COMPUTER MATCHING AND PRIVACY PROTECTION ACT OF 1988

Document Number (FOIA) /ESDN (CREST): CIA-RDP91B00390R000200200009-7
Release Decision: RIFPUB
Original Classification: K
Document Page Count: 54
Document Creation Date: December 23, 2016
Document Release Date: January 17, 2013
Sequence Number: 9
Publication Date: July 27, 1988
Content Type: REPORT
Body: 
Declassified and Approved For Release 2013/01/17: CIA-RDP91B00390R000200200009-7

100TH CONGRESS, 2d Session
HOUSE OF REPRESENTATIVES
REPORT 100-802

COMPUTER MATCHING AND PRIVACY PROTECTION ACT OF 1988

JULY 27, 1988.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed

Mr. BROOKS, from the Committee on Government Operations, submitted the following

REPORT

[To accompany H.R. 4699]

[Including cost estimate of the Congressional Budget Office]

The Committee on Government Operations, to whom was referred the bill (H.R. 4699) to amend title 5, United States Code, to ensure privacy, integrity, and verification of data disclosed for computer matching, to establish Data Integrity Boards within Federal agencies, and for other purposes, having considered the same, report favorably thereon without amendment and recommend that the bill do pass.

SUMMARY AND PURPOSE

The purpose of H.R. 4699, the Computer Matching and Privacy Protection Act of 1988, is to regulate the use of computer matching conducted by Federal agencies or using Federal records subject to the Privacy Act of 1974.

Computer matching is the computerized comparison of records for the purpose of (i) establishing or verifying eligibility for a Federal benefit program, or (ii) recouping payments or delinquent debts under such programs. Matches performed for statistical, research, law enforcement, tax, and certain other purposes are not subject to the act.

H.R. 4699 provides that computer matching involving Federal data can be conducted only pursuant to matching agreements entered into by the agency providing the data to be matched and the agency receiving the data. Matching agreements must specify the purpose and legal authority for the matching program, describe the nature of the match and the expected results, include procedures for notifying individuals affected by the match and for verifying information, and describe how the records will be protected.

Information resulting from computer matching programs must be independently verified before any adverse action can be taken. Individuals must be given notice and an opportunity to contest any findings resulting from a computer match.

The act requires each Federal agency involved in a matching program to establish a Data Integrity Board composed of senior agency officials. The Board will review and approve matching agreements, programs, and activities; evaluate compliance of matching programs with applicable requirements; review the continued justification for matching; provide guidance; and file an annual report with OMB.

The Privacy Act responsibilities of the Office of Management and Budget are consolidated and codified. OMB is required to issue guidelines and regulations for computer matching; hear appeals from Data Integrity Board disapprovals of matching programs; and file a consolidated report on computer matching with the Congress.

Existing Privacy Act system reporting requirements are modified to include computer matching. The reporting requirements for new and changed system notices are revised. Current requirements for a report by the President and publication of a compilation by the Office of Federal Register are changed from annual to biennial.

COMMITTEE ACTION AND VOTE

H.R. 4699 was introduced by Representative Glenn English on May 26, 1988. The Committee on Government Operations ordered the bill reported on June 9, 1988, by voice vote.

HEARINGS

On June 23, 1987, the Government Information, Justice, and Agriculture Subcommittee held a hearing on S. 496,1 a computer matching bill that passed the Senate on May 21, 1987. Witnesses were Joseph R. Wright, Jr., Deputy Director, Office of Management and Budget; Eleanor Chelimsky, Director, Program Evaluation and Methodology Division, General Accounting Office; Ronald L. Plesser, Nash, Railsback & Plesser, representing the American Bar Association; and Janlori Goldman, staff attorney, American Civil Liberties Union.

BACKGROUND

Computer matching has been a controversial matter for more than 10 years.' Computer matching using Federal agency records began in 1977 at the Department of Health and Human Services with a program called Project Match.2 Secretary Joseph Califano announced a program to compare welfare rolls in selected jurisdictions with Federal payroll records for the same areas. The assumption behind the program was that people on the Federal payroll would not be eligible to receive welfare payments. The identification of these people through computer matching was intended to reduce fraud, waste, and abuse.3 Matching has been highly touted by inspectors general, the President's Council on Integrity and Efficiency [PCIE], and the Congress as an effective weapon in the battle against fraud.

The goals of computer matching programs are admirable. The results are less certain. Matching has been criticized as unproven and ineffective, as well as illegal and violative of privacy rights.

The purpose of H.R. 4699 is to regulate the use of computer matching by Federal agencies. H.R. 4699 also applies when Federal records maintained in a system of records as defined in the Privacy Act of 1974 are used for matching State and local governments. H.R. 4699 primarily addresses due process, administrative controls, and cost-effectiveness issues. Other concerns about computer matching are beyond the scope of this bill.

1 The most recent hearing on computer matching legislation was held in 1987. Computer Matching and Privacy Protection Act of 1987, Hearing before a Subcommittee of the House Committee on Government Operations, 100th Cong., 1st Sess. (1987) [hereinafter cited as "1987 House Matching Hearing"].

Other hearings, reports, and documents about computer matching cited throughout this report are:

House Committee on Government Operations, Who Cares About Privacy? Oversight of the Privacy Act of 1974 by the Office of Management and Budget and by the Congress, H.R. Rept. No. 98-455, 98th Cong., 1st Sess. (1983) [hereinafter cited as "1983 House Privacy Act Oversight Report"].
Oversight of the Privacy Act of 1974: Hearings before a Subcommittee of the House Committee on Government Operations, 98th Cong., 1st Sess. (1983) [hereinafter cited as "1983 House Privacy Hearings"].
Kirchner, "Privacy: A History of Computer Matching in Federal Government," Computerworld (December 14, 1981), reprinted in 1983 Privacy Hearings at Appendix 2 [hereinafter cited as "Kirchner"].
Oversight of Computer Matching to Detect Fraud and Mismanagement in Government Programs: Hearings before the Subcommittee on Oversight of Government Management of the Senate Committee on Governmental Affairs, 97th Congress, 2d Sess. (1982) [hereinafter cited as "1982 Senate Hearings"].
Computer Matching and Privacy Protection Act of 1986, Hearing before the Subcommittee on Oversight of Government Management, Senate Committee on Governmental Affairs, 99th Cong., 2d Sess. (1986) [hereinafter cited as "1986 Senate Hearings"].
Office of Management and Budget, "Guidelines for the Conduct of Matching Programs," 44 Federal Register 23138 (April 18, 1979), reprinted in 1983 House Privacy Hearings, Appendix 1 [hereinafter cited as "1979 OMB Matching Guidelines"].
Office of Management and Budget, "Revised Supplemental Guidance for Conducting Matching Programs," 47 Federal Register 21656 (May 19, 1982), reprinted in 1983 House Privacy Hearings, Appendix 1 [hereinafter cited as "1982 OMB Matching Guidelines"].
Office of Technology Assessment, Electronic Record Systems and Individual Privacy (1986) [hereinafter cited as "OTA Report"].
General Accounting Office, Computer Matching: Assessing Its Costs and Benefits (1986) (GAO/PEMD-87-2) [hereinafter cited as "GAO Cost Benefit Report"].
General Accounting Office, Computer Matching: Factors Influencing the Agency Decision-Making Process (1986) (GAO/PEMD-87-3BR) [hereinafter cited as "GAO Decision-Making Report"].
General Accounting Office, Eligibility Verification and Privacy in Federal Benefit Programs: A Delicate Balance (1985) (GAO/HRD-85-22) [hereinafter cited as "GAO Eligibility Verification Report"].

2 There may have been some earlier computer matching. GAO refers generally to two pre-1976 computer matches, but provides no description. See GAO Eligibility Verification Report at 11. See also 1982 Senate Hearings at 47 (testimony of Richard Kusserow, Inspector General, Department of Health and Human Services). It appears likely that there was some use of computer matching before HEW's Project Match. However, the discussion of matching as a policy issue begins with the HEW announcement. For an excellent review of the early history of computer matching, see Kirchner.

3 For a review of some of the results of the HEW matching program, see Hendricks, "How Not to Catch Welfare Cheaters," Washington Post (July 1, 1979). Hendricks concluded that Project Match cost more than it saved and that it subjected innocent welfare recipients to harassment and coercion.

A. WHAT IS COMPUTER MATCHING?
Typically, Federal agencies use computer matching to locate an individual, verify eligibility for benefits, or to develop investigatory leads. There are several different computer-assisted techniques for identifying similarities and differences between records. With "classic" computer matching, a computer compares the records of two separate data bases looking for individuals (or organizations) that appear in both files. Typically, the data bases contain information on beneficiaries under two different Government programs. Government records can also be matched against nongovernmental records.4

Matching may be used to identify people enrolled in two programs. For example, a match might attempt to find all Federal employees who are receiving food stamps. Matching might also be focused more narrowly. It can identify people in one program who are also involved in a second program and who have a specific characteristic. For example, matching was used to compare welfare records with bank records in order to identify welfare recipients with bank accounts that exceeded specified amounts.5

The result of a match is a list of so-called raw hits. Anyone identified as meeting the criteria set for the match will normally be the subject of additional investigation.6 However, an individual whose name appears on such a list cannot automatically be assumed to be in violation of law. There are many reasons the initial results of a match must be used with caution. For example, the data may be incorrect, social security numbers may be inaccurate, the records may cover inconsistent time periods, or the match may be based on invalid or improbable assumptions.7

Another type of computer matching is "front-end verification." This technique compares information provided by a program applicant with data in other Government files. This procedure allows verification of the accuracy of the applicant's information at the time of application.8

A major difference between front-end verification and classic matching is in the number of records involved. Classic matching involves all the records in one record system with all the records in a second system. All records are reviewed without any selectivity or targeting. Front-end matching is more narrowly focused because it compares a single record with the contents of a separate record system.9

4 See OTA Report at 37-66 (1986); GAO Cost Benefit Report at 16.

5 See, for example, 1982 Senate Hearings (testimony of William T. Hogan, Secretary, Executive Office of Human Services, State of Massachusetts).

6 GAO Cost Benefit Report at 20-21.

7 Id.

8 OTA Report at 67-86. GAO Cost Benefit Report at 16.

9 There are other related computer-based techniques that are not generally within the scope of H.R. 4699. See the discussions of computer profiling and computer screening in OTA Report at 87-98 and GAO Cost Benefit Report at 16.

B. COMPUTER MATCHING AND THE PRIVACY ACT OF 1974

The Privacy Act of 1974 10 establishes rules governing the collection, maintenance, use, and disclosure of personal information maintained by Federal agencies. The act has no specific provisions addressing computer matching,11 but the rules governing systems of records 12 may apply to matching operations. The rules requiring public notice and restricting disclosure of information are the most relevant. In 1979 and 1982, the Office of Management and Budget issued guidance on the conduct of matching programs incorporating the Privacy Act requirements.13

Under current law, an agency must provide public notice of matching activities in two circumstances. First, if a new system of records is established to support a computer match, the agency must publish a description of the system in the Federal Register.14 Second, if the disclosure of information from a system of records is required to support a matching activity, the agency must publish a description of the "routine use" authorizing the disclosure.15

The disclosure limitations of the Privacy Act have not restricted disclosures for computer matching. There was considerable controversy over the legality of disclosures for matching purposes during the first few years following HEW's Project Match.16 These legal issues are discussed elsewhere.17 However, it is fair to state that the disclosure restrictions of the Privacy Act have been interpreted by OMB and other agencies to permit disclosures necessary to support computer matching.18

As a result, the Privacy Act presents only a few procedural barriers to matching, and those barriers are easily overcome. The committee is not aware of any computer match that could not be conducted because of Privacy Act disclosure rules.19 The Office of Technology Assessment found that "the Privacy Act as interpreted by the courts and OMB guidelines offers little protection to individuals who are the subjects of computer matching." 20

10 5 U.S.C. § 552a (1982).

11 The congressional findings in the Privacy Act state that "the increasing use of computers and sophisticated information technology, while essential to the efficient operations of the Government, has greatly magnified the harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of personal information." Public Law 93-579, § 2(a)(2).

12 A "system of records" is a defined term that means a group of records from which identifiable information is retrieved by the name or other individual identifier assigned to an individual. 5 U.S.C. § 552a(a)(5) (1982). Most personal information maintained by Federal agencies is kept in systems of records subject to the Privacy Act.

13 The 1979 guidelines included a requirement for the preparation of a cost-benefit analysis. The 1982 revision eliminated the cost-benefit requirement. This issue is discussed below in the general discussion of the costs and benefits of computer matching. See text accompanying notes 55-98.

14 5 U.S.C. § 552a(e)(4).

15 A "routine use" is a disclosure of information from a system of records that is compatible with the purpose for which the information was collected. 5 U.S.C. § 552a(a)(7). An agency may establish routine uses for each system of records in order to authorize necessary disclosures. 5 U.S.C. § 552a(b)(3). Routine uses must be published to allow for public comment. 5 U.S.C. § 552a(e)(11). The Privacy Act also requires that an agency inform each individual asked to supply information about the routine uses that will be made of the information. 5 U.S.C. § 552a(e)(3). The disclosure is supposed to be made on the form used to collect the data or on a separate form that can be retained. Compliance with this requirement is an unresolved problem with matching. No personal notice is likely to be provided if a match is conducted after the "source" information has been collected.

16 See generally Kirchner.

17 See text accompanying notes 109-116.

18 See 1987 House Matching Hearings at 31 (statement of Joseph Wright, Deputy Director, Office of Management and Budget) (the Privacy Act is not interfering with the fight against fraud, waste, and abuse).

19 See also 1987 House Matching Hearing at 123 (testimony of Ronald L. Plesser, American Bar Association).

20 OTA Report at 57. Other Privacy Act provisions requiring accounting for disclosures, maintenance of accurate records, and safeguarding of information are applicable to information used in matching activities.
Declassified and Approved For Release 2013/01/17: CIA-RDP91B00390R000200200009-7 Declassified and Approved For Release 2013/01/17: CIA-RDP91B00390R000200200009-7 6 C. DUE PROCESS The need for due process procedures in computer matching was highlighted by a match conducted in Massachusetts in 1982. The State matched welfare records against the account records of pri- vate banks. The purpose was to identify welfare recipients who had more assets than allowed by law." Over 1,600 welfare recipients found to have excess assets were automatically sent immediate termination notices. The Massachu- setts Welfare Department did not take any action to verify or con- firm the information used in the match nor did it seek an explana- tion from the affected individuals before sending the termination notices.22 The appeal rate of those who received the termination notices was six times higher than the usual rate. Of those who appealed, half of the errors involved mistakes in social security numbers. In other words, 15 percent of all those sent termination notices re- ceived them because of social security number errors." In some cases, money was in joint accounts and did not belong entirely to the welfare recipient. Money was sometimes held in trust for others. Other funds were held for legal purposes such as paying fu- neral expenses.2 4 This episode illustrates a problem with relying on raw results from computer matches. Computer data cannot automatically be assumed to be accurate, complete, or timely. Data should be veri- fied before a Government agency takes any adverse action against an individual. Due process also requires that the individual receive notice of any proposed action and an opportunity to contest the action. Providing due process for people who become targets of investiga- tion as a result of computer matching is not generally controver- sial. 
For example, matching programs authorized under the Deficit Reduction Act of 1984 must provide for verification of data and for notice to individuals and an opportunity to contest adverse ac- tions.25 OTA found that front-end verification raises similar due process issues. OTA questioned whether applicants were receiving useful notice of what types of records will be searched.26 OTA also ques- tioned whether front-end verification conflicts with the require- ment of the Privacy Act that information should be collected di- rectly from the individual." 21 The Massachusetts bank match is discussed in 1982 Senate Hearings, passim. See also OTA Report at 43. 22 See 1982 Senate Hearings at 129-139 (Affidavit of Allan G. Rogers, Director, Massachusetts Law Reform Institute). There is also evidence that the termination notices were sent in violation of the agency's standard practices. Id. 23 Id. 24 Id. See also 1982 Senate Hearings at 117-120 (testimony of John Shattuck, National Legisla- tive Director, American Civil Liberties Union). 25 42 U.S.C.A. ? 1320b-7(cX2) (Supp. 1987). For a more detailed description of the mechanics of verification and notification, see also the conference report on the Deficit Reduction Act, HR. Rept. No. 98-861, 98th Cong., 2d Sess. at 1411-12, reprinted in 1984 U.S. Code Cong & Adm. News at 1445, 2099-2100. 26 OTA Report at 78-80. 27 OTA Report at 80. See also 5 U.S.C. ? 552a(e)(2) (Each agency shall "collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under Fed- eral programs"). Declassified and Approved For Release 2013/01/17: CIA-RDP91B00390R000200200009-7 Declassified and Approved For Release 2013/01/17: CIA-RDP91B00390R000200200009-7 7 There is broad support for statutory due process standards. In testimony about S. 
496, Deputy OMB Director Joseph Wright said: The provisions of this bill, especially those that provide due process steps to ensure citizen rights, are the keys to creating the kind of balance that is necessary to keep im- portant government programs working efficiently and to reassure a sometimes skeptical public that the government is sensitive to their concerns about automation.28 The American Bar Association 29 and the American Civil Liberties Union 30 also support statutory due process procedures for comput- er matching. D. NEED FOR ADMINISTRATIVE CONTROLS 1. Extent of Computer Matching.?No one know how much com- puter matching is being done by Federal agencies. According to the Office of Technology Assessment: It is difficult to determine how much computer matching is being done by Federal agencies, for what purposes, and with what results. However, OTA estimates that, in the five years from 1980 to 1984, the number of computer matches nearly tripled.3 Any attempt to compile a list of computer matches will face sev- eral complex problems. First, there are no clear definitions of what constitutes a "computer match." 32 Second, there has been no accu- rate accounting of the number of Federal matches.33 Third, docu- mentation for past matching activities is hard to find.34 The exact number of matches taking place is not significant. The limited information available shows clearly that computer match- ing has been a growth industry during the 1980's. If counted, the number of matches would be in the thousands; the number of records matched would be in the billions.35 There is a similar lack of information about front-end verifica- tion. There has been an increase in the use of front-end verification in Federal and State programs. But OTA found that there is no comprehensive information on the use of front-end verification by Federal agencies.36 2. Legally Required Matching.?Some matching is mandated by law. 
A 1986 OTA report identifies seven Federal statutes that au- thorize the use of computer matching.37 Other laws support front- 28 1987 House Matching Hearings at 23. 29 Id. at 117-139 (testimony of Ronald Plesser). 30 Id. at 94-113 (testimony of Janlori Goldman, staff attorney, American Civil Liberties Union). 31 OTA Report at 46. 32 Id. 33 Id. 34 Id. See generally GAO Decisionmaking Report at 5-6 (limited documentation available for many computer matches reviewed). 35 OTA Report at 49 ("the total number of records matched was reported to be over 7 billion due to multiple matches of the same records."). 36 OTA Report at 74-75. 37 Tax Reform Act of 1976 (Public Law 94-455); Social Security Amendments of 1977 (Public Law 95-216); Food Stamp Act Amendments of 1977 (Public Law 96-58);-Food Stamp Amend- ments of 1980 (Public Law 96-249); Food Stamp and Commodity Distribution Amendments of Continued Declassified and Approved For Release 2013/01/17: CIA-RDP91B00390R000200200009-7 , Declassified and Approved For Release 2013/01/17: CIA-RDP91B00390R000200200009-7 8 end verification and other matching-like and data sharing activi- ties.38 OTA concluded that congressional actions "appear to be contra- dictory." 3 9 While Congress has directed or acquiesced in computer matching by Federal agencies, OTA found that Congress also im- posed restrictions on agency disclosure of personal information. The most important restrictions are in the Privacy Act of 1974,4? which establishes controls on the collection, maintenance, and dis- closure of personal information. But it would be more accurate to describe Federal law in this area as disjointed rather than contradictory. The Privacy Act pre- dates the computer matching era, and some of its substantive dis- closure restrictions have been ignored or avoided by the agencies.'" 3. Agency Initiated Matching.?Much computer matching has been undertaken without specific legislative direction. 
The PCIE has encouraged agencies to use computer matching. PCIE programs included a long-term matching project; Project Clean Data (stand- ardization of data elements; improved data accuracy and reliabil- ity); and an inventory of State matching software packages.'" Com- puter matching has also been promoted by the General Accounting Office.43 But despite some central direction within the executive branch in later years, a considerable amount of computer matching was undertaken by agencies without any criteria, planning, or docu- mentation. A 1986 GAO report prepared at the request of Repre- sentative Ted Weiss described the shortcomings in the decision- making process: In general, for many of the matches we discussed with agency officials, little written documentation was available on the development of a match between its initial concep- tion and its actual implementation. Written descriptions of the criteria or factors considered in the decision to perform a match were lacking.44 In testimony before the Subcommittee on Government Informa- tion, Justice, and Agriculture, Eleanor Chelimsky, Director of GAO's Program Evaluation and Methodology Division, elaborated on the informality of the process by which decisions to conduct computer matches were made: [I]n examining how decisions about computer matches have been made in federal agencies, we noted a generally 1981 (Public Law 97-98); Department of Defense Authorization Act of 1983 (Public Law 97-252); Deficit Reduction Act of 1984 (Public Law 98-369). OTA Report at 46. This list is not necessarily current or complete. Additional matching may have been authorized in later legislation. 38 OTA Report at 43-46,74-78. 39 Id. at 43. 49 5 U.S.C. ? 552a (1982). 4 See text accompanying notes 109-116. 42 OTA Report at 43. See also 1986 Senate Hearings at 56-61 (testimony of Joseph R. Wright, Jr., Deputy Director, Office of Management and Budget). 43 See, for example, 1982 Senate Hearings at 176 (testimony of Wilbur D. 
Campbell, Director, Accounting and Financial Management Division, General Accounting Office) ("[W]e believe that computer matching can be a very cost-effective tool for detecting error and fraud in Government entitlement programs and for identifying actions needed to strengthen program controls."). But see note 64. 44 GAO Decisionmaking Report at 6. Declassified and Approved For Release 2013/01/17: CIA-RDP91B00390R000200200009-7 Declassified and Approved For Release 2013/01/17: CIA-RDP91B00390R000200200009-7 9 informal approach. The agencies presently have only gen- eral guidance for documentation and for what should be considered and how it should be considered in the match decision process. We found no specific written criteria for determining whether or not a proposed match should be implemented, little documentation of what has been con- sidered, and wide variation in the use of systematic plan- ning procedures for developing and implementing matches. We found that the existence of improved technological ca- pacity, legislative requirements, the extent and magnitude of the problems that were experienced (for example, over- payments being made because of unreported deaths), and concern for detecting and preventing waste, fraud, and abuse were more prominent in the agency decisionmaking than the quantification of costs or benefits. Indeed, our work clearly shows that decisions to perform or continue a computer match are often made without systematic consid- eration of those costs and benefits.45 Another GAO report discussed the lack of an effective compli- ance enforcement mechanism for the Privacy Act: The Office of Management and Budget [OMB] has issued matching guidelines applicable to all Federal agencies under the Privacy Act who are doing matches or providing data for nonfederal matches and a checklist to help agen- cies comply with the guidelines. OMB also has issued a "Model Control System and Resource Document" for com- puter matching. 
Moreover, HHS' inspector general has published guidelines for State managers of the AFDC, Food Stamp, and Medicaid programs to aid in decisions on state matches. However, existing Federal guidance appears to lack an effective compliance enforcement mechanism.46 OTA also found that, despite procedural guidelines for matching, there is little oversight or followup: Program personnel appear to have substantial discretion in deciding whether or not to use computer matching as an audit technique or means to detect fraud, waste, and abuse. There are few internal agency checks. The Inspec- tor General's Office may be involved in planning a com- puter match; and the General Counsel's Office and the Pri- vacy Act officer may be involved. But it appears that there are no agency or general policy guidelines regarding what types of information should be matched, against which records of what other agencies, and for what purposes. These substantive issues are rarely addressed.47 A 1983 oversight report on the Privacy Act of 1974 by this com- mittee reviewed OMB's oversight of matching activities." The 46 1987 House Matching Hearing at 70. 46 GAO Eligibility Verification Report at 12. (Footnote omitted.) (Emphasis supplied.) "OTA Report at 53. (Emphasis supplied.) 48 1983 House Privacy Act Oversight Report at 36. Declassified and Approved For Release 2013/01/17: CIA-RDP91B00390R000200200009-7 Declassified and Approved For Release 2013/01/17 CIA-RDP91B00390R000200200009-7 10 committee concluded that OMB does not monitor agency compli- ance with its own matching guidelines: OMB's oversight record for computer matching oper- ations also leaves something to be desired. Under the 1979 matching guidelines, agencies conducting matches were obliged to file matching reports with OMB in advance of the conduct of a matching operation. In the 1982 revisions, this was changed to require the filing with OMB of a brief description of a match and the publication of the descrip- tion. . . 
in the Federal Register "as close to the initiation of the matching program as possible." It is not apparent what OMB did with the notices or matching reports that it required agencies to file. Al- though hundreds of matches have been conducted, the Senate Subcommittee on Oversight of Government Man- agement was unable to find any record of OMB ever reject- ing any matching proposal. OMB has made no effort to enforce the minimal notice and publication requirements of its 1982 guidelines. In August, 1982, the Department of Education initiated a computer match of records for purposes of identifying fed- eral employees who had defaulted on student loans. Under the applicable guidelines, the Department was required to publish a Federal Register notice before starting the match. The notice was not published until December 7, 1982. When questioned about the Education Department's dis- regard of the matching guidelines, OMB responded by stat- ing that its guidance is not binding on agencies, that OMB does not routinely monitor the operation of matching pro- grams to ensure compliance with the guidelines, that the OMB did not correspond with the Education Department regarding this incident.49 The lack of OMB oversight and enforcement of its own guidelines is well illustrated by a problem encountered by the GAO during a study of matching. GAO needed to select a scientific sample of matches for its study. But GAO was unable to draw its sample using the OMB matching reports because OMB did not receive re- ports on all matches.5? Similar problems exist for front-end verification as well. OTA found that there are no general Federal guidelines, statutory or ad- ministrative, governing the use of front-end verification. The OMB matching guidelines specifically exclude record searches that are conducted at the application stage.5' Finally, even OMB has recognized that there are shortcomings with existing administrative controls. In testifying before the House on S. 
496, Joseph Wright, Deputy Director of OMB, said:

    But, even with this kind of public support, the problem remains that citizens are worried that the power the Government has over their lives can be amplified in possibly harmful ways by computers. After all, that concern was one of the forces that brought about the Privacy Act of 1984. Matching contributes to this perception, and administrative procedures like those prescribed by OMB guidelines, can only go so far to allay public concern.

    Although we think that the Matching Guidelines have worked very well to control the problem, we in the Administration have supported the development of a comprehensive legislative solution that will ensure that the government's legitimate need to use this technology and the privacy and other rights of record subjects are put in balance.[52]

[49] 1983 House Privacy Act Oversight Report at 23-4 (footnotes omitted). The reference in the quote to the conclusions of the Senate Subcommittee can be found in 1982 Senate Hearings at 81 (Statement of Senator William Cohen).
[50] 1987 GAO Cost Benefit Report at 13.
[51] OTA Report at 81.

It is apparent from these studies and reports that, over the course of a few years, computer matching has burgeoned into a major Federal activity. Both the executive and legislative branches have encouraged the growth of matching. However, few administrative controls, procedures, or guidelines are in place.[53] Guidance issued by OMB has been largely ignored by agencies and unenforced by OMB. There is no meaningful oversight of computer matching in the Executive Branch.[54]

E. THE COSTS AND BENEFITS OF COMPUTER MATCHING

1.
The Importance of Cost-Benefit Analysis.--Those who promote the use of computer matching contend that a principal benefit is savings to the Government through reductions in fraud, waste, and abuse in Government benefit programs.[55] There is little doubt that matching is one of several management techniques that can be useful in identifying and limiting program losses.

However, it is equally apparent that computer matching raises serious concerns about fourth amendment rights, privacy rights, and computer linkage.[56] Given the existence of these substantial concerns, matching should be restricted to those circumstances where it is demonstrably beneficial and where less intrusive techniques are clearly inadequate.

[52] 1987 House Matching Hearing at 22.
[53] The committee is aware that OMB and the PCIE have developed a model control system for conducting computer matching projects. See, for example, 1987 House Matching Hearings at 31 (testimony of Joseph Wright, Deputy Director, Office of Management and Budget); OTA Report at 54-55. See also 1986 Senate Hearings at 154-176. There is some evidence that more recent computer matches have been more formally planned. See GAO Decisionmaking Report. Nevertheless, there is no evidence that there is any oversight or followup of any of the procedural guidelines issued by OMB. See, e.g., OTA Report at 53.
[54] Computer matching has become a public policy concern in Canada in recent years. A March 1987 report by a committee of the Canadian Parliament found shortcomings in the Canadian privacy laws similar to those in American law. The committee recommended increased oversight and controls as a response to computer matching. See Standing Committee on Justice and Solicitor General, Open and Shut: Enhancing the Right to Know and the Right to Privacy, 33rd Parl., 2d Sess. 43-4 (1987) (Report on the Review of the Access to Information Act and the Privacy Act) [hereinafter cited as "Canadian Parliament Report"].
[55] See, for example, OTA Report 50-51.
[56] See, for example, American Bar Association, Section of Individual Rights and Responsibilities, Report to the House of Delegates (1986), reprinted in 1987 House Matching Hearing at 130. For a discussion of computer linkage, see text accompanying notes 99-109.

One useful measure of the value of an audit and management technique like computer matching is its cost effectiveness. The GAO elaborated on the purpose and value of cost-benefit analysis:

    One purpose of cost-benefit analysis is to provide decisionmakers with information that will help them determine whether to implement or continue a program. The most apparent value of the cost-benefit analysis is that it summarizes a variety of information in a single number that gives a clear message, as long as the measurement assumptions underlying the analysis are satisfactory. It also has some secondary benefits, one of which is that it provides information on the magnitude of individual cost and benefit elements that can, in turn, provide insights concerning correctable process inefficiencies.

    Cost-benefit analyses, if conducted properly, can determine the value of matching operations for achieving efficiency improvements and cost savings in programs whose beneficiaries are being matched. Information about the magnitude of match benefits may be especially relevant in consideration of the costs that matching might pose to individual privacy and the right to due process. Also, the very process of examining match activities carefully and measuring their costs and benefits may indicate areas in which changes should be considered in match operations.[57]

An emphasis on cost effectiveness for matching is important because resources for programs to detect fraud, waste, and abuse are limited.
If scarce dollars are spent on programs that are more visible but less effective, then the results will be a smaller reduction in Government expenditures than might otherwise occur. A recent OTA report expands on the value of determining cost effectiveness:

    Computer matching is a technique that has been used primarily to detect client fraud, which is only one component of fraud, waste, and abuse. In order to accurately determine the cost effectiveness of computer matching, the extent of client fraud must first be documented. If client fraud accounts for only a small percentage of total fraud, waste, and abuse, then other techniques to detect other types of fraud, waste, and abuse may be more cost effective overall. In this respect, one author cited the 1978 Annual Report of the HEW inspector general, which estimated that the Department lost between $5.5 and $6.5 billion through management inefficiencies, program misuse, and fraud. In this instance, management inefficiencies and program misuse accounted for 97 percent of the inspector general's estimate of losses, while client fraud accounted for only 3 percent.[58]

[57] GAO Cost Benefit Report at 22.
[58] OTA Report at 40. (Footnote omitted.)

The OTA report suggests that an undue emphasis on computer matching may allow larger program losses to go undetected while relatively smaller amounts of fraud are pursued vigorously.

2. Is Computer Matching Cost Effective?--The cost effectiveness of computer matching has yet to be clearly demonstrated. This is the conclusion that can be drawn from recent studies by GAO and OTA.
OTA found no firm evidence on the costs and benefits of matching:

    As yet, no firm evidence is available to determine the costs and benefits of computer matching and to document claims made by OMB, the inspectors general, and others that computer matching is cost effective.[59]

A GAO study requested by Representative Ted Weiss took a broad look at the problem of determining the cost effectiveness of computer matching. GAO was not asked to determine if matching was cost effective.[60]

GAO found that there was no well-developed methodology for assessing cost effectiveness of computer matching:

    [W]e did not discover a well established methodology for performing cost-benefit analysis of computer matching. Instead, although cost-benefit analysis has had a venerable development and application in other areas, we found this has not been the case in the particular area of computer matching, rather research in this field is still quite immature.[61]

In other words, despite a 10-year history of matching and despite repeated reference to the importance of cost-benefit analysis by OMB, the PCIE, and inspectors general, no one has developed a realistic methodology for conducting a cost-benefit analysis of matching. It is apparent that the physical matching of records can be done more efficiently by computer rather than manually. The purpose of cost-benefit analysis of computer matching is to determine if the entire matching operation is cost effective.

GAO selected for detailed examination a sample of matches, including a few for which some type of cost-benefit information was available.[62] GAO found serious deficiencies in all cost-benefit reports that had been done. The deficiencies included:

    Reports varied considerably in terms of when and how they were prepared.
    Most reports were incomplete or not reported in monetary terms or both.
    Reports included analyses of benefits much more often than costs.
    Deterrence was often claimed as a benefit but not measured.
    Some benefits measurements were inadequately or inappropriately presented. For example, overpayments were often reported as the maximum amount possible rather than the actual or expected amount.
    None of the match analyses made use of discounting the present value of future revenues, a technique GAO described as the "most hallowed and conventional of cost benefit techniques."[63]

[59] OTA Report at 50.
[60] GAO Cost Benefit Report at appendix 1.
[61] 1987 House Matching Hearing at 65 (testimony of Eleanor Chelimsky, Director, Program Evaluation and Methodology Division, General Accounting Office).
[62] GAO was unable to draw a statistically valid sample of computer matches. "We did not use a rigorous sampling approach to select matches, because we could not for sampling purposes confidently delineate a population of matches for which some form of cost-benefit analysis had been performed." 1987 GAO Cost Benefit Report at 13.

Based on GAO's work, it is apparent that none of the few cost-benefit analyses done by Federal agencies is significant or useful.[64] This supports the conclusion of OTA that the cost effectiveness of matching has not been established.

There is a similar lack of information on the cost of front-end verification. OTA found that there has been no comprehensive study of how to conduct front-end verification in the most cost-effective manner. Front-end verification may be cheaper than computer matching, but there are some high initial overhead costs. Also, costs are directly tied to data quality.[65]

3. The Need for Legislation.--H.R. 4699 makes the preparation of a cost-benefit analysis a requirement in the approval process for a computer match.
A Data Integrity Board may not approve any matching agreement unless a cost-benefit analysis demonstrates that the match is likely to be cost effective. The requirement may be waived pursuant to guidelines issued by the Director of OMB.

The history of the OMB matching guidelines shows why legislation is needed. In 1979, OMB issued the first computer matching guidelines.[66] The guidelines specifically required that agencies conducting matching prepare estimates of the costs and benefits. OMB's instructions on preparing these estimates, although incomplete, were detailed. Agencies were directed to undertake only those matches for which a "demonstrable financial benefit can be realized which significantly outweighs the cost of the match."[67]

[63] 1987 House Matching Hearing at 65-6 (testimony of Eleanor Chelimsky, Director, Program Evaluation and Methodology Division, General Accounting Office).
[64] Some divisions of GAO have been major proponents of computer matching. See, e.g., 1982 Senate Hearings at 176 (testimony of Wilbur D. Campbell, Director, Accounting and Financial Management Division, General Accounting Office). But the divisions of GAO that supported matching did not develop a cost-benefit methodology. Since the development of guidance on the conduct of cost-benefit analyses of matching was only undertaken at the request of a Member of Congress, the basis for GAO's earlier assertions is unclear. The lack of a preexisting cost-benefit methodology at GAO calls into question much of GAO's earlier work on computer matching. In fact, the objectivity of that earlier GAO work has already been questioned. See the letter from Glenn English, Chairman, Subcommittee on Government Information, Justice, and Agriculture, to Charles Bowsher, Comptroller General (March 13, 1985) (criticizing GAO Eligibility Verification Report).
At the hearing, the Director of the GAO division that developed the cost-benefit guidance was asked whether GAO would routinely use the guidance in the future. She was unable to provide a positive response. She did state that she had "noticed a great deal more interest in costs in recent publications than I had seen before, and I think our work will probably have some effect, but I can't say anything firm on that score." 1987 House Matching Hearings at 90 (testimony of Eleanor Chelimsky, Director, Program Evaluation and Methodology Division, General Accounting Office). Thus, even after the development of the cost-benefit methodology by GAO, its use during GAO audit work remains uncertain.
[65] OTA Report at 80-81.
[66] 1979 OMB Matching Guidelines.
[67] Id at 5.a. The entire subparagraph reads:

    Development of matching programs.--A matching program should be undertaken only if a demonstrable financial benefit can be realized which significantly outweighs the costs of the match and any potential harm to individuals that could be caused by the matching program, e.g., public disclosure of information about an individual or improper termination of a benefit. The matching agency should consider alternative means of detecting or curtailing fraud and abuse or collecting debts owed to the Federal Government, and should undertake a matching program only if the alternatives are less effective, more expensive or would present a greater threat to personal privacy. An analysis of the benefits, costs, potential harm, and alternatives considered should be prepared and documented by the agency proposing to conduct the match. The analysis should, as a minimum, include:
    (1) Estimated losses resulting from fraud, abuse, error, or loan defaults.
    (2) Estimates of the number of individuals who are receiving or have received benefits for which they are ineligible, or who have defaulted on loans.
    (3) The amount which could potentially be recovered or saved by identification of those individuals and the termination of improper payments or the collection of delinquent debts.
    (4) Potential savings which could be achieved through deterrence of ineligible applicants or through other improvements in the program management (e.g., reduced error rates), based on the matching program.
    (5) Estimates of the reimbursement costs to be paid to the matching source for the acquisition of records for the matching programs.
    (6) Estimates of any cost involved in the actual matching itself, including costs of planning the match, time or effort necessary to make the sets of personal records compatible and the computer time required for the match.
    (7) Estimated costs of follow-up on individual "hits," including verification of individuals' records, locating the individuals, any planned counseling of those individuals, collection efforts, and litigation.
    (8) An assessment of the extent to which the conduct of the matching program could discourage individuals from exercising their rights.
    (9) An analysis of alternative means for curtailing fraud that were considered and rejected, including a full description of the reasons why they were not considered viable alternatives to conducting a matching program.

The 1979 guidelines included requirements for the conduct of the required cost-benefit study. Although these requirements did not encompass all the important elements of cost-benefit analysis--for example, discounting of savings to reflect the time value of money--the guidelines were a step in the proper direction.

The major problem with the 1979 guidance was that it was generally ignored by the agencies. There is no evidence that agencies took the cost-benefit requirement seriously. Few, if any, thorough cost-benefit studies were conducted.[68]

In 1982, OMB revised the matching guidelines and dropped the cost-benefit requirement.[69] According to an analysis by the Congressional Research Service, the elimination of the cost-benefit language was one of the principal changes in the revisions.[70]

The changes in the OMB guidelines were made at the urging of the PCIE and the inspectors general who promoted the use of matching.[71] According to Richard Kusserow, HHS inspector general and former co-chair of the PCIE's long-term computer matching project, the paperwork burdens were the most substantial problem with the guidelines.[72] Mr. Kusserow stated that the PCIE supported undertaking cost-benefit analysis but preferred to use pilot matches to develop estimates.[73]

The support for cost-benefit analyses expressed by Mr. Kusserow at the hearings is difficult to assess. Despite his support, the requirement was dropped entirely from the 1982 revised guidelines, and nothing comparable was put in its place. If realistic cost-benefit studies were conducted in the absence of the OMB requirement, GAO was unable to find them.

[68] See, for example, OTA Report at 50 (Only three out of 37 agencies did cost-benefit analyses prior to computer matching).
[69] 1982 OMB Computer Matching Guidelines.
[70] The CRS analysis is reprinted in 1982 Senate Hearings at 273.
[71] See, for example, 1986 Senate Hearing at 57-58 (testimony of Joseph Wright, Deputy Director, Office of Management and Budget).
[72] 1987 House Matching Hearings at 51-52. Mr. Kusserow's concerns are difficult to evaluate in so far as they applied to cost-benefit requirements because there is so little evidence that agencies followed the guidelines and conducted meaningful cost-benefit analyses.
[73] Id. at 52.

Second, Mr. Kusserow was asked to provide a copy of the most comprehensive cost-benefit analysis done by his office.[74] He provided only one very sketchy report.[75] This was apparently the only cost-benefit analysis done in the HHS Inspector General's office. Mr. Kusserow's response continued the standard practice of citing matches that generated large savings. But he offered no documentation of the savings or the costs of the matches.[76]

The history of computer matching shows that legislation requiring cost-benefit studies is needed. Without a specific legislative directive and enforcement mechanism, the matching bureaucracy will not conduct satisfactory cost-benefit studies. Joseph Wright, Deputy Director of OMB, testified in favor of the Senate bill (S. 496) and in favor of using cost-benefit analysis to measure the value of at least some matching activity.[77]

4. Elements of a Cost-Benefit Analysis.--Without the use of a consistent and complete method of assessing cost and benefits, it is difficult to assess fairly the cost effectiveness of computer matching. The problem is best illustrated by specific example.

In 1982, HHS Inspector General Richard Kusserow testified about a New York State match of welfare recipient records with employer supplied wage data. He stated that for the period from 1979 through 1983, savings would total $114 million and costs would be $28.1 million.[78] Mr. Kusserow provided no figures to document the costs or benefits, nor did he describe how the estimates were calculated.

At the same hearing, Norma Rollins, director of the Privacy Project of the New York Civil Liberties Union, offered the committee a detailed analysis of the same match.
The analysis showed that: (1) the actual costs of operating the wage reporting system used in the match were far greater than the State admitted; (2) there were hidden costs to employers that were not included in the calculation; (3) estimates of savings included millions of dollars that cannot or will not actually be saved; and (4) losses to public assistance and unemployment programs due to deliberate fraud and abuse could be detected by less cumbersome and less wasteful means.[79]

Without an objective method of assessing the cost effectiveness of computer matches, it is impossible to resolve the differences between the points of view expressed by Mr. Kusserow and Ms. Rollins. Without a realistic yardstick, resources may be wasted on ineffectual matches while other more effective fraud, waste, and abuse reduction techniques remain unfunded. Undocumented and possibly exaggerated claims of the returns from computer matching may have encouraged the Congress to include matching requirements in legislation.

[74] Id. at 47 (question 2).
[75] Id. at 64.
[76] Id. at 50-51.
[77] Id. at 31-5.
[78] 1982 Senate Hearings at 11.
[79] Id. at 428.

The complexity of cost-benefit analysis for matching is shown by the history of quarterly wage reporting. In the past, all employers were required to file quarterly reports with the Treasury on wages paid to employees. The 1976 law made the requirement annual.[80] The Senate report explained that the savings to employers could be as much as $235 million annually:

    The preparation and filing of this quarterly report involves considerable effort and expense on the part of employers particularly in the case of small- and medium-sized companies which do not have the advantage of computerized payroll systems.
    An April 17, 1973 report issued by the Select Committee on Small Business stated that its Subcommittee on Government Regulation had found studies indicating that the annual cost to small employers of submitting this form might total as much as $235 million.[81]

In 1982, it was estimated that quarterly wage reporting in New York State alone could be costing employers as much as $30 million annually.[82] The savings to employers in current dollars could be much higher.

The problem with annual wage reporting is that the data is too old to be useful for matching.[83] As a result, pressures arose to restore quarterly reporting. For example, New York reinstituted quarterly reporting in 1978.[84] By 1985, 41 States required quarterly wage reporting.[85] In the Deficit Reduction Act of 1984, Congress reimposed a form of quarterly wage reporting on employers.[86] Thus, the reform of 1976 was entirely reversed.

As a result, employers once again faced millions of dollars of additional costs--and probably hundreds of millions of dollars--in order to fuel the computer matching system. While these costs are impossible to allocate when calculating the costs and benefits of any particular computer match, the costs are just as real as they are hidden.[87]

Another example illustrates a different aspect of the cost-benefit issue. In support of the proposition that computer matching is cost effective, proponents sometimes cite a study conducted by researchers David Greenberg and Douglas Wolf.[88] For the matching projects, Greenberg and Wolf concluded that the benefits outweighed the costs by "substantial amounts." For the four projects studied, the ratio of benefits to costs ranged from a low of 1.19 to a high of 2.67.[89]

[80] Act of January 2, 1976, Public Law 94-202, 89 Stat. 1135.
[81] Senate Rept. No. 94-550, 94th Cong., 1st Sess. (1975), reprinted in 1975 U.S. Code Cong. & Ad. News 2347, 2355.
[82] NYCLU Foundation, An Evaluation of New York State's Wage Reporting System: The Real Cost of Computer Matching 14 (1982) [hereinafter cited as "NYCLU Matching Report"], reprinted in 1982 Senate Hearings at 421, 434.
[83] See General Accounting Office, A Central Wage File for Use by Federal Agencies: Benefits and Concerns 3 (1985) (GAO/HRD-85-31) [hereinafter cited as "GAO Central Wage File Report"].
[84] NYCLU Matching Report at 7.
[85] GAO Central Wage File Report at 5.
[86] Public Law No. 98-369, 98 Stat. 1147-8 (1984).
[87] Since the quarterly wage reporting was being done at the State level, it was inevitable that a proposal would be made to create a national data bank containing the shared information. See GAO Central Wage File Report. For a discussion of concerns about the establishment of national data banks in general, see text accompanying notes 99-109.
[88] "Is Wage Matching Worth All the Trouble?", 43 Public Welfare 13 (1985) [hereinafter cited as "Greenberg/Wolf"].
[89] Id at 18.

This study is the most professional and complete of all existing cost-benefit analyses of matching. But even this study has shortcomings. For example, the stream of future benefits from matching was not discounted to reflect the time value of money. This is a standard technique in cost-benefit studies.[90]

Regardless of the importance of discounting to the study's conclusions, it is difficult to extrapolate from the study to other matching activities. The authors recognized that they only reviewed programs that were functioning well:

    For example, the employer-reported data used by these systems clearly were adequate in terms of coverage, content, and timeliness.
    Equally important: follow-up procedures were well-structured, adequate resources were available for follow-up, and supervisors were genuinely committed to the program. Without such conditions, it certainly is possible that wage matching could prove ineffective.[91]

Thus, it is possible that a computer match found to be cost effective in one jurisdiction or agency might not be cost effective in another. Only a separate evaluation will tell.

The ratios reported in the Greenberg/Wolf study raise another issue. All four matching programs were found to be cost effective. The margin in one was very narrow (1.19). The best had a ratio of only 2.67. Even accepting these numbers as wholly accurate, the return on the computer matching investment is not necessarily as impressive as it appears at first glance.[92]

A particular computer match may be cost-effective when evaluated independently. But this does not mean that the match is the best investment of Government money. For example, every dollar spent by the Internal Revenue Service yields a return of $14.[93] This compares with the highest return found by Greenberg and Wolf of less than $3.

Given the large amount of management inefficiency in many Government programs,[94] a high return can be expected from any investment in improved management. The impressive yield from an investment in IRS enforcement may not be unusual. Based on the Greenberg and Wolf study, a dollar spent on matching returns only a quarter as much.

The real issue is what is the best use of scarce management dollars. Matching is not the only alternative. The Government cannot always fund every activity, even if the net return will be positive. Only the most productive activities should be funded. Cost-benefit analysis is an objective way to make choices.

There is a special need for a more formal evaluation of computer matching. GAO has demonstrated that decisions to conduct matches have been made casually in the past.[95] More careful selection of matching programs should increase the overall efficiency of Government.

[90] 1987 House Matching Hearing at 66 (testimony of Eleanor Chelimsky, Director, Program Evaluation and Methodology Division, General Accounting Office).
[91] Greenberg/Wolf.
[92] The subtitle of the Greenberg/Wolf article is "The Results are Not Spectacular But . . .".
[93] Frank Malanga, Director, Research Division, Internal Revenue Service.
[94] See text accompanying note 58.
[95] GAO Decisionmaking Report.

The GAO study done for Representative Ted Weiss contains the most comprehensive approach to determining the costs and benefits of computer matching.[96] GAO was asked to develop a methodology. Eleanor Chelimsky, Director of the GAO Division that produced the report, declined to call the results a formal methodology.[97] Nevertheless, the GAO guidelines are a thorough and consistent approach to calculating a cost-benefit ratio. They allow a systematic analysis of many costs and benefits relevant to the different purposes of computer matching.[98]

F. OTHER ISSUES

There are other concerns about computer matching that are not addressed in the legislation except in the rules of construction in section 9. The rules of construction provide that nothing in the amendments made by H.R. 4699 shall be construed to authorize the establishment of a national data bank or the direct linking of computer systems. In addition, the bill should not be construed to authorize the computer matching of records not otherwise authorized by law, or the disclosure of records for computer matching except to a Federal, State, or local agency.

1.
Establishment of a National Data Bank and Computer Linkage.--Public opinion polls have consistently found that privacy is a significant and enduring concern of Americans.[99] About half of the public views computers as a threat to privacy.[100] Americans have a more negative view of centralized files and data banks: 78 percent believe that a master computer file would violate their privacy.[101]

These poll results are relevant because an underlying issue with computer matching is the linkage of computers and the de facto creation of a national data bank.[102] Much matching involves the regular exchange of large computerized files by Government agencies. But for the match, these records would remain entirely separate.

The maintenance of separate records systems is an important element in the protection of privacy. The Privacy Act of 1974 was passed in part in order to maintain the separation of disparate records. Because personal information is necessary to the operation of government programs, the separation of systems of records provides some protection against the accumulation of excessive and unnecessary amounts of personal data.

[96] GAO Cost Benefit Report.
[97] 1987 House Matching Hearings at 66.
[98] H.R. 4699 recognizes that cost-benefit analysis may not be necessary before every computer match. The bill authorizes the Director of OMB to issue guidelines on the issue. See new subsection (u)(4) of the bill.
[99] See, for example, Privacy and 1984: Public Opinions of Privacy Issues: Hearing before a Subcommittee of the House Committee on Government Operations, 98th Cong., 1st Sess. (1984); OTA Report, at 26-29; Public Reaction to Privacy Issues: Hearing before a Subcommittee of the House Committee on Government Operations, 96th Cong., 1st Sess. (1979).
[100] A summary of recent polls can be found in OTA Report at 27.
[101] Id. at 28.
[102] An earlier proposal for the establishment of a national data bank--a centralized government-wide computer and communications network--was killed in the mid-1970s as a result of strong congressional and other opposition. The project was known as FEDNET, and the opposition was principally based on privacy grounds. See General Accounting Office, Improved Planning--A Must Before A Department-wide Automatic Data Processing System is Acquired for the Department of Agriculture (1975) (LCD-75-108).

The Privacy Protection Study Commission pointed out in 1977 the consequences of the establishment of personal profiles of individuals:

    The possession of such profiles invites the use of them for marketing, research, and law enforcement, and, in an electronic funds transfer environment, could provide a way of tracking an individual's current movements. The dramatic shift in the balance of power between government and the rest of society that such a development could portend has persuaded the Commission of the compelling need to single it out for special public-policy attention and action.[103]

Opponents of matching have also objected because matching violates the Fourth Amendment protections against unreasonable searches and seizures and the presumption of innocence.[104] Ironically, one of the responses to these concerns--front-end verification--has exacerbated the problems of computer linkage. Front-end verification involves checking the eligibility of a particular individual at the time of application for a benefit program rather than a general search of computer records.[105]

Since fewer records are involved, front-end verification appears less intrusive. But front-end verification can result in the direct, on-line linking of computers and record systems that might otherwise be unconnected.
A witness from the American Civil Liberties Union elaborated:

The current Government trend is to increase frontend verification of applicant information for all government benefit programs. Frontend verification reduces benefit payment "errors" by detecting noneligibility before rather than after a citizen receives benefits. Although some argue that it also constitutes a lesser intrusion on citizen privacy because the procedure involves a search through a particular citizen's file rather than a "general search" through all files, the ACLU believes that the unchecked growth of verification systems linking various data bases of personal information on every citizen poses a serious danger to individual autonomy and privacy.106

OTA's recent report on computers and privacy included several specific findings about front-end verification. The most striking finding is that use of front-end verification is creating a de facto national data base covering nearly all Americans.107

103 Privacy Protection Study Commission, Personal Privacy in an Information Society 9 (1977).
104 See, for example, 1982 Senate Hearings at 100-102 (testimony of John Shattuck, national legislative director, American Civil Liberties Union).
105 OTA Report at 67-8.
106 1987 House Matching Hearings at 110 (statement of Janlori Goldman, staff attorney, American Civil Liberties Union).
107 OTA Report at 68. A more recent OTA background paper raises similar issues. See Office of Technology Assessment, Electronic Delivery of Public Assistance Benefits: Technology Options and Policy Issues 28-30 (1988) (OTA-BP-CIT-47).

The committee agrees that concerns about increased linkage of Government computers are legitimate.
However, verifying the eligibility of program applicants at the front end is a reasonable approach and one that the committee is not prepared to discourage. The issues raised by computer linkage are much broader than are encompassed in computer matching. Restricting or prohibiting front-end verification is not practical, and no one has formally proposed such limitations. The concerns are real, but other solutions to computer linkage problems will have to be found.

The problem of computer and record linkage was very well stated in a report recently issued by a committee of the Canadian Parliament. In a discussion of computer matching, the committee stated:

The process of government would indeed be more efficient if we were all watched and monitored; the problem is to establish acceptable and tolerable limits to computer matching. There is an especially strong resistance to far-flung matching operations that involve access to a broad array of personal data from various government institutions. The current mechanisms to regulate such practices are inadequate. In particular, a balance must be achieved between the privacy interests of individuals and other societal values, such as the reduction of fraud and waste.108

H.R. 4699 is not intended to create any specific barriers to computer linkage. But the committee does not want the bill to be construed as supporting, encouraging, or directing the linkage of computers or the establishment of any type of national data bank that combines, merges, or links information on individuals maintained in systems of records. H.R. 4699 is intended to leave the law and policy in this area alone. The policies, procedures, and provisions of the Privacy Act that prevent the establishment of interagency data banks in the name of efficiency and that prevent unwarranted sharing of personal information remain in force.

2. Legal Questions.--The legality of some disclosures that are necessary to support computer matching has been questioned since 1977. A primary question revolves around the "routine use" provision of the Privacy Act.109 Where records are disclosed by one agency to another for use in matching, the normal legal authority for the disclosure comes from a routine use.110

A routine use may only be established if the disclosure is compatible with the purpose for which the information was collected.111 For example, if a match proposes to use records about Federal employees to identify welfare recipients, is the disclosure of the personnel records compatible with the purpose for which the personnel records were collected?

108 Canadian Parliament Report at 43.
109 See text accompanying notes 15.
110 See, for example, 1982 OMB Matching Guidelines at 5.a.(1) ("If disclosure is to be made pursuant to a 'routine use' (section (b)(3) of the Privacy Act), [the agency] should ensure that the system of records contains such a use, or [the agency] should publish a routine use notice in the Federal Register.")
111 5 U.S.C. § 552a(a)(7).

In 1977, the general counsel to the Civil Service Commission answered this question in the negative.112 While this matter was debated and reconsidered within the executive branch, the pressures to undertake matching projects intensified. These pressures may have been fueled in part by the undocumented claims of savings resulting from computer matching.113 Eventually, with OMB's approval and 1979 Guidelines, any legal barriers placed in the way of matching by the Privacy Act were overridden.114 Later legislation authorizing or requiring specific matching programs resolved questions of the legality of routine uses by providing a legislative purpose for the disclosures.
However, there has been no formal legal resolution of the Privacy Act issue in other areas, and some dispute remains.115

The Senate bill (S. 496) proposed to add new language to the Privacy Act that would authorize all disclosures made pursuant to a written matching agreement. This language may have been included because of the Senate perception that there is some doubt about the legality of disclosures needed for some computer matches that do not have specific statutory authorization.

H.R. 4699 does not include this language. The committee believes that the compatibility standard of the Privacy Act still has meaning and purpose, and the committee does not wish to give blanket authorization to all disclosures for all computer matches regardless of purpose, scope, agency, or level of government involved. In order to make it clear that H.R. 4699 does not provide independent authority for disclosures necessary to support matching, section 9 provides that nothing in the act shall be construed to authorize the computer matching of records not otherwise authorized by law.

In other words, H.R. 4699 leaves the legal questions surrounding matching and the Privacy Act alone. Provided that the new procedures in H.R. 4699 have been complied with, any computer match that was lawful before passage of the bill will continue to be lawful after passage.116

DISCUSSION

There are three key concepts in the regulation of computer matching under H.R. 4699. Matching programs must be established by means of matching agreements, and the agreements must be approved by agency Data Integrity Boards. The bill has other provisions, but the understanding of these concepts is central to understanding how the legislation should be implemented.

Matching Programs.--"Matching programs" are defined in section 5 of the bill to include a broad range of agency matching activities. The scope of the bill is then narrowed by the exclusion of six specific types of matches.

112 Letter from Carl F. Goodman, General Counsel, United States Civil Service Commission, to Charles Ruff, Acting Deputy Inspector General, Department of Health, Education and Welfare (July 27, 1977), reprinted in 1982 Senate Hearings at 122 ("[I]t is evident that this information on employees was not collected with a view toward detecting welfare abuses.")
113 See, for example, text accompanying notes 78-79.
114 See note 18.
115 See, for example, 1987 House Matching Hearing at 97-101 (statement of Janlori Goldman, staff attorney, American Civil Liberties Union).
116 For another Privacy Act legal issue raised by computer matching, see text accompanying note 27.

A matching program must involve a Privacy Act system of records as a source of records used in matching. Under the Privacy Act of 1974, a "system of records" is defined as "a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual." 5 U.S.C. § 552a(5). Most records about individuals maintained by Federal agencies are kept in systems of records.

Except for a relatively small number of systems of records maintained by Federal agency contractors, systems of records are maintained only by Federal agencies. This means that matching programs will generally not include any matching activities that do not involve a Federal agency as a source or recipient of information.

As a result, H.R. 4699 does not affect matching activities that are conducted by State or local governments using State, local records, or private records. A matching activity becomes a matching program within the meaning of H.R. 4699 only when Federal records from a Privacy Act system of records are involved.
There are two basic types of computerized comparisons of records that fall within the general definition of matching programs. First, a matching program includes the computerized comparison of any automated systems of records for the purpose of establishing or verifying eligibility of, or continuing compliance with statutory and regulatory compliance by, applicants for, recipients or beneficiaries of, participants in, or providers of services with respect to, cash or in-kind assistance or payments under Federal benefit programs. Federal employees are intended to be treated as recipients of payments under a Federal benefit program. The comparison of records for the purpose of recouping payments or delinquent debts under Federal benefit programs also qualifies as a matching program. A matching program includes matches between two Federal systems of records as well as matches between a Federal system of records and non-Federal records.

Matches conducted by the Federal Parent Locator Service do not fall under this definition because the matches are performed for the purpose of locating absent parents who are not paying child support in order to take action against them to secure such child support payments. The committee does not intend the bill to be construed to apply to matches performed by the Federal Parent Locator Service to locate absent parents even though such payments may result in a recoupment of payments made by a Federal benefit program such as Aid to Families with Dependent Children. The Federal benefit recoupment is not the principal purpose of the matching activity.

For a matching program that meets the primary definition, the applicability of H.R. 4699 is determined by the purpose of the match. A matching activity conducted for a nonqualifying purpose will not be subject to H.R. 4699.

Second, all computerized comparisons using Federal personnel or payroll systems of records are matching programs.
When Federal payroll or personnel records are used in a matching activity, the activity falls within the general definition of matching programs regardless of purpose. This includes matches between two Federal systems of records as well as matches between a Federal system of records and non-Federal records.

There are six categories of matching activities that are specifically excluded from the scope of the bill. First, a match performed to produce aggregate statistical data without any personal identifiers is excluded from the definition of matching programs. To qualify under this exclusion, no information resulting from the match may be produced or retained in individually identifiable form or may be used in any way to affect the rights, benefits, or privileges of any individual.

Second, a match performed to support any research or statistical project is excluded if no information resulting from the matching activity is used to make decisions concerning the rights, benefits, or privileges of specific individuals. The difference between research or statistical matching (the first exclusion category) and aggregate statistical matching (the second exclusion category) is that identifiable information may be produced and retained during a research or statistical match. No identifiable information may result from aggregate statistical matches. In neither case may any information be used in any adverse or other way to affect an individual. Disclosure of any identifiable information produced during a research or statistical match may be made otherwise in accordance with the conditions of disclosure in the Privacy Act.

The third exclusion can only be invoked by an agency or component which performs as its principal function any activity pertaining to the enforcement of criminal laws.
The exclusion covers matches conducted by such an agency or component subsequent to the initiation of a specific criminal or civil law enforcement investigation of a named person or persons for the purpose of gathering evidence against such person or persons.

This exclusion is intended to be narrowly construed. First, not every agency is eligible to use the exclusion. The agency's (or component's) principal function must pertain to the enforcement of criminal laws. The Federal Bureau of Investigation is an example of such an agency. However, if an agency has a number of different functions, one of which is a criminal law enforcement activity, the agency does not qualify unless the criminal law enforcement activity has been clearly identified by statute or otherwise as the principal function of the agency. A regulatory agency that spends most of its time and resources implementing a scheme of regulation will not qualify just because the law it oversees has criminal penalties. The criminal law enforcement function must be the principal function for the agency to qualify.

An agency that is not principally a law enforcement agency may still have a component that can utilize the third exclusion. For example, an audit office will typically have a number of functions, one of which is the initiation of criminal law enforcement investigations. The office as a whole will normally not qualify because the criminal law enforcement activity is not its principal activity. However, a clearly identifiable investigation subunit that performs as its principal function investigations that may lead to criminal referrals can qualify. Investigative offices do not know at the commencement of an investigation whether the matter under investigation will result in civil or criminal charges.
This uncertainty does not make the law enforcement exclusion unavailable to criminal investigative units. As long as criminal referrals or indictments may result from the investigative activity, and the investigative activity is the principal function of the office, the exclusion will be available. An example is the Criminal Investigations Division of the Internal Revenue Service which will qualify even though the IRS as a whole does not.

An office that is eligible to use the third exclusion can only use it subsequent to the initiation of a specific criminal or civil investigation of a named person or persons for the purpose of gathering evidence against such person or persons. In order to rely on the third exclusion, an agency or component must be gathering evidence for an existing, ongoing investigation whose targets must already be identified.

This requirement is intended to distinguish computer matching--which is typically initiated without any evidence or suspicion about specific individuals--from the later stages of a law enforcement investigation where specific, named suspects have already been identified. Once the specific targets of an investigation have been identified, the protections of H.R. 4699 may no longer be appropriate. The bill is intended to regulate general records searches rather than to interfere with well-defined law enforcement operations.

The phrase "named person or persons" is intended to mean that the investigation sponsoring the excluded matching activity has already identified the specific individual or individuals who are the targets of the investigation. A generic description of the targets (such as "program beneficiaries" or "program beneficiaries who are also on the Federal payroll") is not adequate. In addition, there must be a reasonable basis for believing that each of the identified targets of the investigation has engaged in improper conduct that is subject to investigation by the agency or component.
These limitations are intended to assure that the law enforcement exclusion will not be a loophole which will allow general matching operations to be transferred to criminal law enforcement agencies or components in order to evade the procedural requirements for computer matching. At the same time, the exclusion is intended to allow matching to be done without undue procedural interference for legitimate law enforcement purposes.

The fourth exclusion covers several matching activities conducted by the Internal Revenue Service. Disclosures of tax returns and tax return information to State officials pursuant to 26 U.S.C. § 6103(d) are excluded from the requirements of H.R. 4699. Also excluded are matches of tax information for purposes of tax administration as defined in 26 U.S.C. § 6103(b)(4). This exclusion will permit IRS to continue without interference the matching of tax returns with notices of interest, dividend, and similar payments.

Finally, the fourth exclusion also covers matches of tax information for the purpose of intercepting a tax refund due to an individual under authority granted by the Deficit Reduction Act of 1984. The tax refund offset programs authorized by DEFRA already contain due process procedures. To subject these offset programs to the computer matching bill would only result in duplicative notice to affected individuals and duplicative hearings.

The fifth exclusion is designed to allow most internal agency matching activities to be conducted without following the matching procedures. The purpose is twofold. First, the general scheme of the Privacy Act allows agencies to make reasonable internal uses of information without unnecessary complexity. See, for example, 5 U.S.C. § 552a(b)(1). The fifth exclusion continues that policy.
Second, the broad definition of matching programs includes some routine agency operations that do not warrant the additional controls imposed by the bill.

Two different types of matches can qualify under the fifth exclusion. First, the exclusion covers matches performed for routine administrative purposes that use records predominantly relating to Federal personnel. A routine administrative purpose includes activities such as: (a) a computer search for an agency employee with specific skills who can carry out a specific assignment; (b) matching of agency payroll records with Treasury Department records for the purpose of preparing payroll checks; and (c) standard internal auditing of agency travel records. The Director of the Office of Management and Budget is required to issue guidance to clarify and standardize the concept of "routine administrative purpose."

Second, the exclusion also covers matches that are performed using only records from systems of records maintained by an agency. The term "agency" is a defined term under the Privacy Act, and the committee intends that it be interpreted in accordance with the OMB Privacy Act Guidelines, 40 Federal Register 28950 (July 9, 1975), and the Justice Department letter quoted therein.

An internal or administrative match does not necessarily qualify for the fifth exclusion. The match only qualifies if the purpose is not to take any adverse financial, personnel, disciplinary, or other adverse action against Federal personnel. Thus, a match of Federal employees for waste, fraud, abuse, or debt collection purposes does not qualify for exclusion. Such matches are identical in purpose to matches involving non-Federal employee populations, and Federal employees are entitled to the same protections that H.R. 4699 affords to others.
However, routine administrative matches conducted as part of normal accounting or auditing controls and that are not specifically intended to result in adverse action against Federal personnel can qualify for exclusion.

The sixth and final exclusion is for matches performed to produce background checks for security clearances of Federal personnel or for foreign counterintelligence purposes. This is intended to allow all required security clearance investigations without application of the matching procedures.

Matching Agreements.--H.R. 4699 requires that most computer matching involving Federal data be conducted pursuant to matching agreements. The bill enforces this requirement by prohibiting the disclosure by a Federal agency of any record contained in a system of records to another Federal agency or to a non-Federal agency for use in a computer matching program except pursuant to a written matching agreement.

There are eleven required elements in a matching agreement. First, the agreement must specify the purpose and legal authority for conducting the matching program.

Second, the agreement must specify the justification for the program and the anticipated results, including a specific estimate of any savings. This information is required because of a concern by the committee that some computer matching may not be cost effective. Data Integrity Boards are required to disapprove a matching program unless a cost-benefit analysis has been completed and the analysis demonstrates that the program is likely to be cost effective.

The General Accounting Office has developed guidelines for assessing the costs and benefits of computer matching. The report was issued in November 1986 (GAO/PEMD-87-2).
The GAO guidelines are the first attempt to set out a comprehensive, realistic, and objective approach to the assessment of the costs and benefits of matching.

When an agency prepares estimated results of matching and estimates of savings, the committee intends that the elements relating to cost-benefit assessment identified in the GAO report be employed to the greatest extent practical. All identifiable cost elements should be included in the analysis, and a realistic assessment of the benefits--suitably discounted to reflect the time value of money--is also required.

Third, a matching agreement must include a description of the records that will be matched, including each data element that will be used, the approximate number of records that will be matched, and the projected starting and completion dates of the matching program.

Fourth, an agreement must describe the procedures for providing individualized notice to applicants for and recipients of financial assistance or payments under federal benefit programs and to applicants for and holders of positions as Federal personnel. Individualized notice means that each individual affected by the match must receive a notice. Notice through publication in the Federal Register will not meet the requirement of individualized notice. Individualized notice must be provided at the time of application and periodically thereafter that any information provided by applicants, recipients, and others may be subject to verification through matching programs.

The Data Integrity Board may direct procedures for periodic notice for each matching program. The Director of the Office of Management and Budget is required to issue guidance on periodic notice for the use of the Boards. In general, the committee intends that all individuals receive meaningful notice. Agencies will normally be able to accomplish this by providing matching notices to individuals at the same time that other information is conveyed.
Unless determined by OMB to be necessary in some circumstances, the committee does not expect that agencies will be required to keep a receipt for the notice from each individual receiving the notice. Each agency need only take reasonable steps to assure that affected individuals have been notified.

In the case of the initial notice, matching information can be included on an application form or with other notices provided to applicants. The periodic notice requirements can be met in a similar way. The mailing of separate periodic notices is not required as a matter of law, but could be required in specific instances either by a Data Integrity Board or under OMB guidance.

Fifth, a matching agreement must specify procedures for verifying information produced in the matching program. Verification requirements are discussed elsewhere in this report.

Sixth, a matching agreement must specify procedures for the timely destruction of identifiable records created by a recipient agency or non-Federal agency during the course of a matching program. All records generated during the course of a matching program should be destroyed as soon as the records are no longer needed. The timely destruction of unnecessary personal information provides an important privacy protection.

Seventh, a matching agreement must specify procedures for ensuring the administrative, technical, and physical security of the records matched and the results of the matching program. This requirement is similar to an existing Privacy Act provision in subsection (e)(10). The existing requirement is for appropriate safeguards for protecting the security and confidentiality. The committee intends that a standard of appropriateness also be applied to the protection of matching records.
The degree of protection should be commensurate with the sensitivity of the records. Matching records will normally not require the same degree of protection as classified information.

Eighth, a matching agreement must specify applicable prohibitions on duplication and redisclosure of records provided by the source agency within or outside the recipient agency or the non-Federal agency, except where required by law or essential to the conduct of the matching program.

The prohibition on duplication and redisclosure is another important privacy protection. Records made available for a matching program may be used only for the program and may not be duplicated or redisclosed for any other purpose. This will be the prohibition on duplication and redisclosure normally specified in the matching agreement.

There are two exceptions to the general prohibition. Records may be duplicated or redisclosed for a purpose that is required by law. An example is the law requiring disclosure of records to the Comptroller General. Records may also be duplicated or redisclosed where duplication or redisclosure is essential to the conduct of the matching program. The "essential" standard is a strict test, and the committee intends it to be much more restrictive than the "compatibility" standard for routine uses under the Privacy Act. See 5 U.S.C. § 552a(7). In general, the stricter restrictions on duplication and redisclosure reflect a concern that records used in matching programs be tightly controlled.

A disclosure is essential only when a matching program cannot be carried out without it. The results of a match may be disclosed for followup and verification as an essential part of the program. Also, when a matching program uncovers activity that warrants civil or criminal investigation or prosecution, the disclosure or duplication of information to support the investigation or prosecution is an essential purpose.
Ninth, a matching agreement must specify procedures governing the use by a recipient agency or non-Federal agency of records provided by a source agency, including procedures governing return of the records to the source agency or destruction of records used in the matching program. Records should be destroyed or returned to the source agency at the earliest possible opportunity.

Tenth, a matching agreement must include information on assessments that have been made on the accuracy of the records that will be used in the matching program. The accuracy of data is important in any matching activity, and there have been serious problems in the past when inaccurate information has been used.

Finally, matching agreements must provide that the Comptroller General may have access to all records of a recipient agency or non-Federal agency that the Comptroller General deems necessary in order to monitor or verify compliance with the agreement. Since the Comptroller General already has a statutory right to access to Federal agency records, this provision is primarily intended to allow the Comptroller General to have access to records of state or local governments.

A copy of each matching agreement must be provided to the Senate Committee on Governmental Affairs and to the House Committee on Government Operations, and the agreement will not become effective until 30 days after copies are sent to the Committees.

A copy of a matching agreement must be made available to the public on request. The committee intends that copies of matching agreements should be provided upon request, without charge, and without the necessity for the filing of a formal request under the Freedom of Information Act.
No agency may hide its matching activities from public view by holding requests for matching agreements in a lengthy FOIA queue.

Matching agreements may remain in effect for the period determined to be appropriate by the Data Integrity Board. The Board will make its determination in light of the purpose and length of time necessary for the conduct of the matching program. The maximum length of time for a matching agreement is 18 months. However, the Board may renew an existing matching agreement for up to an additional year if the program will be conducted without any change for the additional period and if each party to the agreement certifies in writing that the program has been conducted in compliance with the agreement.

The vast majority of matching programs subject to H.R. 4699 will involve two different Federal agencies or one Federal agency and a non-Federal agency. This is because the fifth exclusion of the definition of matching programs excludes most internal agency matches. However, there will be some matches wholly internal to an agency that will be subject to the requirements of H.R. 4699. In these instances, the same agency will be both the source and the recipient agency, and the agency will have to effectuate a matching agreement with itself. If the source and recipient agencies are different components within the agency, an agreement can be signed by the two components. If the same component is both the source and the recipient of the matching information, the head of the component or agency should prepare and submit to the agency's Data Integrity Board a memorandum which can serve as the equivalent of a matching agreement.

Data Integrity Boards.--Each Federal agency conducting or participating in a matching program is required to establish a Data Integrity Board to oversee and coordinate implementation of H.R. 4699. A Federal agency must have a Data Integrity Board if the agency is a source agency or a recipient agency. No non-Federal agency is required to establish a Data Integrity Board.

Each agency's Data Integrity Board must be composed of senior officials designated by the head of the agency. The only members of the Board designated by law are the senior agency official designated by the head of the agency as responsible for implementation of the Privacy Act of 1974, and the inspector general of the agency, if any. The agency head can determine how many additional members to appoint to the Board. A small agency with limited matching activities may have only a few members on its board. A larger agency with active matching programs may have a need to have a large number of agency components represented on its board.

The bill specifically provides that no inspector general may serve as chairman of the Data Integrity Board. The agency head may select another member as chairman or may allow the Board to select its own chairman. The reason for the limitation on inspectors general is because of the prominent role played by inspectors general and the President's Council on Integrity and Efficiency in promoting the use of computer matching. The committee is concerned that a Board chaired by an inspector general may not exercise sufficiently detached judgment regarding computer matching. The committee intends that neither an agency inspector general nor any employee of an inspector general serve as chairman of the Board, chair meetings of the Board, or provide staff to the Board.

Membership on the Board should not be a full-time job for anyone. In fact, except at a large agency with a considerable amount of matching activities, the Board may not need to have any permanent, full-time staff.
However, during the initial implementation period for H.R. 4699, there is likely to be more effort required than will be necessary for continuing operations, and some full-time staff may be assigned initially. It is likely that the members of the Board will contribute staff as needed to carry out the Board's functions or that the agency's Privacy Act officer may be assigned additional matching-related activities. The Committee envisions that most agency Data Integrity Boards will meet several times each year to consider matching agreements and to review ongoing matches.

The bill sets out eight specific functions for Data Integrity Boards.

First, each Board will review, approve, and maintain all written agreements for receipt or disclosure of agency matching programs. Each Board will also maintain copies of all relevant statutes, regulations, and guidelines as a resource for the agency.

Second, each Board must review all matching programs in which the agency has participated during the year, either as a source agency or recipient agency. The purpose of the review is to determine compliance with applicable laws, regulations, guidelines, and agency agreements, and to assess the cost and benefits of such programs.

The committee does not envision that Boards will routinely undertake active investigations of matching programs. When there are reports or other indications of problems with a matching program's operations or of a lack of compliance with law or the matching agreement, an active investigation may be warranted. Otherwise, the Board's role will normally be more limited and may include collection and review of information about matching programs and occasional spot audits.
The Boards will have to take positive action to ensure that the assessment of costs and benefits for each matching program is fairly and accurately presented.

Third, each Board must review all recurring matching programs in which the agency has participated during the year, whether as a source agency or recipient agency, for continued justification. This requirement has been included in order to make sure that special attention will be paid to matching programs that are done on a continuing basis. The Committee is concerned that these matches may be renewed automatically long after the need for the match has passed. This is most likely to be a problem with front-end verification matches.

Fourth, each Board must prepare an annual report on matching for submission to the head of the agency and to the Office of Management and Budget. The report of each Board must also be made available to the public upon request. OMB will consolidate the reports for the various Boards and file a single report with the Congress.

Reports by the Boards must describe the matching activities of the agency and must include:

(i) a description of all matching programs in which the agency participated as a source or recipient agency;
(ii) a description of any matching agreements that were proposed but disapproved by the Board;
(iii) a description of any changes in the membership or structure of the Board in the preceding year;
(iv) the reasons for any waiver of the requirement for the completion and submission of a cost-benefit analysis prior to the approval of a matching program;
(v) information about any violations of matching agreements that have been alleged or identified and any corrective action taken;
(vi) any other information required by the Director of OMB to be included in the report.

Fifth, each Board is required to serve as a clearinghouse for receiving and providing information on the accuracy, completeness, and reliability of records used in matching programs.
Sixth, each Board is required to provide interpretation and guidance to agency components and personnel on the Privacy Act's matching requirements.

Seventh, each Board is required to review agency recordkeeping and disposal policies and practices for matching programs to assure compliance with the Privacy Act.

Finally, each Board may review and report on any agency matching activities that are not matching programs. This authority allows the Boards to consider any aspect of agency matching operations that fall outside of the definition of matching programs because of the exclusions.

The Senate bill assigned the Data Integrity Boards responsibility for reviewing and coordinating privacy training programs. This has been left out of the House bill because the responsibilities of the Boards are specifically focused on computer matching rather than the whole Privacy Act or broader privacy issues. This change from the Senate bill should not be taken as any indication of lack of interest in or support for privacy training. The Committee strongly supports Privacy Act training, but believes that the responsibility should not rest with Data Integrity Boards. Existing training programs--such as those sponsored by the Defense Privacy Board--should continue to be utilized.

One of the major elements of H.R. 4699 is the focus on the cost-effectiveness of computer matching. The Data Integrity Boards have been given a central assignment in this area. In general, no Board may approve any matching agreement unless the agency has completed and submitted a cost-benefit analysis of the proposed matching program and the analysis demonstrates that the program is likely to be cost-effective.

The General Accounting Office has developed guidelines for assessing the costs and benefits of computer matching.
The report was issued in November 1986 (GAO/PEMD-87-2). The GAO guidelines are the first attempt to set out a comprehensive, realistic, and objective approach to the assessment of the costs and benefits of matching.

When an agency prepares estimated results of matching and estimates of savings, the committee intends that the elements relating to cost-benefit assessment identified in the GAO report be employed to the greatest extent practical. All identifiable cost elements should be included in the analysis, and a realistic assessment of the benefits--suitably discounted to reflect the time value of money--is also required. The Board will enforce this requirement by reviewing the cost-benefit analysis submitted along with each proposed matching agreement.

The committee is aware that an exact cost-benefit analysis cannot be prepared for every proposed match. H.R. 4699 reflects this uncertainty by requiring only that the analysis demonstrate that a matching program is likely to be cost-effective. The committee expects that a good faith effort will be made to be as realistic as possible.

A considerable amount of matching has been done, and information from past matches should be consulted whenever possible in the preparation of cost-benefit analyses. For recurring matches, specific evidence can be collected during the first year of operation and then used to prepare a realistic cost-benefit analysis for the future.

As experience with developing cost-benefit analyses increases, estimates should rapidly improve in quality over time. The requirement that an actual assessment of costs and benefits be included in annual reports will permit a comparison of estimates with actual results. The committee will review the annual reports to determine how good a job the Boards are doing in overseeing the cost-benefit analysis provisions of H.R. 4699.

The preparation of a cost-benefit analysis will not be possible for every proposed matching program.
While most matches done to reduce fraud, abuse, or waste can be measured on a cost-effectiveness scale, other matches have objectives that cannot effectively be measured in monetary terms. For example, it may not be possible to prepare a complete cost-benefit analysis for a match that is conducted to improve the quality of health care. For other matches--particularly front-end verification matches--cost-benefit criteria are not sufficiently developed to permit a cost-effectiveness evaluation at this time.

The committee recognizes that there are some limitations on cost-benefit analysis, and H.R. 4699 allows Data Integrity Boards to waive the requirement for the preparation of a cost-benefit analysis. In order to grant a waiver, the Board must make a determination in writing that a cost-benefit analysis is not required. The determination must be made in accordance with guidelines prescribed by the Director of OMB.

It is the committee's intent that waiver be granted sparingly and only where the preparation of a cost-benefit analysis is impossible or would be completely fruitless. The flexibility included by granting authority to waive the cost-benefit requirement should not be abused. For example, Data Integrity Boards may not grant routine waivers on the excuse that the purpose of a matching program is "deterrence of fraud and abuse" and that deterrence is difficult to measure. The experience with computer matching during the last ten years should provide a basis for realistically estimating any benefits attributable to "deterrence". The requirement that Boards annually assess the costs and benefits of matching programs will rapidly provide a more precise basis for determining whether estimates of deterrence benefits have been accurate.
When one Federal agency is the source agency and another Federal agency is the recipient agency for a matching program, the Data Integrity Boards of both agencies will have the responsibility to review and approve the program. Both boards will have to be satisfied that the proposed matching program meets the standards of the law. Any disagreements will have to be resolved before the matching program can proceed.

Appeals.--If a matching agreement is disapproved by a Data Integrity Board, any party to the agreement may appeal the disapproval to the Director of OMB. The appeal has been added to the Senate bill because of the possibility that some of the members of the Data Integrity Board considering a matching agreement might have a conflict of interest. It is possible, for example, that an agency operating a benefit program might resist a proposed matching project because of concern that the results might show that the program was being poorly run. An appeal allows for an independent review of the decision of the Board. The committee anticipates that appeals will be rare and primarily because of conflicts of interest.

When an appeal is filed with OMB, notice must be provided by OMB to the Senate Committee on Governmental Affairs and the House Committee on Government Operations. OMB may prescribe whatever procedural rules for appeals that it finds necessary.

OMB will have limited authority to overrule a Data Integrity Board and approve a matching agreement. An appeal may be granted only if the Director of OMB determines that: (i) the matching program will be consistent with all applicable legal, regulatory, and policy requirements; (ii) there is adequate evidence that the matching agreement will be cost effective; and (iii) the matching program is in the public interest.
The public interest standard does not grant OMB any authority to approve a matching program that is not in full compliance with statutory requirements. Instead, it is an additional standard that gives OMB authority to disapprove a matching program that complies with the law but that is not an appropriate use of federal funds or information.

When OMB approves a matching agreement, the decision must be reported to the Senate Committee on Governmental Affairs and to the House Committee on Government Operations. The notice to the committees should include a detailed statement of the reasons for granting the appeal. Any matching agreement so approved may not take effect until 30 days after the committees are notified.

If a matching program proposed by the inspector general of an agency is disapproved by the Data Integrity Board and by the Director of OMB, the inspector general may report the disapproval to the head of the agency and to the Congress. If the Congress determines that the matching program was improperly disapproved, the Congress can take appropriate action.

Verification.--Before a recipient agency, non-Federal agency, or source agency can suspend, terminate, reduce, or make a final denial of any financial assistance under a Federal benefit program or take other adverse action against an individual as a result of information produced by a matching program, an officer or employee of the agency must independently verify the information.

Independent verification may be satisfied in either of two ways. First, information may be verified in accordance with the requirements governing the Federal benefit program. This assumes that the benefit program has specific verification requirements.
Alternatively, information about an individual uncovered through a matching program can be independently verified through independent investigation and confirmation of: (A) the amount of the asset or income involved; (B) whether the individual actually has or had access to the asset or income for the individual's own use; (C) the period or periods when the individual actually had the asset or income; and (D) any other information used as a basis for an adverse action against an individual.

The purpose of the independent verification requirement is to assure that the rights of individuals are not determined automatically by computers without human involvement and without checking that the information relied upon is accurate, complete, and timely. No one should be denied any right, benefit, or privilege simply because his or her name was identified in a match as a "raw hit". There can be no presumption that information obtained from a computer is necessarily correct or that correct data has been correctly interpreted. Computerized data is just as likely to be incorrect as information that comes from other sources.

The confirmation that is required means that the underlying data elements used in the computer match have been found to be correct. It is not enough to confirm that the specific data on the computer tape used in the matching operation is the same as the data contained in the source computer for the tape. Confirmation means that the data is, in fact, correct. This may be determined by asking the individual involved for confirmation of the information or by checking the data with another data source that obtained the information independently of the first source.

In most instances, the individual will be the best source of confirmation and explanation.
An existing Privacy Act provision already requires that Federal agencies collect information to the greatest extent practicable directly from the subject individual when the information may be used in a way that results in an adverse determination about an individual's rights, benefits, or privileges. See 5 U.S.C. § 552a(e)(2).

Contacting the individual for an explanation of the information in question is important because there may be more than one interpretation of the facts. The 1982 Massachusetts bank match, which is discussed elsewhere in this report, demonstrates why. Some welfare recipients were found to have bank accounts with assets in excess of the legal amounts. But while the basic information was correct, further investigation revealed that in some cases, the money in the account did not belong to the welfare recipient or was being held for a legal purpose.

The independent verification requirement is not intended to erect a complex or rigid barrier to the use of the results of computer matching. It should be interpreted using a rule of reason. If there is a reasonable independent confirmation that the information from a computer match is correct and a reasonable basis for taking action, then an agency may act upon that information.

Due Process.--H.R. 4699 also requires that due process be afforded to individuals before any action can be taken on the results of computer matching. No recipient agency, non-Federal agency, or source agency may suspend, terminate, reduce, or make a final denial of any financial assistance or payment under the Federal benefit program to any individual as a result of information produced by a computer match until 60 days after the individual receives a notice from the agency. The notice must contain a statement of the findings and must inform the individual of the opportunity to contest the findings.
The opportunity may be satisfied by notice, hearing, and appeal rights governing the Federal benefit program. The exercise of any such rights shall not affect any rights available under the Privacy Act of 1974.

These due process procedures are similar in purpose and design to existing requirements for computer matching that is authorized under the Deficit Reduction Act of 1984. As a result, the procedures should not be difficult or expensive for any agency to follow. Most, if not all, affected agencies will already have in place similar procedures. For these agencies, the additional costs of complying with the due process requirements of H.R. 4699 will be minimal.

Notwithstanding the due process procedures required under H.R. 4699, an agency may take any appropriate action that might otherwise be prohibited if the agency determines that the public health or public safety may be adversely affected or significantly threatened during the 60-day notice period. For example, an agency might discover as a result of a computer match that a person not licensed to practice medicine was working as a physician. Under the public health or safety exception, the agency could take immediate action to prevent the unauthorized person from continuing to practice medicine. Due process should still have to be provided, but in such a case it could be provided after rather than before the fact. While it is not anticipated that the public health or safety exception will be used often, it will prevent H.R. 4699 from restricting Government action needed to protect human life or limb.

Report to Congress.--The Director of OMB will file a report with the Congress on matching activity. The report must be filed annually during the first 3 years after the date of enactment and biennially thereafter.
The report will consolidate the information contained in the reports from the Data Integrity Boards. The report must include detailed information about the costs and benefits of matching programs and must identify each waiver granted by a Data Integrity Board of the requirement for completion and submission of a cost-benefit analysis and the reasons for granting the waiver. The OMB report may contain such other information about matching programs and matching activities as the Director determines to be relevant to executive or congressional oversight.

Reports to OMB from the Data Integrity Boards are required to include information about matching activities that are not matching programs under the definition in H.R. 4699. Some of these matching activities are matches conducted for law enforcement purposes. In order to protect any sensitive, ongoing matching activities connected with law enforcement investigations that might be jeopardized by premature publicity, the reports by the Boards and by OMB may present information about such matching activities on an aggregate basis.

Other Privacy Act Amendments.--H.R. 4699 makes several minor amendments to the Privacy Act.

First, the uncodified provisions of section 6 of the Privacy Act of 1974, Public Law 93-579, relating to the responsibilities of the Director of OMB to provide guidelines, assistance, and oversight of the Privacy Act are codified in new subsection (v) of the Privacy Act. This is a technical amendment, and no change in the function of OMB is made or intended by the codification of this authority. Existing OMB Privacy Act guidance remains in effect. A conforming amendment repeals section 6 of the Privacy Act of 1974.

Second, the requirement in subsection (f) of the Privacy Act that the Office of Federal Register annually publish a compilation of Privacy Act rules and system notices is changed to a biennial requirement.
In making this change, the committee notes that the current form of the compilation may not be the most effective means of informing the public about government records about individuals. The committee urges the Office of Federal Register to develop indexes and other tools that will make the publication more useful to a broader community. Alternative publication formats should also be studied by the Office of Federal Register and by OMB.

Third, H.R. 4699 modifies the requirement that the President submit to the Congress an annual report on the administration of the Privacy Act of 1974. The report will be required biennially in the future rather than annually. The current requirement is in subsection (p) of the Act which becomes subsection (s) as redesignated by H.R. 4699.

Fourth, existing subsection (o) of the Privacy Act (subsection (r) as redesignated) requires agencies to file a report on new systems of records with OMB and with the Congress. This requirement is revised in several ways:

(a) Not all changes to existing system notices must be reported. The new language requires reports only for significant changes. The purpose of this amendment is to eliminate the suggestion in the law that reports must be filed to reflect changes that are insignificant and have no effect on the exercise of rights by individuals. Any change in the categories of individuals on whom records are maintained, the categories of records maintained, access procedures, exemptions, or the routine uses for a system will always constitute a significant change that requires a report. Nonsignificant changes include a change in the name or title of the system manager and minor procedural changes that will not affect an individual's exercise of rights granted by the Privacy Act in any way.
The committee is aware that OMB has issued guidance to agencies on when an agency is required to file reports on changes in system notices. The OMB guidance reflects the intent of this change in the reporting requirement. See OMB Circular A-130, 50 Fed. Reg. 52740 (December 29, 1987).

(b) Current law requires that reports be provided to the Congress. The new language requires instead that two copies of the reports be provided directly to the Senate Committee on Governmental Affairs and to the House Committee on Government Operations.

(c) Current law requires that the report proposing new or changed systems include information about the effect of the proposal on "personal or property rights of individuals or the disclosure of information relating to such individuals, and its effect on the preservation of the constitutional principles of federalism and separation of powers." This language is eliminated in the revised subsection. Instead, the reports are simply required to provide information in order to permit an evaluation of the probable or potential effect of the proposal on the privacy or other rights of individuals.

The committee has determined that the information required under the existing provision is only occasionally relevant to the evaluation of a new or changed system of records. The new language gives OMB and the agencies broader discretion to determine what information is necessary to assist in the evaluation of the proposal. The change does not reflect any lessened interest in the content of the system reports, and the committee intends that agencies provide a full and fair evaluation of the consequences of the establishment or alteration of any system of record. This includes, but only where appropriate, information on the effect of any Privacy Act systems on preservation of the constitutional principles of federalism and separation of powers.

Fifth, a new paragraph 12 is added to subsection (e) of the Privacy Act.
The new paragraph requires source and recipient agencies to publish notices of the establishment or revision of matching programs in the Federal Register at least 30 days prior to conducting such programs.

Effective Date.--Most of the provisions of the bill affecting matching activities take effect 9 months after the date of enactment. The minor changes to the Privacy Act made by sections 6, 7, and 8 are effective upon enactment. The Director of OMB is directed to develop guidelines and regulations for the use of agencies in implementing the amendments made by H.R. 4699 not later than 8 months after the date of enactment. This should allow sufficient time for agencies to establish Data Integrity Boards and to bring existing and proposed matching activities into compliance with the new law.

SECTION-BY-SECTION ANALYSIS

SECTION 1--SHORT TITLE

This section provides that the act may be cited as the "Computer Matching and Privacy Protection Act of 1988."

SECTION 2--MATCHING AGREEMENTS

This section adds three new subsections to the Privacy Act of 1974, 5 U.S.C. § 552a. The new subsections are designated as subsection (o), (p), and (q), and existing subsections (o), (p), and (q) are redesignated as subsections (r), (s), and (t).

Subsection (o)--Matching Agreements

Matching Agreements (Paragraph 1).--No record contained in a Privacy Act system of records may be disclosed to a recipient agency or a non-Federal agency for use in a computer matching program except pursuant to a written agreement between the source agency and the recipient agency or non-Federal agency. The matching agreement must specify:

(A) the purpose and legal authority for conducting the program.

(B) the justification for the program and the anticipated results, including a specific estimate of any savings.
(C) a description of the records that will be matched, including each data element that will be used, the approximate number of records that will be matched, and the projected starting and completion dates of the matching program.

(D) procedures for providing individualized notice at the time of application, and periodically thereafter as directed by the agency's Data Integrity Board, to (i) applicants for and recipients of financial assistance or payments under Federal benefit programs, and (ii) applicants for and holders of positions as Federal personnel. The notice must indicate that any information provided by the applicants, recipients, holders, and individuals may be subject to verification through matching programs. Procedures for providing notice must be established subject to guidance from the Director of OMB.

(E) procedures for verifying information produced in such matching program as required by subsection (p) [verification and opportunity to contest findings].

(F) procedures for the timely destruction of identifiable records created by a recipient agency or non-Federal agency.

(G) procedures for ensuring the administrative, technical, and physical security of the records matched and the results of the matching programs.

(H) prohibitions on duplication and redisclosure of records provided by the source agency within or outside the recipient agency or the non-Federal agency, except where duplication or redisclosure is required by law or is essential to the conduct of the matching program.

(I) procedures governing the use by a recipient agency or a non-Federal agency of records provided in a matching program by a source agency. These procedures must include rules governing return of the records to the source agency or the destruction of records used in the matching program.
(J) information on assessments that have been made on the accuracy of the records that will be used in matching programs.
(K) that the Comptroller General may have access to all records of a recipient agency or a non-Federal agency that the Comptroller General deems necessary in order to monitor or verify compliance with the agreement.
Transmittal of Copies and Effective Date (Paragraph 2).-A copy of each matching agreement must be sent to the Senate Committee on Governmental Affairs and the House Committee on Government Operations. Matching agreements must be available upon request to the public.
No matching agreement shall be effective until 30 days after a copy is transmitted to the House and Senate committees. Matching agreements shall remain effective for a period not to exceed 18 months. The Data Integrity Board shall determine an appropriate period for an agreement in light of the purposes and length of time necessary for the conduct of the matching program. The Data Integrity Board may, without additional review, renew a matching agreement for a current, ongoing matching program for up to a year if the program will be conducted without any change and each party to the agreement certifies to the Board in writing that the program has been conducted in compliance with the agreement.
Subsection (p)-Verification and Opportunity to Contest Findings
Verification Requirements (Paragraph 1).-No recipient agency, non-Federal agency, or source agency may suspend, terminate, reduce, or make a final denial of any financial assistance under a federal benefit program to any individual, or take any other adverse action against an individual as a result of information produced by a matching program, until an officer or employee of the agency has independently verified the information.
The independent verification requirement may be satisfied either by verification in accordance with requirements governing the federal benefit program or by verification in accordance with paragraph (2) of this subsection.
Independent Verification (Paragraph 1).-Independent verification shall include independent investigation and confirmation of-
(A) the amount of the asset or income involved;
(B) whether the individual actually has or had access to such asset or income for the individual's own use;
(C) the period or periods when the individual actually had such asset or income; and
(D) any other information used as a basis for an adverse action against an individual.
Notice (Paragraph 3).-No recipient agency, non-Federal agency, or source agency may suspend, terminate, reduce, or make a final denial of any financial assistance or payment under a Federal benefit program to any individual whose records are used in a matching program, or may take other adverse action against the individual as a result of information produced by a matching program, until 60 days after the individual receives notice from the agency. The notice must include a statement of the agency's findings and must inform the individual of the opportunity to contest such findings. The opportunity to contest may be satisfied by notice, hearing, and appeal rights governing the Federal benefit program. The exercise of any such rights shall not affect any rights available under this section.
Health and Safety (Paragraph 4).-Notwithstanding the limitation in paragraph (3), an agency may take any appropriate action otherwise prohibited by such paragraph if the agency determines that the public health or public safety may be adversely affected or significantly threatened during the 60-day notice period otherwise required.
Subsection (q)-Sanctions
Notwithstanding any other provision of law, no source agency may disclose any record which is contained in a system of records to a recipient agency or non-Federal agency for a matching program if the source agency has reason to believe that the verification requirements of subsection (p) or any matching agreement entered into pursuant to subsection (o) are not being met by the recipient agency. No source agency may renew a matching agreement unless (1) the recipient agency or non-Federal agency has certified that it has complied with the provisions of the agreement; and (2) the source agency has no reason to believe that the certification is inaccurate.
SECTION 3-NOTICE OF MATCHING PROGRAMS
Subsection (a) amends subsection (e) of the Privacy Act by adding new paragraph (12). The new paragraph requires source and recipient agencies to publish in the Federal Register notice of the establishment or revision of a matching program at least 30 days prior to conducting the program.
Subsection (b) amends subsection (r) (as redesignated) of the Privacy Act regarding reporting on new or changed systems of records. The new language (1) extends the existing reporting requirement to matching programs; (2) eliminates reporting for minor changes; (3) provides that reports go directly to congressional committees; and (4) eliminates several less important report elements.
SECTION 4-DATA INTEGRITY BOARD
This section adds a new subsection (u) regarding Data Integrity Boards to the Privacy Act.
Establishment (Paragraph 1).-Every agency conducting or participating in a matching program shall establish a Data Integrity Board to oversee and coordinate the agency's implementation of the Privacy Act.
Membership (Paragraph 2).-Each Data Integrity Board shall consist of senior officials designated by the head of the agency and shall include any senior official designated by the head of the agency as responsible for implementation of the Privacy Act. The inspector general of the agency, if any, shall be a member of the Board, but the inspector general shall not serve as chairman of the Board.
Functions (Paragraph 3).-Each Data Integrity Board-
(A) shall review, approve, and maintain all written agreements for receipt or disclosure of agency records for matching programs to ensure compliance with the Privacy Act and all relevant statutes, regulations, and guidelines.
(B) shall review all matching programs in which the agency has participated during the year, either as a source agency or recipient agency; determine compliance with applicable laws, regulations, guidelines, and agency agreements; and assess the costs and benefits of such programs.
(C) shall review all recurring matching programs in which the agency has participated during the year, either as a source agency or recipient agency, for continued justification for such disclosures.
(D) shall compile an annual report, which shall be submitted to the head of the agency and the Office of Management and Budget and made available to the public on request, describing the matching activities of the agency, including: (i) matching programs in which the agency participated as a source or recipient agency; (ii) matching agreements that were disapproved; (iii) any changes in the membership or structure of the Board in the preceding year; (iv) the reasons for any waiver of the requirement for completion and submission of a cost-benefit analysis prior to the approval of a matching program; (v) any violations of matching agreements that have been alleged or identified and any corrective action taken; and (vi) any other information required by the Director of OMB to be included.
(E) shall serve as a clearinghouse for receiving and providing information on the accuracy, completeness, and reliability of records used in matching programs;
(F) shall provide interpretation and guidance to agency components and personnel on the requirements of the Privacy Act for matching programs;
(G) shall review agency recordkeeping and disposal policies and practices for matching programs to assure compliance with the Privacy Act.
(H) may review and report on any agency matching activities that are not matching programs.
Cost-Benefit Analysis (Paragraph 4).-A Data Integrity Board shall not approve any written agreement for a matching program unless the agency has completed and submitted a cost-benefit analysis of the proposed program and the analysis demonstrates that the program is likely to be cost effective. The Board may waive the requirements of this paragraph if it determines, in writing and in accordance with guidelines prescribed by the Director of OMB, that a cost-benefit analysis is not required.
Appeals (Paragraph 5).-If a matching agreement is disapproved by a Data Integrity Board, any party to the agreement may appeal the disapproval to the Director of OMB. Notice of the appeal must be provided to the House Committee on Government Operations and to the Senate Committee on Governmental Affairs. The Director of OMB may approve a matching agreement notwithstanding the disapproval of a Data Integrity Board if the Director determines that (i) the matching program will be consistent with all applicable legal, regulatory, and policy requirements; (ii) there is adequate evidence that the matching agreement will be cost effective; and (iii) the matching program is in the public interest.
The decision of the OMB Director to approve a matching agreement shall not take effect until 30 days after it is reported to the House Committee on Government Operations and the Senate Committee on Governmental Affairs. If the Data Integrity Board and the Director of the Office of Management and Budget disapprove a matching program proposed by an inspector general of an agency, the inspector general may report the disapproval to the head of the agency and to the Congress.
OMB Report (Paragraph 6).-The Director of OMB shall consolidate in a report to Congress the information contained in the reports from the Data Integrity Boards. The OMB report shall be made annually during the first 3 years after the date of enactment of the Computer Matching and Privacy Protection Act of 1988, and biennially thereafter. The OMB report shall include detailed information about costs and benefits of matching programs and shall identify each waiver granted by a Data Integrity Board of the requirement for completion and submission of a cost-benefit analysis as well as the reasons for granting the waiver.
Aggregate Reporting (Paragraph 7).-Agency matching activities that are not matching programs may be reported on an aggregate basis if necessary to protect ongoing law enforcement investigations.
SECTION 5-DEFINITIONS
This section adds new definitions to the Privacy Act.
"Matching program" means any computerized comparison of (i) two or more automated systems of records or a system of records with non-Federal records for the purpose of (I) establishing or veri- fying the eligibility of, or continuing compliance with statutory and regulatory requirements by, applicants for, recipients or benefici- aries of, participants in, or providers of services with respect to, cash or in-kind assistance or payments under Federal benefit pro- grams, or (II) recouping payments or delinquent debts under Feder- al benefit programs, or (ii) two or more automated Federal person- Declassified and Approved For Release 2013/01/17: CIA-RDP91B00390R000200200009-7 I Declassified and Approved For Release 2013/01/17: CIA-RDP91B00390R000200200009-7 43 nel or payroll systems of records or a system of Federal personnel or payroll records with non-Federal records. A matching program does not include: (i) matches performed to produce aggregate statistical data without any personal identifiers; (ii) matches performed to support any research or statistical project, the specific data of which may not be used to make deci- sions concerning the rights, benefits, or privileges of specific indi- viduals; (iii) matches performed, by an agency or component which performs as its principal function any activity pertaining to the en- forcement of criminal laws, subsequent to the initiation of a specif- ic criminal or civil law enforcement investigation of a named person or persons for the purpose of gathering evidence against such person or persons; (iv) matches of tax information (I) pursuant to section 6103(d) of the Internal Revenue Code of 1986 (pertaining to disclosures to State and local officials); (II) for purposes of tax administration as defined in section 6103(b)(4), or (III) for the pur- pose of intercepting a tax refund due an individual under authority granted by the Deficit Reduction Act of 1984; (v) matches whose purpose is not to take any adverse financial, 
personnel, disciplinary, or other adverse action against Federal personnel, (I) using records predominantly relating to Federal personnel, that are performed for routine administrative purposes (subject to guidance provided by the Director of OMB); or (II) conducted by an agency using only records from systems of records maintained by that agency; or (vi) matches performed to produce background checks for security clearance of Federal personnel or for foreign counterintelligence purposes.
The term "recipient agency" means any agency, or contractor thereof, receiving records contained in a system of records from a source agency for use in a matching program.
The term "non-Federal agency" means any State or local government, or agency thereof, which receives records contained in a system of records from a source agency for use in a matching program.
The term "source agency" means any agency which discloses records contained in a system of records to be used in a matching program, or any State or local government, or agency thereof, which discloses records to be used in a matching program.
The term "Federal benefit program" means any program administered or funded by the Federal Government or any agent thereof, providing cash or in-kind assistance in the form of payments, grants, loans, or loan guarantees to individuals.
The term "Federal personnel" means officers and employees of the Government of the United States, members of the uniformed services (including members of the Reserve components), individuals entitled to receive immediate or deferred retirement benefits under any retirement program of the Government of the United States (including survivor benefits).
SECTION 6-FUNCTIONS OF THE DIRECTOR OF OMB
This section adds a new subsection (v) to the Privacy Act to consolidate and codify the functions of the Director of OMB under the Privacy Act.
Subsection (v) requires the Director of OMB to (1) develop and (after notice and opportunity for public comment) prescribe guidelines and regulations for the use of agencies in implementing the provisions of the Privacy Act; and (2) provide continuing assistance to and oversight of the implementation of the Privacy Act by agencies.
Section 6 of the Privacy Act of 1974, which is codified in subsection (v), is repealed.
SECTION 7-COMPILATION OF RULES AND NOTICES
The requirement for publication of a compilation of Privacy Act system notices is changed from annual to biennial publication.
SECTION 8-ANNUAL REPORT
The current requirement in the Privacy Act for a report by OMB is changed from annual to biennial.
SECTION 9-RULES OF CONSTRUCTION
This section provides that nothing in the amendments made by the Computer Matching and Privacy Protection Act of 1988 shall be construed to authorize: (1) the establishment or maintenance by any agency of a national data bank that combines, merges, or links information on individuals maintained in systems of records by other Federal agencies; (2) the direct linking of computerized systems of records maintained by Federal agencies; (3) the computer matching of records not otherwise authorized by law; or (4) the disclosure of records for computer matching except to a Federal, State, or local agency.
SECTION 10-EFFECTIVE DATES
The amendments made by this act shall take effect 9 months after the date of enactment, except that the amendments made by sections 6, 7, and 8 shall take effect upon enactment.
ESTIMATE OF THE CONGRESSIONAL BUDGET OFFICE
The following estimate prepared by the Congressional Budget Office is submitted as required by clause (2)(l)(3)(C) of House Rule XI.
U.S. CONGRESS, CONGRESSIONAL BUDGET OFFICE, Washington, DC, July 6, 1988.
Hon.
JACK BROOKS, Chairman, Committee on Government Operations, House of Representatives, Washington, DC.
DEAR MR. CHAIRMAN: The Congressional Budget Office has reviewed H.R. 4699, the Computer Matching and Privacy Protection Act of 1988, as ordered reported by the House Committee on Government Operations, June 9, 1988.
Based on information provided by the Department of Health and Human Services (HHS), the Department of Defense and a number of other agencies, CBO estimates that enacting this bill would result in costs to the federal government of up to $2 million during the first year after enactment, and less than $1 million annually thereafter. A greater budget impact would occur if matching programs operated by the Office of Child Support Enforcement (OCSE) and the Federal Parent Locator Service (FPLS) are affected by the bill, in which case the federal government and state governments could lose substantial collections.
H.R. 4699 would establish procedures to regulate the use of computer matching by federal agencies or by nonfederal agencies with federal records. These procedures would include preparing matching agreements with agencies when sharing data, providing the right to appeal to individuals affected by information obtained in a match, and establishing data integrity boards to oversee matching activities.
Most of the costs associated with the bill would result from preparing matching agreements required by section 2 of the bill. Although agencies currently have agreements covering some matching activities, H.R. 4699 would require more extensive agreements, and would require them for all matches.
The agreements would specify the purpose and legal authority of the match, the methodology to be used, and expected results; they would also include notification and verification procedures for individuals affected by a match.
The magnitude of the first-year costs is difficult to predict. If existing matching agreements would satisfy the requirements of the bill, then there would be little additional cost to the government. However, if the existing agreements would need substantial additional work, CBO estimates that costs would be around $1 million during the first year after enactment. Costs in future years would be much lower, because the agreements would probably need only minor updating.
Another potential cost associated with enacting H.R. 4699 would be establishing data integrity boards required by Section 4. These boards would oversee an agency's matching activities, and would review the matching agreements required by Section 2. Many agencies already have some type of formal or informal group similar to a data integrity board. Nevertheless, because many agencies would probably devote more time to these activities, there would be some additional cost to the government, probably less than $1 million annually.
Section 4 would also require agencies to prepare cost/benefit analyses for all proposed matches, which would be reviewed by the data integrity boards. Preparing these analyses would probably result in some additional costs, but they would also discourage agencies from attempting some matches that would not be cost effective. CBO expects that these two effects would probably offset each other and, therefore, would result in no significant costs or savings to the government.
CBO does not expect other sections of H.R. 4699 to have a significant effect on the federal budget.
These sections would, among other things, require federal agencies to publish in the Federal Register notice of matching programs with nonfederal entities and require that an Office of Management and Budget report on computer matching be submitted biennially instead of annually.
The enactment of H.R. 4699 would also result in additional costs both to the federal government and to state governments if the FPLS and the Federal Income Tax Refund Offset Program of the OCSE would receive fewer collections through their enforcement activities. These programs use computer matching to locate or establish the identity of non-custodial parents who are failing to make child support payments. In fiscal year 1987, the federal share of these collections was $400 million and the state government share was $202 million. Although the committee staff has indicated that the bill is not intended to cover these programs, information provided by HHS indicates that these programs might be subject to H.R. 4699 because of their involvement with Aid to Families with Dependent Children and tax refunds. The issue may be resolved in the courts.
The reduction in collections could occur in two ways. First, the verification and appeal procedures mandated by H.R. 4699 could result in less computer matching, and therefore fewer collections, because some agencies could elect not to let OCSE use their records for matching rather than institute the new procedures. Second, notifying parents found through FPLS of court actions to be taken against them may give such parents an opportunity to evade legal proceedings, and to continue to avoid making child support payments. Either of these outcomes would result in fewer collections, but we cannot predict the likelihood of either or the amount by which the collections might decrease.
Estimated Cost to State and Local Governments. CBO expects that enacting H.R. 4699 would require state and local agencies involved in computer matching with federal agencies to adopt some new procedures to comply with the verification and notification requirements of the bill, and to expand matching agreements with federal agencies. Based on information provided by the American Public Welfare Association and the National Association of State Information Systems, CBO estimates that the costs associated with these activities would not be significant.
Previous CBO Estimate. On September 17, 1987, CBO prepared an estimate for S. 496, the Computer Matching and Privacy Protection Act of 1987, as passed by the Senate on May 21, 1987. In that earlier analysis, CBO estimated that enacting S. 496 would result in recurring costs to the federal government of $2 million to $3 million annually, and in non-recurring costs of $2 million during the first year after enactment. The difference between this estimate and the earlier one reflects new information provided by several agencies and a reexamination of our earlier findings.
If you wish further details on this estimate, we will be pleased to provide them.
Sincerely, JAMES L. BLUM, Acting Director.
COMMITTEE ESTIMATE OF COST
The committee accepts the cost estimate of the Congressional Budget Office.
INFLATIONARY IMPACT
In accordance with clause (2)(l)(4) of House Rule XI, it is the opinion of the committee that the provisions of this bill will have no inflationary impact on prices and costs in the operations of the national economy.
OVERSIGHT FINDINGS
The committee has made no detailed findings or recommendations other than those contained elsewhere in this report.
NEW BUDGET AUTHORITY AND TAX EXPENDITURES
No new budget authority or tax expenditures are required by this legislation.
CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
In compliance with clause 3 of rule XIII of the Rules of the House of Representatives, changes in existing law made by the bill, as reported, are shown as follows (existing law proposed to be omitted is enclosed in black brackets, new matter is printed in italic, existing law in which no change is proposed is shown in roman):
TITLE 5, UNITED STATES CODE
PART I-THE AGENCIES GENERALLY
CHAPTER 5-ADMINISTRATIVE PROCEDURE
SUBCHAPTER II-ADMINISTRATIVE PROCEDURE
§ 552a. Records maintained on individuals
(a) DEFINITIONS.-For purposes of this section-
(1) * * *
(6) the term "statistical record" means a record in a system of records maintained for statistical research or reporting purposes only and not used in whole or in part in making any determination about an identifiable individual, except as provided by section 8 of title 13; [and]
(7) the term "routine use" means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected [.];
(8) the term "matching program"-
(A) means any computerized comparison of-
(i) two or more automated systems of records or a system of records with non-Federal records for the purpose of-
(I) establishing or verifying the eligibility of, or continuing compliance with statutory and regulatory requirements by, applicants for, recipients or beneficiaries of, participants in, or providers of services with respect to, cash or in-kind assistance or payments under Federal benefit programs, or
(II) recouping payments or delinquent debts under such Federal benefit programs, or
(ii) two or more automated Federal personnel or payroll systems of records or a system of Federal personnel or payroll records with non-Federal records,
(B) but does not include-
(i) matches performed to produce aggregate statistical data without any personal identifiers;
(ii) matches performed to support any research or statistical project, the specific data of which may not be used to make decisions concerning the rights, benefits or privileges of specific individuals;
(iii) matches performed, by an agency (or component thereof) which performs as its principal function any activity pertaining to the enforcement of criminal laws, subsequent to the initiation of a specific criminal or civil law enforcement investigation of a named person or persons for the purpose of gathering evidence against such person or persons;
(iv) matches of tax information (I) pursuant to section 6103(d) of the Internal Revenue Code of 1986, (II) for purposes of tax administration as defined in section 6103(b)(4) of such Code, or (III) for the purpose of intercepting a tax refund due an individual under authority granted by the Deficit Reduction Act of 1984;
(v) matches-
(I) using records predominantly relating to Federal personnel, that are performed for routine administrative purposes (subject to guidance provided by the Director of the Office of Management and Budget pursuant to subsection (v)); or
(II) conducted by an agency using only records from systems of records maintained by that agency;
if the purpose of the match is not to take any adverse financial, personnel, disciplinary, or other adverse action against Federal personnel; or
(vi) matches performed to produce background checks for security clearances of Federal personnel or for foreign counterintelligence purposes;
(9) the term "recipient agency" means any agency, or contractor thereof, receiving records contained in a system of records from a source agency for use in a matching program;
(10) the term "non-Federal agency" means any State or local government, or agency thereof, which receives records contained in a system of records from a source agency for use in a matching program;
(11) the term "source agency" means any agency which discloses records contained in a system of records to be used in a matching program, or any State or local government, or agency thereof, which discloses records to be used in a matching program;
(12) the term "Federal benefit program" means any program administered or funded by the Federal Government, or any agent thereof, providing cash or in-kind assistance in the form of payments, grants, loans, or loan guarantees to individuals; and
(13) the term "Federal personnel" means officers and employees of the Government of the United States, members of the uniformed services (including members of the Reserve Components), individuals entitled to receive immediate or deferred retirement benefits under any retirement program of the Government of the United States
(including survivor benefits).
(f) AGENCY RULES.-In order to carry out the provisions of this section, each agency that maintains a system of records shall promulgate rules, in accordance with the requirements (including general notice) of section 553 of this title, which shall-
(1) establish procedures whereby an individual can be notified in response to his request if any system of records named by the individual contains a record pertaining to him;
(2) define reasonable times, places, and requirements for identifying an individual who requests his record or information pertaining to him before the agency shall make the record or information available to the individual;
(3) establish procedures for the disclosure to an individual upon his request of his record or information pertaining to him, including special procedure, if deemed necessary, for the disclosure to an individual of medical records, including psychological records pertaining to him;
(4) establish procedures for reviewing a request from an individual concerning the amendment of any record or information pertaining to the individual, for making a determination on the request, for an appeal within the agency of an initial adverse agency determination, and for whatever additional means may be necessary for each individual to be able to exercise fully his rights under this section; and
(5) establish fees to be charged, if any, to any individual for making copies of his record, excluding the cost of any search for and review of the record.
The Office of the Federal Register shall [annually] biennially compile and publish the rules promulgated under this subsection and agency notices published under subsection (e)(4) of this section in a form available to the public at low cost.
(o) MATCHING AGREEMENTS.-(1) No record which is contained in a system of records may be disclosed to a recipient agency or non-Federal agency for use in a computer matching program except pursuant to a written agreement between the source agency and the recipient agency or non-Federal agency specifying-
(A) the purpose and legal authority for conducting the program;
(B) the justification for the program and the anticipated results, including a specific estimate of any savings;
(C) a description of the records that will be matched, including each data element that will be used, the approximate number of records that will be matched, and the projected starting and completion dates of the matching program;
(D) procedures for providing individualized notice at the time of application, and periodically thereafter as directed by the Data Integrity Board of such agency (subject to guidance provided by the Director of the Office of Management and Budget pursuant to subsection (v)), to-
        (i) applicants for and recipients of financial assistance or payments under Federal benefit programs, and
        (ii) applicants for and holders of positions as Federal personnel,
    that any information provided by such applicants, recipients, holders, and individuals may be subject to verification through matching programs;
    (E) procedures for verifying information produced in such matching program as required by subsection (p);
    (F) procedures for the timely destruction of identifiable records created by a recipient agency or non-Federal agency in such matching program;
    (G) procedures for ensuring the administrative, technical, and physical security of the records matched and the results of such programs;
    (H) prohibitions on duplication and redisclosure of records provided by the source agency within or outside the recipient agency or the non-Federal agency, except where required by law or essential to the conduct of the matching program;
    (I) procedures governing the use by a recipient agency or non-Federal agency of records provided in a matching program by a source agency, including procedures governing return of the records to the source agency or destruction of records used in such program;
    (J) information on assessments that have been made on the accuracy of the records that will be used in such matching program; and
    (K) that the Comptroller General may have access to all records of a recipient agency or a non-Federal agency that the Comptroller General deems necessary in order to monitor or verify compliance with the agreement.
(2)(A) A copy of each agreement entered into pursuant to paragraph (1) shall--
    (i) be transmitted to the Committee on Governmental Affairs of the Senate and the Committee on Government Operations of the House of Representatives; and
    (ii) be available upon request to the public.
(B) No such agreement shall be effective until 30 days after the date on which such a copy is transmitted pursuant to subparagraph (A)(i).
(C) Such an agreement shall remain in effect only for such period, not to exceed 18 months, as the Data Integrity Board of the agency determines is appropriate in light of the purposes, and length of time necessary for the conduct, of the matching program.
(D) Within 3 months prior to the expiration of such an agreement pursuant to subparagraph (C), the Data Integrity Board of the agency may, without additional review, renew the matching agreement for a current, ongoing matching program for not more than one additional year if--
    (i) such program will be conducted without any change; and
    (ii) each party to the agreement certifies to the Board in writing that the program has been conducted in compliance with the agreement.

(p) VERIFICATION AND OPPORTUNITY TO CONTEST FINDINGS.--(1) In order to protect any individual whose records are used in matching programs, no recipient agency, non-Federal agency, or source agency may suspend, terminate, reduce, or make a final denial of any financial assistance under a Federal benefit program to such individual, or take other adverse action against such individual as a result of information produced by such matching programs, until an officer or employee of such agency has independently verified such information. Such independent verification may be satisfied either (A) by verification in accordance with the requirements governing such Federal benefit program, or (B) by verification in accordance with the requirements of paragraph (2).
(2) Independent verification required by paragraph (1)(B) shall include independent investigation and confirmation of--
    (A) the amount of the asset or income involved,
    (B) whether such individual actually has or had access to such asset or income for such individual's own use,
    (C) the period or periods when the individual actually had such asset or income, and
    (D) any other information used as a basis for an adverse action against an individual.
(3) No recipient agency, non-Federal agency, or source agency may suspend, terminate, reduce, or make final denial of any financial assistance or payment under a Federal benefit program to any individual described in paragraph (1), or take other adverse action against such individual as a result of information produced by a matching program, until 60 days after such individual receives a notice from such agency containing a statement of its findings and informing the individuals of the opportunity to contest such findings. Such opportunity may be satisfied by notice, hearing, and appeal rights governing such Federal benefit program. The exercise of any such rights shall not affect any rights available under this section.
(4) Notwithstanding paragraph (3), an agency may take any appropriate action otherwise prohibited by such paragraph if the agency determines that the public health or public safety may be adversely affected or significantly threatened during the 60-day notice period required by such paragraph.

(q) SANCTIONS.--(1) Notwithstanding any other provision of law, no source agency may disclose any record which is contained in a system of records to a recipient agency or non-Federal agency for a matching program if such source agency has reason to believe that the requirements of subsection (p), or any matching agreement entered into pursuant to subsection (o), or both, are not being met by such recipient agency.
(2) No source agency may renew a matching agreement unless--
    (A) the recipient agency or non-Federal agency has certified that it has complied with the provisions of that agreement; and
    (B) the source agency has no reason to believe that the certification is inaccurate.

[(o) REPORT ON NEW SYSTEMS.--Each agency shall provide adequate advance notice to Congress and the Office of Management and Budget of any proposal to establish or alter any system of records in order to permit an evaluation of the probable or potential effect of such proposal on the privacy and other personal or property rights of individuals or the disclosure of information relating to such individuals, and its effect on the preservation of the constitutional principles of federalism and separation of powers.]

(r) REPORT ON NEW SYSTEMS AND MATCHING PROGRAMS.--Each agency that proposes to establish or make a significant change in a system of records or a matching program shall provide adequate advance notice of any such proposal (in duplicate) to the Committee on Government Operations of the House of Representatives, the Committee on Governmental Affairs of the Senate, and the Office of Management and Budget in order to permit an evaluation of the probable or potential effect of such proposal on the privacy or other rights of individuals.

[(p) ANNUAL] (s) BIENNIAL REPORT.--The President shall [annually] biennially submit to the Speaker of the House of Representatives and the President pro tempore of the Senate a report--
    (1) describing the actions of the Director of the Office of Management and Budget pursuant to section 6 of the Privacy Act of 1974 during the preceding [year] 2 years;
    (2) describing the exercise of individual rights of access and amendment under this section during such [year;] years;
    (3) identifying changes in or additions to systems of records;
    (4) containing such other information concerning administration of this section as may be necessary or useful to the Congress in reviewing the effectiveness of this section in carrying out the purposes of the Privacy Act of 1974.

[(q)] (t)(1) EFFECT OF OTHER LAWS.--No agency shall rely on any exemption contained in section 552 of this title to withhold from an individual any record which is otherwise accessible to such individual under the provisions of this section.
(2) No agency shall rely on any exemption in this section to withhold from an individual any record which is otherwise accessible to such individual under the provisions of section 552 of this title.

(u) DATA INTEGRITY BOARDS.--(1) Every agency conducting or participating in a matching program shall establish a Data Integrity Board to oversee and coordinate among the various components of such agency the agency's implementation of this section.
(2) Each Data Integrity Board shall consist of senior officials designated by the head of the agency, and shall include any senior official designated by the head of the agency as responsible for implementation of this section, and the inspector general of the agency, if any. The inspector general shall not serve as chairman of the Data Integrity Board.
(3) Each Data Integrity Board--
    (A) shall review, approve, and maintain all written agreements for receipt or disclosure of agency records for matching programs to ensure compliance with subsection (o), and all relevant statutes, regulations, and guidelines;
    (B) shall review all matching programs in which the agency has participated during the year, either as a source agency or recipient agency, determine compliance with applicable laws, regulations, guidelines, and agency agreements, and assess the costs and benefits of such programs;
    (C) shall review all recurring matching programs in which the agency has participated during the year, either as a source agency or recipient agency, for continued justification for such disclosures;
    (D) shall compile an annual report, which shall be submitted to the head of the agency and the Office of Management and Budget and made available to the public on request, describing the matching activities of the agency, including--
        (i) matching programs in which the agency has participated as a source agency or recipient agency;
        (ii) matching agreements proposed under subsection (o) that were disapproved by the Board;
        (iii) any changes in membership or structure of the Board in the preceding year;
        (iv) the reasons for any waiver of the requirement in paragraph (4) of this section for completion and submission of a cost-benefit analysis prior to the approval of a matching program;
        (v) any violations of matching agreements that have been alleged or identified and any corrective action taken; and
        (vi) any other information required by the Director of the Office of Management and Budget to be included in such report;
    (E) shall serve as a clearinghouse for receiving and providing information on the accuracy, completeness, and reliability of records used in matching programs;
    (F) shall provide interpretation and guidance to agency components and personnel on the requirements of this section for matching programs;
    (G) shall review agency recordkeeping and disposal
policies and practices for matching programs to assure compliance with this section; and
    (H) may review and report on any agency matching activities that are not matching programs.
(4) A Data Integrity Board shall not approve any written agreement for a matching program unless the agency has completed and submitted a cost-benefit analysis of the proposed program and such analysis demonstrates that the program is likely to be cost effective. The Board may waive the requirements of this paragraph if it determines in writing, in accordance with guidelines prescribed by the Director of the Office of Management and Budget, that a cost-benefit analysis is not required.
(5)(A) If a matching agreement is disapproved by a Data Integrity Board, any party to such agreement may appeal the disapproval to the Director of the Office of Management and Budget. Notice of the appeal must be provided to the Committee on Governmental Affairs of the Senate and the Committee on Government Operations of the House of Representatives.
(B) The Director of the Office of Management and Budget may approve a matching agreement notwithstanding the disapproval of a Data Integrity Board if the Director determines that--
    (i) the matching program will be consistent with all applicable legal, regulatory, and policy requirements;
    (ii) there is adequate evidence that the matching agreement will be cost-effective; and
    (iii) the matching program is in the public interest.
(C) The decision of the Director to approve a matching agreement shall not take effect until 30 days after it is reported to committees described in subparagraph (A).
(D) If the Data Integrity Board and the Director of the Office of Management and Budget disapprove a matching program proposed by the inspector general of an agency, the inspector general may report the disapproval to the head of the agency and to the Congress.
(6) The Director of the Office of Management and Budget shall, annually during the first 3 years after the date of enactment of this subsection and biennially thereafter, consolidate in a report to the Congress the information contained in the reports from the various Data Integrity Boards under paragraph (3)(D). Such report shall include detailed information about costs and benefits of matching programs that are conducted during the period covered by such consolidated report, and shall identify each waiver granted by a Data Integrity Board of the requirement for completion and submission of a cost-benefit analysis and the reasons for granting the waiver.
(7) In the reports required by paragraphs (3)(D) and (6), agency matching activities that are not matching programs may be reported on an aggregate basis, if and to the extent necessary to protect ongoing law enforcement investigations.

(v) OFFICE OF MANAGEMENT AND BUDGET RESPONSIBILITIES.--The Director of the Office of Management and Budget shall--
    (1) develop and, after notice and opportunity for public comment, prescribe guidelines and regulations for the use of agencies in implementing the provisions of this section; and
    (2) provide continuing assistance to and oversight of the implementation of this section by agencies.

SECTION 6 OF THE PRIVACY ACT OF 1974

[SEC. 6. The Office of Management and Budget shall--
    [(1) develop guidelines and regulations for the use of agencies in implementing the provisions of section 552a of title 5, United States Code, as added by section 3 of this Act; and
    [(2) provide continuing assistance to and oversight of the implementation of the provisions of such section by agencies.]