FAFSA® Simplification: Protecting FTI — Institutional Responsibility

Melissa Maichle .

In our June blog, we discussed how the process of obtaining federal income tax information will be changing for the 2024-2025 award year. In summary, the current IRS data retrieval tool allows the student, their parents or spouse, collectively known as the ‘contributors,’ to authorize the transfer of federal tax return information (FTI) to their online FAFSA® form.  They share the information with Federal Student Aid (FSA), institutions, state agencies, etc. by clicking the submit button. In the new process, the FAFSA® contributors authorize the IRS to share elements of federal tax returns with FSA directly. FSA then shares the data with other institutions and agencies eligible to receive the data. As a result, institutions and agencies that receive and store this protected data will be subject to some new rules.

In order to receive ISIRs for 2024 – 2025, institutions will need to sign a new SAIG Enrollment agreement, enroll in the FTI SAIG mailbox, and install upgraded SAIG software. FTI is considered Controlled Unclassified Information (CUI) because it contains personally identifiable information (PII) that is not classified but requires safeguarding and dissemination controls. When this data is present in an ISIR, the code CUI//SP-TAX will appear before and after the element — and these codes must be maintained in the student’s files. See NIST Special Publication 800-171 for more detail on handling CUI.

Here are some common scenarios where the Financial Aid Office may be asked to share application data and what the appropriate response should be under the new rules:

  • The student asks to see the application responses, even those provided by other contributors —in this case, you may share the complete, unredacted FAFSA Submission Summary (FSS) with the student.
  • The student asks to share application data with a private scholarship provider — with the written consent of the student, the Financial Aid Office can share the complete, unredacted FSS with a third party.
  • The institution or state agency uses application data to conduct research – FAFSA data excluding FTI, may be used in research, provided no applicant PII is released.
  • The institution or state agency hires a contractor to manage one or more facets of the financial aid awarding and/or delivery processes — FAFSA data, including FTI, can be shared with third party contractors only to the extent necessary to fulfill the work they are contracted to do.

These new rules supplement rather than replace the existing data protection regulations found in HEA, FERPA, and the Privacy Act.

Learn more on this topic by visiting the  FSA Knowledge Center and as always, if you have questions or concerns, the Higher Education Assistance Group has Title IV Compliance Support resources available. Email us at info@heag.us to get more information about our compliance services.