of MyFSA. Accordingly, we maintain the information you provide in a system of records protected by the Privacy Act and administer it in accordance with the Act and with the Privacy Act systems of record notice published at 68 Fed. Reg. 23113 (April 30, 2003) [http://www.ed.gov/legislation/FedRegister/other/2003-2/043003b.html]. The systems notice explains that the information you provide may be disclosed to third parties for discrete purposes. In addition, the information you provide may be shared with another agency for "matching" under the computer matching provisions of the Privacy Act (5 U.S.C. 552a). The agency, through MyFSA, is authorized to collect and use the information you provide under the following authorities:

Title IV of the Higher Education Act, as amended (HEA), 40 U.S.C. 1425(b), and 44 U.S.C. Chapter 35. The authority for collecting and using your Social Security Number (SSN) are sections 484(a)(4) (20 U.S.C. 1091), section 483(a)(7) (20 U.S.C. 1090) of the HEA (20 U.S.C. 1094(a)(4)) and section 428B(f) (20 U.S.C.1078-2) of the HEA. Providing the information in any case is voluntary on your part. However, if you choose not to register, you will be unable to perform or store customized searches or personalized calculations for future retrieval or complete college or financial aid applications on-line.

A link to the Privacy Act Statement is provided on each page of the Web site.

As the subject of an account in your name, the Privacy Act affords you the ability to access your account and the right to request amendment of inaccurate information in your record. A full explanation of your rights under the Privacy Act is set forth in the agency's Privacy Act regulations. At this link, if you wish to find out how to amend your records, go to "5b.7" and open either the Word or pdf version.


INTRODUCTION TO PRIVACY IMPACT ASSESSMENT

Section 208 of the E-Government Act of 2002 (P.L.107-347) requires FSA to complete a Privacy Impact Assessment for each new system that collects information from the public through the Internet.

During the Definition Phase of the FSA Solution Lifecycle, the SSO must make sure that the team completes the attached Privacy Impact Assessment Questionnaire, must have it reviewed by the Chief Information Officer or equivalent official, and must file the completed form in the system's Security Notebook as part of the system's documentation. This PIA must also be made publicly available.


Privacy Impact Assessment Questionnaire

System Name: Student Aid on the Web
System Owner: Jennifer Douglas
Privacy Impact Assessment Questionnaire Author: Priscilla Mulford
Date: 06/15/09


1. System Information. Describe the system.

Student Aid on the Web (hereafter the 'Web site') is a product of Federal Student Aid, an office of the U.S. Department of Education (ED). The site is divided into sections, the main site, www.studentaid.ed.gov, and the "MyFSA" site, which permits you to register and create an account with "MyFSA".

On the Web site [You can visit the current Web site at studentaid.ed.gov], you can search for information about colleges and/or careers related to areas of academic interest without providing any personal information at all. On the MyFSA site, you can perform customized scholarship/grant searches, college savings calculations, cost of attendance calculations, and other tailored queries based on criteria and information you provide. In order to perform these customized searches or obtain personalized calculations, you must register with MyFSA and create an account. In addition, you may provide and save further detail and background information about yourself for purposes of pre-populating your college and student aid applications. MyFSA saves you having to input this information on each form, helping you cut application time and reduce application errors. In sum, we collect no personal information about you, unless you choose to provide that information to us.


2. Legal Authority. Cite the legal authority to collect and use this data.

Using MyFSA is entirely voluntary and therefore any information collected is provided voluntarily by users. Although one need not provide an SSN to use MyFSA, the SSN is a mandatory field in completing the FAFSA [Sections 483 (20 U.S.C § 1090) and 484 (20 U.S.C. § 1091) of the Higher Education Act (HEA) of 1965, as amended]. Therefore, registrants with MyFSA will be given the option to add the SSN to their profiles at any time for purposes of pre-populating the FAFSA.


3. Characterization of the Information. What elements of Personal Identifiable Information (PII) are collected and maintained by the system (e.g., name, social security number, date of birth, address, phone number, etc.)?

The use of the MyFSA functionality within Student Aid on the Web is entirely voluntary; therefore, any of the following information collected is provided voluntarily by users.

  • To register with MyFSA and create a personal account, the following information is collected: First Name, Last Name, DOB, E-mail, Username, Password, Question, Answer, and Current Grade Level.

  • To perform customized searches and personalized calculations, information such as the following is collected but not saved: preferences regarding type (four-year, private), location (state), size (# of students, students/faculty), and cost (in-state, out-of-state tuition) of colleges; key values from the federal tax return for financial aid; and keyword searches for scholarships.

  • To store customized searches and personalized calculations, the following information is collected: None. You bookmark the search.

  • To pre-populate applications, the following information is collected: MyFSA registration information. In addition, for the college application, you provide specific admissions information, such as high school information and activities, standardized test data, employment/work history, and information regarding parents/spouses/siblings. For a detailed listing of data elements, click here. In order to pre-populate the FAFSA, the following information is used: Last Name, First Name, Middle Initial, Permanent Address, State of Legal Residence, SSN, DOB, Permanent Home Phone Number, Driver's License Number, Driver's License State, and Citizenship. To pre-populate the FAFSA4caster, the following information is used: Last Name, First Name, Middle Initial, Permanent Address, State of Legal Residence, SSN, and DOB.

If you decide to send Federal Student Aid an electronic mail message (e-mail), the message will usually contain the return e-mail address. If personally identifying information is included in the e-mail because you want Federal Student Aid to address issues specific to your situation, Federal Student Aid may use that information in responding to the request. Information submitted by e-mail will not be contained in a privacy act system of record.

Information collected through the Student Aid on the Web Feedback Survey Form is used to analyze overall satisfaction with Student Aid on the Web and its various features, assess the Web site's success, and determine how to enhance the service(s). Information submitted through the survey will not be contained in a privacy act system of record.

FSA will not permit children under the age of 13 to create accounts. You must be 13 years of age or older to register with MyFSA.

No cookies or other tracking technology are used on the Web site. If you do nothing during the visit but browse through the Web site, read pages, or download information, our Web site's operating system will automatically record some general information about the visit.

During the visit, our web operating system will record:

  • The Internet domain for your Internet service, such as "xcompany.com" or "xcompany.net" if you have a private Internet access account, or "yourschool.edu" if you connect from a college or university domain.
  • The type of browser (such as "Netscape version x" or "Internet Explorer version x") being used.
  • The type of operating system used (such as Macintosh, Unix, or Windows).
  • The date and time of the visit to our site, and the web pages visited on our site.
  • The address of the previous Web site you were visiting, if you linked to us from another Web site.

We use this non-personal information for statistical analysis, to help us make our site more useful to visitors. This tracking system does not record information about individuals.


4. Why is the information collected? How is this information necessary to the mission of the program, or how does it contribute to a necessary agency activity?

Use of MyFSA facilitates the college search, college application and financial aid application processes. The information collected is needed in order to provide the student/borrower/parent personalized information regarding college savings, college applications, and financial aid applications. Based on the information provided and criteria, "MyFSA" tools perform school searches, scholarship/grant searches, college savings calculations, cost of attendance calculations and other queries.

If personally identifying information is included in an e-mail, it is because you are requesting we address issues specific to your situation. Information collected through the Survey Form helps us determine the effectiveness of Student Aid on the Web as a customer service tool and its potential role in improving the delivery of Federal Student Aid information and services. The Survey Form collects no privacy information.


5. Social Security Numbers - If an SSN is collected and used, describe the purpose of the collection, the type of use, and any disclosures.

Although you do not have to provide your SSN to use MyFSA, the SSN is a mandatory field in completing the FAFSA [Sections 483 (20 U.S.C § 1090) and 484 (20 U.S.C. § 1091) of the Higher Education Act (HEA) of 1965, as amended]. Your SSN is collected so that you (borrower, whether student or parent) can apply for financial aid. Even if you are not yet ready to apply for financial aid, MyFSA can store your information so that you do not need to re-enter all of the information when the time comes to apply.

A Privacy Act Statement is incorporated into the FSA web Privacy Policy articulating the specific authority for collecting personal information that will be maintained and retrieved by name or identifier from a Privacy Act system of records, the mandatory or voluntary nature of the information collected and the uses of the information. A link to the Privacy Act Statement is provided on each page of the Web site. Users are specifically notified that providing the SSN is mandatory to complete the FAFSA and are provided the statutory authority requiring the SSN for this purpose. However, users are given the option to voluntarily provide and store SSN information in their account profiles in anticipation of completing the FAFSA.


6. Uses of the Information. What is the intended use of the information?

The information is used by the Department and its Contractor to perform the following services:

  • Provide information targeted to the user, based on requirements and criteria provided by the user (information about schools, loans, applications, etc).
  • Store search results for later retrieval.
  • Pre-populate the electronic Free Application for Federal Student Aid (FAFSA).
  • Pre-populate the FAFSA4caster.
  • Pre-populate college applications.
  • Assist FSA to target financial aid and college information to target audiences, based on the demographics provided by site users. Demographic data will not be linked to personal information to identify individuals. The demographic data will be used to determine the populations of Web site users that would benefit from specific programs, opportunities, and updates. The Department has not yet defined specific marketing plans but may request assistance from a qualified contractor(s) to execute specific aspects of the plan. Marketing will not involve the disclosure of any personal identifiable information. Additionally, there is no use of cookies or other tracking technology on the Web site.
  • Respond to requests received through e-mail.
  • Analyze overall satisfaction with Student Aid on the Web and its various features, assess the Web site's success, and determine how to enhance the service(s).


7. Internal Sharing and Disclosure. With which internal DoED organizations is the information being shared?

The Department of Education may disclose information contained in a record in an individual's account under the routine uses listed in the Privacy Act System of Records notice without the consent of the individual if the disclosure is compatible with the purposes for which the record was collected. Specific disclosures include the following:

  • Freedom of Information Act (FOIA) Advice Disclosure
  • Disclosure to the DOJ
  • Contract Disclosure
  • Litigation and Alternative Dispute Resolution (ADR) Disclosures
  • Research Disclosure
  • Congressional Member Disclosure
  • Disclosure for Use By Law Enforcement Agencies
  • Enforcement Disclosure
  • Employment, Benefit, and Contracting Disclosure
  • Employee Grievance, Complaint or Conduct Disclosure
  • Labor Organization Disclosure
  • Disclosure to Providers of Web-based Postsecondary Education Admission Applications

These disclosures may be made on a case-by-case basis. If the Department has complied with the computer matching requirements of the Privacy Act, disclosure also may be made to another agency under a computer matching agreement.


8. External Sharing and Disclosure. With what external entity will the information be shared (e.g., another agency for a specified programmatic purpose)?

There will be no sharing of information for purposes outside of the above disclosure requirements or for anything other than the primary purpose(s) of collecting the information. Any contractor responsible for the operations of this Web site, including XAP, is held to the privacy and security requirements of the Department of Education in the handling of information collected through the Web site.


9. Notice. Is a notice provided to the individual prior to collection of their information (e.g., a posted Privacy Notice)?

As the Web site is a government agency Web site that the public accesses, the Privacy Policy is appropriately posted for Web site users. This is a general policy, which applies to the handling of any information collected at the site. The policy highlights the voluntary nature of information collected, and explains which data elements are necessary for each level of functionality. Customers are notified that providing the information constitutes consent to all of its uses and they are given no option to affirmatively consent to certain uses. In addition, the policy notifies customers about the automatic recording and potential uses of any non-personal information about a visit (i.e., site management data).

A Privacy Act Statement is incorporated into the Federal Student Aid web Privacy Policy articulating the specific authority for collecting personal information that will be maintained and retrieved by name or identifier from a Privacy Act system of records, the mandatory or voluntary nature of the information collected and the uses of the information. A link to the Privacy Act Statement is provided on each page of the Web site. You are specifically notified that providing the SSN is mandatory to complete the FAFSA and are provided the statutory authority requiring the SSN for this purpose. However, you are given the option to voluntarily provide and store SSN information in your account profile in anticipation of completing the FAFSA.


10. Web Addresses. List the Web addresses (known or planned) that have a Privacy Notice.

http://studentaid.ed.gov


11. Security. What administrative, technical, and physical security safeguards are in place to protect the PII?

The completion of system security plans is a requirement of the Office of Management and Budget (OMB) Circular A-130, "Management of Federal Information Resources," Appendix III, "Security of Federal Automated Information Resources," and Public Law 100-235, "Computer Security Act of 1987." The Web site has completed a system security plan demonstrating its compliance with the IT requirements mandated by federal law and policy. The security plan contains details regarding the Risk Assessment conducted for the Web site, as well as the security controls (hardware/software/facilities/personnel) in place to mitigate any identified risks to the information collected on the Web site. Management, operational, and technical security controls are in place for the Web site, encompassing personnel, physical environment access, contingency plans, disaster recovery, and identification and authentication procedures. The Web site is currently in the operations/maintenance phase of the life cycle. As such, the following functions are being performed: security operations and administration, operational assurance, audits and monitoring.

The Web site completed Certification and Accreditation June 2, 2008.


12. Privacy Act System of Records. Is a system of records being created or altered under the Privacy Act, 5 U.S.C. 552a?

A 'system of records' has been created under the Privacy Act, 5 U.S.C. 552a. It was published in the Federal Register at 68 Fed. Reg. 23113 (April 30, 2003).


13. Records Retention and Disposition. Is there a records retention and disposition schedule approved by the National Archives and Records Administration (NARA) for the records created by the system development lifecycle AND for the data collected?

No.


Last updated/reviewed June 30, 2009
