AGENCY:

Federal Student Aid, Department of Education.

ACTION:

Notice of a modified system of records.

SUMMARY:

In accordance with the Privacy Act of 1974, as amended (Privacy Act), the Chief Operating Officer for Federal Student Aid (FSA) of the U.S. Department of Education (Department) publishes this notice of a modified system of records entitled the “Person Authentication Service” (PAS) (18–11–12). The information contained in this system is maintained for various purposes relating to applicants for a user ID and password (FSA ID), who include current, former, and prospective aid applicants and recipients, participants who enter their personally identifiable information (PII) as part of the Free Application for Federal Student Aid (FAFSA®) form ( i.e., parents of dependent FAFSA applicants or recipients and spouses of independent FAFSA applicants or recipients) under title IV of the Higher Education Act of 1965, as amended (HEA), spouses of aid applicants or recipients who enter their PII as part of income-driven repayment (IDR) certifications or recertifications, endorsers, and third-party preparers ( i.e., individuals who provide consultative or preparation services for the completion of the FAFSA).

DATES:

Submit your comments on this modified system of records notice on or before August 28, 2023. This modified system of records notice will become applicable upon publication in the Federal Register on July 28, 2023, except for new and modified routine uses (1)(a), (1)(b), (1)(c), (1)(d), (1)(e), (1)(f), (2), (9), (10), (11), (12), (13), and (14) that are outlined in the section entitled “ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES,” which will be applicable on August 28, 2023, unless they need to be changed as a result of public comment. The Department will publish any changes to the modified system of records notice resulting from public comment.

ADDRESSES:

Comments must be submitted via the Federal eRulemaking Portal at regulations.gov. However, if you require accommodation or cannot otherwise submit your comments via regulations.gov, please contact the program contact person listed under FOR FUTHER INFORMATION CONTACT .

The Department will not accept comments submitted by fax or by email, or comments submitted after the comment period closes. To ensure that the Department does not receive duplicate copies, please submit your comments only once. In addition, please include the Docket ID at the top of your comments.

• Federal eRulemaking Portal: Go to www.regulations.gov to submit your comments electronically. Information on using Regulations.gov, including instructions for accessing agency documents, submitting comments, and viewing the docket, is available on the site under the “FAQ” tab.

Privacy Note: The Department's policy is to make comments received from members of the public available for public viewing in their entirety on the Federal eRulemaking Portal at www.regulations.gov. Therefore, commenters should be careful to include in their comments only information that they wish to make publicly available.

Assistance to Individuals with Disabilities in Reviewing the Rulemaking Record: On request, we will provide an appropriate accommodation or auxiliary aid to an individual with a disability who needs assistance to review the comments or other documents in the public rulemaking record for this notice. If you want to schedule an appointment for this type of accommodation or auxiliary aid, please contact the person listed under FOR FURTHER INFORMATION CONTACT .

FOR FURTHER INFORMATION CONTACT:

Robert Anderson, FSA Identity and Access Management (IAM), PAS Manager, Technology Office, Federal Student Aid, UCP, 830 First St. NE, Room 103E2, Washington, DC 20202 or email: Robert.Anderson@ed.gov.

If you use a telecommunications device for the deaf (TDD) or a text telephone (TTY), you may call the Federal Relay Service (FRS), toll free, at 1–800–877–8339.

SUPPLEMENTARY INFORMATION:

In accordance with the Privacy Act, the Department proposes to modify the system of records notice entitled “Person Authentication Service (PAS)” (18–11–12), which was last published in full in the Federal Register on March 20, 2015 (80 FR 14981).

The Department is modifying the section entitled “SYSTEM LOCATION” as follows:

(i) By deleting the Dell Systems Virtual Data Center location and adding the Amazon AWS GovCloud located at 12th Avenue, Suite 1200, Seattle, WA 98114. (This is the Hosting Center for the PAS application, where all electronic PAS information is processed and maintained.); and

(ii) By updating the address of PPS Infotech from Rockville, MD, to Ashburn, VA.

The Department is modifying the section entitled “SYSTEM MANAGER(S)” to change the title of the system manager from simply “PAS Manager” to “FSA Identity and Access Management (IAM), Division Chief, PAS Manager,” and to make minor updates to the system manager's address.

The Department is modifying the section entitled “AUTHORITY FOR MAINTENANCE OF THE SYSTEM” to add “the FAFSA Simplification Act (title VII, division FF of Pub. L. 116–260, the Consolidated Appropriations Act, 2021) (including, but not limited to, section 702(m) that amends section 483 of the HEA and section 703 that amends section 401 of the HEA), and the FAFSA Simplification Act Technical Corrections Act (division R of Pub. L. 107–103, the Consolidated Appropriations Act, 2022),” which reflect amendments to the HEA to improve the financial aid application experience and expand title IV, HEA eligibility.

The Department is modifying the section entitled “PURPOSE(S) OF THE SYSTEM” as follows:

(i) The Department has reorganized the section to distinguish between purposes related to individuals covered by the system and purposes related to the Department's oversight and administration of the title IV, HEA programs and by adding numbering to the various purposes listed under each subsection;

(ii) For the purposes related to individuals covered by the system:

(a) The Department is consolidating, and designating as purpose (1), the Start Printed Page 48818 existing purposes relating to generating authentication and log-on credentials for those individuals wishing to access Departmental student financial assistance systems, online applications, websites and services, and to update their security challenge questions and corresponding answers;

(b) In purpose (2), the Department is the existing purpose relating to accessing Department systems by indicating that a purpose of the system is to allow single sign-on and token management for all Department student financial assistance systems including systems run by Department contractors;

(c) In purpose (3), the Department is clarifying the existing purpose relating to the electronic signature function by indicating that a purpose of the system is to include electronic signatures on student aid forms and applications, including, but not limited to, the consent/affirmative approval for the Department to disclose records to the Internal Revenue Service (IRS) to obtain Federal Tax Information (FTI) and for the disclosure and redisclosure of the FTI, revocation of such consent/affirmative approval, the FAFSA, Direct Loan Master Promissory Notes, loan benefit programs, deferments, and forbearances through Studentaid.gov and other Department websites; and

(d) The Department is adding purpose (4) to enable the Department, or other Federal, State, Tribal, or local government agencies, to investigate, respond to, or resolve complaints concerning the practices or processes of the Department and/or the Department's contractors, or to investigate, respond to, or resolve aid recipients' requests for assistance or relief with regard to title IV, HEA program funds;

(iii) For the purposes related to the Department's oversight and administration of title IV, HEA programs:

(a) The Department is adding purpose (1) to prevent fraud by taking measures to validate PII submitted by aid applicants, aid recipients, application participants;

(b) In purpose (2), the Department is modifying the existing purpose relating to matching user information with authorized entities by indicating that a purpose of the system is to match name, Social Security Number (SSN) (or address, where applicable), and Date of Birth (DOB) with an authorized entities for purposes of validating the PII submitted and, if applicable, to determine program eligibility and benefits;

(c) The Department is designating as purpose (3) the existing purpose relating to providing usage information for FSA systems and websites;

(d) The Department is designating as purpose (4) the existing purpose relating to tracking changes to user account information;

(e) The Department is adding purpose (5) to maintain and track the consent/affirmative approval on aid applicants and recipients to the IRS for the IRS to disclose FTI under subsection 494(a) of the HEA (20 U.S.C. 1098h(a)) and section 6103(l)(13)(A) and (C) of the IRC to the Department as part of a matching program to determine their determine their eligibility under title IV of the HEA and to permit the Department to redisclose FTI of individuals pursuant to section 6103(l)(13)(D)(iv) of the IRC and the revocation of such consent/affirmative approval for IDR; and

(f) The Department is adding purpose (6) to support research, analysis, and development, and the implementation and evaluation of educational policies in relation to title IV, HEA programs.

The Department is modifying the section entitled “CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM” by deleting and replacing “students” with “aid applicants and aid recipients” who apply for a FSA ID, clarifying that “their parents” who apply for a FSA ID refers to parents of dependent FAFSA applicants who are participants and enter their PII as part of the FAFSA form and apply for a FSA ID, adding spouses of independent FAFSA applicants who are participants and enter their PII as part of the FAFSA form and apply for a FSA ID, and to add spouses of aid applicants or recipients who enter their PII as part of IDR certifications or recertifications and apply for a FSA ID, and adding third-party preparers who provide consultative or preparation services for the completion of the FAFSA form and apply for a FSA ID, to better explain the individuals covered by the system.

The Department is modifying the section entitled “CATEGORIES OF RECORDS IN THE SYSTEM” as follows:

(i) The Department is adding a second paragraph to include consent/affirmative approval both to permit the Department to disclose information on aid applicants and recipients to the IRS for the IRS to disclose FTI under subsection 494(a) of the HEA (20 U.S.C. 1098h(a)) and section 6103(l)(13)(A) and (C) of the IRC to the Department as part of a matching program to determine their eligibility under title IV of the HEA and to permit the Department to redisclose FTI of individuals pursuant to section 6103(l)(13)(D)(iv) of the IRC and the revocation of such consent/affirmative approval; and

(ii) The Department is adding a third paragraph that explains that PAS maintains information, such as SSN verification flag, citizenship status, and death indicator, obtained by the Department pursuant to matching programs or other information exchanges with Federal agencies, and other external entities, to assist in verifying the identifying information of aid applicants or recipients, application participants, including the parents of dependent aid applicants or recipients and the spouses of independent aid applicants or recipients, endorsers, and third-party preparers.

The Department is modifying the section entitled “RECORD SOURCE CATEGORIES” as follows:

(i) The Department is modifying the first paragraph to explain that PAS receives the verification flag, citizenship flag, and death indicator through a matching program from the Central Processing System (CPS) or the FAFSA Processing System (FPS);

(ii) The Department is adding a new second paragraph to explain that PAS also collects from aid applicants or recipients their consent/affirmative approval both to permit the Department to disclose information on aid applicants and recipients to the IRS for the IRS to disclose FTI under subsection 494(a) of the HEA (20 U.S.C. 1098h(a)) and section 6103(l)(13)(A) and (C) of the IRC to the Department as part of a matching program to determine their eligibility under title IV of the HEA and to permit the Department to redisclose FTI of individuals pursuant to section 6103(l)(13)(D)(iv) of the IRC and the revocation of such consent/affirmative approval for IDR;

(iii) The Department is adding a new third paragraph to explain that information is also received from other Department systems or their successor systems, such as:

(a) The Digital and Customer Care Information Technology (IT), Central Processing System (CPS)and the FAFSA Processing System (FPS) (covered by the Department's Privacy Act system of records notice entitled “Aid Awareness and Application Processing (AAAP”) (18–11–21)); and

(b) The Enterprise Data Warehouse Analytics (EDWA) and Master Data Management (MDM) components covered under the “Enterprise Data Management and Analytics Platform Services” (covered by the Department's Privacy Act system of records notice entitled “Enterprise Data Management and Analytics Platform Services (EDMAPS)” (18–11–22)); and

(iv) The Department is adding a new fourth paragraph to indicate that Start Printed Page 48819 information in this system may be obtained from other persons or entities from whom or from which data is obtained following a disclosure under the listed routine uses.

The Department is modifying the section entitled “ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES” as follows:

(i) Routine use (1)(a) is being modified to delete “the individual whom records indicate is applying for, has applied for, has endorsed, or has received a title IV, HEA loan or grant” and add “current, former, and prospective aid applicant, aid recipient (or their third-party preparer), or endorser;” to add validate the PII being entered by the current, former, or prospective aid applicant or aid recipient (or their third-party preparer) or endorser, whom records indicate is applying for, has applied for, has endorsed, or has received a title IV, HEA loan and/or grant, or a participant of such an application including the spouse of an independent aid applicant or recipient or the parent(s) of a dependent aid applicant or recipient; to delete “authorized representatives;” and to add Tribal agencies to the list of entities to which the Department may disclose records to verify the identity of an individual;

(ii) Routine use (1)(b) is being modified to delete “their authorized representatives” to make the routine use clearer and to add Tribal agencies to the list of agencies to which information may be disclosed under this routine use;

(iii) Routine use (1)(c) is being deleted because PAS is not used to facilitate default reduction;

(iv) Newly renumbered routine use (1)(c) is being modified to delete the servicing, assigning, adjusting, transferring, referring, or discharging of a loan; to remove authorized representatives; and to add Tribal agencies to the list of agencies to which information may be disclosed to permit the making or collecting of a grant or loan obligation;

(v) Newly renumbered routine use (1)(d) is being modified to remove authorized representatives of applicable Federal Loan Servicers or Federal Perkins Loan Servicers, and Federal, State, or local agencies; and to add Tribal agencies to the list of agencies to which disclosures may be made to investigate possible fraud or abuse or verify compliance with program regulations;

(vi) Newly renumbered routine use (1)(e) is being added to permit the Department to disclose information on aid applicants and recipients to disclose FTI under subsection 494(a) of the HEA (20 U.S.C. 1098h(a)) and section 6103(l)(13)(A) and (C) of the IRC to the Department as part of a matching program to determine their determine their eligibility under title IV of the HEA and to permit the Department to redisclose FTI of individuals pursuant to section 6103(l)(13)(D)(iv) of the IRC and the revocation of such consent/affirmative approval for IDR, disclosures may be made to Federal Loan Servicers;

(vii) Routine use (1)(f) is being deleted because PAS is not used to locate delinquent or defaulted borrowers;

(viii) The newly renumbered routine use (1)(f) is being modified to delete authorized representatives of Guaranty agencies, educational and financial institutions, Federal Loan Services, Federal Perkins Loan Servicers, and Federal, State, or local agencies, and to add Tribal agencies to the list of agencies to which disclosures may be made to investigate complaints or to update information or correct errors contained in Department records;

(ix) Routine use (1)(g) is being deleted because PAS is not used to conduct credit checks or respond to inquiries or disputes;

(x) Routine use (2) entitled “Feasibility Study Disclosure” is being deleted because the system is not used to conduct feasibility studies;

(xi) Routine use (3) entitled “Disclosure for Use by Other Law Enforcement Agencies” is being deleted because of concerns that it was not compatible with the purposes for which records are collected in this system;

(xii) Newly renumbered routine use (2) entitled “Enforcement Disclosure” is being modified to indicate that if information in this system of records indicates, either on its face or in connection with other information, a violation or potential violation of any applicable statute, regulation, or order of a competent authority, the Department may disclose the relevant records to the appropriate agency, whether foreign, Federal, State, Tribal or local, responsible for investigating or prosecuting that violation or charged with enforcing or implementing the statute, Executive Order, rule, regulation, or order issued pursuant thereto;

(xiii) Newly renumbered routine use (9) entitled “Contract Disclosure” has been modified to delete and replace “[b]efore entering into such a contract, the Department shall require the contractor to establish and maintain Privacy Act safeguards as required under subsection (m) of the Privacy Act (5 U.S.C. 552a(m) with respect to the records in the system” with “[a]s part of such a contract, the Department shall require the contractor to agree to establish and maintain safeguards to protect the security and confidentiality of the disclosed records” to clarify when records can be shared;

(xiv) Newly renumbered routine use (10) entitled “Research Disclosure” has been modified to delete and replace “[t]he researcher shall be required to maintain safeguards required under the Privacy Act with respect to the records in the system” with “[t]he researcher shall be required to agree to establish and maintain safeguards to protect the security and confidentiality of the disclosed records” to clarify when records can be shared;

(xv) Newly renumbered routine use (11) entitled “Congressional Member Disclosure” is being modified to clarify that the Department may disclose the records of an individual to a member of Congress or their staff when necessary to respond to an inquiry from the Member and that the Member's request must be made not only at the written request of, but also on behalf of, the individual whose records are being disclosed;

(xvi) Routine use (14) entitled “Disclosure to OMB for Federal Credit Reform Act (CRA) Support” was deleted because disclosures to the Office of Management and Budget for CRA support are not made from the PAS system;

(xvii) Newly renumbered routine use (12) entitled “Disclosure in the Course of Responding to a Breach of Data” is being modified as follows: in paragraph (a), to delete and replace “the security or confidentiality of information in the system of records has been compromised” with “there has been a breach of the system of records”; in paragraph (b), to delete and replace “compromise” with “breach”; in paragraph (b), to permit the Department to make disclosures when, in addition to satisfying paragraphs (a) and (c), the Department determines that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the Department (including its information systems, programs, and operations), the Federal government, or national security; and in paragraph (c), to delete and replace “compromise” with “breach”;

(xviii) Newly renumbered routine use (13) entitled “Disclosure in Assisting another Agency in Responding to a Breach of Data” is being added to permit disclosures to assist another Federal agency or Federal entity in responding to a suspected or confirmed breach of data; Start Printed Page 48820

(xix) Routine use (16) entitled “Disclosure to Third Parties through Computer Matching Programs” is being deleted because this is covered under the introductory paragraph of the section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES and covered under the separate programmatic routine use disclosures; and

(xx) Newly renumbered routine use (14) entitled “Disclosure to the National Archives and Records Administration (NARA)” is being added to permit disclosures to NARA for the purpose of records management inspections conducted under the authority of 44 U.S.C. 2904 and 2906.

The Department is modifying the section entitled “POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS” to explain that records are primarily maintained in accordance with ED Records Schedule 278, “FSA Person Authentication Service (PAS) Records” (DAA–0441–2016–0001) (ED 278), and the Department has submitted amendments to ED 278 for NARA's consideration and will not destroy records covered by ED 278 until such amendments are effective.

The Department is deleting the section entitled “POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING AND DISPOSING OF RECORDS IN THE SYSTEM” and added the new section entitled “ADMINISTRATIVE, TECHNICAL AND PHYSICAL SAGEGUARDS” which describes authorized users to the system; the physical safeguards of magnetic tapes, disc packs, computer equipment; how other forms of data and information are stored; the procedural safeguards required to access the information; the required Federal Information Security Management Act of 2002 (FISMA) requirements of a signed Authorization to Operate (ATO) and its rigorous assessment of security controls; and finally, the FISMA controls implemented that in combination secure the system and maintain the information safely.

The Department is modifying the section entitled “RECORD ACCESS PROCEDURES” to delete that individuals may access their records by visiting the ED PAS Account Management site or by calling the FAFSA on the web phone number listed on the website and to add that individuals who wish to access their records must provide the system manager with the necessary particulars such as their name, DOB, SSN, and any other identifying information requested by the Department while processing the request, to distinguish between individuals with the same name.

The Department is modifying the section entitled “CONTESTING RECORD PROCEDURES” to delete that individuals may contest their records by contacting the Customer Service Department and the last sentence directing individuals whose SSN does not match the records of the SSA either to correct their SSN in PAS or to contact the local office of the SSA for a SSN correction; and to add that individuals who wish to contest their records must provide the system manager with the necessary particulars such as their name, DOB, SSN, and any other identifying information requested by the Department while processing the request, to distinguish between individuals with the same name, and also must identify the specific item(s) to be changed and provide a justification for the change, including any supporting documentation. The Department is modifying the section entitled “NOTIFICATION PROCEDURES” to include that in order to determine whether a record exists about an individual in this system of records, the individual must provide the system manager with the necessary particulars such as their name, DOB, SSN, and any other identifying information requested by the Department while processing the request to distinguish between individuals with the same name.

Accessible Format: On request to the program contact person listed under FOR FURTHER INFORMATION CONTACT , individuals with disabilities can obtain this document in an accessible format. The Department will provide the requestor with an accessible format that may include Rich Text Format (RTF) or text format (txt), a thumb drive, an MP3 file, braille, large print, audiotape, or compact disc, or other accessible format.

Electronic Access to This Document: The official version of this document is the document published in the Federal Register . You may access the official edition of the Federal Register and the Code of Federal Regulations at www.govinfo.gov. At this site you can view this document, as well as all other documents of this Department published in the Federal Register , in text or Portable Document Format (PDF). To use PDF you must have Adobe Acrobat Reader, which is available free at the site.

You may also access documents of the Department published in the Federal Register by using the article search feature at www.federalregister.gov. Specifically, through the advanced search feature at this site, you can limit your search to documents published by the Department.

For the reasons discussed in the preamble, the Chief Operating Officer, Federal Student Aid (FSA), U.S. Department of Education (Department) publishes a notice of a modified system of records to read as follows:

SYSTEM NAME AND NUMBER:

Person Authentication Service (PAS) (18–11–12).

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

Amazon Web Services (AWS) Government Cloud, 1200 12th Avenue, Suite 1200, Seattle, WA 98114. (This is the Hosting Center for the PAS application, where all electronic PAS information is processed and maintained.)

PPS Infotech, 20745 Williamsport Place, Suite 320, Ashburn, VA 20147. (PPS Infotech has access to the system and contracts directly with the Department for the development, operations, and maintenance support for PAS.)

SYSTEM MANAGER(S):

FSA Identity and Access Management (IAM), Division Chief, PAS Manager, Technology Office, Federal Student Aid, Union Center Plaza, 830 First St. NE, 10th floor, Washington, DC 20202.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

The collection of personally identifiable information (PII) for the creation and management of a FSA ID (which includes a user ID and a password) is authorized programmatically by title IV of the Higher Education Act of 1965, as amended (HEA) (20 U.S.C. 1070, et seq.) and the FAFSA Simplification Act (title VII, division FF of Pub. L. 116–260, the Consolidated Appropriations Act, 2021) (including, but not limited to, section 702(m) that amends section 483 of the HEA and section 703 that amends section 401 of the HEA), and the FAFSA Simplification Act Technical Corrections Act (division R of Pub. L. 117–103, the Consolidated Appropriations Act, 2022).

PURPOSE(S) OF THE SYSTEM:

The information contained in this system is maintained for the following purposes related to the individuals covered by the system: Start Printed Page 48821

(1) to generate authentication and log-on credentials for those individuals wishing to access Departmental student financial assistance systems, online applications, websites and services, and to update security challenge questions and their corresponding answers;

(2) to allow a single sign-on and token management solution for all Department student financial assistance systems including systems operated by Department contractors;

(3) to allow electronic signature on student aid forms and applications, including, but not limited to, the consent/affirmative approval for the Department to disclose records to the Internal Revenue Service (IRS) to obtain Federal Tax Information (FTI) and for the disclosure and redisclosure of the FTI, revocation of such consent/affirmative approval, the Free Application for Federal Student Aid (FAFSA®), Direct Loan Master Promissory Notes, loan benefit program forms, deferments, or forbearances through StudentAid.gov and other Department websites; and

(4) to enable the Department, or other Federal, State, Tribal, or local government agencies, to investigate, respond to, or resolve complaints concerning the practices or processes of the Department and/or the Department's contractors, or to investigate, respond to, or resolve aid recipients' requests for assistance or relief with regard to title IV, HEA program funds.

The information maintained in this system is also maintained for the following purposes relating to the Department's oversight and administration of the title IV, HEA programs:

(1) to prevent fraud by taking measures to validate the PII submitted by aid applicants, aid recipients, application participants ( i.e., parents of dependent aid applicants or aid recipients and spouses of independent students), endorsers, and third-party preparers before allowing them to access Department websites, such as Studentaid.gov;

(2) to match name, Social Security number (SSN) (or address, where applicable), and Date of Birth (DOB) with an authorized entities for purposes of validating the PII submitted and, if applicable, to determine program eligibility and benefits;;

(3) to provide usage information for FSA systems and websites;

(4) to track changes to user account information;

(5) to maintain and track consent/affirmative approval the consent/affirmative approval on aid applicants and recipients to the IRS for the IRS to disclose FTI under subsection 494(a) of the HEA (20 U.S.C. 1098h(a)) and section 6103(l)(13)(A) and (C) of the IRC to the Department as part of a matching program to determine their determine their eligibility under title IV of the HEA and to permit the Department to redisclose FTI of individuals pursuant to section 6103(l)(13)(D)(iv) of the IRC and the revocation of such consent/affirmative approval for IDR; and

(6) to support research, analysis, and development, and the implementation and evaluation of educational policies in relation to title IV, HEA programs.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

PAS contains records about former, current, and prospective aid applicants and aid recipients, participants who enter their PII as part of the FAFSA form ( i.e., parents of dependent aid applicants or recipients and spouses of independent aid applicants or recipients) under title IV of the HEA, spouses of aid applicants or recipients who enter their PII as part of IDR certifications or recertifications, endorsers, and third-party preparers ( i.e., individuals who provide consultative or preparation services for the completion of the FAFSA) who apply for a user ID and password (FSA ID).

CATEGORIES OF RECORDS IN THE SYSTEM:

This system maintains identifying information including, but not limited to, first name, middle name, last name, SSN, DOB, address, telephone number, email address, and security challenge questions.

The system also contains consent/affirmative approval of IDR applicants or recipients both to permit the Department to disclose information to the IRS for the IRS to disclose FTI under subsection 494(a) of the HEA (20 U.S.C. 1098h(a)) and section 6103(l)(13)(A) and (C) of the IRC to the Department as part of a matching program to determine title IV, program eligibility or monthly repayment obligation amounts for IDR plans under title IV of the HEA with respect to loans made under part D (the Direct Loan program) of title IV of the HEA and to permit the Department to redisclose FTI of individuals pursuant to section 6103(l)(13)(D)(iv) of the IRC. PAS also maintains the revocation of consent/affirmative approval for IDR.

PAS further maintains information, such as SSN verification flag, citizenship status, and death indicator, obtained pursuant to matching programs or other information exchanges with Federal agencies, and other external entities, to assist in verifying the identifying information of aid applicants or recipients, application participants including parents of dependent aid applicants or recipients and spouses of independent aid applicants or recipients, endorsers, and third-party preparers.

RECORD SOURCE CATEGORIES:

The identifying information (first name, middle name, last name, SSN, DOB, address, telephone number, email address, security challenge questions and corresponding answers) will be collected from individuals applying for a FSA ID or updating their information on the PAS registration website. In addition, PAS receives a verification flag, citizenship flag and death flag indicator which are maintained in the system through a matching program from the Central Processing System (CPS) and the FAFSA Processing System (FPS) system.

PAS also collects from aid applicants or recipients their consent/affirmative approval both to permit the Department to disclose information to the IRS for the IRS to disclose FTI under subsection 494(a) of the HEA (20 U.S.C. 1098h(a)) and section 6103(l)(13)(A) and (C) of the IRC to the Department as part of a matching program to determine title IV, program eligibility or their monthly repayment obligation amounts for IDR plans under title IV of the HEA with respect to loans made under part D of title IV of the HEA (the Direct Loan program) and to permit the Department to redisclose the FTI of such individuals pursuant to section 6103(l)(13)(D)(iv) of the IRC.

Information is also obtained from other Department systems, or their successor systems, including:

The Digital and Customer Care Information Technology (IT), Central Processing System (CPS) and FAFSA Processing System (FPS) system (covered by the Department's Privacy Act system of records notice entitled “Aid Awareness and Application Processing (AAAP)” (18–11–21)); and

• The Enterprise Data Warehouse Analytics (EDWA) and Person Master Data Management (pMDM) components covered under the “Enterprise Data Management and Analytics Platform Services” (covered by the Department's Privacy Act system of records notice entitled “Enterprise Data Management and Analytics Platform Services (EDMAPS)” (18–11–22)).

Information in this system also may be obtained from other persons or entities from whom or from which information is obtained following a disclosure under the listed routine uses. Start Printed Page 48822

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

The Department may disclose information contained in a record in this system of records under the routine uses listed in this system of records without the consent of the individual if the disclosure is compatible with a purpose for which the record was collected. These disclosures may be made on a case-by-case basis or, if the Department has complied with the computer matching requirements of the Privacy Act of 1974, as amended (Privacy Act) (5 U.S.C. 552a), under a computer matching agreement (CMA).

(1) Program Disclosures. The Department may disclose records for the following program purposes:

(a) To validate the PII entered by the current, former, or prospective aid applicant or aid recipient (or their third-party preparer) or endorser, whom records indicate is applying for, has applied for, has endorsed, or has received a title IV, HEA loan and/or grant, or a participant of such an application including the spouse of an independent aid applicant or recipient or the parent(s) of a dependent aid applicant or recipient, disclosures may be made to: Guaranty agencies, educational and financial institutions, Federal Loan Servicers, or Federal Perkins Loan Servicers, Federal, State, local, or Tribal agencies, private parties such as relatives, business and personal associates, and present and former employers, creditors, consumer reporting agencies, adjudicative bodies, and the individual whom the records identify as the endorser or the party obligated to repay the debt;

(b) To determine program eligibility and benefits, disclosures may be made to: Guaranty agencies, educational and financial institutions, Federal Loan Servicers, Federal Perkins Loan Servicers, Federal, State, local, or Tribal agencies; private parties such as relatives, business and personal associates, and present and former employers, creditors, consumer reporting agencies, and adjudicative bodies;

(c) To permit the making or collecting of a grant or loan obligation, disclosures may be made to: Guaranty agencies, educational institutions, financial institutions, Federal Loan Servicers, or Federal Perkins Loan Servicers that made, held, serviced, or have been assigned the debt; a party identified by the debtor as willing to advance funds to repay the debt; Federal, State, local, or Tribal agencies; private parties such as relatives, business and personal associates, and present and former employers, creditors, consumer reporting agencies, and adjudicative bodies;

(d) To investigate possible fraud or abuse or verify compliance with program regulations, disclosures may be made to: Guaranty agencies, educational and financial institutions, Federal Loan Servicers or Federal Perkins Loan Servicers, Federal, State, local, or Tribal agencies, private parties such as relatives, present and former employers, and business and personal associates, creditors, consumer reporting agencies, and adjudicative bodies;

(e) To permit the Department to disclose information on aid applicants and recipients to the IRS for the IRS to disclose FTI under subsection 494(a) of the HEA (20 U.S.C. 1098h(a)) and section 6103(l)(13)(A) and (C) of the IRC to the Department as part of a matching program to determine their determine their eligibility under title IV of the HEA and to permit the Department to redisclose FTI of individuals pursuant to section 6103(l)(13)(D)(iv) of the IRC and the revocation of such consent/affirmative approval for IDR, disclosures may be made to Federal Loan Servicers;

(f) To investigate complaints or to update information or correct errors contained in Department records, disclosures may be made to: Guaranty agencies, educational and financial institutions, Federal Loan Servicers, or Federal Perkins Loan Servicers, Federal, State, local, or Tribal agencies; private parties such as relatives, present and former employers, and business and personal associates, creditors, credit reporting agencies, and adjudicative bodies; and

(g) To report information required by law to be reported, including, but not limited to, reports required by 26 U.S.C. 6050P and 6050S, disclosures may be made to the IRS.

(2) Enforcement Disclosure. In the event that information in this system of records indicates, either on its face or in connection with other information, a violation or potential violation of any applicable statute, regulation, or order of a competent authority, the Department may disclose the relevant records to the appropriate agency, whether foreign, Federal, State, Tribal or local, charged with the responsibility of investigating or prosecuting that violation or charged with enforcing or implementing the statute, Executive Order, rule, regulation, or order issued pursuant thereto.

(3) Litigation and Alternative Dispute Resolution (ADR) Disclosure.

(a) Introduction. In the event that one of the parties listed below is involved in judicial or administrative litigation or ADR, or has an interest in such litigation or ADR, the Department may disclose certain records to the parties described in paragraphs (b), (c), and (d) of this routine use under the conditions specified in those paragraphs:

(i) The Department or any of its components;

(ii) Any Department employee in their official capacity;

(iii) Any Department employee in their individual capacity where the Department of Justice (DOJ) has been requested to or agrees to provide or arrange for representation for the employee;

(iv) Any Department employee in their individual capacity where the Department has agreed to represent the employee;

(v) The United States, where the Department determines that the litigation is likely to affect the Department or any of its components.

(b) Disclosure to the DOJ. If the Department determines that disclosure of certain records to the DOJ is relevant and necessary to the judicial or administrative litigation or ADR and is compatible with the purpose for which the records were collected, the Department may disclose those records as a routine use to the DOJ.

(c) Adjudicative Disclosure. If the Department determines that disclosure of certain records to an adjudicative body before which the Department is authorized to appear or to an individual or an entity designated by the Department or otherwise empowered to resolve or mediate disputes is relevant and necessary to judicial or administrative litigation or ADR, the Department may disclose those records as a routine use to the adjudicative body, individual, or entity.

(d) Disclosure to Parties, Counsel, Representatives, and Witnesses. If the Department determines that disclosure of certain records is relevant and necessary to judicial or administrative litigation or ADR, the Department may disclose those records as a routine use to a party, counsel, representative, or witness.

(4) Employment, Benefit, and Contracting Disclosure.

(a) For Decisions by the Department. The Department may disclose a record to a Federal, State, or local agency, or another public authority or professional organization, maintaining civil, criminal, or other relevant enforcement or other pertinent records, if necessary to obtain information relevant to a Department decision concerning the hiring or retention of an employee or other personnel action, the issuance of a security clearance, the letting of a Start Printed Page 48823 contract, or the issuance of a license, grant, or other benefit.

(b) For Decisions by Other Public Agencies and Professional Organizations. The Department may disclose a record to a Federal, State, local, or other public authority or professional organization, in connection with the hiring or retention of an employee or other personnel action, the issuance of a security clearance, the reporting of an investigation of an employee, the letting of a contract, or the issuance of a license, grant, or other benefit, to the extent that the record is relevant and necessary to the receiving entity's decision on the matter.

(5) Employee Grievance, Complaint, or Conduct Disclosure. If a record is relevant and necessary to an employee grievance, complaint, or disciplinary action, the Department may disclose the record in this system of records in the course of investigation, fact-finding, or adjudication to any party or the party's counsel or representative, a witness, or to a designated fact-finder, mediator, or other person designated to resolve issues or decide the matter.

(6) Labor Organization Disclosure. The Department may disclose records from this system of records to an arbitrator to resolve disputes under a negotiated grievance procedure or to officials of labor organizations recognized under 5 U.S.C. chapter 71 when relevant and necessary to their duties of exclusive representation.

(7) Freedom of Information Act (FOIA) and Privacy Act Advice Disclosure. The Department may disclose records to the DOJ or the Office of Management and Budget if the Department seeks advice regarding whether records maintained in this system of records are required to be disclosed under the FOIA or the Privacy Act.

(8) Disclosure to the DOJ. The Department may disclose records to the DOJ, or the authorized representative of the DOJ, to the extent necessary for obtaining DOJ advice on any matter relevant to an audit, inspection, or other inquiry related to the programs covered by this system.

(9) Contract Disclosure. If the Department contracts with an entity for the purposes of performing any function that requires disclosure of records in this system to employees of the contractor, the Department may disclose the records to those employees. As part of such a contract, the Department shall require the contractor to agree to establish and maintain safeguards to protect the security and confidentiality of the disclosed records.

(10) Research Disclosure. The Department may disclose records to a researcher if the Department determines that the individual or organization to which the disclosure would be made is qualified to carry out specific research related to functions or purposes of this system of records. The Department may disclose records from this system of records to that researcher solely for the purpose of carrying out that research related to the functions or purposes of this system of records. The researcher shall be required to agree to establish and maintain safeguards to protect the security and confidentiality of the disclosed records.

(11) Congressional Member Disclosure. The Department may disclose the records of an individual to a Member of Congress or the Member's staff when necessary to respond to an inquiry from the Member made at the written request of that individual and on behalf of that individual. The Member's right to the information is no greater than the right of the individual who requested the inquiry.

(12) Disclosure in the Course of Responding to a Breach of Data. The Department may disclose records from this system of records to appropriate agencies, entities, and persons when (a) the Department suspects or has confirmed that there has been a breach of the system of records; (b) the Department has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the Department (including its information systems, programs, and operations), the Federal government, or national security; and (c) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department's efforts to respond to the suspected or confirmed breach and prevent, minimize, or remedy such harm.

(13) Disclosure in Assisting another Agency in Responding to a Breach of Data. The Department may disclose records from this system to another Federal agency or Federal entity, when the Department determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (a) responding to a suspected or confirmed breach or (b) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal government, or national security, resulting from a suspected or confirmed breach.

(14) Disclosure to the National Archives and Records Administration (NARA). The Department may disclose records from this system of records to NARA for the purpose of records management inspections conducted under the authority of 44 U.S.C. 2904 and 2906.

DISCLOSURE TO CONSUMER REPORTING AGENCIES:

Disclosures pursuant to 5 U.S.C. 552a(b)(12): The Department may disclose the following information to a consumer reporting agency regarding a valid overdue claim of the Department: (1) the name, address, taxpayer identification number, and other information necessary to establish the identity of the individual responsible for the claim; (2) the amount, status, and history of the claim; and (3) the program under which the claim arose. The Department may disclose the information specified in this paragraph under 5 U.S.C. 552a(b)(12) and the procedures contained in subsection 31 U.S.C. 3711(e). A consumer reporting agency to which these disclosures may be made is defined in 15 U.S.C. 1681a(f) and 31 U.S.C. 3701(a)(3).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

The records are stored electronically.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

In order for users to retrieve aid applicant or recipient information, they must supply the respective SSN, name, and DOB or by the unique internal account identifier.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Records are primarily retained and disposed of in accordance with ED Records Schedule 278, “FSA Person Authentication Service (PAS) Records” (DAA–0441–2016–0001) (ED 278). The Department has submitted amendments to ED 278 for NARA's consideration and will not destroy records covered by ED 278 until such amendments are in effect, as applicable.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Authorized users: Access to the system is limited to authorized PAS program personnel and contractors responsible for administering the PAS program. Authorized personnel include Department employees and officials, financial and fiscal management personnel, computer personnel, and program managers who have responsibilities for implementing the PAS program. Read-only users: Read-only access is given to servicers, holders, financial/fiscal management personnel, and institutional personnel. Start Printed Page 48824

Physical safeguards: Magnetic tapes, disc packs, computer equipment, and other forms of data are stored in areas where fire and life safety codes are strictly enforced. Security guards are staffed 24 hours a day, seven days a week, to perform random checks on the physical security of the record storage areas.

Procedural safeguards: A password is required to access the terminal, and a data set name controls the release of information to only authorized users. In addition, all sensitive data is encrypted using Oracle Transparent Data Encryption functionality. Access to records is strictly limited to those staff members trained in accordance with the Privacy Act and Automatic Data Processing (ADP) security procedures. Contractors are required to maintain confidentiality safeguards with respect to these records. Contractors are instructed to make no further disclosure of the records except as authorized by the System Manager and permitted by the Privacy Act. All individuals who have access to these records receive appropriate ADP security clearances.

Department personnel make site visits to ADP facilities for the purpose of ensuring that ADP security procedures continue to be met. Privacy Act and ADP system security requirements are specifically included in contracts. The PAS project directors, project officers, and the system manager oversee compliance with these requirements.

In accordance with the Federal Information Security Management Act of 2002 (FISMA), as amended by the Federal Information Security Modernization Act of 2014, every Department system must receive a signed Authorization to Operate (ATO) from a designated Department official. The ATO process includes a rigorous assessment of security controls, a plan of actions and milestones to remediate any identified deficiencies, and a continuous monitoring program.

FISMA controls implemented are comprised of a combination of management, operational, and technical controls, and include the following control families: access control, awareness and training, audit and accountability, security assessment and authorization, configuration management, contingency planning, identification and authentication, incident response, maintenance, media protection, physical and environmental protection, planning, personnel security, privacy, risk assessment, system and services acquisition, system and communications protection, system and information integrity, and program management.

RECORD ACCESS PROCEDURES:

If you wish to gain access to a record in this system, you must contact the system manager with the necessary particulars such as your name, DOB, SSN, and any other identifying information requested by the Department while processing the request, to distinguish between individuals with the same name. Requests by an individual for access to a record must meet the requirements of the regulations at 34 CFR 5b.5, including proof of identity.

CONTESTING RECORD PROCEDURES:

If you wish to contest the content of a record in the system of records, you must contact the system manager with the necessary particulars such as your name, DOB, SSN, and any other identifying information requested by the Department while processing the request, to distinguish between individuals with the same name. You must also identify the specific item(s) to be changed, and provide a justification for the change, including any supporting documentation. Requests to amend a record must meet the requirements of the Department's Privacy Act regulations at 34 CFR 5b.7.

NOTIFICATION PROCEDURES:

If you wish to determine whether a record exists regarding you in this system of records, you must contact the system manager with the necessary particulars such as your name, DOB, SSN,and any other identifying information requested by the Department while processing the request, to distinguish between individuals with the same name. Requests for notification about whether the system of records contains information about an individual must meet the requirements of the regulations at 34 CFR 5b.5, including proof of identity.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

The system of records notice entitled the “Person Authentication Service” (18–11–12) was last modified and published in full in the Federal Register on March 20, 2015 (80 FR 14981).