30D Comment Response

Comment

FSA Response

“The Dep of ED should not launch this project at this time. They should first finish resolving the current issues with the FSA Partner Connect secure site, like that they can't release ECARs to schools and that there are some schools who still have not successfully accessed their E-App (though their third party servicer have access on their behalf) and there are third party servicers who are still having issues with granting access to additional users. The Dep of ED should also consider doing a beta testing phase to make sure the site is working before launching, being sure to engage partners from all sectors, especially organizations who access many schools, schools with additional locations who share a DPA (since these schools are still having issues since the launch of the NSLDS 2.0) and organizations with

many users. It would also be helpful if the Dep of ED sent emails to users before the accounts like (as is done by the G5/6 system), rather

than relying on users keeping track for themselves.”

Thank you for the comment. Any individual issues with FSA Partner Connect can be reported to the FSA Partner and School Relations Center at 1-800-848-0978. Thank you for the suggestions to conduct beta testing and send reminder emails. We will be sending reminder emails with the implementation of the new Access Management solution. No changes have been made to this information collection request related to this comment.

“This shows a cost of zero. That can't be correct since schools will need to retrain their school (in addition to dealing with the inevitable glitches that have plagued every Dep of ED site updated).”

Thank you for the comment. The breakdown of the burden (hours and cost) can be found in Item 12 of the Supporting Statement. The Department will be offering training focused on the new Access Management solution for schools. No changes have been made to this information collection request related to this comment.

“We in the Financial Aid community, and specifically on the Third Party Servicer side who interact with CPS SAIG at least weekly, urge you to PLEASE NOT move the School sign up process yet. PartnerConnect has been an absolute nightmare for us this year. Problems still can't be fixed quickly or sometimes at all. Please wait until PartnerConnect issues are worked out before moving more over to it from a system that while not ideal, at least works.

I think most of us see that one day, it will be a good system but that's not now. Not to mention that you will be having a new Contractor taking over at the same time. PLEASE don't move CPS SAIG responsibilities until you have a fully functional system where problems can be resolved quickly and effectively.”

Thank you for the comment. Any individual issues with FSA Partner Connect can be reported to the FSA Partner and School Relations Center at 1-800-848-0978. No changes have been made to this information collection request related to this comment.

“This is to the question whether “the estimate of burden [is] accurate”.

It is not. Any ED directive to education entities will trickle down and have an applicant, student, their families and personal information as objects. Impositions on the latter IS a burden resulting from the proposed rule. Entities’ actions to fulfill

Department’s directive have to be identified and evaluated for necessity and imposition in order to count the burden; public input is essential to this evaluation to factor in the objects’ incurred personal impact.

Ignoring burden to the rule’s objects lowers the cost of the rule, making it easier to get approved.

To further decrease the cost of the proposed rule, the Department excludes pro-active oversight over users’ access to FSA systems, feedback mechanism from the rule’s objects, and consistent investigative action response to signs of inappropriate use.

Therefore, this rule is incomplete and needs to be amended.”

Thank you for the comment. The breakdown of the burden (hours and cost) can be found in Item 12 of the Supporting Statement. FSA believes these changes will streamline the access/enrollment processes and will likely see burden reduction in future years. No changes have been made to this information collection request related to this comment.

Department puts in effort to remove public input from consideration.

The ED published a comment request notice ED-2024-SCC-0096 in the Federal Register on October 8, 2024 and directed comments to be submitted to reginfo.gov. However, Department failed to post the related ICR there, making submission of comments impossible. (See attached .pdf screenshot showing reginfo.gov having no ICR on the subject of SAIG Enrollment.) The countdown of the 30-day deadline was in progress. Comments that were attempted to be posted at that time have been effectively eliminated.

Department’s responses on the previous docket with the same number either ignore the comments (including the one pointing to Department’s creating a loophole – in “6.” on page 8 of 15) or do not reply to the comment’s point.

To a concern that Department relies on outdated documents created during an emergency pandemic time (see “2.” in 0096 Supporting Statement in ICR attachments of this docket), Department responds with a redundant restatement of the documents, noting that one of them is being updated, but leaves unclear whether the progression of the rule will await. And, what if the findings will not support the rule? This puts into question the funds spent on developing the rule to this point. It also puts into question the quality of these findings and Department’s influence on them. Department should not use a bluff as a base for proposed rule. This rule should not be approved; Department can submit a new proposal when it can substantiate it.

To the concern that access to the individuals’ personal information should be on a “need to know basis” (see “1.” In 0096 Supporting Statement), Department responds with quotes from their own text of the docket the comment was to. Department does not address the comment’s point that the proposed sharing is non-consensual, and instead says that accessing companies sign an acknowledgment of responsibility. It is as silly as to say that warning of penalty prevents crime from being committed.

Much like it, to the concern that database breaches are not preventable (“7” in 0096), Department, instead of restricting access or reducing content, speaks on the after-the-fact reporting of breaches.

It appears that once Department designs a regulation, it is averse to making meaningful adjustments when considering comments from public. This undermines public participation in rulemaking.

Department published similar proposed information in multiple dockets (ED–2024–SCC–0100, ED–FSA–2024–0062, ED-2024-FSA-0070, and ED-2024-SCC-0096). If they are a part of the same project, it should be identified. Department may be reluctant to heed public input, as that may require Department to align proposals of the same project to each adjustment.

The Department’s dockets show that many comments received from public were concealed by Department from public view. Those comments may have necessitated the proposed rule’s revision, but being concealed, loosens Department’s accountability.

Thank you for the comment. No changes have been made to this information collection request related to this comment.

On behalf of the University of California (UC), one of the country’s premier public research university systems, serving more than 295,000 undergraduate and graduate students, we appreciate the opportunity to provide comment on the October 8, 2024 notice of Request for Information regarding the proposed change to the Federal Student Aid (FSA) Partner Connect System and User Access Management, as referenced in Docket ID ED-2024-SCC-0096.

(1) We appreciate the drive towards consolidation of access management for several federal systems as noted. However, while we understand the need, we would encourage the department to focus its time and resources to ensure it is positioning itself to focus on maximizing technical resources for the support of the Federal Student Aid (FAFSA) form as well as its delivery and any subsequent corrections processes. Our campuses would prefer to have a reliable FAFSA application system and therefore urge the department to deprioritize other technical transitions, such as the one proposed in this information collection effort—especially as the Department is currently in beta testing mode for the 2025-2026 FAFSA application.

(2) Should the department pursue the transition, UC would like to stress the importance of adequate testing before implementation. As an example, the new certification process implemented as part of the transition to the FSA Partner Connect System created obstacles for some campuses, such as being unable to complete certification when changes in leadership structure resulted in a required signatory being unavailable. Therefore, we encourage conducting significant user access testing alongside consideration of secondary measures that address any potential roadblock to ensure a smooth transition and minimal opportunity for delays in a campus’s ability to administer federal student aid. (3) Additionally, we would like to get clarification on how the department plans to address this consolidation and any possible impact on the E-application process as this system is not part of the identified group.

Thank you for the comment. The Department is currently conducting best tests focused on the FAFSA. The new Access Management solution of FSA Partner Connect is planned for implementation later in 2025. The system will undergo vigorous testing before implementation. There are plans to offer a significant amount of training and a preview of the system with select organizations. For any individual issues with the E-App, please contact the FSA Partner and School Relations Center at 1-800-848-0978 if you need assistance. No changes have been made to this information collection request related to this comment.

“We have several concerns regarding the Federal Student Aid’s Information Collection Request (ICR) concerning Partner Connect and submit this public comment in response to the most recent ICR, Docket No. ED-2024-SCC-0096, 89 Fed. Reg. 81,502-03 (Oct. 8, 2024). We oppose this ICR for the following reasons:

1) Requiring sensitive, personally identifiable information of individual owners and ownership entities of postsecondary institutions as a condition to receive federal financial student aid under Title IV of the Higher Education Act of 1965, as amended, violates the Spending Clause of the United States Constitution. Partner Connect, specifically the e-APP, requires postsecondary institutions of higher education to provide highly confidential information regarding entities that own postsecondary institutions, including personally identifiable information of individual owners who have less than a 5% ownership interest. Neither Title IV of the Higher Education Act of 1965, as amended, nor its implementing regulations require postsecondary institutions, their ownership entities, and their respective owners to provide such detailed information, including but not limited to names, dates of birth, addresses, personal telephone numbers, social security numbers, and other sensitive, personally identifiable information that if disclosed, may cause an individual or ownership entity economic harm and injury. The U.S. Department of Education is in violation of the Spending Clause of the U.S. Constitution in requiring institutions to provide such sensitive, personally identifiable information of ownership entities and individual owners as a condition of receiving federal financial student aid under Title IV, when Title IV and its implementing regulations do not require the provision of such information to receive federal financial student aid. The U.S. Department of Education has not gone through negotiated rulemaking to promulgate regulations to require the provision of such sensitive, personally identifiable information as a condition to receive federal financial student aid. Even if the U.S. Department of Education commences negotiated rulemaking, Title IV does not clearly authorize the Department to condition receipt of federal financial student aid upon disclosure of sensitive, highly confidential personally identifiable information of ownership entities and their owners.

2) The U.S. Department of Education must provide appropriate safeguards to secure the sensitive, personally identifiable information stored in Partner Connect. The U.S. Department of Education fails to provide any reassurance that the Department will implement appropriate security measures to safeguard students, ownership entities, and individual owners’ personally identifiable information. This ICR requires the institution’s president, chief executive officer, or designee to certify that the institution is “operating as intended pursuant to the Federal Trade Commission’s (FTC) Final Rule on Standards for Safeguarding Customer Information (i.e., the Safeguards Rule),” and that the institution “has ensured the standards for protecting federal tax information (FTI) have been implemented according to Internal Revenue Code (IRC) 26 U.S.C. §6103.” The ICR, however, provides no assurance or any representation that the U.S. Department of Education will implement the same standards required of institutions to safeguard the sensitive, personally identifiable information of students, institutions, institutions’ ownership entities, and institutions’ individual owners. Allowing institutional third-party servicers, guaranty agencies and guaranty agency servicers, Federal Family Educational Loan Program lenders and lender servicers, federal loan servicers, and State Higher Education Agencies, to have access to Partner Connect, including sensitive, personally identifiable information of students and other individuals, without any assurance of adequate security protocols or safeguards is alarming. The federal government has experienced significant data breaches and failing to provide appropriate assurances that the federal government will adequately protect sensitive, personally identifiable information of students, owners, ownership entities, and institutions is unacceptable.

3) The ICR, as proposed, violates the Privacy Act of 1974, 5 U.S.C. § 552a. The Privacy Act provides: “No agency shall disclose any record which is contained in a system of records . . . to another agency.” 5 U.S.C. § 552a(b). This ICR provides the ability to disclose records and share information as between the U.S. Department of Education and the U.S. Department of Homeland Security, the U.S. Department of Justice, or the Office of Management and Budget. This ICR does not satisfy any of the exceptions under 5 U.S.C. § 552a(b) for authorized disclosures to other agencies. The U.S. District Court, Northern District of California, held in Manriquez v. DeVos, that the U.S. Department of Education violated the Privacy Act in disclosing information to the U.S. Department of Social Security Administration. 345 F. Supp. 3d 1077, 1097–98 (N.D. Cal. 2018). Accordingly, this Court enjoined the U.S. Department of Education under the Administrative Procedure Act from continuing a practice that required such disclosures in violation of the Privacy Act. Id. at 1108–09. This ICR permits and facilitates disclosure of records in Partner Connect, the U.S. Department of Education’s system of records, with the U.S. Department of Homeland Security, U.S. Department of Justice, or the Office of Management and Budget. Such disclosures to other agencies violates the Privacy Act. Accordingly, the Department should not proceed with this ICR.

For all these reasons, the U.S. Department of Education should not proceed with the ICR, as proposed, and should at the very least engage in negotiated rulemaking regarding whether sensitive, personally identifiable information of ownership entities and owners of institutions must be provided as part of the certification or recertification process to receive federal financial student aid. The Department also should provide reasonable assurances that Federal Student Aid will implement appropriate security protocols and safeguards to secure sensitive, personally identifiable information including of students, owners, ownership entities, and institutions. Finally, the Department should comply with the Privacy Act and should not disclose or allow for disclosure of information in its system of records to other agencies.”

(1) Thank you for this comment. We’ve forwarded this comment to the appropriate team within the Department to consider your feedback for OMB Control Number 1845-0012, Application for Approval to Participate in Federal Student Aid Programs.

(2) and (3) The Department safeguards personal privacy in its collection, maintenance, use, and dissemination of records about individuals and makes such information available to the individual in accordance with the requirements of the Privacy Act, as amended (5 U.S.C. §552a). As defined by the Act, a "record" is defined as information about an individual maintained by an agency and a "system of records" is defined as any group of records under the Department's control from which information is retrieved by a personal identifier. The Department may disclose information pursuant to the routine uses listed in the Department’s system of records notice, entitled “Student Aid Internet Gateway (SAIG), Participation Management System” (18–11–10), 83 FR 8855-8859 (March 1, 2018), without the consent of the individual if the disclosure is compatible with the purposes for which the information was collected.