The Catholic University of America

Responsibilities of the Director of Business Systems, Enrollment Services

Gramm Leach Bliley Act

This law regulates the disclosure of non-public personal information by financial institutions. Specifically, the law protects consumers or customers who are "individuals obtaining financial products or services to be used primarily for personal, family or other household purposes." The responsibilities of the Director of Enrollment Services, Business Systems with respect to the Act are as follows:

Data Security:

1.  Appropriately safeguard all covered data, including social security number data and student financial information such as credit card information provided to Enrollment Services.

2.  Ensure sensitive customer information provided to Enrollment Services is transmitted over encrypted networks, and not request that customers send credit card numbers or Social Security Numbers over non-encrypted networks.

3.  Oversee any service providers who will have access to customer information in the care of Enrollment Services, and request inclusion of an information security clause in relevant contracts with vendors.

Family Educational Rights and Privacy Act (FERPA)

This law regulates the keeping and dissemination of student education records. Subject to several exceptions, “student education records” include any records (regardless of format or medium) maintained by the University or an agent of the University which are directly related to a student.   The responsibilities of the Director of Enrollment Services, Business Systems with respect to the Act are to release student education records and information only in accordance with the following requirements:

Release of information without consent:

Release of student educational records and information without student consent is permitted in the following circumstances:  1) directory information (e.g. name, address, phone, major, participation in officially recognized activities/sports, date and place of birth, weight/height of athletic team members, dates of attendance, awards/degrees received, most recent educational institution attended) provided that the student has not exercised an opt out in this regard;  2) to school officials w/in the institution with need to know;  3) to other postsecondary education institutions for purposes related to enrollment or transfer; 4) to administer financial aid; 5) to organizations conducting studies to develop, validate, or administer predictive tests, administer student aid, or improve instruction; 6) to accrediting organizations to carry out their functions; 7) per judicial order or lawful subpoena; 8) in connection with a health or safety emergency; 9) to give the victim of a crime of violence or a sex offense the final results of the disciplinary proceeding against the alleged perpetrator re that alleged offense; 10) to a parent if the student violates law or institutional policy re use or possession of alcohol or controlled substances if the institution determines the student committed a disciplinary violation and the student is under 21 at the time of the disclosure. 

Disclosure in Emergency:

The University may disclose personally identifiable information from a student’s education records without consent to address a health or safety emergency if: 1) The emergency is actual or imminent and poses an articulable and significant threat, such as bodily harm, to the health or safety of the student or others; 2) disclosure is limited to the period of the emergency and is made only to appropriate parties (law enforcement, public health officials, trained medical personnel, parents) who need the information to protect health and/or safety; and 3) the institution records in the student’s education records the articulable and significant threat that formed the basis for the disclosure.

Release of Information requiring consent:

Release of student educational records and information not listed in the above categories requires that the University have written permission from the student to release information from a student's education record.  Consent must be in writing by the student and specify which records may be disclosed, to whom, and the time frame for disclosure.  If appropriate consent is obtained, the authority of the requestor to receive the information, and authentication as to the requestor’s identify, is required.

Payment Card Industry Data Security Standard (PCI DSS) (E-Commerce)

The  PCI DSS standards are contractual obligations imposed by credit card companies and require that the University protect consumers and cardholders against identity theft by enforcing best practice security standards.  The responsibilities of the Director of Enrollment Services, Business Systems with respect to the Act are to accept credit card payments on behalf of Enrollment Services only in accordance with approved, PCI-compliant methods as determined by Technology Services and Treasury Management.

Bankruptcy Reform Act of 1978 as amended, Title 11 U.S.C. § 523(a)(8),

The Act and amendments prohibits the discharge of most student loans in bankruptcy when the loans were obtained from the government or non-profit higher educational institutions. There is an exception for undue hardship and for loans that became due more seven years before the filing of the petition. The seven-year exception was eliminated for cases commenced after October 1, 1998, the effective date of the Higher Education Amendments of 1998, and thus borrowers will not be able to discharge their debts to educational institutions under the seven-year exception. An institution may be affected by the automatic stay (11 U.S.C. § 362(d)(1)), while the bankruptcy action is proceeding, and this prohibits the withholding of student transcripts to obtain payment. This action is also prohibited if the debt is actually discharged. For more on the issue of debt collection and student loans, go to the U.S. Department of Education Web site at that contains a guide to defaulted student loans.  The Director of Enrollment Services, Business Systems is responsible for ensuring that accounts of students who have filed for bankruptcy are not sent out for collections.

Tuition Payment Credit Reporting Requirements (26 U.S.C. § 6050S; 26 CFR 1.6050S-1 et seq.)

As an educational institution that receives payments of qualified tuition and related expenses, the University must furnish a statement to each individual for whom it is required to file an information return on or before January 31st of the year following the calendar year in which payments were received, or amounts billed, for qualified tuition and related expenses, or reimbursements, refunds, or reductions of such amounts were made.  The statements returns are intended to assist taxpayers and the Internal Revenue Service (IRS) in determining any education tax credit allowable as well as other tax benefits for higher education expenses. The reporting to both students and the IRS is accomplished by using Form 1098-T "Tuition Payments Statement". This form is filed with the IRS for each individual with respect to whom payments of qualified tuition and related expenses were received, or reimbursements or refunds of such expenses were made. The University does not have to file a 1098-T on a student when a refund is issued in an amount equal to or greater than the amount the student paid. The information reporting requirements of this section do not apply with respect to any individual who is a nonresident alien during the calendar year, unless the individual requests the institution or insurer to report. The institution is also not required to file a report for an individual who receives no academic credit, for students whose tuition and related expenses are covered by a formal billing arrangement between the institution and the student's employer, or for students whose tuition and related expenses are entirely waived or paid entirely with scholarships.

Colleges and universities that participate in the Perkins Loan Program, or operate their own institutional loan programs, must report student loan interest payments to the IRS. This is done on Form 1098-E which must be filed on or before February 28th or March 31st if filed electronically. The person making the payment must receive their statement by January 31st.

The Director of Enrollment Services, Business Systems is responsible for collecting all necessary information from students for completion of the Forms 1098-T and 1098-E, and for sending the forms to both students and the IRS. Detailed guidance and specifics for this process are set forth in Tuition Payment Credit Reporting Requirements.

Related Policies

Information Security and Assurance Policy

Student Records Policy