Privacy Act of 1974; System of Records, 48817-48824 [2023-16001]

Agencies

• DEPARTMENT OF EDUCATION

[Federal Register Volume 88, Number 144 (Friday, July 28, 2023)]
[Notices]
[Pages 48817-48824]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-16001]


-----------------------------------------------------------------------

DEPARTMENT OF EDUCATION

[Docket ID ED-2023-FSA-0136]


Privacy Act of 1974; System of Records

AGENCY: Federal Student Aid, Department of Education.

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, as amended 
(Privacy Act), the Chief Operating Officer for Federal Student Aid 
(FSA) of the U.S. Department of Education (Department) publishes this 
notice of a modified system of records entitled the ``Person 
Authentication Service'' (PAS) (18-11-12). The information contained in 
this system is maintained for various purposes relating to applicants 
for a user ID and password (FSA ID), who include current, former, and 
prospective aid applicants and recipients, participants who enter their 
personally identifiable information (PII) as part of the Free 
Application for Federal Student Aid (FAFSA[supreg]) form (i.e., parents 
of dependent FAFSA applicants or recipients and spouses of independent 
FAFSA applicants or recipients) under title IV of the Higher Education 
Act of 1965, as amended (HEA), spouses of aid applicants or recipients 
who enter their PII as part of income-driven repayment (IDR) 
certifications or recertifications, endorsers, and third-party 
preparers (i.e., individuals who provide consultative or preparation 
services for the completion of the FAFSA).

DATES: Submit your comments on this modified system of records notice 
on or before August 28, 2023. This modified system of records notice 
will become applicable upon publication in the Federal Register on July 
28, 2023, except for new and modified routine uses (1)(a), (1)(b), 
(1)(c), (1)(d), (1)(e), (1)(f), (2), (9), (10), (11), (12), (13), and 
(14) that are outlined in the section entitled ``ROUTINE USES OF 
RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND 
PURPOSES OF SUCH USES,'' which will be applicable on August 28, 2023, 
unless they need to be changed as a result of public comment. The 
Department will publish any changes to the modified system of records 
notice resulting from public comment.

ADDRESSES: Comments must be submitted via the Federal eRulemaking 
Portal at regulations.gov. However, if you require accommodation or 
cannot otherwise submit your comments via regulations.gov, please 
contact the program contact person listed under FOR FUTHER INFORMATION 
CONTACT.
    The Department will not accept comments submitted by fax or by 
email, or comments submitted after the comment period closes. To ensure 
that the Department does not receive duplicate copies, please submit 
your comments only once. In addition, please include the Docket ID at 
the top of your comments.
     Federal eRulemaking Portal: Go to www.regulations.gov to 
submit your comments electronically. Information on using 
Regulations.gov, including instructions for accessing agency documents, 
submitting comments, and viewing the docket, is available on the site 
under the ``FAQ'' tab.
    Privacy Note: The Department's policy is to make comments received 
from members of the public available for public viewing in their 
entirety on the Federal eRulemaking Portal at www.regulations.gov. 
Therefore, commenters should be careful to include in their comments 
only information that they wish to make publicly available.
    Assistance to Individuals with Disabilities in Reviewing the 
Rulemaking Record: On request, we will provide an appropriate 
accommodation or auxiliary aid to an individual with a disability who 
needs assistance to review the comments or other documents in the 
public rulemaking record for this notice. If you want to schedule an 
appointment for this type of accommodation or auxiliary aid, please 
contact the person listed under FOR FURTHER INFORMATION CONTACT.

FOR FURTHER INFORMATION CONTACT: Robert Anderson, FSA Identity and 
Access Management (IAM), PAS Manager, Technology Office, Federal 
Student Aid, UCP, 830 First St. NE, Room 103E2, Washington, DC 20202 or 
email: [email protected].
    If you use a telecommunications device for the deaf (TDD) or a text 
telephone (TTY), you may call the Federal Relay Service (FRS), toll 
free, at 1-800-877-8339.

SUPPLEMENTARY INFORMATION: In accordance with the Privacy Act, the 
Department proposes to modify the system of records notice entitled 
``Person Authentication Service (PAS)'' (18-11-12), which was last 
published in full in the Federal Register on March 20, 2015 (80 FR 
14981).
    The Department is modifying the section entitled ``SYSTEM 
LOCATION'' as follows:
    (i) By deleting the Dell Systems Virtual Data Center location and 
adding the Amazon AWS GovCloud located at 12th Avenue, Suite 1200, 
Seattle, WA 98114. (This is the Hosting Center for the PAS application, 
where all electronic PAS information is processed and maintained.); and
    (ii) By updating the address of PPS Infotech from Rockville, MD, to 
Ashburn, VA.
    The Department is modifying the section entitled ``SYSTEM 
MANAGER(S)'' to change the title of the system manager from simply 
``PAS Manager'' to ``FSA Identity and Access Management (IAM), Division 
Chief, PAS Manager,'' and to make minor updates to the system manager's 
address.
    The Department is modifying the section entitled ``AUTHORITY FOR 
MAINTENANCE OF THE SYSTEM'' to add ``the FAFSA Simplification Act 
(title VII, division FF of Pub. L. 116-260, the Consolidated 
Appropriations Act, 2021) (including, but not limited to, section 
702(m) that amends section 483 of the HEA and section 703 that amends 
section 401 of the HEA), and the FAFSA Simplification Act Technical 
Corrections Act (division R of Pub. L. 107-103, the Consolidated 
Appropriations Act, 2022),'' which reflect amendments to the HEA to 
improve the financial aid application experience and expand title IV, 
HEA eligibility.
    The Department is modifying the section entitled ``PURPOSE(S) OF 
THE SYSTEM'' as follows:
    (i) The Department has reorganized the section to distinguish 
between purposes related to individuals covered by the system and 
purposes related to the Department's oversight and administration of 
the title IV, HEA programs and by adding numbering to the various 
purposes listed under each subsection;
    (ii) For the purposes related to individuals covered by the system:
    (a) The Department is consolidating, and designating as purpose 
(1), the

[[Page 48818]]

existing purposes relating to generating authentication and log-on 
credentials for those individuals wishing to access Departmental 
student financial assistance systems, online applications, websites and 
services, and to update their security challenge questions and 
corresponding answers;
    (b) In purpose (2), the Department is the existing purpose relating 
to accessing Department systems by indicating that a purpose of the 
system is to allow single sign-on and token management for all 
Department student financial assistance systems including systems run 
by Department contractors;
    (c) In purpose (3), the Department is clarifying the existing 
purpose relating to the electronic signature function by indicating 
that a purpose of the system is to include electronic signatures on 
student aid forms and applications, including, but not limited to, the 
consent/affirmative approval for the Department to disclose records to 
the Internal Revenue Service (IRS) to obtain Federal Tax Information 
(FTI) and for the disclosure and redisclosure of the FTI, revocation of 
such consent/affirmative approval, the FAFSA, Direct Loan Master 
Promissory Notes, loan benefit programs, deferments, and forbearances 
through Studentaid.gov and other Department websites; and
    (d) The Department is adding purpose (4) to enable the Department, 
or other Federal, State, Tribal, or local government agencies, to 
investigate, respond to, or resolve complaints concerning the practices 
or processes of the Department and/or the Department's contractors, or 
to investigate, respond to, or resolve aid recipients' requests for 
assistance or relief with regard to title IV, HEA program funds;
    (iii) For the purposes related to the Department's oversight and 
administration of title IV, HEA programs:
    (a) The Department is adding purpose (1) to prevent fraud by taking 
measures to validate PII submitted by aid applicants, aid recipients, 
application participants;
    (b) In purpose (2), the Department is modifying the existing 
purpose relating to matching user information with authorized entities 
by indicating that a purpose of the system is to match name, Social 
Security Number (SSN) (or address, where applicable), and Date of Birth 
(DOB) with an authorized entities for purposes of validating the PII 
submitted and, if applicable, to determine program eligibility and 
benefits;
    (c) The Department is designating as purpose (3) the existing 
purpose relating to providing usage information for FSA systems and 
websites;
    (d) The Department is designating as purpose (4) the existing 
purpose relating to tracking changes to user account information;
    (e) The Department is adding purpose (5) to maintain and track the 
consent/affirmative approval on aid applicants and recipients to the 
IRS for the IRS to disclose FTI under subsection 494(a) of the HEA (20 
U.S.C. 1098h(a)) and section 6103(l)(13)(A) and (C) of the IRC to the 
Department as part of a matching program to determine their determine 
their eligibility under title IV of the HEA and to permit the 
Department to redisclose FTI of individuals pursuant to section 
6103(l)(13)(D)(iv) of the IRC and the revocation of such consent/
affirmative approval for IDR; and
    (f) The Department is adding purpose (6) to support research, 
analysis, and development, and the implementation and evaluation of 
educational policies in relation to title IV, HEA programs.
    The Department is modifying the section entitled ``CATEGORIES OF 
INDIVIDUALS COVERED BY THE SYSTEM'' by deleting and replacing 
``students'' with ``aid applicants and aid recipients'' who apply for a 
FSA ID, clarifying that ``their parents'' who apply for a FSA ID refers 
to parents of dependent FAFSA applicants who are participants and enter 
their PII as part of the FAFSA form and apply for a FSA ID, adding 
spouses of independent FAFSA applicants who are participants and enter 
their PII as part of the FAFSA form and apply for a FSA ID, and to add 
spouses of aid applicants or recipients who enter their PII as part of 
IDR certifications or recertifications and apply for a FSA ID, and 
adding third-party preparers who provide consultative or preparation 
services for the completion of the FAFSA form and apply for a FSA ID, 
to better explain the individuals covered by the system.
    The Department is modifying the section entitled ``CATEGORIES OF 
RECORDS IN THE SYSTEM'' as follows:
    (i) The Department is adding a second paragraph to include consent/
affirmative approval both to permit the Department to disclose 
information on aid applicants and recipients to the IRS for the IRS to 
disclose FTI under subsection 494(a) of the HEA (20 U.S.C. 1098h(a)) 
and section 6103(l)(13)(A) and (C) of the IRC to the Department as part 
of a matching program to determine their eligibility under title IV of 
the HEA and to permit the Department to redisclose FTI of individuals 
pursuant to section 6103(l)(13)(D)(iv) of the IRC and the revocation of 
such consent/affirmative approval; and
    (ii) The Department is adding a third paragraph that explains that 
PAS maintains information, such as SSN verification flag, citizenship 
status, and death indicator, obtained by the Department pursuant to 
matching programs or other information exchanges with Federal agencies, 
and other external entities, to assist in verifying the identifying 
information of aid applicants or recipients, application participants, 
including the parents of dependent aid applicants or recipients and the 
spouses of independent aid applicants or recipients, endorsers, and 
third-party preparers.
    The Department is modifying the section entitled ``RECORD SOURCE 
CATEGORIES'' as follows:
    (i) The Department is modifying the first paragraph to explain that 
PAS receives the verification flag, citizenship flag, and death 
indicator through a matching program from the Central Processing System 
(CPS) or the FAFSA Processing System (FPS);
    (ii) The Department is adding a new second paragraph to explain 
that PAS also collects from aid applicants or recipients their consent/
affirmative approval both to permit the Department to disclose 
information on aid applicants and recipients to the IRS for the IRS to 
disclose FTI under subsection 494(a) of the HEA (20 U.S.C. 1098h(a)) 
and section 6103(l)(13)(A) and (C) of the IRC to the Department as part 
of a matching program to determine their eligibility under title IV of 
the HEA and to permit the Department to redisclose FTI of individuals 
pursuant to section 6103(l)(13)(D)(iv) of the IRC and the revocation of 
such consent/affirmative approval for IDR;
    (iii) The Department is adding a new third paragraph to explain 
that information is also received from other Department systems or 
their successor systems, such as:
    (a) The Digital and Customer Care Information Technology (IT), 
Central Processing System (CPS)and the FAFSA Processing System (FPS) 
(covered by the Department's Privacy Act system of records notice 
entitled ``Aid Awareness and Application Processing (AAAP'') (18-11-
21)); and
    (b) The Enterprise Data Warehouse Analytics (EDWA) and Master Data 
Management (MDM) components covered under the ``Enterprise Data 
Management and Analytics Platform Services'' (covered by the 
Department's Privacy Act system of records notice entitled ``Enterprise 
Data Management and Analytics Platform Services (EDMAPS)'' (18-11-22)); 
and
    (iv) The Department is adding a new fourth paragraph to indicate 
that

[[Page 48819]]

information in this system may be obtained from other persons or 
entities from whom or from which data is obtained following a 
disclosure under the listed routine uses.
    The Department is modifying the section entitled ``ROUTINE USES OF 
RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND 
PURPOSES OF SUCH USES'' as follows:
    (i) Routine use (1)(a) is being modified to delete ``the individual 
whom records indicate is applying for, has applied for, has endorsed, 
or has received a title IV, HEA loan or grant'' and add ``current, 
former, and prospective aid applicant, aid recipient (or their third-
party preparer), or endorser;'' to add validate the PII being entered 
by the current, former, or prospective aid applicant or aid recipient 
(or their third-party preparer) or endorser, whom records indicate is 
applying for, has applied for, has endorsed, or has received a title 
IV, HEA loan and/or grant, or a participant of such an application 
including the spouse of an independent aid applicant or recipient or 
the parent(s) of a dependent aid applicant or recipient; to delete 
``authorized representatives;'' and to add Tribal agencies to the list 
of entities to which the Department may disclose records to verify the 
identity of an individual;
    (ii) Routine use (1)(b) is being modified to delete ``their 
authorized representatives'' to make the routine use clearer and to add 
Tribal agencies to the list of agencies to which information may be 
disclosed under this routine use;
    (iii) Routine use (1)(c) is being deleted because PAS is not used 
to facilitate default reduction;
    (iv) Newly renumbered routine use (1)(c) is being modified to 
delete the servicing, assigning, adjusting, transferring, referring, or 
discharging of a loan; to remove authorized representatives; and to add 
Tribal agencies to the list of agencies to which information may be 
disclosed to permit the making or collecting of a grant or loan 
obligation;
    (v) Newly renumbered routine use (1)(d) is being modified to remove 
authorized representatives of applicable Federal Loan Servicers or 
Federal Perkins Loan Servicers, and Federal, State, or local agencies; 
and to add Tribal agencies to the list of agencies to which disclosures 
may be made to investigate possible fraud or abuse or verify compliance 
with program regulations;
    (vi) Newly renumbered routine use (1)(e) is being added to permit 
the Department to disclose information on aid applicants and recipients 
to disclose FTI under subsection 494(a) of the HEA (20 U.S.C. 1098h(a)) 
and section 6103(l)(13)(A) and (C) of the IRC to the Department as part 
of a matching program to determine their determine their eligibility 
under title IV of the HEA and to permit the Department to redisclose 
FTI of individuals pursuant to section 6103(l)(13)(D)(iv) of the IRC 
and the revocation of such consent/affirmative approval for IDR, 
disclosures may be made to Federal Loan Servicers;
    (vii) Routine use (1)(f) is being deleted because PAS is not used 
to locate delinquent or defaulted borrowers;
    (viii) The newly renumbered routine use (1)(f) is being modified to 
delete authorized representatives of Guaranty agencies, educational and 
financial institutions, Federal Loan Services, Federal Perkins Loan 
Servicers, and Federal, State, or local agencies, and to add Tribal 
agencies to the list of agencies to which disclosures may be made to 
investigate complaints or to update information or correct errors 
contained in Department records;
    (ix) Routine use (1)(g) is being deleted because PAS is not used to 
conduct credit checks or respond to inquiries or disputes;
    (x) Routine use (2) entitled ``Feasibility Study Disclosure'' is 
being deleted because the system is not used to conduct feasibility 
studies;
    (xi) Routine use (3) entitled ``Disclosure for Use by Other Law 
Enforcement Agencies'' is being deleted because of concerns that it was 
not compatible with the purposes for which records are collected in 
this system;
    (xii) Newly renumbered routine use (2) entitled ``Enforcement 
Disclosure'' is being modified to indicate that if information in this 
system of records indicates, either on its face or in connection with 
other information, a violation or potential violation of any applicable 
statute, regulation, or order of a competent authority, the Department 
may disclose the relevant records to the appropriate agency, whether 
foreign, Federal, State, Tribal or local, responsible for investigating 
or prosecuting that violation or charged with enforcing or implementing 
the statute, Executive Order, rule, regulation, or order issued 
pursuant thereto;
    (xiii) Newly renumbered routine use (9) entitled ``Contract 
Disclosure'' has been modified to delete and replace ``[b]efore 
entering into such a contract, the Department shall require the 
contractor to establish and maintain Privacy Act safeguards as required 
under subsection (m) of the Privacy Act (5 U.S.C. 552a(m) with respect 
to the records in the system'' with ``[a]s part of such a contract, the 
Department shall require the contractor to agree to establish and 
maintain safeguards to protect the security and confidentiality of the 
disclosed records'' to clarify when records can be shared;
    (xiv) Newly renumbered routine use (10) entitled ``Research 
Disclosure'' has been modified to delete and replace ``[t]he researcher 
shall be required to maintain safeguards required under the Privacy Act 
with respect to the records in the system'' with ``[t]he researcher 
shall be required to agree to establish and maintain safeguards to 
protect the security and confidentiality of the disclosed records'' to 
clarify when records can be shared;
    (xv) Newly renumbered routine use (11) entitled ``Congressional 
Member Disclosure'' is being modified to clarify that the Department 
may disclose the records of an individual to a member of Congress or 
their staff when necessary to respond to an inquiry from the Member and 
that the Member's request must be made not only at the written request 
of, but also on behalf of, the individual whose records are being 
disclosed;
    (xvi) Routine use (14) entitled ``Disclosure to OMB for Federal 
Credit Reform Act (CRA) Support'' was deleted because disclosures to 
the Office of Management and Budget for CRA support are not made from 
the PAS system;
    (xvii) Newly renumbered routine use (12) entitled ``Disclosure in 
the Course of Responding to a Breach of Data'' is being modified as 
follows: in paragraph (a), to delete and replace ``the security or 
confidentiality of information in the system of records has been 
compromised'' with ``there has been a breach of the system of 
records''; in paragraph (b), to delete and replace ``compromise'' with 
``breach''; in paragraph (b), to permit the Department to make 
disclosures when, in addition to satisfying paragraphs (a) and (c), the 
Department determines that as a result of the suspected or confirmed 
breach there is a risk of harm to individuals, the Department 
(including its information systems, programs, and operations), the 
Federal government, or national security; and in paragraph (c), to 
delete and replace ``compromise'' with ``breach'';
    (xviii) Newly renumbered routine use (13) entitled ``Disclosure in 
Assisting another Agency in Responding to a Breach of Data'' is being 
added to permit disclosures to assist another Federal agency or Federal 
entity in responding to a suspected or confirmed breach of data;

[[Page 48820]]

    (xix) Routine use (16) entitled ``Disclosure to Third Parties 
through Computer Matching Programs'' is being deleted because this is 
covered under the introductory paragraph of the section entitled 
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES and covered under the separate 
programmatic routine use disclosures; and
    (xx) Newly renumbered routine use (14) entitled ``Disclosure to the 
National Archives and Records Administration (NARA)'' is being added to 
permit disclosures to NARA for the purpose of records management 
inspections conducted under the authority of 44 U.S.C. 2904 and 2906.
    The Department is modifying the section entitled ``POLICIES AND 
PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS'' to explain that 
records are primarily maintained in accordance with ED Records Schedule 
278, ``FSA Person Authentication Service (PAS) Records'' (DAA-0441-
2016-0001) (ED 278), and the Department has submitted amendments to ED 
278 for NARA's consideration and will not destroy records covered by ED 
278 until such amendments are effective.
    The Department is deleting the section entitled ``POLICIES AND 
PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING AND DISPOSING 
OF RECORDS IN THE SYSTEM'' and added the new section entitled 
``ADMINISTRATIVE, TECHNICAL AND PHYSICAL SAGEGUARDS'' which describes 
authorized users to the system; the physical safeguards of magnetic 
tapes, disc packs, computer equipment; how other forms of data and 
information are stored; the procedural safeguards required to access 
the information; the required Federal Information Security Management 
Act of 2002 (FISMA) requirements of a signed Authorization to Operate 
(ATO) and its rigorous assessment of security controls; and finally, 
the FISMA controls implemented that in combination secure the system 
and maintain the information safely.
    The Department is modifying the section entitled ``RECORD ACCESS 
PROCEDURES'' to delete that individuals may access their records by 
visiting the ED PAS Account Management site or by calling the FAFSA on 
the web phone number listed on the website and to add that individuals 
who wish to access their records must provide the system manager with 
the necessary particulars such as their name, DOB, SSN, and any other 
identifying information requested by the Department while processing 
the request, to distinguish between individuals with the same name.
    The Department is modifying the section entitled ``CONTESTING 
RECORD PROCEDURES'' to delete that individuals may contest their 
records by contacting the Customer Service Department and the last 
sentence directing individuals whose SSN does not match the records of 
the SSA either to correct their SSN in PAS or to contact the local 
office of the SSA for a SSN correction; and to add that individuals who 
wish to contest their records must provide the system manager with the 
necessary particulars such as their name, DOB, SSN, and any other 
identifying information requested by the Department while processing 
the request, to distinguish between individuals with the same name, and 
also must identify the specific item(s) to be changed and provide a 
justification for the change, including any supporting documentation. 
The Department is modifying the section entitled ``NOTIFICATION 
PROCEDURES'' to include that in order to determine whether a record 
exists about an individual in this system of records, the individual 
must provide the system manager with the necessary particulars such as 
their name, DOB, SSN, and any other identifying information requested 
by the Department while processing the request to distinguish between 
individuals with the same name.
    Accessible Format: On request to the program contact person listed 
under FOR FURTHER INFORMATION CONTACT, individuals with disabilities 
can obtain this document in an accessible format. The Department will 
provide the requestor with an accessible format that may include Rich 
Text Format (RTF) or text format (txt), a thumb drive, an MP3 file, 
braille, large print, audiotape, or compact disc, or other accessible 
format.
    Electronic Access to This Document: The official version of this 
document is the document published in the Federal Register. You may 
access the official edition of the Federal Register and the Code of 
Federal Regulations at www.govinfo.gov. At this site you can view this 
document, as well as all other documents of this Department published 
in the Federal Register, in text or Portable Document Format (PDF). To 
use PDF you must have Adobe Acrobat Reader, which is available free at 
the site.
    You may also access documents of the Department published in the 
Federal Register by using the article search feature at 
www.federalregister.gov. Specifically, through the advanced search 
feature at this site, you can limit your search to documents published 
by the Department.

Richard Cordray,
Chief Operating Officer, Federal Student Aid.

    For the reasons discussed in the preamble, the Chief Operating 
Officer, Federal Student Aid (FSA), U.S. Department of Education 
(Department) publishes a notice of a modified system of records to read 
as follows:

SYSTEM NAME AND NUMBER:
    Person Authentication Service (PAS) (18-11-12).

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Amazon Web Services (AWS) Government Cloud, 1200 12th Avenue, Suite 
1200, Seattle, WA 98114. (This is the Hosting Center for the PAS 
application, where all electronic PAS information is processed and 
maintained.)
    PPS Infotech, 20745 Williamsport Place, Suite 320, Ashburn, VA 
20147. (PPS Infotech has access to the system and contracts directly 
with the Department for the development, operations, and maintenance 
support for PAS.)

SYSTEM MANAGER(S):
    FSA Identity and Access Management (IAM), Division Chief, PAS 
Manager, Technology Office, Federal Student Aid, Union Center Plaza, 
830 First St. NE, 10th floor, Washington, DC 20202.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The collection of personally identifiable information (PII) for the 
creation and management of a FSA ID (which includes a user ID and a 
password) is authorized programmatically by title IV of the Higher 
Education Act of 1965, as amended (HEA) (20 U.S.C. 1070, et seq.) and 
the FAFSA Simplification Act (title VII, division FF of Pub. L. 116-
260, the Consolidated Appropriations Act, 2021) (including, but not 
limited to, section 702(m) that amends section 483 of the HEA and 
section 703 that amends section 401 of the HEA), and the FAFSA 
Simplification Act Technical Corrections Act (division R of Pub. L. 
117-103, the Consolidated Appropriations Act, 2022).

PURPOSE(S) OF THE SYSTEM:
    The information contained in this system is maintained for the 
following purposes related to the individuals covered by the system:

[[Page 48821]]

    (1) to generate authentication and log-on credentials for those 
individuals wishing to access Departmental student financial assistance 
systems, online applications, websites and services, and to update 
security challenge questions and their corresponding answers;
    (2) to allow a single sign-on and token management solution for all 
Department student financial assistance systems including systems 
operated by Department contractors;
    (3) to allow electronic signature on student aid forms and 
applications, including, but not limited to, the consent/affirmative 
approval for the Department to disclose records to the Internal Revenue 
Service (IRS) to obtain Federal Tax Information (FTI) and for the 
disclosure and redisclosure of the FTI, revocation of such consent/
affirmative approval, the Free Application for Federal Student Aid 
(FAFSA[supreg]), Direct Loan Master Promissory Notes, loan benefit 
program forms, deferments, or forbearances through StudentAid.gov and 
other Department websites; and
    (4) to enable the Department, or other Federal, State, Tribal, or 
local government agencies, to investigate, respond to, or resolve 
complaints concerning the practices or processes of the Department and/
or the Department's contractors, or to investigate, respond to, or 
resolve aid recipients' requests for assistance or relief with regard 
to title IV, HEA program funds.
    The information maintained in this system is also maintained for 
the following purposes relating to the Department's oversight and 
administration of the title IV, HEA programs:
    (1) to prevent fraud by taking measures to validate the PII 
submitted by aid applicants, aid recipients, application participants 
(i.e., parents of dependent aid applicants or aid recipients and 
spouses of independent students), endorsers, and third-party preparers 
before allowing them to access Department websites, such as 
Studentaid.gov;
    (2) to match name, Social Security number (SSN) (or address, where 
applicable), and Date of Birth (DOB) with an authorized entities for 
purposes of validating the PII submitted and, if applicable, to 
determine program eligibility and benefits;;
    (3) to provide usage information for FSA systems and websites;
    (4) to track changes to user account information;
    (5) to maintain and track consent/affirmative approval the consent/
affirmative approval on aid applicants and recipients to the IRS for 
the IRS to disclose FTI under subsection 494(a) of the HEA (20 U.S.C. 
1098h(a)) and section 6103(l)(13)(A) and (C) of the IRC to the 
Department as part of a matching program to determine their determine 
their eligibility under title IV of the HEA and to permit the 
Department to redisclose FTI of individuals pursuant to section 
6103(l)(13)(D)(iv) of the IRC and the revocation of such consent/
affirmative approval for IDR; and
    (6) to support research, analysis, and development, and the 
implementation and evaluation of educational policies in relation to 
title IV, HEA programs.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    PAS contains records about former, current, and prospective aid 
applicants and aid recipients, participants who enter their PII as part 
of the FAFSA form (i.e., parents of dependent aid applicants or 
recipients and spouses of independent aid applicants or recipients) 
under title IV of the HEA, spouses of aid applicants or recipients who 
enter their PII as part of IDR certifications or recertifications, 
endorsers, and third-party preparers (i.e., individuals who provide 
consultative or preparation services for the completion of the FAFSA) 
who apply for a user ID and password (FSA ID).

CATEGORIES OF RECORDS IN THE SYSTEM:
    This system maintains identifying information including, but not 
limited to, first name, middle name, last name, SSN, DOB, address, 
telephone number, email address, and security challenge questions.
    The system also contains consent/affirmative approval of IDR 
applicants or recipients both to permit the Department to disclose 
information to the IRS for the IRS to disclose FTI under subsection 
494(a) of the HEA (20 U.S.C. 1098h(a)) and section 6103(l)(13)(A) and 
(C) of the IRC to the Department as part of a matching program to 
determine title IV, program eligibility or monthly repayment obligation 
amounts for IDR plans under title IV of the HEA with respect to loans 
made under part D (the Direct Loan program) of title IV of the HEA and 
to permit the Department to redisclose FTI of individuals pursuant to 
section 6103(l)(13)(D)(iv) of the IRC. PAS also maintains the 
revocation of consent/affirmative approval for IDR.
    PAS further maintains information, such as SSN verification flag, 
citizenship status, and death indicator, obtained pursuant to matching 
programs or other information exchanges with Federal agencies, and 
other external entities, to assist in verifying the identifying 
information of aid applicants or recipients, application participants 
including parents of dependent aid applicants or recipients and spouses 
of independent aid applicants or recipients, endorsers, and third-party 
preparers.

RECORD SOURCE CATEGORIES:
    The identifying information (first name, middle name, last name, 
SSN, DOB, address, telephone number, email address, security challenge 
questions and corresponding answers) will be collected from individuals 
applying for a FSA ID or updating their information on the PAS 
registration website. In addition, PAS receives a verification flag, 
citizenship flag and death flag indicator which are maintained in the 
system through a matching program from the Central Processing System 
(CPS) and the FAFSA Processing System (FPS) system.
    PAS also collects from aid applicants or recipients their consent/
affirmative approval both to permit the Department to disclose 
information to the IRS for the IRS to disclose FTI under subsection 
494(a) of the HEA (20 U.S.C. 1098h(a)) and section 6103(l)(13)(A) and 
(C) of the IRC to the Department as part of a matching program to 
determine title IV, program eligibility or their monthly repayment 
obligation amounts for IDR plans under title IV of the HEA with respect 
to loans made under part D of title IV of the HEA (the Direct Loan 
program) and to permit the Department to redisclose the FTI of such 
individuals pursuant to section 6103(l)(13)(D)(iv) of the IRC.
    Information is also obtained from other Department systems, or 
their successor systems, including:
    The Digital and Customer Care Information Technology (IT), Central 
Processing System (CPS) and FAFSA Processing System (FPS) system 
(covered by the Department's Privacy Act system of records notice 
entitled ``Aid Awareness and Application Processing (AAAP)'' (18-11-
21)); and
     The Enterprise Data Warehouse Analytics (EDWA) and Person 
Master Data Management (pMDM) components covered under the ``Enterprise 
Data Management and Analytics Platform Services'' (covered by the 
Department's Privacy Act system of records notice entitled ``Enterprise 
Data Management and Analytics Platform Services (EDMAPS)'' (18-11-22)).
    Information in this system also may be obtained from other persons 
or entities from whom or from which information is obtained following a 
disclosure under the listed routine uses.

[[Page 48822]]

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    The Department may disclose information contained in a record in 
this system of records under the routine uses listed in this system of 
records without the consent of the individual if the disclosure is 
compatible with a purpose for which the record was collected. These 
disclosures may be made on a case-by-case basis or, if the Department 
has complied with the computer matching requirements of the Privacy Act 
of 1974, as amended (Privacy Act) (5 U.S.C. 552a), under a computer 
matching agreement (CMA).
    (1) Program Disclosures. The Department may disclose records for 
the following program purposes:
    (a) To validate the PII entered by the current, former, or 
prospective aid applicant or aid recipient (or their third-party 
preparer) or endorser, whom records indicate is applying for, has 
applied for, has endorsed, or has received a title IV, HEA loan and/or 
grant, or a participant of such an application including the spouse of 
an independent aid applicant or recipient or the parent(s) of a 
dependent aid applicant or recipient, disclosures may be made to: 
Guaranty agencies, educational and financial institutions, Federal Loan 
Servicers, or Federal Perkins Loan Servicers, Federal, State, local, or 
Tribal agencies, private parties such as relatives, business and 
personal associates, and present and former employers, creditors, 
consumer reporting agencies, adjudicative bodies, and the individual 
whom the records identify as the endorser or the party obligated to 
repay the debt;
    (b) To determine program eligibility and benefits, disclosures may 
be made to: Guaranty agencies, educational and financial institutions, 
Federal Loan Servicers, Federal Perkins Loan Servicers, Federal, State, 
local, or Tribal agencies; private parties such as relatives, business 
and personal associates, and present and former employers, creditors, 
consumer reporting agencies, and adjudicative bodies;
    (c) To permit the making or collecting of a grant or loan 
obligation, disclosures may be made to: Guaranty agencies, educational 
institutions, financial institutions, Federal Loan Servicers, or 
Federal Perkins Loan Servicers that made, held, serviced, or have been 
assigned the debt; a party identified by the debtor as willing to 
advance funds to repay the debt; Federal, State, local, or Tribal 
agencies; private parties such as relatives, business and personal 
associates, and present and former employers, creditors, consumer 
reporting agencies, and adjudicative bodies;
    (d) To investigate possible fraud or abuse or verify compliance 
with program regulations, disclosures may be made to: Guaranty 
agencies, educational and financial institutions, Federal Loan 
Servicers or Federal Perkins Loan Servicers, Federal, State, local, or 
Tribal agencies, private parties such as relatives, present and former 
employers, and business and personal associates, creditors, consumer 
reporting agencies, and adjudicative bodies;
    (e) To permit the Department to disclose information on aid 
applicants and recipients to the IRS for the IRS to disclose FTI under 
subsection 494(a) of the HEA (20 U.S.C. 1098h(a)) and section 
6103(l)(13)(A) and (C) of the IRC to the Department as part of a 
matching program to determine their determine their eligibility under 
title IV of the HEA and to permit the Department to redisclose FTI of 
individuals pursuant to section 6103(l)(13)(D)(iv) of the IRC and the 
revocation of such consent/affirmative approval for IDR, disclosures 
may be made to Federal Loan Servicers;
    (f) To investigate complaints or to update information or correct 
errors contained in Department records, disclosures may be made to: 
Guaranty agencies, educational and financial institutions, Federal Loan 
Servicers, or Federal Perkins Loan Servicers, Federal, State, local, or 
Tribal agencies; private parties such as relatives, present and former 
employers, and business and personal associates, creditors, credit 
reporting agencies, and adjudicative bodies; and
    (g) To report information required by law to be reported, 
including, but not limited to, reports required by 26 U.S.C. 6050P and 
6050S, disclosures may be made to the IRS.
    (2) Enforcement Disclosure. In the event that information in this 
system of records indicates, either on its face or in connection with 
other information, a violation or potential violation of any applicable 
statute, regulation, or order of a competent authority, the Department 
may disclose the relevant records to the appropriate agency, whether 
foreign, Federal, State, Tribal or local, charged with the 
responsibility of investigating or prosecuting that violation or 
charged with enforcing or implementing the statute, Executive Order, 
rule, regulation, or order issued pursuant thereto.
    (3) Litigation and Alternative Dispute Resolution (ADR) Disclosure.
    (a) Introduction. In the event that one of the parties listed below 
is involved in judicial or administrative litigation or ADR, or has an 
interest in such litigation or ADR, the Department may disclose certain 
records to the parties described in paragraphs (b), (c), and (d) of 
this routine use under the conditions specified in those paragraphs:
    (i) The Department or any of its components;
    (ii) Any Department employee in their official capacity;
    (iii) Any Department employee in their individual capacity where 
the Department of Justice (DOJ) has been requested to or agrees to 
provide or arrange for representation for the employee;
    (iv) Any Department employee in their individual capacity where the 
Department has agreed to represent the employee;
    (v) The United States, where the Department determines that the 
litigation is likely to affect the Department or any of its components.
    (b) Disclosure to the DOJ. If the Department determines that 
disclosure of certain records to the DOJ is relevant and necessary to 
the judicial or administrative litigation or ADR and is compatible with 
the purpose for which the records were collected, the Department may 
disclose those records as a routine use to the DOJ.
    (c) Adjudicative Disclosure. If the Department determines that 
disclosure of certain records to an adjudicative body before which the 
Department is authorized to appear or to an individual or an entity 
designated by the Department or otherwise empowered to resolve or 
mediate disputes is relevant and necessary to judicial or 
administrative litigation or ADR, the Department may disclose those 
records as a routine use to the adjudicative body, individual, or 
entity.
    (d) Disclosure to Parties, Counsel, Representatives, and Witnesses. 
If the Department determines that disclosure of certain records is 
relevant and necessary to judicial or administrative litigation or ADR, 
the Department may disclose those records as a routine use to a party, 
counsel, representative, or witness.
    (4) Employment, Benefit, and Contracting Disclosure.
    (a) For Decisions by the Department. The Department may disclose a 
record to a Federal, State, or local agency, or another public 
authority or professional organization, maintaining civil, criminal, or 
other relevant enforcement or other pertinent records, if necessary to 
obtain information relevant to a Department decision concerning the 
hiring or retention of an employee or other personnel action, the 
issuance of a security clearance, the letting of a

[[Page 48823]]

contract, or the issuance of a license, grant, or other benefit.
    (b) For Decisions by Other Public Agencies and Professional 
Organizations. The Department may disclose a record to a Federal, 
State, local, or other public authority or professional organization, 
in connection with the hiring or retention of an employee or other 
personnel action, the issuance of a security clearance, the reporting 
of an investigation of an employee, the letting of a contract, or the 
issuance of a license, grant, or other benefit, to the extent that the 
record is relevant and necessary to the receiving entity's decision on 
the matter.
    (5) Employee Grievance, Complaint, or Conduct Disclosure. If a 
record is relevant and necessary to an employee grievance, complaint, 
or disciplinary action, the Department may disclose the record in this 
system of records in the course of investigation, fact-finding, or 
adjudication to any party or the party's counsel or representative, a 
witness, or to a designated fact-finder, mediator, or other person 
designated to resolve issues or decide the matter.
    (6) Labor Organization Disclosure. The Department may disclose 
records from this system of records to an arbitrator to resolve 
disputes under a negotiated grievance procedure or to officials of 
labor organizations recognized under 5 U.S.C. chapter 71 when relevant 
and necessary to their duties of exclusive representation.
    (7) Freedom of Information Act (FOIA) and Privacy Act Advice 
Disclosure. The Department may disclose records to the DOJ or the 
Office of Management and Budget if the Department seeks advice 
regarding whether records maintained in this system of records are 
required to be disclosed under the FOIA or the Privacy Act.
    (8) Disclosure to the DOJ. The Department may disclose records to 
the DOJ, or the authorized representative of the DOJ, to the extent 
necessary for obtaining DOJ advice on any matter relevant to an audit, 
inspection, or other inquiry related to the programs covered by this 
system.
    (9) Contract Disclosure. If the Department contracts with an entity 
for the purposes of performing any function that requires disclosure of 
records in this system to employees of the contractor, the Department 
may disclose the records to those employees. As part of such a 
contract, the Department shall require the contractor to agree to 
establish and maintain safeguards to protect the security and 
confidentiality of the disclosed records.
    (10) Research Disclosure. The Department may disclose records to a 
researcher if the Department determines that the individual or 
organization to which the disclosure would be made is qualified to 
carry out specific research related to functions or purposes of this 
system of records. The Department may disclose records from this system 
of records to that researcher solely for the purpose of carrying out 
that research related to the functions or purposes of this system of 
records. The researcher shall be required to agree to establish and 
maintain safeguards to protect the security and confidentiality of the 
disclosed records.
    (11) Congressional Member Disclosure. The Department may disclose 
the records of an individual to a Member of Congress or the Member's 
staff when necessary to respond to an inquiry from the Member made at 
the written request of that individual and on behalf of that 
individual. The Member's right to the information is no greater than 
the right of the individual who requested the inquiry.
    (12) Disclosure in the Course of Responding to a Breach of Data. 
The Department may disclose records from this system of records to 
appropriate agencies, entities, and persons when (a) the Department 
suspects or has confirmed that there has been a breach of the system of 
records; (b) the Department has determined that as a result of the 
suspected or confirmed breach there is a risk of harm to individuals, 
the Department (including its information systems, programs, and 
operations), the Federal government, or national security; and (c) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with the Department's efforts to 
respond to the suspected or confirmed breach and prevent, minimize, or 
remedy such harm.
    (13) Disclosure in Assisting another Agency in Responding to a 
Breach of Data. The Department may disclose records from this system to 
another Federal agency or Federal entity, when the Department 
determines that information from this system of records is reasonably 
necessary to assist the recipient agency or entity in (a) responding to 
a suspected or confirmed breach or (b) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs, and operations), 
the Federal government, or national security, resulting from a 
suspected or confirmed breach.
    (14) Disclosure to the National Archives and Records Administration 
(NARA). The Department may disclose records from this system of records 
to NARA for the purpose of records management inspections conducted 
under the authority of 44 U.S.C. 2904 and 2906.

DISCLOSURE TO CONSUMER REPORTING AGENCIES:
    Disclosures pursuant to 5 U.S.C. 552a(b)(12): The Department may 
disclose the following information to a consumer reporting agency 
regarding a valid overdue claim of the Department: (1) the name, 
address, taxpayer identification number, and other information 
necessary to establish the identity of the individual responsible for 
the claim; (2) the amount, status, and history of the claim; and (3) 
the program under which the claim arose. The Department may disclose 
the information specified in this paragraph under 5 U.S.C. 552a(b)(12) 
and the procedures contained in subsection 31 U.S.C. 3711(e). A 
consumer reporting agency to which these disclosures may be made is 
defined in 15 U.S.C. 1681a(f) and 31 U.S.C. 3701(a)(3).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    The records are stored electronically.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    In order for users to retrieve aid applicant or recipient 
information, they must supply the respective SSN, name, and DOB or by 
the unique internal account identifier.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records are primarily retained and disposed of in accordance with 
ED Records Schedule 278, ``FSA Person Authentication Service (PAS) 
Records'' (DAA-0441-2016-0001) (ED 278). The Department has submitted 
amendments to ED 278 for NARA's consideration and will not destroy 
records covered by ED 278 until such amendments are in effect, as 
applicable.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Authorized users: Access to the system is limited to authorized PAS 
program personnel and contractors responsible for administering the PAS 
program. Authorized personnel include Department employees and 
officials, financial and fiscal management personnel, computer 
personnel, and program managers who have responsibilities for 
implementing the PAS program. Read-only users: Read-only access is 
given to servicers, holders, financial/fiscal management personnel, and 
institutional personnel.

[[Page 48824]]

    Physical safeguards: Magnetic tapes, disc packs, computer 
equipment, and other forms of data are stored in areas where fire and 
life safety codes are strictly enforced. Security guards are staffed 24 
hours a day, seven days a week, to perform random checks on the 
physical security of the record storage areas.
    Procedural safeguards: A password is required to access the 
terminal, and a data set name controls the release of information to 
only authorized users. In addition, all sensitive data is encrypted 
using Oracle Transparent Data Encryption functionality. Access to 
records is strictly limited to those staff members trained in 
accordance with the Privacy Act and Automatic Data Processing (ADP) 
security procedures. Contractors are required to maintain 
confidentiality safeguards with respect to these records. Contractors 
are instructed to make no further disclosure of the records except as 
authorized by the System Manager and permitted by the Privacy Act. All 
individuals who have access to these records receive appropriate ADP 
security clearances.
    Department personnel make site visits to ADP facilities for the 
purpose of ensuring that ADP security procedures continue to be met. 
Privacy Act and ADP system security requirements are specifically 
included in contracts. The PAS project directors, project officers, and 
the system manager oversee compliance with these requirements.
    In accordance with the Federal Information Security Management Act 
of 2002 (FISMA), as amended by the Federal Information Security 
Modernization Act of 2014, every Department system must receive a 
signed Authorization to Operate (ATO) from a designated Department 
official. The ATO process includes a rigorous assessment of security 
controls, a plan of actions and milestones to remediate any identified 
deficiencies, and a continuous monitoring program.
    FISMA controls implemented are comprised of a combination of 
management, operational, and technical controls, and include the 
following control families: access control, awareness and training, 
audit and accountability, security assessment and authorization, 
configuration management, contingency planning, identification and 
authentication, incident response, maintenance, media protection, 
physical and environmental protection, planning, personnel security, 
privacy, risk assessment, system and services acquisition, system and 
communications protection, system and information integrity, and 
program management.

RECORD ACCESS PROCEDURES:
    If you wish to gain access to a record in this system, you must 
contact the system manager with the necessary particulars such as your 
name, DOB, SSN, and any other identifying information requested by the 
Department while processing the request, to distinguish between 
individuals with the same name. Requests by an individual for access to 
a record must meet the requirements of the regulations at 34 CFR 5b.5, 
including proof of identity.

CONTESTING RECORD PROCEDURES:
    If you wish to contest the content of a record in the system of 
records, you must contact the system manager with the necessary 
particulars such as your name, DOB, SSN, and any other identifying 
information requested by the Department while processing the request, 
to distinguish between individuals with the same name. You must also 
identify the specific item(s) to be changed, and provide a 
justification for the change, including any supporting documentation. 
Requests to amend a record must meet the requirements of the 
Department's Privacy Act regulations at 34 CFR 5b.7.

NOTIFICATION PROCEDURES:
    If you wish to determine whether a record exists regarding you in 
this system of records, you must contact the system manager with the 
necessary particulars such as your name, DOB, SSN,and any other 
identifying information requested by the Department while processing 
the request, to distinguish between individuals with the same name. 
Requests for notification about whether the system of records contains 
information about an individual must meet the requirements of the 
regulations at 34 CFR 5b.5, including proof of identity.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    The system of records notice entitled the ``Person Authentication 
Service'' (18-11-12) was last modified and published in full in the 
Federal Register on March 20, 2015 (80 FR 14981).

[FR Doc. 2023-16001 Filed 7-27-23; 8:45 am]
BILLING CODE 4000-01-P