Education Department Debit Cards Rack Up Privacy Concerns

On January 19, the Office of Federal Student Aid (FSA) released a pre-solicitation notice for the Next Gen Payment Card Pilot Program, which would test a new way for FSA to disburse financial aid funds to current students. Now, FSA sends a student’s funds to her institution, which applies the money to the student’s account to cover tuition and fees. Any overages are refunded to the student by her preferred method of disbursement—by cards, Automated Clearing House (ACH) direct-deposit payments, or checks. The new program would provide students the option to receive disbursements on a payment card provided by the federal government and managed by a third-party provider.

While the intent of this pilot program is to test a new way for the Department to disburse federal student aid for living costs, and for students to potentially have faster access to their aid money, the potential privacy implications of the program are significant and FSA needs to be committed to seriously addressing those challenges.

For starters, it’s clear that FSA isn’t looking just to get certain types of federal aid out the door faster. As it said in the notice, it believes the pilot will also present a way to help students understand how they spend their federal student aid--and discourage them from using the funds in certain ways. Advocates are concerned that FSA will have access to students’ purchasing data, would have a strong incentive to closely track and monitor spending behavior, and could even go so far as to use this program to restrict how students are able to spend their loan dollars. While Congress has authorized the use of federal aid dollars on costs of living (like rent and groceries), the notion of heavily discouraging or restricting spending on those needs is even more concerning given the recent explosion of research showing that many college students are hungry or homeless.

Student aid could also be used as an entry point to market services to students. The notice outlines the opportunity for “cross program customer opportunities” and the ability for a company to build a “long-term, even life-long, relationship for other financial services and products.” Leveraging a student loan disbursement tool to market financial products is an inappropriate use of student data. Yet, under this program, companies could send students proposals and offers and receive access to their data if students provide permission. A permission-based privacy policy alone is not enough to ensure students’ data are used appropriately, especially when digital marketing research  suggests that most people don’t fully understand privacy policies and the scope of the data collected when they accept third-party provider permissions. In fact, the additional services marketed as a result of this program could be construed as services provided or endorsed by the Education Department, an inappropriate use of providers’ access to government beneficiaries.

Instead, data on students and their financial decisions participating in the federal payment card program should only be used for the administration of the Next Gen Payment Card program. They must not be misused by FSA or a third-party provider for marketing, tracking, or restricting student purchases. The pre-solicitation notice does describe data security requirements for the third-party provider, but does not detail specific privacy protections for students, nor does it detail the kinds of security precautions FSA will take with data from the third-party provider--a major problem.

Through our work with the Postsecondary Data Collaborative, we believe that student privacy must be front and center when implementing new policies. Proactive privacy principles are essential to the contract between FSA and the selected third-party provider. Here are three key recommendations for restrictions on data use to protect student privacy:

1. The contracted provider should not use student data to market additional products or services.
   
   
2. The contract should clearly define the permissible uses of the data collected by such a system. Student purchase behavior data is unrelated to the administration of federal student aid and should not be tracked or used beyond providing basic account information for students, like transactions and card balances. Further, the contractor, FSA, and colleges and universities should not restrict or control purchases made by students.
   
   
3. Data should not be shared with or sold to any additional third-party providers.

When used responsibly, data have great power to support student success. But in this situation, FSA has not demonstrated its due diligence to ensure that student privacy is protected and that data are not misused. The federal government should not allow third-party providers to market to students, to sell the data to other entities, or to inappropriately collect and use student data for non-educational purposes. The official solicitation for contractor support is expected soon, and we sincerely hope that FSA recognizes these important student privacy principles before moving forward.