The Creating Advanced Streamlined Electronic Services for Constituents Act of 2019, or the CASES Act (P.L. 116-50, 5 U.S.C. 101 note), is designed to improve access to, and efficiency of, government services and agencies for individuals by updating the process of authorizing access to certain government information in a nearly ubiquitous digital environment. As described in S.Rept. 116-50, the act is intended to modernize and simplify what had become an inconsistent and variable process of obtaining an individual's written consent for information disclosure. The CASES Act aims to enable individuals to provide electronic authorization to additional parties, including Members of Congress assisting with casework matters. It does so by amending the Privacy Act of 1974 (5 U.S.C. 552a) to amend paper-based requirements and "wet" signatures on paper forms with a requirement that agencies provide means to accept digital authorizations.
The CASES Act required the Office of Management and Budget (OMB) to issue guidance requiring agencies to accept electronic identity proofing and authentication processes for individuals to consent to gaining personal access to, or the disclosure of, an individual's records in possession of a federal agency to another party; create templates for electronic consent and access forms and require posting of the templates on agency websites; and accept electronic consent and access forms.
OMB issued guidance in Memorandum M-21-04, "Modernizing Access to and Consent for Disclosure of Records Subject to the Privacy Act," on November 12, 2020, and required agencies to accept remote identity proofing and authentication to allow an individual to request access to their records or to provide prior written consent authorizing disclosure of their records under the Privacy Act; post on the agency website's privacy program page (www.[agency].gov/privacy) the forms developed using OMB-provided templates, as customized by the agency; update all relevant portions of the agency website that pertain to obtaining access to records with forms and instructions on how to submit requests digitally; and accept the access and consent forms from any properly identity-proofed individual for the purpose of individual access to records or for authorizing disclosure of the individual's records to another person or entity, including a congressional office.
CASES Act Implementation
Agencies were required by November 2021 to comply with OMB implementation guidance. The extent to which agencies have complied with congressional and OMB requirements related to the CASES Act varies.
On January 12, 2022, Representatives Gerald E. Connolly and Jody Hice, then chair and ranking member, respectively, of the Subcommittee on Government Operations of the House Committee on Oversight and Reform, sent joint letters requesting information about the implementation of the CASES Act. The letters were sent to the heads of five federal agencies that frequently interact with congressional offices regarding constituent service issues: Department of Veterans Affairs (VA); Internal Revenue Service (IRS); United States Citizenship and Immigration Services (USCIS); Social Security Administration (SSA); and Centers for Medicare and Medicaid Services (CMS). The Congressional Research Service (CRS) has not identified any publicly available response from the agencies to the letters.
On January 17, 2023, CRS made a preliminary assessment of the websites of 85 federal entities that typically have interactions with congressional offices seeking casework assistance on behalf of constituents to examine the extent of compliance with congressional and OMB instructions. Entities included all departments; selections of department subentities (e.g., for the Department of Defense, the military branches and other DOD civilian subentities; for DHS, USCIS, U.S. Immigration and Customs Enforcement (USICE), and U.S. Secret Service (USSS)); and selections of independent agencies (e.g., SSA and the U.S. Consumer Product Safety Commission). A list of entities assessed is available to congressional offices upon request.
Of the 85 entities assessed
Of the 83 entities with privacy landing pages, none appeared to provide direct access to CASES Act-mandated forms there. Ten entities appeared to require paper-only submission for Privacy Act releases at other web addresses. Six entities provide CASES Act-mandated forms or similar templates, but require different processes to submit requests; two of those agencies require applicants to provide written signatures, while another responds to all requests via the U.S. Postal Service.
CRS reassessed the same entities' privacy websites on April 1, 2024, and did not identify any changes.
Congressional Considerations
The extent of apparent compliance with congressional requirements and OMB guidance might raise questions about the CASES Act's capacity to streamline privacy authorizations in a digital environment. This might also raise questions about the act's capacity to make congressional casework processes more efficient. Congress might consider the following matters if it were to engage in further legislative or oversight endeavors related to the CASES Act.
Getting Authorizations to the Right Places
The CASES Act is intended to streamline access authorization for constituents seeking casework assistance from congressional offices. In order to start a case, congressional offices interact with agencies through legislative liaison offices. These agency offices take complete casework files, including a statement of the constituent's problem and a Privacy Act waiver or other releases discussed below, which then travel together to the appropriate office elsewhere within the agency for response. In its current implementation, the CASES Act would appear to separate a constituent's Privacy Act release from a statement of the problem for which they are asking congressional assistance. It is unclear how the release and statement of the problem might be reunited, or how an agency privacy office or other entity that addresses privacy concerns might be best positioned to support that effort.
Under the CASES Act and related OMB guidance, the process of a citizen providing digital authorization to release information provides no designated mechanism to move a digital privacy release within the agency from the privacy management offices to legislative liaison offices. In addition to intra-agency communications concerns, there appears to be no designated process for the agency to provide evidence of a completed, identity-verified authorization to a congressional office or the constituent making the request. This may raise questions about the ability of a congressional office to initiate a case with an agency when using a digital privacy release.
Taken together, these concerns might limit the extent to which the CASES Act, under current implementation guidance, streamlines the privacy release process in casework matters. These limitations could also affect the ability of congressional offices to monitor cases in their offices, or for citizens to know where their requests stand.
A potential solution might be to direct privacy authorizations related to casework through agency legislative liaison offices. At the same time, digital authorizations for individuals to see records about them held by government entities that are not related to congressional casework might not be appropriate for handling through legislative liaison offices. Separate processes for casework and other inquiries might cause misunderstandings between agencies, congressional offices, and individuals. This might be of particular concern in agencies where privacy management activities are colocated with entities responsible for responding to Freedom of Information Act queries or other government information requests.
Congress might consider technical and administrative options to improve the efficiency and effectiveness of digital authorization procedures through legislative and administrative means.
Uniform Privacy Landing Pages
Among the agencies that provide CASES Act-mandated forms or similar templates, the web addresses for each are not consistent, or readily identifiable through search. Similarly, despite OMB guidance for access to CASES Act-mandated forms at (www.[agency].gov/privacy), other OMB guidance makes that address the destination of other privacy-related policies that do not appear to have a direct connection to digital privacy authorizations. These include some agency policies regarding the agency website, including types of personal information collected or web cookie policy. Some agencies also note prohibitions of use of their agency name, seal, or emblems. In addition, agency privacy pages are not addressed or accessible in a consistent manner.
These challenges might dissuade users from identifying or engaging the websites or accessing CASES Act-mandated forms or similar templates on websites where they are available. On sites where CASES Act-mandated forms or similar templates do not appear to be available, the lack of consistent website addressing might raise questions about the availability of required digital access to forms. This could potentially limit the CASES Act's ability to better support Congress's constituent service activities.
While OMB has already published guidance requiring consistent web availability of CASES Act forms in Memorandum M-21-04 and general website standards in M-17-06, "Policies for Federal Agency Public Websites and Digital Services," the lack of implementation consistency may suggest a role for Congress in conducting oversight of OMB or agencies, or future avenues for legislation to statutorily require agency privacy pages and content.
Other Privacy Policies Related to Constituent Service
The CASES Act authorizes the electronic release of information protected by the Privacy Act for some matters, including constituent service. It does not appear to provide similar processes to authorize electronic release of protected information pursuant to other privacy provisions. These include the Health Insurance Portability and Accountability Act (HIPAA), which provides in part for the protection of individuals' health care information, or USCIS and other Department of Homeland Security (DHS) entities' protection of information related to immigration cases, all of which may be needed for constituent service purposes, and could present congressional offices with multiple methods to obtain privacy authorizations from constituents. As executive agencies continue to implement the CASES Act, Congress might consider legislative and oversight options for expanding the scope of electronic authorizations to incorporate other privacy policies.
For further consideration of casework and the CASES Act, see CRS In Focus IF12159, The CASES Act: Implementation and Issues for Congress; and CRS Report RL33209, Casework in a Congressional Office.