Dear Colleague:
As explained in Electronic Announcement (EA) GENERAL-23-34, the HEA and IRC were amended by the Fostering Undergraduate Talent by Unlocking Resources for Education Act (FUTURE Act) and the Consolidated Appropriations Acts of 2021 (in the section called the FAFSA Simplification Act) and 2022. Among the requirements of these revisions is that FAFSA applicants and contributors (i.e., an applicant’s parent(s) or spouse, as relevant) approve the disclosure and use of data they enter on the FAFSA form as well as the FTI that is transferred from the Internal Revenue Service (IRS) for determining eligibility for federal student aid. This letter expands on the guidance in the above EA, and it replaces outright EA GENERAL-24-129, which explained the treatment of FAFSA and non-FAFSA data but not FTI. This Dear Colleague Letter (DCL) and the EAs cited herein comprise the U.S Department of Education’s (Department’s) current guidance on this topic.
Other than statutory and regulatory requirements included in the document, the contents of this guidance do not have the force and effect of law and are not meant to bind the public. This document is intended only to provide clarity to the public regarding existing requirements under the law or agency policies.
It is important to understand the distinctions between the types of data mentioned above because there are different usage rules for each data type under the HEA, IRC, and FERPA. When determining whether a use or disclosure is allowable, the most restrictive statute applies.
-
FAFSA data is all information entered on the application or transferred from the previous year’s application. It also includes most data that the FAFSA Processing System (FPS) derives from the application, such as Federal Pell Grant eligibility and the Student Aid Index (SAI). In general, FAFSA data is what appears on the Institutional Student Information Record (ISIR) that is not FTI. For a full list of the ISIR information, see the ISIR Guide, which is Volume 6 of the FAFSA Specifications Guide.
-
FTI is all the data received from the IRS via the FUTURE Act Direct Data Exchange (FA-DDX) as well as data that the FPS directly derives that could be used to reverse calculate FTI, such as the student or parent payroll tax allowance. These items are specifically listed in EA GENERAL-23-34; the FA-DDX items were included when the EA was originally published in 2023, and the directly derived data were added at the beginning of 2025. The EA also explains the protocol for handling FTI, which includes labeling it as “CUI//SP-TAX” (Controlled Unclassified Information/Specified Tax). The Department will label FTI fields on the ISIR, and FTI must also be labeled as CUI//SP-TAX by our partners; these labels must follow FTI wherever it is accessed, stored, or redisclosed with the written consent of the student as explained below.
Note that not all tax data are FTI; manually entered tax data, such as those from a foreign tax return or from an IRS return that was not eligible for the data exchange, are considered FAFSA data. The FUTURE Act allowed the Department for the first time to maintain FTI in its systems; the FTI must be used and safeguarded according to the strict requirements of the IRC and the HEA. Prior to the 2024–2025 award year, when the FA-DDX was implemented, all tax data were considered FAFSA data, even when transferred by the now-retired IRS Data Retrieval Tool (IRS DRT), because it was either directly entered by the student or parent or, in the case of the DRT, they agreed to the transfer of the data from the IRS, which they then could view and edit. In the current environment, they are not able to view or edit data transferred via the FA-DDX. -
Non-FAFSA, institutional, or school data are the terms for information that is originated by schools or other entities. This includes total aid awarded, grant and loan receipt and amounts, and unmet financial need. While some of this information, such as Pell Grant receipt and amount, is reported to Department systems, such as the National Student Loan Data System (NSLDS®), it is not considered FAFSA data because it originates from schools rather than from the ISIR. By contrast, Pell Grant eligibility is considered FAFSA data since it is part of the ISIR and is derived from information entered on the FAFSA form.
In this context, the IRC governs the use and access of FTI, while the HEA and the Privacy Act cover FAFSA data use as well as FTI.
The Privacy Act applies to federal agencies and governs information about individuals that is in a “record” contained in a “system of records” (see 5 U.S.C. §§ 552a(a)(1)–(7), (b), and (e)). Information that the Privacy Act protects cannot be disclosed by federal agencies without prior written consent unless one of the statutory exceptions applies. Under one exception, a federal agency may publish in the Federal Register a “routine use” for the information in a system of records notice (SORN) that outlines how the agency may disclose the information without prior written consent so long as the routine use is compatible with the purpose for which the agency collected the information. The Department’s routine uses for FAFSA data are outlined in the Aid Awareness and Application Processing (AAAP) (18-11-21) SORN, and the routine uses for FTI data are outlined in the FUTURE Act System (FAS) (18-11-23) SORN.
FERPA and its implementing regulations protect the privacy of student education records at all educational institutions and agencies that receive funds under a Department program. This protection encompasses FTI and FAFSA data as well as an institution’s financial aid records on a student. FERPA is more broadly applicable, but generally less restrictive, than the HEA and IRC.
The Department’s FERPA regulations (see 34 C.F.R. § 99.3) define education records, parent, and student, noting that the latter means anyone who is attending or has attended an educational agency or institution and for whom the agency or institution maintains education records. A person’s records at a school he or she has applied to but not attended are therefore not education records protected by FERPA. When a student reaches 18 years of age or attends a school at any age, he or she becomes an “eligible student,” and all rights accorded to, and consent required of, parents under FERPA transfer from the parent to the student. (34 C.F.R. §§ 99.3, 99.5(a)(1)).
It is helpful to separate those activities that schools and state agencies are entitled to and expected to perform without additional consent from students (beyond the approval students provide when completing the FAFSA form) from those activities that require such consent. See EA GENERAL-24-149 for guidance about the form and collection methods of this additional consent. We also discuss it further below.
Application, Award, and Administration of Aid: Schools and state agencies and their respective contractors may receive and use FTI and FAFSA data for the application, award, and administration of financial aid, consistent with the HEA, Privacy Act, and FERPA, and as outlined in their Student Aid Internet Gateway (SAIG) agreements. According to HEA section 483, state agencies are to use FTI and FAFSA data “solely for the application, award, and administration of state-based financial aid for which the applicant is eligible,” while schools are to use the same information “solely for the application, award, and administration of financial aid to the applicant.” The language in both cases is similar though more general for schools, which are responsible for creating and administering a student’s entire aid package, while the purview of state agencies is to focus on their own aid programs. The law also specifies research uses for FAFSA data, which will be explained further below. The Department interprets “the application, award, and administration of aid” to be the administrative and business functions necessary to deliver federal, state, and institutional financial aid efficiently and effectively to students. These functions may include but are not limited to:
-
managing aid applications, eligibility, verification, and packaging and assisting students with those processes;
-
processing and disbursing federal, state, or institutional financial aid;
-
monitoring the academic progress of aid recipients and enforcing other aid requirements (e.g., satisfactory academic progress or SAP);
-
complying with mandatory reporting for participation in aid programs, such as the Integrated Postsecondary Education Data System (IPEDS) reporting and net price calculator publishing under HEA sections 487 and 132 respectively;
-
performing analyses necessary to the administration of financial aid programs by leveraging FTI and FAFSA data to estimate and model how financial aid will be allocated by the school or state agency; and
-
conducting audits and program evaluations necessary for the efficient and effective administration of those student aid programs.
The above duties are largely, but not entirely, school functions, and often the financial aid office performs them, but other personnel in offices or programs within a school who have duties related to the application, award, or administration of financial aid will be involved too. This includes, but is not limited to, those in the admissions and business (or bursar’s) offices, support programs, athletic and academic departments (e.g., awarding scholarships), and offices responsible for mandatory monitoring and reporting related to aid administration (e.g., SAP and IPEDS). Also included are contractors administering any aspect of a school’s or state agency’s aid-related activities; the contractors must assume all appropriate safeguards and responsibilities, including liability for any civil and criminal penalties under the HEA, IRC, and Privacy Act.
In handling FTI and FAFSA data, the principle of “least privilege” should apply. Users should only have access to and make use of the data if it is necessary for them to perform their duties related to the application, award, and administration of aid or, for FAFSA data, applicable research. This will minimize potential security risks and breaches. The SAIG agreements schools and state agencies signed clarify who can access and use FAFSA data and FTI. The authorized personnel mentioned in state agency SAIG agreements and the administrators described in school SAIG agreements must be under the direct control of or bound by written agreement to the state agency or school. The SAIG agreements detail the responsibilities of authorized personnel and administrators and any penalties that might apply for failure to execute those responsibilities.
Because of the special sensitivity of FTI and the penalties involved for even inadvertently mishandling the data, schools and state agencies should limit those accessing FTI to financial aid administrators (FAAs) as much as possible even though a variety of offices may have duties related to the application, award, and administration of aid. For example, a school’s financial aid office should use FTI to calculate eligibility for monetary scholarships that might be administered by other parts of the institution such as athletics or academic departments or an alumni association. Offices like institutional research that hold responsibility for required reporting such as IPEDS are permitted to access FTI, but the school must ensure they have taken all necessary steps to ensure the appropriate use of FTI, which also includes ensuring staff fully understand their responsibilities for protecting FTI. All individuals within a school or state agency who access FTI are required to take all applicable training.
In addition, the Department will ensure the security of FTI by holding schools and state agencies to the National Institute of Standards and Technology (NIST) Special Publication 800.171, Rev. 3 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) CUI security standards, and they, in turn, will be required to ensure that any external entities that receive FTI from them are held to the same standards. This requirement may narrow the outside entities that are able to receive FTI because they may not meet the NIST standards and because the school or state agency may lack the oversight to ensure compliance. The Department will provide more information about this requirement in the future. As of the publication of this letter, there are not yet any compliance obligations regarding NIST SP 800.171.
Research: Both state agencies and schools can use FAFSA data, but not FTI, to perform research without student consent as long as the research activities pertain to college attendance, persistence, and completion. The research cannot release any individually identifiable information about students. Contractors or third-party servicers that otherwise already have access to student FAFSA data due to their role in aid application, award, and administration may also perform this research under the direction of the school or state agency. This could involve, for example, a school using student-level FAFSA data to conduct a study about program completion of Pell-eligible students, as long as any results of the study that are released do not contain any identifiable information about the students involved.
This function can also include the creation of de-identified, aggregate statistics (of FAFSA data but not FTI) that a school makes publicly available by posting them to its website or releasing them to another party for the purpose of college attendance, persistence, and completion, such as an organization that uses the statistics to provide the public more information about the schools that released them. Such statistics are a research product that is being used with the implicit purpose of encouraging attendance at the schools that publish them.
FAFSA Completion Efforts: State agencies, in collaboration with local education agencies (LEAs) or secondary schools, may use only students' identifying information from the FAFSA form to check if a graduating student has submitted the application. Per the state agency SAIG agreement, identifying information means: the applicant’s first and last name, date of birth, and ZIP code; FAFSA submitted and processed dates; selected for verification flag; and a FAFSA completion flag as determined by the state agency (e.g., FAFSA not submitted, FAFSA complete, or FAFSA incomplete). The state agency should consult its SAIG agreement for more details on how to properly redisclose and use identifying information from the FAFSA form for this purpose. The LEA or secondary school must comply, as applicable, with FERPA requirements if it discloses any personally identifiable information (PII) from students’ education records to the state agency. There is no provision in the HEA for colleges performing this function.
Means-tested Benefits Outreach: As explained in EA GENERAL-24-93, state agencies and schools can use FAFSA data such as the Student Aid Index (SAI) and Pell Grant eligibility to determine which students they will contact about possible eligibility for means-tested benefits like the Child Tax Credit and Medicaid. They should minimize the FAFSA information and number of personnel needed for this function.
Designated Scholarship Organizations: While this DCL is concerned with institutions of higher education and state agencies, it bears noting that HEA section 483(a)(2)(D) refers to scholarship organizations that are authorized to receive ISIR data, including FTI, directly from the Department due to a prior designation from the Secretary of Education. There are only two: the United Negro College Fund and Hispanic Scholarship Fund can receive ISIR data without additional prior written consent of the applicant. However, these entities are not permitted to further disclose FAFSA data or FTI for any other purpose beyond the application, award, and administration of their specific aid programs. They will also be required to adhere to the NIST SP 800.171 CUI security standards in their handling of FTI.
As noted above, the consent process is described in EA GENERAL-24-149, and it applies to both schools and state agencies. However, there are some differences between what the obtaining of student consent allows the two kinds of organizations to do.
Sharing Data for Assistance from Government Agencies and Other Entities: Under HEA section 483, state agencies, with student consent, may share FAFSA data (excluding FTI) with federal, state, local government agencies, or tribal organizations to help students receive assistance for any component of the cost of attendance (COA). That may include financial or non-monetary assistance, including means-tested benefits. A public college or university that qualifies as a government agency (i.e., its employees are government employees) may be eligible for this redisclosure by a state higher education agency. This would be helpful, for instance, for TRIO programs that are run by public institutions (not private nonprofit or for-profit schools) but that do not already have access to FAFSA data because they do not provide monetary support to students and therefore do not participate in the application, award, and administration of aid. Such TRIO programs could receive FAFSA data from the state agency with written consent.
Under HEA section 494, schools that obtain student consent may share both FAFSA data and FTI with the same organizations as state agencies, to help students receive financial assistance (but not non-monetary assistance), including means-tested benefits, for any component of the COA. And unlike state agencies, schools may also share FAFSA data and FTI with external scholarship-granting organizations, including tribal organizations. This highlights schools’ wider purview in coordinating the entire financial aid package for students, including the scholarships provided by non-governmental organizations. However, as stated, schools will be required to ensure that any external entities that receive FTI are held to the NIST SP 800-171 CUI security standards.
Any person or organization receiving such information from state agencies or schools may only use that information for the express purpose(s) intended by the students’ consent.
School-only Provisions With Student Consent: There are a few actions that apply only to schools. Normally students who complete an application will receive a FAFSA Submission Summary (FSS, the document that replaced the Student Aid Report mentioned in the law) that lists the data they entered on the application but does not contain their FTI. Under the HEA, students who give consent can receive a complete, unredacted copy of their record that includes their FTI (likely a copy of their ISIR) from their school, and they are free to further disclose that document as they choose.
Also, students who provide consent may have a discussion of their FAFSA data and FTI with their school that includes an advisor or other individual that they choose to participate in the discussion, which may be someone internal or external to the institution, such as TRIO or other program personnel.
As noted above, a third-party servicer that has access to FAFSA data may perform research pertaining to college attendance, persistence, and completion on behalf of a school or state agency. Under HEA section 483(a)(3)(C)(iii), a school may, with student consent, share FAFSA data but not FTI with an external entity that is not a third-party servicer to perform that research.
As with governmental agencies and scholarship organizations receiving information with student consent, the advisor and the external research entity mentioned above shall only use the information they receive for the purpose for which consent was granted by the student.
A scholarship-granting organization, government or tribal agency, or the advisor mentioned above that receives information via a school that has obtained a student’s written consent cannot redisclose the information to any other person without the additional express written permission of, or request by, the student.
As explained above, information that is not created by the Department but that may reside in Department systems is considered non-FAFSA or school data and is not governed by the same HEA or IRC restrictions as FAFSA data and FTI. Because the HEA and IRC are more restrictive than FERPA regarding the use of FAFSA data and FTI, it was not necessary in that discussion to explain how that use satisfies the FERPA statutes and regulations. However, when determining the uses of institutional data, on which the IRC and HEA are silent, it is necessary to discuss the FERPA rules.
As outlined in the Department’s An Eligible Student Guide to the Family Educational Rights and Privacy Act (FERPA), a school may not disclose PII from eligible students’ education records without their prior written consent unless an exception to the consent requirement is met. The Department’s FERPA regulations (see 34 CFR 99.31) describe the exceptions to general consent, such as disclosures to school officials who the school has determined have legitimate educational interests in the education records; disclosures in connection with an eligible student’s application for, or receipt of, financial aid; and disclosures to organizations conducting certain types of studies for, or on behalf of, the school. Please note that this guidance does not provide comprehensive details of all the requirements necessary to implement a FERPA exception (e.g., both the studies and audit or evaluation exceptions under FERPA have requirements for what must be included in a written agreement). More information on these requirements can be found through the Department’s student privacy website.
It may benefit schools to use institutional data instead of similar FAFSA data if they are able because that could offer more flexibility. Consider, for example, a school that wanted to have an outside researcher do work under the FERPA studies exception that examined Pell-eligible students. If the school sorted the students according to those to whom it disbursed Pell Grants rather than those whose ISIRs had a Pell eligibility flag of Y, it would not need student consent because the former is school data while the latter is FAFSA data from the ISIR. As noted above, the studies exception mandates the criteria that must be met, such as what the studies can cover and the details of the agreement between the school and the outside researcher. See §99.31(a)(6).
Similar rationales about the flexibility available for the use of school data can be made for other FERPA exceptions, such as the school official exception. For example, while schools could use FAFSA data and FTI to administer a TRIO program like Student Support Services because it offers funds to students, which falls under the application, award, and administration of aid, FAFSA data and FTI cannot be used to determine eligibility for TRIO programs that do not offer aid. In those cases, it might be possible to use non-FAFSA data and the school official exception to determine student eligibility for non-monetary TRIO benefits, such as tutoring and counseling.
Correcting the FAFSA: Under FERPA, eligible students have the right to seek to amend inaccurate information in their education records. For FAFSA data, this is accomplished either by students or FAAs according to the guidance in Chapter 4 of the Application and Verification Guide, a volume of the FSA Handbook. However, while FTI is part of a student’s education record, because the Department received it directly from the IRS and shared it with schools, it is by definition accurate tax data, and there is no correcting it. Students who believe their SAI has been calculated incorrectly should contact their school financial aid office. If they are contesting the accuracy of their FTI, the school should refer them to the IRS. If they need to file an amended tax return, the school can refer them to a tax professional.
In cases where students request and are granted a professional judgment (PJ) adjustment by their school because the FTI, which is from the prior-prior year, does not reflect their current financial situation, the action that the FAA takes suppresses the FTI in the ISIR and instead uses more current income information. In PJ situations, because the tax data is provided by the student (or parent or spouse), it is considered FAFSA data rather than FTI.
Certain NSLDS Data Use Provisions Unchanged: It is important to note that neither the FUTURE Act nor the FAFSA Simplification Act amended some specific prohibitions in the HEA. Paragraph (d)(2) of Section 485B of the HEA still prohibits nongovernmental researchers and policy analysts from accessing PII from NSLDS, and paragraph (d)(5)(B) still prohibits the use of NSLDS data for marketing purposes.
The guidance above refers to two consent processes: one for the disclosure of information under FERPA and one for HEA disclosures. The regulations explain the contents of student consent under FERPA in §99.30, and the HEA explains what student consent for FTI/FAFSA data sharing must contain in section 494(c)(4)(B). Institutions of higher education can use the same process to obtain written consent that adheres to the requirements of the HEA and FERPA from applicants who are eligible students under both statutes.
Under the HEA, written consent requires a separate, written document (which may be in an electronic format) signed and dated by the applicant. The written consent must state the information being disclosed, and if that includes FTI it must specifically say so. The consent must also state the purpose for the disclosure and that the information may only be used for this purpose. Written consent is required to be maintained for a period of at least three years from the student’s last date of attendance at the institution and made available to the Department upon request.
Written consent from an eligible student under FERPA must specify the records that may be disclosed, state the purpose of the disclosure, and identify the party or class of parties to whom the disclosure may be made. Upon students' request, the agency or institution shall provide them with a copy of the records disclosed. The signed and dated consent may be in an electronic form that identifies and authenticates the students as the source of the electronic consent and indicates their approval of the information contained in it.
For More Information
The Department appreciates stakeholders’ cooperation and continued role in safeguarding the integrity of the Title IV programs and protecting the sensitive information, including FTI, provided by students and their families. If you need additional information or have specific questions, visit FSA’s Partner Connect Help Center and select the Topic “Policy Guidance” on the Contact Customer Support form. Further discussion of all the key terms, definitions, and systems related to the FAFSA Simplification and FUTURE acts is available in EA GENERAL-23-63.
For more information on FERPA, including what exceptions to the general consent requirement might be relevant, and other student privacy issues, visit studentprivacy.ed.gov. FERPA questions can be submitted at studentprivacy.ed.gov/contact.
Dr. Christopher J. McCaghren
Acting Assistant Secretary
Office of Postsecondary Education