Report Summary

Title: Safeguarding PII Collected in VBA Education Compliance Surveys
Report Number: 22-01637-176 Download
Issue Date: 7/6/2022
VA Office: Veterans Benefits Administration (VBA)
Report Author: Office of Audits and Evaluations
Report Type: Management Advisory Memo
Release Type: Unrestricted

In the course of its work, the OIG learned that survey records for VA educational programs submitted remotely during the pandemic lacked sufficient protection for students’ personally identifiable information. This management advisory memorandum conveyed information needed for the Veterans Benefits Administration (VBA) to determine the need for corrective actions.

Both VBA and state approving agencies use education compliance survey specialists to conduct in-person surveys meant to ensure VA payments to each school and the students enrolled there are based on proper and correct enrollment information, and applicable legal requirements are met. But on March 16, 2020, VBA required surveys to be conducted remotely and documents submitted electronically to the survey specialists as COVID-19 precautions. About 4,570 surveys were conducted through March 16, 2022. The OIG estimates almost 37,800 students had their records requested in the process.

The OIG reviewed documents for 30 of those compliance surveys and found 26 contained personally identifiable information of 323 students, including full names, dates of birth, social security numbers, and addresses.

VBA’s guidance for remote compliance surveys says under circumstances including a travel ban schools should submit requested documents by mail or email (with no mention of encryption). The memorandum issued to suspend in-person compliance surveys did not provide any indication of how documentation should be collected electronically. VBA and state approving agency staff asked school certifying officials to send the documents electronically, instead of requiring they be sent by mail with a tracking number.

The lack of standard procedures and oversight has resulted in personally identifiable information not being consistently safeguarded as required. The OIG did not assess whether any information had been inappropriately disclosed but requested that VBA provide follow-up information. VBA agreed to review, research, and evaluate the OIG findings and take corrective action as needed.

Last Updated: