The Privacy Office did not have controls to ensure that it timely and effectively processed Family Educational Rights and Privacy Act (FERPA) complaints during our audit period. The Privacy Office had a longstanding and substantial backlog of unresolved FERPA complaints that prevented timely and effective resolution of new complaints it received. It also had a number of significant control weaknesses that hampered its ability to resolve FERPA complaints. Unresolved FERPA policy questions have also affected the Privacy Office’s ability to resolve certain complaints. The Privacy Office placed many of these complaints into an indefinite inactive status as a result. The Privacy Office could not precisely quantify the unresolved complaint backlog due to weaknesses in its tracking process, but Privacy Office officials estimated they were about 2 years behind on complaint investigations. The Privacy Office had an opportunity to eliminate, or at least significantly reduce, the complaint backlog beginning in FY 2015 when it received authority to hire several additional staff for the student privacy function. Despite highlighting elimination of the significant complaint backlog as one of the primary benefits of increasing its staffing level, the Privacy Office dedicated the majority of the new staff it obtained to performing FERPA work unrelated to resolving existing complaints, such as providing technical assistance, training, and guidance on best practices. Although these other FERPA activities are important and can lead to fewer complaints in the future, it is critical that the Privacy Office focus its attention on eliminating or reducing the backlog to ensure it is meeting its legal obligation to timely and effectively resolve FERPA complaints and reduce the risks to students and the Department caused by substantial delays in resolving complaints. The Privacy Office does not have a plan to eliminate the complaint backlog despite characterizing the backlog as among its highest management priorities.
Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
|---|---|---|---|---|---|
| 1.1 | Yes | $0 | $0 | ||
| We recommend that the Acting Assistant Secretary of the Office of Management require the Privacy Office to allocate appropriate resources to the Compliance Office based on the stated priority of reducing or eliminating the investigation backlog so that FERPA complaints are resolved in a timely manner. | |||||
| 1.2 | Yes | $0 | $0 | ||
| We recommend that the Acting Assistant Secretary of the Office of Management require the Privacy Office to work with the Office of General Counsel to resolve outstanding policy issues that impede the Compliance Office's ability to investigate certain FERPA complaints. | |||||
| 1.3 | Yes | $0 | $0 | ||
| We recommend that the Acting Assistant Secretary of the Office of Management require the Privacy Office to implement an effective FERPA complaint tracking system that allows the Compliance Office to account for and track all complaints it receives, including the status and outcome of each complaint, and that provides an effective mechanism for reliable performance measurement and reporting. | |||||
| 1.4 | Yes | $0 | $0 | ||
| We recommend that the Acting Assistant Secretary of the Office of Management require the Privacy Office to use reliable performance data to design and implement appropriate performance standards for the Compliance Office as a whole and for individual personnel responsible for handling complaints. | |||||
| 1.5 | Yes | $0 | $0 | ||
| We recommend that the Acting Assistant Secretary of the Office of Management require the Privacy Office to investigate all complaints that meet the criteria requiring investigation and do not place complaints into an "inactive" status. | |||||
| 1.6 | Yes | $0 | $0 | ||
| We recommend that the Acting Assistant Secretary of the Office of Management require the Privacy Office to revise processes for resolving FERPA complaints to ensure effective and appropriate communication with the complainant, to include providing dismissal notifications, updates, and responses to inquiries in a timely manner and recording all communication in the tracking system. | |||||
| 1.7 | Yes | $0 | $0 | ||
| We recommend that the Acting Assistant Secretary of the Office of Management require the Privacy Office to design and implement a risk-based approach to processing and resolving FERPA complaints, where complaints deemed highest risk are prioritized. Risk can be evaluated based on the subject matter of the complaint, the severity of risk to student privacy, the number of students affected, or other relevant factors. | |||||
| 1.8 | Yes | $0 | $0 | ||
| We recommend that the Acting Assistant Secretary of the Office of Management require the Privacy Office to review and evaluate its current policies and procedures for processing FERPA complaints to ensure they are complete and appropriate. | |||||
