Today, the Department of Education released Dear Colleague Letter GEN-25-08, clarifying how institutions, state agencies, and their contractors may use Federal Tax Information (FTI), FAFSA data, and non-FAFSA institutional data. This guidance builds on the FUTURE Act and FAFSA Simplification Act and provides much-needed detail on permissible uses, consent requirements, and security obligations.
This blog provides a summary of GEN-25-08 for informational purposes only. It may not capture every detail of the official guidance. Institutions should consult the full announcement and seek advice from their legal counsel if questions arise.
Three Categories of Data, Three Standards
The Department reinforces that aid offices work with three distinct types of data, each with its own legal and regulatory framework:
- FAFSA Data: Everything collected on the FAFSA form plus calculated elements (like SAI or Pell Grant eligibility).
- FTI: IRS-sourced tax data received through the FA-DDX—or any information that could reasonably reveal IRS data. This category has the strictest rules.
- Non-FAFSA Data: Institutional or state-level records (scholarships, institutional aid, unmet need, etc.), not derived directly from the FAFSA.
A critical principle: when data types overlap, the most restrictive rules apply. If FTI is part of a data set, treat the entire set as FTI.
No Extra Consent for Core Aid Functions
Institutions, state agencies, and their authorized contractors may use FAFSA data and FTI without additional student consent for standard financial aid administration. This includes:
- Eligibility determination, verification, packaging, and awarding
- Disbursement and compliance monitoring
- Satisfactory academic progress review
- Mandated reporting (IPEDS, net price calculators, audits, program reviews)
- Operational analysis and aid modeling
FAAs should apply the principle of least privilege, ensuring access is limited to staff who truly need it.
Additionally, FAFSA data (but not FTI) may be used for institutional research on persistence, completion, and other outcomes—so long as individuals cannot be identified.
When Written Consent Is Required
The guidance also makes clear that written, dated, and specific consent must be obtained for certain disclosures, such as:
- Sharing FAFSA data (and in limited cases FTI) with external agencies, nonprofits, or scholarship providers.
- Providing students their full ISIR record—including FTI.
- Allowing third parties, such as TRIO counselors or advisors, access to FAFSA/FTI data.
- Conducting external research beyond the institution’s internal operational needs.
Consent documentation must specify what data is being shared, with whom, and for what purpose. Institutions must retain these records for at least three years.
Overlapping Compliance Obligations
The letter reminds institutions that FAFSA data and FTI are also part of a student’s education record under FERPA, layering FERPA restrictions on top of IRS and Title IV rules.
FTI carries additional requirements: it must be secured under NIST SP 800-171 standards for Controlled Unclassified Information (CUI). This has implications for IT infrastructure, vendor contracts, and staff training.
What Aid Offices Should Do Now
Financial aid leaders should treat GEN-25-08 as both guidance and a compliance checklist. Key action steps include:
- Update internal policies to reflect distinctions between FAFSA data, FTI, and non-FAFSA data.
- Review vendor and state contracts to ensure data-sharing and security align with new standards.
- Train staff and contractors on consent requirements, data handling, and retention rules.
- Audit security practices to confirm NIST SP 800-171 compliance for systems touching FTI.
- Strengthen documentation of consent records and data access logs.