Education Department Debit Cards Rack Up Privacy Concerns

On
January 19, the Office of Federal Student Aid (FSA) released a pre-solicitation notice for the Next Gen Payment Card Pilot Program,
which would test a new way for FSA to disburse financial aid funds to current
students. Now, FSA sends a student’s funds to her institution, which applies
the money to the student’s account to cover tuition and fees. Any overages are
refunded to the student by her preferred method of disbursement—by cards,
Automated Clearing House (ACH) direct-deposit payments, or checks. The new
program would provide students the option to receive disbursements on a payment
card provided by the federal government and managed by a third-party provider.

While
the intent of this pilot program is to test a new way for the Department to
disburse federal student aid for living costs, and for students to
potentially have faster access to their aid money, the potential privacy
implications of the program are significant and FSA needs to be committed to
seriously addressing those challenges.

For
starters, it’s clear that FSA isn’t looking just to get certain types of federal
aid out the door faster. As it said in the notice, it believes the pilot will
also present a way to help students understand how they spend their federal
student aid–and discourage them from using the funds in certain ways. Advocates are concerned that FSA will have access to students’
purchasing data, would have a strong incentive to closely track and monitor
spending behavior, and could even go so far as to use this program to restrict
how students are able to spend their loan dollars. While Congress has
authorized the use of federal aid dollars on costs of living (like rent and
groceries), the notion of heavily discouraging or restricting spending on those
needs is even more concerning given the recent explosion of research showing
that many college students are hungry or homeless.

Student
aid could also be used as an entry point to market services to students. The
notice outlines the opportunity for “cross program customer opportunities” and
the ability for a company to build a “long-term, even life-long, relationship
for other financial services and products.” Leveraging a student loan
disbursement tool to market financial products is an inappropriate use of
student data. Yet, under this program, companies could send students proposals
and offers and receive access to their data if students provide permission. A
permission-based privacy policy alone is not enough to ensure students’ data
are used appropriately, especially when digital marketing research  suggests
that most people don’t fully understand privacy policies and the scope of the
data collected when they accept third-party provider permissions. In fact, the
additional services marketed as a result of this program could be construed as
services provided or endorsed by the Education Department, an inappropriate use
of providers’ access to government beneficiaries.

Instead,
data on students and their financial decisions participating in the federal
payment card program should only be
used for the administration of the Next Gen Payment Card program. They must not
be misused by FSA or a third-party provider for marketing, tracking, or
restricting student purchases. The pre-solicitation notice does describe data
security requirements for the third-party provider, but does not detail
specific privacy protections for students, nor does it detail the kinds of
security precautions FSA will take with data from the third-party provider–a major
problem.

Through
our work with the Postsecondary Data Collaborative, we believe that student privacy must be front
and center when implementing new policies. Proactive privacy principles are
essential to the contract between FSA and the selected third-party provider.
Here are three key recommendations for restrictions on data use to protect
student privacy:

1. The contracted provider should not
   use student data to market additional products or services.

2. The contract should clearly define
   the permissible uses of the data collected by such a system. Student
   purchase behavior data is unrelated to the administration of federal
   student aid and should not be tracked or used beyond providing basic
   account information for students, like transactions and card balances.
   Further, the contractor, FSA, and colleges and universities should not
   restrict or control purchases made by students.

3. Data should not be shared with or
   sold to any additional third-party providers.

When
used responsibly, data have great power to support student success. But in this
situation, FSA has not demonstrated its due diligence to ensure that student
privacy is protected and that data are not misused. The federal government
should not allow third-party providers to market to students, to sell the data
to other entities, or to inappropriately collect and use student data for
non-educational purposes. The official solicitation for contractor support is
expected soon, and we sincerely hope that FSA recognizes these important
student privacy principles before moving forward.