Title IV

Recent U.S. Department of Education Dear Colleague Letter Raises the Bar on Standards for Protecting Federal Financial Aid Data

July 13, 2016

On July 1, 2016, the U.S. Department of Education issued a follow-up Dear Colleague Letter to the Dear Colleague Letter of July 29, 2015. This most recent letter reminds institutions of their legal obligation to protect student data under Title IV and sets forth the new standards and methods the DOE will use when evaluating data security compliance. An institution’s Title IV Program Participation Agreement (PPA) requires it to protect all student financial aid data. The Student Aid Internet Gateway (SAIG) Enrollment Agreement, which governs the system used by educational institutions and third-party servicers to exchange data electronically with the U.S. Department of Education, contains similar requirements.
In addition, the letter reminds institutions that the specific requirements of the Gramm-Leach-Bliley Act (GLBA) governing data security at financial services organizations apply to post-secondary institutions. These include implementing a written information security program, designating an individual to coordinate information security, performing ongoing risk assessments, and properly vetting third-party service providers. The letter also notes that compliance with the GLBA will be incorporated into the DOE’s annual student aid compliance audit requirements.
Most significantly, the letter “strongly encourages institutions to review and understand the standards defined in NIST SP 800-171.” These standards were developed by the National Institute of Standards and Technology (NIST) to protect sensitive federal information that is used and stored in non-federal information systems and organizations. NIST SP 800-171 sets forth a significant expansion of the data security requirements and controls expected in the handling of student financial aid data and other types of federal data and information.
In citing these standards, the DOE acknowledges “the investment and effort by institutions to meet and maintain the standards set forth in NIST SP 800-171” but “strongly encourages those institutions that fall short of NIST standards to assess their current gaps and immediately begin to design and implement plans to close those gaps using NIST standards as a model.” The message from the US DOE is clear – institutions of higher education that use student financial aid data and other forms of federal data are expected to “immediately” begin to integrate the specific requirements of NIST SP 800-171.

Confidentiality and Title IX

May 20, 2014

By John Gaal

In OCR’s April 2011 Dear Colleague Letter, OCR referenced a covered institution’s obligations in the face of knowledge of sexual harassment/misconduct and a victim’s request for confidentiality and/or that the institution not act on the report, but did not provide particularly helpful guidance on how an institution is to balance those competing concerns. Its recent Questions and Answers on Title IX and Sexual Violence (“Q&A”) provide a little more help. Title IX requires that an institution with notice of sexual harassment/misconduct act to end and remedy that harassment/misconduct. Notwithstanding this obligation, OCR has made clear that it “strongly supports” a student’s interest in confidentiality and, while it recognizes that there may be instances where an institution must deny a student’s request for confidentiality in order to meet its Title IX obligations, it has now characterized those instances as “limited,” noting that even then information should only be shared with those individuals responsible for handling the institution’s response to the situation. OCR’s Q&A confirms that when confronted with a student request for confidentiality, the institution must inform the student that honoring that request may impair the institution’s ability to fully investigate and respond to the incident (including disciplining or taking other action against a perpetrator). As part of that discussion, the institution needs to explain to the student Title IX’s prohibition against retaliation, that it will take steps to prevent retaliation, and that it will take “strong responsive action” if retaliation occurs. If a student still insists upon confidentiality, the institution is required to balance that request against its obligation to provide a safe and nondiscriminatory environment for all students, including the reporting student. While not required, OCR believes that this is a determination best made by the Title IX coordinator.
The Q&A lists a number of factors to be considered in making this determination:

  • Have there been other complaints of sexual harassment/misconduct against the alleged perpetrator?
  • Does the alleged perpetrator have a history of arrests or records from a prior school indicating a history of harassment/misconduct?
  • Has the alleged perpetrator threatened further sexual harassment/misconduct against the complainant, or others?
  • Was the harassment/misconduct perpetrated by multiple individuals?
  • Does the report of harassment/misconduct reveal a pattern of perpetration (e.g., via illicit use of drugs or alcohol) at a given location or by a particular group?
  • Was a weapon involved?
  • Are there other means of obtaining relevant information?

If an institution determines that it cannot provide confidentiality, it should inform the student prior to making any disclosure.  In addition, the institution needs to consider interim measures necessary to protect the student and ensure the safety of other students.  If the reporting individual requests the institution to inform the alleged perpetrator that he or she had asked the school not to investigate or seek discipline, the institution should honor that request and inform the alleged perpetrator that the decision to proceed is an institutional decision. In situations where an institution determines that it can honor a request for confidentiality, the institution is not relieved of its duty to act.  There may be any number of steps an institution may take, and may have to take, without identifying the reporting individual or commencing disciplinary proceedings.  For example, the Q&A specifically references increased monitoring, supervision or security at locations or activities where the misconduct occurred; providing training and educational materials for students and staff; changing or publicizing the institution’s policies on harassment/misconduct; and conducting climate surveys on harassment/misconduct. Where many students are involved, an alleged perpetrator may be put on notice of the allegations and counseled appropriately, without revealing the identity of any reporting student. Finally, even where confidentiality is provided, institutions must take other steps (beyond confidentiality) necessary to protect the reporting individual, including providing support services and/or changing living arrangements, course schedules, assignments or tests. Certainly, OCR’s recent Q&A provides clearer insight into OCR’s view of requests for confidentiality (which are usually actually requests that the institution “not do anything”).  
However, institutions should understand that even this amount of guidance does not answer all of the vexing questions, or insulate an institution from all possible liability, in the face of a request for confidentiality. Unfortunately, hindsight is 20/20. If an institution honors a request to not proceed with disciplinary action, and if the perpetrator offends again, it may very well be that OCR (or, even worse, a jury) may conclude that the institution made the wrong call. Conversely, if an institution pursues a perpetrator over a victim’s objections, and if the victim suffers extreme distress as a result, the institution may be found at fault for that situation. In sum, while OCR’s guidance is helpful, the landscape remains a dimly lit path fraught with “damned if you do; damned if you don’t” eventualities. Institutions will need to proceed with caution and with a full view of the consequences of any decision. It pays to recall that, while OCR’s view is a major consideration, it is not the only consideration or source of potential liability or backlash. Unfortunately, real-life situations rarely reduce to simple decisions.