U.S. Department of Agriculture

Washington, D.C. 20250

 

 DEPARTMENTAL REGULATION

 Number:

3450-001

 SUBJECT: Computer Matching Projects Involving Individual Privacy Data

 DATE:

April 17, 1984

 OPI:

Office of Information Resource Management

 

 1 PURPOSE

This regulation establishes policy and procedures related to conducting computerized matching projects. Appendix A contains the OMB memorandum (M-84-6) dated December 29, 1983, which explains the requirement and procedures for completion of the Computer Match Checklist.

Appendix B contains the OMB memorandum (M-82-5) dated May 11, 1982, which transmits the revised guidelines on conducting computerized matching projects.

Appendix C contains guidance based on OMB's Model Control System for Computer Matching Projects.

 

2 POLICY

When conducting computerized matching projects, agencies and staff offices will assure that requirements of the Privacy Act of 1974 are met and implementing instructions from the Office of Management and Budget are followed.

 

3 PROCEDURES

a Specific procedures required for conducting computer matching projects and completing the computer match checklist are defined in the OMB memoranda, Appendix A and Appendix B.

b The specific steps taken in the conduct of a computer matching project are left to the discretion of each agency. However, OMB has provided guidelines in the form of a model Control System for Computer Matching to assist agencies. These guidelines (Appendix C) should be followed unless there is some justification for using alternative methods.

c Specific examples taken from past computer matching programs are available from OMB if more guidance is required. This additional assistance is available from the Interagency Activities Division, Office of Information and Regulatory Affairs, OMB.

 

END

 

EXECUTIVE OFFICE OF THE PRESIDENT

OFFICE OF MANAGEMENT AND BUDGET

WASHINGTON. D.C.

December 29, 1983

M-84-6

 

MEMORANDUM TO: HEADS OF EXECUTIVE DEPARTMENTS, ESTABLISHMENT

AND INDEPENDENT AGENCIES

 

FROM: Joseph R. Wright, Jr.

Deputy Director

 

SUBJECT: Computer Match Checklist and Model Control System and Resource Document for Conducting Computer Matching Projects Involving Individual Privacy Data

The purpose of this memorandum is to provide instructions for

the preparation of a Computer Match Checklist to be completed

by each department and agency engaging in or providing data for

computer matching of Federal data records conducted by Federal,

State or local entities. This Checklist and the 'Model Control

System and Resource Document for Conducting Computer Matching

Projects Involving Individual Privacy Data" transmitted by this

memorandum are intended to assist agencies in complying with the

requirements of the Privacy Act of 1974 and the OMB Computer

Matching Guidelines issued May 11, 1982.

 

The Computer Match Checklist must be completed for each agency

computer match and maintained on file within the agency for

review by OMB, GAO or other Federal entities. The Model

Control System is intended to provide guidance to agencies in

developing and maintaining adequate internal agency controls

over the approval and conduct of computer matching activities.

 

The Computer Match Checklist is a requirement and applies to

all agencies subject to the Privacy Act of 1974 (5 U.S.C..

552a), and to all matching programs:

 

a. Performed by a Federal agency, whether the personal records used in the match are Federal or non-Federal.

 

b. For which a Federal agency discloses any personal records for use in a matching program performed by any other Federal agency or any non-Federal organization.

The Model Control System is the recommended approach for

agencies to follow in approving and overseeing proposed

computer matching activities. The model procedure outlined is

recommended, not required. However, there should be a suitable

rationale whenever an agency does not follow the model approach.

 

Agency Computer Match Checklist

 

This Checklist shall be completed for each department or agency

computer match (including those in which the department or agency is the source of personal data for a non-Federal match) immediately following publication of the matching report in the Federal Register (or release of data for a non-Federal match). This Checklist is to be maintained on file for review by OMB, GAG and other Federal entities.

 

a. Has the agency sent a new/altered Privacy Act System Report to UMB and Congress? (check one)

 

Yes ________. Date sent: _____________________________

 

No ________. A report is not required why? __________

____________________________________________________________

____________________________________________________________

 

b. Has the agency published in the Federal Register a

new/altered system notice?

 

Yes ________. Published on:

 

No ________. A notice is not required. Why?

 

____________________________________________________________

 

____________________________________________________________

 

c. Have all participating sources and matching agencies pub-

lished routine use notices in the Federal Register?

 

Yes _____.

 

 

 

 

 

Date of Routine

Agencies: Use Notice Publication:

 

__________________ _________________________

__________________ _________________________

__________________ _________________________

 

No _____. (attach explanation).

 

d. Have written agreements between the Federal source agencies and Federal or non-Federal matching agencies been exchanged listing conditions for the match and safeguards for individual records (OMB Matching Guidelines - Section 5b)?

 

Yes _____.

 

No _____. Reason and date when agreements will be

exchanged:___________________________________

 

e. When was the Agency Computer Match Report published in the Federal Register (not applicable if a Federal agency is only a source for the match).

 

Date of Federal Register publication: ____________________

 

Date sent to OMB and Congress: _________________________

(attach Federal Register notice)

 

f. What is the estimated number of individuals whose records are to be matched (by the following categories)?

 

o benefit records: ___________________________________

 

o personal/employment records: _________________________

 

o indebtedness/accounts receivable records: __________

 

o provider records: ___________________________________

 

o other: (describe): ___________________________________

 

g. If contractors are being used, have proper controls been instituted as outlined in Section 5g, of OMB's Computer Matching Guidelines, issued May 11, 1982?

 

Yes __________. Date of Agreement: ____________________

(attach copy of contract clause).

 

No __________. (include an estimate when contract or revisions will be signed and assurances that contractors will not participate until that time.)

 

 

h. When will cost/benefit analysis on the computer match be available?

 

Date:_______________________________________________________

 

 

Estimated cost/benefit figures are required to be attached to this form and be made available to OMB upon request.

 

 

 

 

_____________________________________________

Signature of Completing Official

 

 

 

 

APPENDIX B

 

EXECUTIVE OFFICE OF THE PRESIDENT

 

OFFICE OF MANAGEMENT AND BUDGET

 

WASHINGTON. O.C. 3

 

M-82-5 May 11, 1982

 

 

MEMORANDUM FOR THE EXECUTIVE DEPARTMENTS AND ESTABLISHMENTS

 

FROM: David A. Stockman

Director

 

SUBJECT: Revised Supplemental Guidance for Conducting

Matching Programs

 

I am attaching a copy of our revised Guidelines on conducting

computerized matching programs. This revision updates and

simplifies earlier guidance issued on March 30, 1979. It is

effective immediately.

 

The revision is the result of our evaluation of agencies'

operating experiences under the original Guidelines. The

new Guidelines incorporate many agency recommendations for

clarifications and changes. In addition, they greatly simplify

the notice and reporting requirements of the earlier version.

 

Direct comments or questions on these Guidelines to OMB's Office

of Information and Regulatory Affairs.

 

Attachment

 

 

Matching Guidelines

 

1. Purpose - These Guidelines supplement and should be used in conjunction with the "OMB guidelines on the Administration of the Privacy Act of 1974," issued on July 1, 1975 and supplemented on November 21, 1975. The replace earlier guidance on conducting computerized matching programs issued on March 30, 1979. They are intended to help agencies relate the procedural requirements of the Privacy Act to the operational requirements of computerized matching. They are designed to address the concerns expressed by the Congress in the Privacy Act of 1974 that "the increasing use of computers and sophisticated information technology, while essential to the efficient operations of the Government, has greatly magnified the harm to individual privacy that can occur form any collection, maintenance, use, or dissemination of personal information." These Guidelines do not authorize activities which are not permitted by law; nor do they prohibit activities expressly required to be performed by law. Complying with these Guidelines, however, does not relieve a Federal agency of the obligation to comply with the provisions of the Privacy Act, including any provisions not cited in these Guidelines.

 

2. Scope - These guidelines apply to all agencies subject the Privacy Act of 1974 (5 U.S.C. 552a), and to all matching programs:

 

a. Performed by a Federal agency, whether the personal records used in the match are Federal or non-Federal.

 

b. For which a Federal agency discloses any personal records used in the match program performed by any other Federal agency or any non-Federal organization.

 

3. Effective Date - These guidelines are effective on their date of issuance - May 11, 1982.

 

4. Definitions - For the purposes of these Guidelines:

 

a. All the terms defined in the Privacy Act of 1974 apply.

 

b. A "personal record" means any information pertaining to an individual that is stored in an automated system of records, e.g., a data base which contains information about individuals that is retrieved by name or some other personal identifier.

 

c. A "matching program" is a procedure in which a computer is used to compare two or more automated systems of records or a system of records with a set of non-Federal records to find individuals who are common to more than one system or set. The procedure includes all of the steps associated with the match, including obtaining the records to be matched, actual use of the computer administrative and investigative action on the hits, and disposition of the personal records maintained in connection with the match. It should be noted that a single matching program may involve several matches among a number of participants.

 

Matching Programs do not include the following:

 

(1) Matches which do not compare a substantial number of records, e,g,, comparison of the Department of Education's Defaulted Student Loan data base with the Office of Personnel Management's Federal Employee data base would be covered; comparison of six individual student loan defaultees with the OPM file would not be covered.

 

(2) Checks on specific individuals to verify data in an application for benefits done reasonably soon after the application is received.

 

(3) Checks on specific individuals based on information which raises questions about an individual's eligibility for benefits or payments done reasonably soon after the information is received.

 

(4) Matches done to produce aggregate statistical data without any personal identifiers.

 

(5) Matches done to support any research or statistical project where the specific data are not to be used to make decisions about the rights, benefits, or privileges of specific individuals.

 

(6) Matches done by an agency using its own records.

 

d. A "matching agency" is the Federal agency which actually performs the match.

 

e. A "source agency" is the Federal agency which discloses records from a system of records to be used in the match. Note that in some circumstances, a source agency may be the instigator and ultimate beneficiary of the matching program, as when an agency lacking computer resources uses another agency to perform the match. The disclosure of records to the matching agency and any subsequent disclosure of "hits" (by either the matching or the source agencies) must be done in accordance with the provisions of paragraph (b) of the Privacy Act.

 

f. A "hit" is the identification, through a matching program, of a specific individual.

 

 

5. Guidelines for Agencies Participating in Matching Programs - Agencies should acquire and disclose matching records and conduct matching programs in accordance with the provisions of this section and the Privacy Act.

 

a. Disclosing Personal Records for Matching Programs

 

(1) To Another Federal Agency - source agencies are responsible for determining whether or not to disclose personal records from their systems and for making sure they meet the necessary Privacy Act disclosure provisions when they do. Among the factors source agencies should consider are:

 

(a) Legal authority for the match;

 

(b) Purpose and description of the match;

 

(c) Description of the records to be matched;

 

(d) Whether the record subjects have consented to the match; or whether disclosure of records for the match would be compatible with the purpose for which the records were originally collected, i.e., whether disclosure under a "routine use" would be appropriate; whether the soliciting agency is seeking the records for a legitimate law enforcement activity - whichever is appropriate; or any other provision of the Privacy Act under which disclosure may be made;

 

(e) Description of additional information which may be disclosed in relation to "hits"

 

(f) Subsequent actions expected of the sources (e.q., verification of the identity of the "hits" or follow-up with individuals who are "hits").

 

(g) Safeguards to be afforded the records involved, including disposition.

 

If the agency is satisfied that disclosure of the records would not violate its responsibilities under the Privacy Act, it may

proceed to make the disclosure to the matching agency. It should

ensure that only the minimum information necessary to conduct the

match is provided. If disclosure is to be made pursuant to a

"routine use" (Section (b)(3) of the Privacy Act), it should

ensure that the system Of records contains such a use, or it

should publish a routine use notice in the Federal Register.

The agency should also be sure to maintain an accounting of the

disclosures pursuant to Section (c) of the Privacy Act.

 

(2) To a Non-Federal Entity - Prior to disclosing records to a non-Federal entity for a matching program to be carried out by that entity; a source agency should, in addition to all of the consid- erations in 5a(l) above also make reasonable efforts pursuant to Section (e)(6) of the Privacy Act, to assure that such records are accurate, complete, timely and relevant for agency purposes."

 

b. Written Agreements - Prior to disclosing to either a Federal or non-Federal entity, the source agency should require the matching entity to agree in writing to certain conditions governing the use of the matching file, e.g.: that the matching file will remain the property of the source agency and be returned at the end of the matching program (or destroyed as appropriate); that the file will be used and accessed only to match the file(s) previously agreed to; that it will not be used to extract information concerning "non-hit" individuals for any purpose; and that it will not be duplicated or disseminated within or outside the matching agency unless authorized in writing by the source agency.

 

c. Performing Matching Programs -

 

(1) Matching agencies should maintain reasonable administrative, technical and physical security safeguards on all files involved in the matching program.

 

(2) Matching agencies should insure that they have appropriate systems of records including those containing "'hits," and that such systems and any routine uses have been appropriately noticed in the Federal Register and reported to OMB and the Congress as appropriate.

 

d. Disposition of Records -

 

(1) Matching agencies will return or destroy source matching files (by mutual agreement) immediately after the match.

 

(2) Records relating to hits will be kept only so long as an investigation, either criminal or administrative, is active and will be disposed of in accordance with the requirements of the Privacy Act and the Federal Records Schedule.

 

e. Publication Requirements -

 

(1) Agencies, prior to disclosing records outside the agency, publish appropriate "routine use" notices in the Federal Register, if necessary.

(2) If the matching program will result in the creation of a new or the substantial alteration of an existing system of records, the agency involved should publish the appropriate Federal Register notice and submit the request report to OMB and the congress pursuant to OMB Circular no. A-108.

 

f. Reporting Requirements -

 

(1) As close to the imitation of the matching program as possible, matching agencies shall publish in the Federal Register a brief public notice describing the matching program. The notice should include:

 

(a) The legal authority under which the match is being conducted;

 

(b) A description of the matching program including whether the program is one time or continuing, the organizations involved, the purpose(s) for which the program is being conducted, and the procedures to be used in matching and following up on the "hits";

 

(c) A complete description of the personal records to be matched, including the source(s), system of records identifying data, date(s) and page number(s) of the most recent Federal Register full text publication where appropriate;

 

(d) The projected start and ending dates of the program;

 

(e) The security safeguards to be used to protect against unauthorized access or disclosure of the personal records; and

 

(f) Plans for disposition of the source records and "hits."

 

Agencies should send a copy of this notice to the Congress and to the Office of Management and Budget and at the same time it is sent to the Federal Register.

 

(2) Agencies should report new or altered systems of records as described in e (2) above as necessary.

 

(3) Agencies should also be prepared to report on matching programs pursuant to the reporting requirements of either the Privacy Act or the Paperwork Reduction Act. Reports will be solicited by the Office of Information and Regulatory Affairs and will focus on both the protection of individual privacy and the government .s effective use of information technology. Reporting instructions will be disseminated to the agencies as part of either the reports required by Section (p) of the Privacy Act or Section 3514 of P.L. 96-511.

 

g. Use of Contractors - Matching programs should, as far as practicable, be.conducted 'in-house' by Federal agencies using agency personnel, rather than by contract. When contractors are used, however,

 

(1) The matching agency should, consistent with subsection (m) of the Privacy Act, cause the requirements of that Act to be applied to the contractor's performance of the matching program. The contract should include the Privacy Act clause required by FPR Amdt. 155, 41 CFR 1- 1.337-5;

 

(2) The terms of the contract should include appropriate privacy and security provisions consistent with policies, regulations, standards and guidelines issued by OMB, GSA, and the Department of Commerce;

 

(3) The terms of the contract should preclude the contractor from using, disclosing, copying, or retaining records associated with the matching program for the contractor's own use;

 

(4) Contractor personnel involved in the matching program should be made explicitly aware of their obligations under the Act, and of these guidelines, agency rules and any special safeguards in relation to each specific match performed.

 

(5) Any disclosures of records by the agency to the contractor should be made pursuant to a "routine use" (Section (b) (3) of 5 U.S.C. 552a) .

 

6. Implementation and oversight - the Office of Management and Budget will oversee the implementation of these Guidelines and shall interpret and advise upon agency proposals and actions within their scope, consistent with Section 6 of the Privacy Act.

 

APPENDIX C

 

 

 

 

 

 

 

 

 

 

 

 

MODEL CONTROL SYSTEM AND RESOURCE DOCUMENT

 

FOR

 

CONDUCTING COMPUTER MATCHING PROJECTS

 

INVOLVING INDIVIDUAL PRIVACY DATA

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Office of Management and Budget

President's Council on Integrity and Efficiency

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Model Control System and Resource Document

 

for

 

Conducting Computer Matching Projects

 

Involving Individual Privacy Data

 

I. Introduction

 

Computer matching is being used by most Inspectors General and

program managers to identify fraud, waste and abuse. Regarded as

an effective management tool, matching techniques can be used to

examine extremely large amounts of computerized data quickly and

efficiently.

 

Two of the most important ingredients of most computer matching

projects are protecting the privacy of individuals and complying

with the legal/policy requirements of the 'Revised Supplemental

Guidance for Conducting Matching Programs" (OMB Memorandum M-82-5)

dated May 11, 1982, hereinafter referred to as the OMB Matching

Guidelines. Generally, these guidelines apply to all match

projects using automated files which contain individual privacy

data. Compliance with the OMB Matching Guidelines is critical for

the protection of personal privacy and the avoidance of

unwarranted harassment of individuals.

 

This document provides an approach to conducting computer matching

projects which meets the requirements of the OMB Matching

Guidelines. Specifically, it:

 

- Provides background and definitive information pertaining to computer matching.

 

- Provides a methodology for assuring that adequate protection is afforded privacy data used during computer matching.

 

- Presents a model control system, i.e., a set of processes and procedures for successfully undertaking computer matching programs involving individual privacy data.

 

The model control system is intended to assist in the preparation

for and conduct of computer matching programs involving personal-

data files from any element of the Executive Branch of the Federal

Government. Though each and every individual document or process

step may not be applicable for a particular matching program, use

of the model should assure compliance with privacy and procedural

requirements of the Privacy Act and the OMB Matching Guidelines

and thus help to ensure a successful matching program.

 

 

 

 

II. Definitions

 

For the purpose of this document:

 

- A computer match is the computerized comparison of two or more automated systems of records, at least one of which is a Federal system, to identify individuals common to two or more of the record systems or unique to one of record systems.

 

- All the terms defined in the Privacy Act of 1974 apply.

 

- All the terms defined in the OMB Matching Guidelines apply.

 

III. Background

 

In the Privacy Act of 1974, Congress expressed concern the "the increasing use of computers and sophisticated information technology, while essential to the efficient operations of the Government, has greatly magnified the harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of personal information." The Act, therefore, makes any system of records from which information is retrieved using personal identifiers (such as name, SSN, or claim number) subject or implementing guidelines and instructions pertaining to the Act. For computer matching, the significant supplemental or implementing documents are (1) OMB Matching Guidelines; (2) OMB Circular No. A-108, July 1, 1975, as amended; and (3) OMB Guidelines on the Relationship Between the Privacy Act of 1974 and the Debt Collection Act of 1982.

 

The Privacy Act of 1974

 

The Privacy Act provides specific guidance concerning privacy protection of personal data and identifies actions required of agencies maintaining such data.

 

The Privacy Act also establishes the right of each individual to have some control over the information which the Federal government maintains about him or her in a personally identifiable and retrieval format. Within limitations defined by law, an individual can: determine what records are collected, maintained, used, or disseminated; prevent disclosure of information for any purposes other than the ones for which collected; gain access to the information maintained; and sue for damages which occur as a result of willful or intentional agency action which violates his or her rights under the Act.

 

OMB Matching Guidelines

 

The OMB Matching Guidelines provide guidance for federal agencies

participating in computer matching programs. Procedures and

reporting requirements are given for both the agency performing

the match (matching agency) and the agency(ies) disclosing records

to the matching agency for use in the match (source agency(ies)).

 

Paragraph 4.c. of the OMB Matching Guidelines defines the term

"matching program" and describes six types of matches which are

not matching programs as defined. Those six types are not subject

to the guidelines. Any computer match or related series of

matches meeting the definition of a matching program must be

conducted in accordance with the OMB Matching Guidelines.

 

OMB Circular No. A-108, as amended.

 

OMB Circular No. A-108 provides guidance -to Federal agencies for

implementing the Privacy Act. Like the Privacy Act, Circular A-

108 is applicable to the creation and -maintenance of systems of

records containing individually-identifiable, personal informa-

tion.

 

Of particular importance for computer matching is Transmittal

Memorandum (TM) No. 1 to Circular A-108, September 30, 1975, as

amended by TM No. 3, May 17, 1976. TH No. 1 contains instructions

for preparing the *Report of Intention to Establish or Alter

Systems of Personnel Records.* This report must be prepared

whenever the results of a computer matching program create or

significantly alter a system of records subject to the Privacy

Act. In addition, a System of Records Notice must be printed in

the Federal Register. Samples of system notices are at Attachment

B. A sample notice of intent to establish a new system of records

is at Attachment C.

 

OMB Guidelines on the Relationship Between the Privacy Act of 1974

and the Debt Collection Act of 1982

 

These OMB guidelines address in detail the following changes and

conditions created by the Debt Collection Act. The Debt

Collection Act:

 

- Amends the Privacy Act of 1974 to provide a new general disclosure authority, subsection (b)(12), which lets agencies disclose personal information to consumer reporting agencies.

 

- Creates a statutory authority to satisfy the conditions established by the Privacy Act whereby agencies can make disclosures under subsection (b)(3) "for a routine use." The Privacy Act requires that such disclosures be compatible with the purpose for which the information was taxpayer mailing addresses in certain instances, as will as disclosures of debtor information to effect administrative or salary offsets.

 

- Creates statutory authority for agencies to collect the Social Security Account Number from applicants in certain Federal loan programs.

- Amends the Privacy Act to exempt consumer reporting agencies from the "contractor" provisions of the Privacy Act.

 

IV. The Model Control System

 

The objective of the model control system is to provide a procedural guide for conducting computer matching projects while complying with the Privacy Act and the OMB Matching Guidelines. Agencies do not have to adopt the model per se, but should use it as guidance. The main purpose of the model is to achieve a successful project conclusion with due regard for personal privacy and individual rights.

 

The model control system is presented in flow chart form with narrative statements keyed to critical action points at various stages in the project. The narrative statements provide suggested approaches for accomplishing a computer matching project. References to specific OMB Matching Guidelines requirements are indicated for each document/process step.

 

The Model Control System Flow Chart and the narratives for the ten document/process steps are at Attachment A.

 

 

 

Attachment A

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Model System Flow Chart and Document Process Narratives

 

 

 

 

 

PLEASE SEE HARD COPY OR CONTACT OIRM, IMD ON 202-447-8799 FOR THE PAPER COPY OF THE FOLLOWING IMAGE(S):

 

 

Document/Process No. 1

 

Define

Match

Program

 

 

Description; A determination must be made as to whether your

project is associated with automated records and is susceptible to

computer matching techniques. If you determine that your task can

be expedited or your scope expanded through the use of matching

techniques, then you must determine the applicability of the OMB

Matching Guidelines and ensure compliance therewith.

 

OMB Matching Guidelines Reference: Paragraph 4.c.

 

Suggested Approach:

 

- Determine the goals or desired results of the match.

 

- Identify the information or source data required and determine if these data are automated.

 

- Identify sources of the automated data; e.g., Federal agencies, nongovernmental agencies.

 

- Determine whether these automated files contain privacy data and are protected by the Privacy Act and the provisions of OMB Circular A-108.

 

- Determine whether the match program is subject to the OMB Matching Guidelines.

 

 

 

 

Document/Process No. 2

 

Determine

Feasibility

of Matching

 

 

Description: Once you have determined that your project involves matching of automated records, you should identify various alternatives of accomplishment. The most effective method of accomplishing your objectives should be your primary goal, giving full consideration to a comparison of costs versus benefits for each alternative.

 

OMB Matching Guidelines Reference: Paragraph 4.f.

 

Suggested Approach:

- Determine the feasibility of a manual comparison of records.

 

- Determine if desired information is available form some source agency in a usable format which could eliminate the need for a matching program.

 

- Estimate the benefits of the match results.

 

- Establish the feasibility of an automated approach.

 

- Select the most appropriate method.

 

 

 

 

Document/Process No. 3

 

 

Establish

Matching &

Followup

Procedures

 

 

 

Description: This process develops the foundation on which the

match project rests. The procedures established, subject to

refinement as the project progresses, will govern the actions

necessary for data collection, computer processing, analysis of

hits, and followtip actions, including recoupment and civil and

criminal litigation. The procedures provide a major portion of

the content of.the! matching report.

 

OMB Matching Guide.,lines Reference: Paragraph 5.

 

Suggested Approach:

 

- Establish and refine match criteria which will reduce errors in the project and provide greater integrity to your match results.

 

- Determine what information will be needed from the source agency or agencies.

 

- Define the processes for data collection to include file formats, data content, data sources, and methods of acquisition.

 

- Establish data handling procedures to include all privacy and computer security considerations for transporting, storing, processing, and disposing of data files whether acquired from source agencies or created during the match.

- Establish procedures for analysis, validation, and purification of hits to preclude harassment and invasion of the privacy of individuals identified as raw hits but not found to be valid hits.

 

- Design followup actions which will terminate benefits and/or initiate collection and recoupment giving full regard to protection of the innocent. The Debt Collection Act of 1982 should be considered during this step.

 

- Design a process for collecting matching program costs and results and developing cost/benefit information for use in after-action reports and in planning for subsequent matches.

 

 

Document/Process No. 4

 

 

Confer

with

Source

Agencies

 

 

Description: This step permits the matching agency to present its matching and followup plans to the source agencies and obtain a consensus about how the various parties will interact during the project. The need for routine use notice publication by Federal source agencies should be discussed. Other publication by Federal source agencies must perform to provide the source data files should be defined and agreement reached for them to be initiated.

 

OMB Matching Guidelines Reference: Paragraphs 4.d., 4.e., 5.a., 5.b., 5.e.

 

Suggested Approach:

 

- Present the ground rules for the project to all source agencies. The "ground rules" are the procedures established in Process No. 3.

 

- Obtain general agreement with the ground rules from each source agency. Where disagreements arise, attempt to modify the procedures, if possible, so that agreement can be reached.

 

- Establish the types of coordination and cooperation which will be required as the project progresses.

 

- Discuss privacy restrictions on data needed for the match. If dealing with a Federal agency, determine if an existing routine use permits disclosure of required data.

 

- If a new routine use is required for a Federal source agency data file, identify the routine use needs and obtain agreement from the source agency's system manager to initiate publication actions.

 

- Provide each source agency with the format and specifications which you wish to be used for preparation of the source agency data files. A sample record format and file specification is at Attachment D.

 

- Establish the processes by which each source agency will obtain the written agreements outlined in paragraph 5.b. of the OMB Matching Guidelines.

 

 

Document/Process No. 5

 

Routine Use

Notice

 

Description: If existing Federal privacy system notices do not

include a routine use which permits disclosure, new routine uses

should be established. The routine use notices required for each

participating agency are developed and released for publication in

the Federal Register. A minimum of 60 days should be allowed from

star of this procedure through the 30-day waiting period after

initial publication. If any significant challenges to a notice

are received, 30 more additional days may be required before

data can be released to or by the matching agency.

 

OMB Matching Guidelines Reference: Paragraphs 5. a. (1) (d) , 5. b. 5.c., 5.e.

 

Suggested Approach:

 

- Submit a formal, written request to each source agency for publication of routine use notices. In this letter, tb(a matching agency should provide all information which the source agencies require to prepare the routine use notices. Sample source-agency routine use notices are at Attachment E.

 

- Publish routine use notices governing release of data generated by the match. A request from the official in charge of the match to the department responsible for the files to be matched might be required. A sample of such a request, which could also be a guide for letters to the source agencies, along with a sample matching-agency routine use notice are at Attachment F.

 

If the matching program will create a new system of records as

defined in OMB Circular A-108, a systems notice must be published

in the Federal Register and notices sent to OMB and both Houses of

Congress as required by TM No. I of that Circular.

 

Document/Process No. 6

 

 

Matching

Report

 

 

Description: A matching report which meets all the requirements of the OMB Matching Guidelines is prepared by the matching agency. The report is then submitted tot he Federal Register for publication, with formal copies of the report sent to OMB and both Houses of Congress.

 

OMB Matching Guidelines Reference: Paragraph 5.f.

 

Suggested Approach:

 

- Prepare the matching report, insuring that all requirements of the OMB Matching Guidelines are covered.

 

- Submit the report to the Federal Register for publication. It is preferable that this be done at least 30 days prior to the initiation of the match to allow those affected by the match to review the report and submit comments. A sample copy of a matching report as submitted for Federal Register publication is at Attachment G-1. Copies of matching reports as published in the Federal Register are at Attachment H.

 

- At the same time that the report is released for publication, copies must be sent to OMB and both houses for Congress. Copies of a transmittal letter (to the Speaker of the House) and a matching report as sent to OMB and Congress are at Attachment G-2.

 

- Comments received should be considered and modifications to the matching report made as necessary.

 

 

Document/Process No. 7

 

Obtain

Source

Agency

Data Files

 

Description: Once the source agency routine use notices are

final, the source agency data files to be used in the match can be

obtained. Since all data elements within the source agency files

are not usually required, an extract of data essential to the

match should be requested to limit the amount of data provided by

a source agency.

 

OMB Matching Guidelines Reference: Paragraphs 5.a.(l), 5.b., 5.d.

Suggested Approach:

 

- Following the previously established procedures, the matching agency requests and receives source agency data files. Precise methodology for transferring data files to and from the matching agency should be covered in previous agreements between matching and source agencies.

- Matching agency stores and handles data files in accordance with Privacy Act provisions interagency agreements, and computer security requirements.

 

- Matching agency disposes of the data files by destruction or return to the source agencies as previously agreed upon.

 

 

Document/Process No. 8

 

 

Conduct

Computer

Matching

 

 

Description: The heart of the project, computer matching, involves file preparation, automated comparison of two or mare files and selection of individual records based on pre-established criteria, automated purification and validation of selected records, and presentation of the resulting hit records in a form which can be used for followup actions. If necessary or beneficial, matches may be performed by outside or organizations under contract to the matching agency.

 

OMB Matching Guidelines Reference: Paragraphs 5.c.(1), 5.d., 5.g.

 

Suggested Approach:

 

- If any of the data files to be matched are not in the proper format or specifications, reformat them so that they may be used.

 

- Produce and test the computer programs which will accomplish the matching.

 

- Perform the computer match, producing a file of "raw hits."

 

- Using available testing and purifying criteria, computer validate the raw hits to the extent possible.

 

- Produce a set of hit records which can be referred to program staffs for further action.

- Store and/or dispose of the source agency data files as agreed upon.

 

- Store and control the file of hit records until no longer needed, then dispose of it as planned.

 

 

 

Document/Process No. 9

 

Analyze

and Refine

Raw Hits

 

 

Description: Matching agency program staffs receive the file of

hits from compute!r matching. The staffs conduct such analyses and

validations as necessary to insure the accuracy of the match data.

The validating process should identify hits caused by program

errors which need to receive different analysis from those caused

by suspected program abuse. Prior to initiating any actions

against identified individuals, the staffs should be reasonably

sure that the individuals identified as hits are the same

individuals suspected of program abuse. Close coordination with

program staffs is essential when refining raw hits. Pursuing the

hits is the most time-consuming and expensive phase of your match.

The best purification of hits will lead to more successful

results.

 

OMB Matching Guidelines Reference: Paragraphs 5.a.(l)(f), 5.c.(2),

5.d.(2)

 

Suggested Approach:

 

- Analyze hits to verify data with source agency or other program files, and try to determine: (1) if the individual identified by the match is the same individual suspected of program abuse, and (2) whether the hit is the result of program abuse or program error. For large matches, analysis of a sample of the hits might be used to assure integrity and validity of the matching process before embarking on extensive detailed analyses. This would include determination of the cause(s) of erroneous or excessive payments of benefits.

 

- Establish a file of validated hits for use in followup procedures.

 

- Destroy all match records of individuals eliminated from further consideration.

 

 

 

 

Document/Process No. 10

 

 

Perform

Followup

Procedures

 

Description: Followup activities include, but are not limited to: benefit payment termination, debt and overpayment collections, program error corrections, and legal actions. The circumstances involved will dictate that followup procedures should be used for each matching project; however, followup procedures should parallel the followup process described in your match report. Corrective actions are, in most instances, the responsibility of program officials who administer the programs involved.

 

OMB Matching Guidelines Reference: Paragraphs 5.a (1)(f), 5.d. (2), 5.f (1)(f).

 

Suggested Approach:

 

- In cooperation with program staffs, verify abuse or identify error causes and initiate corrective measures. Eliminate or proceed very cautiously against any individual where doubt exists.

 

- Initiate administrative remedies including collection and recoupment actions in accordance with the Debt Collection Act of 1982 before considering civil court actions.

 

- When administrative remedies fail, initiate civil actions to recoup the funds due if appropriate.

 

- If criminal activity such as fraud is involved, initiate criminal action as appropriate.

 

- Institute a tracking system which will follow the various actions and monitor progress and effectiveness of the collection and litigation processes. This system should include accumulation of results for developing cost/benefit statistics.

 

- After completion of followup procedures, all records containing privacy data which are no longer required should be destroyed or returned to the sources of origin, as appropriate.