Dec 20, 2018
ED Debit Card Still Maxing Out Privacy Concerns
In October, the Office of Federal Student Aid (FSA) released a notice inviting applications from banking providers interested in participating in the Payment Vehicle Account Pilot Program after an earlier solicitation in January 2018. Selected banking providers for the pilot will partner with FSA to provide co-branded debit cards for students to access federal financial aid disbursements. The services will integrate with FSA’s myStudentAid mobile app, allowing students to file their FAFSA application, manage their student loans, and receive federal funds. The new notice improves upon the previous proposal by describing clearer data privacy and security requirements for students who choose to use the services, but it does not detail key protocols that are needed to protect students.
The Next Gen Payment Card Pilot quickly drew concerns from higher education advocates because of the potential privacy and security implications of the debit card program. IHEP’s previous blog highlighted concerns with this proposal, including the use of student data for marketing, FSA’s role in tracking student purchases, and the potentially inappropriate sharing and selling of student data. Advocates also were worried that the contractor, FSA, or colleges and universities could use the payment pilot as a way to restrict or control students’ purchases. The newly released pilot program addresses some, but not all, of these concerns.
In terms of improvements, the notice now provides consent protocols for marketing additional services to students and requires explicit permission of students on an “individual” or “case-by-case basis”. Banking providers participating in the pilot will not be allowed to market services through general or blanket opt-in promotions or through any opt-out methods. Additionally, the notice states that FSA will only receive aggregated purchase data and will not receive customer records or other individually-identifiable data on student purchases from the banking company, students, or participating schools.
Despite these incremental improvements, advocates and policymakers still have many questions and concerns about how FSA plans to implement and monitor the privacy and security regulations added to the pilot. Sen. Ron Wyden (D-OR), ranking member of the Senate Committee on Finance, sent a letter to Education Secretary Betsy DeVos expressing his concern for the potential abuse of student data through the payment vehicle pilot. He believes that many privacy issues remain unanswered, and said he was concerned that students will be “aggressively encouraged to share their data with companies that put profits above students.”
Other advocates took to Twitter using the hashtags #FSATC2018 and #NextGenFSA to discuss concerns raised during two sessions on the Next Gen Project at the FSA Training conference in late November, including privacy concerns about FSA using aggregated data to restrict and limit where students can use federal aid refunds. Students should not be asked to sacrifice their privacy to access the aid to which they are entitled to pay for college expenses.
Through our work with the Postsecondary Data Collaborative, we believe that student privacy and security must be at the forefront of new proposals like the payment vehicle pilot. To protect students, we offer additional recommendations for restrictions on the use of this new debit card data:
- Contracted banking providers should be required to detail how students will be asked to opt in to additional services, the language used, and the frequency of contact. Further, FSA should provide an action plan for monitoring and enforcing marketing restrictions.
Depending on the language used by the banking provider, the additional services marketed as a result of this program could be construed as services provided or endorsed by the Education Department. Language like “case-by-case” and “by occurrence” for the marketing opt-in method is vague. It does not detail the methods and language used for obtaining consent, the definitions of “case” and “occurrence”, what students will actually be consenting to, or how often students will be asked to give permission for additional services. Leveraging a student loan disbursement tool to market financial products is an inappropriate use of student data, and students should not be aggressively asked to opt in to these products.
- FSA should require the contracted banking provider to include in its Quality Control Plan a data governance and management plan that details any data sharing between FSA and the banking provider, data retention, and data destruction plans.
Students have a right to know what information of theirs is being collected and used, how long their data are stored, who has access to the data, when data are destroyed, and how to remove themselves from the system once they no longer use services from the banking provider. Creating a detailed Quality Control Plan will illuminate for students how their data are stored and managed.
- FSA should require the contracted provider to specify and implement additional high-level data security protocols, like National Institute of Standards and Technology (NIST) cybersecurity standards, in addition to the leading banking industry standards outlined in the Federal Register notice.
FSA ensures that data security will be implemented by using “industry-leading technologies and methods” geared primarily toward security risk prevention that thwart hacking of debit cards and electronic banking systems. Enforcing NIST standards, as well, will provide baseline security controls for secure data management by banking providers and secure data sharing with FSA. FSA should also explain how it will oversee and ensure providers’ compliance with the NIST framework.
The second register notice makes strides in creating a more private and secure banking system than previously proposed, but it does not go far enough. Safeguarding student information and protecting against its misuse must be at the forefront of the planning process. We hope that FSA considers these recommendations to improve the pilot program.