The Gramm-Leach-Bliley Act (GLBA) "governs the treatment of nonpublic personal information about consumers by... financial institutions [from which those consumers] obtain financial products or services primarily for personal, family or household purposes." While primarily directed at banks, schools that provide or help their students obtain financial aid also fall under GLBA's purview.
The question then arises: Can a school that uses Populi be considered GLBA-compliant?
16 CFR § 313.1 and 16 CFR § 313.3 indicate that the onus is on the school to be GLBA-compliant, including the requirement to "develop, implement, and maintain" an "Information Security Program" that "is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue." This Program "shall include the elements set forth in § 314.4".
The elements described in § 314.4 make several references to the use of "service providers", which are defined by the FTC as "any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part." Under this definition, Populi is a service provider, and to the extent that we handle the relevant information, our own data security measures and internal security policies are in compliance with the elements set forth in § 314.4.