Privacy

Computer Matching Agreements (CMA)

Purpose

Public Law (P.L.) 100-503, the Computer Matching and Privacy Protection Act of 1988, hereinafter referred to as the Computer Matching Act (CMA), amends the Privacy Act of 1974 to establish procedural safeguards affecting agencies' use of Privacy Act records in performing certain types of computerized matching programs.  The Act requires agencies to conclude written agreements specifying the terms under which matches are to be done.  It also provides due process rights for record subjects to prevent agencies from taking adverse actions unless they have independently verified the results of a match and given the subject 30 days advance notice.  Oversight is accomplished in a variety of ways, by having agencies:

  1. publish matching agreements,
  2. report matching programs to the Office of Management and Budget (OMB) and Congress, and
  3. establish internal boards to approve their matching activity.

Background

One of the forces driving the Privacy Act of 1974 into existence was Congressional concern about the government's use of computers in which to keep records about individuals.  The Act's preamble points out the possibility of automated record keeping greatly magnifying the potential harm to record subjects.  Due to the steady automation of government programs, automated records play a significant and pervasive role in Federal record keeping.  The CMA is the first amendment to the Privacy Act to attempt to deal with the issue of automated records and their use.  

Scope

  1. The Computer Matching Act:
    1. applies primarily to all Federal agencies subject to the Privacy Act of 1974
    2. brings non-Federal agencies within the ambit of the Privacy Act when they are engaging in certain types of matching activities in conjunction with a Federal agency that is subject to the Privacy Act and a Federal system of records is involved in the match
  2. The computer matching provisions of the Privacy Act apply to a broad range of Federal agency computer matching activities when the objective is to affect an individual's rights, benefits and/or privileges.
  3. The Act is not intended to prevent the match of any computerized data for which there exists legal authority and which is deemed the most appropriate method of achieving a desired objective.  The administrative controls established are intended to ensure privacy, integrity and verification of data disclosed for computer matching.

    Note:  The CMA does not extend Privacy Act coverage to those not originally included.

Definitions

  1. Matching Agreement - written agreement between the source agency and the recipient agency (or non-Federal agency) specifying the terms of the matching program. There are three categories of matching agreement: new, extension and renewal.
    1. New Agreement - A new agreement is used the first time a matching agreement is developed for a matching program. The matching program itself may have been in existence prior to P.L. 100–503. The agreement may exist for up to 18 months and may be extended 12 additional months. A new agreement must be reviewed by the Data Integrity Board (DIB) and requires development of a cost/benefit analysis.
    2. Extension Agreement - An extension agreement allows the continuation of an existing agreement (new or renewal) for an additional 12 months, without additional review by the DIB, provided certain conditions are met. The participating agencies must certify to the Chairperson of the DIB that the matching program will be continued in full compliance with the existing agreement and requested within the last 90 days of the existing agreement. Notices and reports are not required.
    3. Renewal Agreement - When the initial matching agreement (including any extension) has expired, a renewal agreement permits the matching program to continue and may exist for up to 18 months. This agreement must be approved by the DIB within the last 90 days of the existing agreement. Requires the same review, reports and notices as a new agreement.
  2. The CMA requires that a cost/benefit analysis be a part of an agency decision to conduct or participate in a matching program. It must be included in matching agreements as justification of the proposed matching program and include a "specific estimate of any savings. " The analysis is also used by the DIB in review process.
  3. The Data Integrity Board (DIB) is located at the departmental level. It consists of senior agency officials and is responsible for review and approval (or disapproval) of matching agreements and proposed matching programs.
  4. A matching program is the computerized comparison of two or more automated systems of records, or of a system of records with non-Federal records. The records must exist in automated form or be converted to automated form to perform the match.
  5. A non-Federal agency is a State or local governmental agency that receives records contained in a system of records from a Federal agency.
  6. The recipient agency is the Federal agency (or its contractor) that receives records from a Privacy Act system of records of another Federal agency or from State and/or local government to be used in a matching program.
  7. The source agency is the Federal agency that discloses records from a system of records to another Federal agency or to a State or local governmental agency to be used in a matching program. It can also be a non Federal agency that discloses records to a Federal agency to be used in a matching program.

Categories of Subjects Covered by CMA

  1. Applicants for Federal benefit programs (individuals initially applying for benefits).

    Note: The Congress intends that Federal employees be treated as beneficiaries of a Federal benefit program because of their employment by the Government.

  2. Federal program beneficiaries (individuals who are actually receiving benefits).
  3. Providers of services to assistance programs (those who are not the primary beneficiaries of Federal benefits programs, but may derive income from them, e.g., health care providers).
  4. Federal employees in danger of adverse and/or disciplinary action.

Requirements for Covered Computer Matching Programs

  1. Prior to the implementation of a covered matching program, the office planning to initiate the matching program must:
    • Develop, execute and obtain approval of a written agreement, prepared in conformance with 5 USC 552a(o), with the other agency or the other IRS function
    • Provide notice of the matching program to record subjects
    • Prepare a report to Congress on the new matching program
    • Prepare any Federal Register notice and report required (unless prepared by the recipient agency)

    Caution: No system of records may be included in a matching program unless the matching activity is provided for in the system's routine uses. The system notice may have to be revised to enable the matching activity.

Matching Program Notice

  1. Agencies participating in matching programs that are subject to CMA must publish a notice in the Federal Register describing new or altered matching programs at least 30 days prior the implementation of the matching program.

    Note: Agencies wishing to renew a matching program must also publish a notice.

  2. The recipient Federal agency (or the source Federal agency in a match conducted with a non-Federal agency) is responsible for publishing the notice describing the matching program and citing the systems of records involved.
  3. Matching program participants need only publish a notice when there is a change that significantly alters the terms of the agreement covering the matching program. Examples of significant changes are cited in OMB Circular A-130, Appendix I, November 28, 2000.
  4. Publication of the new or altered matching program notice must occur at least 30 days prior to the initiation of any matching activity carried out under such program.
  5. Publication for renewals of programs, must occur at least 30 days prior to the expiration of the existing matching agreement.

    Note: A report to OMB and Congress is also required at least 40 days prior to the initiation of a new or altered matching program.

  6. Generally, the recipient Federal agency (or the Federal source agency) is responsible for publishing in the Federal Register. However, in matching programs involving only Federal agencies, the agencies may assign responsibility. In the case of matching programs conducted with a non-Federal agency, the Federal agency is responsible for publishing.

    Note: The matching program notice may be published in the Federal Register at the same time the matching program report is forwarded to OMB and Congress. The period for OMB and congressional review and the notice and comment period will then run concurrently.

Notice to Record Subjects

  1. Federal agencies undertaking a matching program covered by CMA must notify record subjects that their records may be matched prior to the actual conduct of the matching program.
  2. The recipient agency (or Federal agency when the matching program is conducted with a non-Federal agency) shall publish constructive notice in the Federal Register informing record subjects of the proposed matching program.
  3. The notice shall be prepared in accordance with 5 USC 552a(e).

    Note: This notice must be published at least 30 days prior to implementation of the matching program.

  4. The agencies participating in a matching program must ensure that a direct notice of the match is provided to each individual in the match population. This may be accomplished by a statement on an application form or by separate document and will ordinarily be done by the agency that will act on the results of the match. In most instances, amending the Privacy Act statement on an application form will meet CMA requirements.

    Note: The notice must be provided prior to the implementation of the matching program and periodically thereafter.

  5. For matching programs designed to detect fraud and/or illegal acts of agency employees, the participating agencies shall ensure that direct notice is provided to each record subject. While the agency's Standards of Conduct universally prohibit fraud or inappropriate actions on the part of its employees, a specific notice to each record subject regarding the matching program shall be provided prior to the implementation of the matching program and, at the least, an annual notice during the period the matching program is authorized.

Related Links