
Federal Data Integration and Individual Rights: The Computer Matching and Privacy Protection Act

February 23, 2022 (IF12053)

Executive branch agencies face an ever-evolving policy, regulatory, and technological landscape when seeking to share or combine individual-level data across organizational or programmatic boundaries. Congress has deliberated and legislated the use of data integration for more than 50 years, aiming to promote the efficient administration of government programs while protecting individual privacy and maintaining the country's trust in how the federal government uses information on individuals.

The Computer Matching and Privacy Protection Act (P.L. 100-503; CMPPA) is a significant part of the statutory and policy landscape shaping how agencies can share and combine data sources. First passed in 1988, the CMPPA has been amended 10 times, most recently in 2014.

The CMPPA addresses how agencies may do specific types of computer matching. This term refers to using a computer for the comparison of information on individuals from two or more systems of records for either of two purposes:

  1. To establish or verify eligibility for a federal benefit program and to recoup debts and improper payments made to individuals under these benefit programs; and
  2. To manage federal personnel.

The CMPPA emerged from congressional concerns that the oversight of agency computer matching was inadequate. In particular, the extent of computer matching in the executive branch was unknown, and the due process rights of individuals were not adequately protected from adverse actions by an agency using inaccurate information.

This In Focus describes the CMPPA's scope, procedural requirements, mechanisms to promote agency oversight, and due process protections. The CMPPA establishes some boundaries on the use of computer matching and procedures for protecting individuals. Federal efforts to share and combine data for decisionmaking, and for benefit program administration specifically, implicate the CMPPA in important ways, which may create ongoing and new issues for Congress.

Scope of the CMPPA

Matching programs. The CMPPA amended provisions originally enacted in the Privacy Act of 1974 (5 U.S.C. §552a). The Privacy Act generally restricts how executive agencies may disclose or share records that identify individuals in the absence of written consent, with certain exceptions. The CMPPA identifies the specific, narrow purposes under which an executive agency may share, receive, and compare identifiable, individual-level data for matching. A matching of records for one of the CMPPA's two purposes establishes a matching program (5 U.S.C. §§552a(8)(A), 552a(o)). The CMPPA further requires an agency with a matching program to ensure an individual is afforded due process prior to taking any adverse action against that individual, including suspending, terminating, reducing, or making a final denial of payment or assistance.

Certain matching activities excluded from the CMPPA. The CMPPA specifically excludes several types of matching from its procedural and oversight requirements. These include matches to support research and statistical projects, the specific data of which may not be used to make adverse decisions affecting the rights, benefits, or privileges of a specific individual. Other matching activities that are excluded from the CMPPA's coverage are specified in Title 5, Section 552a(8)(B), of the U.S. Code and in other laws.

Major Procedural Requirements

The CMPPA sets forth multiple procedural requirements an agency must meet when matching for one of the act's covered purposes. In addition to specifying agency responsibilities, the law requires the Office of Management and Budget (OMB) to develop guidelines and regulations for agencies and to continually assist and oversee agencies' implementation (5 U.S.C. §552a(v)).

Agency Responsibilities

Source and recipient agencies. The CMPPA authorizes the matching of data between a federal government agency and another federal, state, or local government entity (P.L. 100-503, §9; 5 U.S.C. §552a note). The CMPPA identifies two parties to a matching program: a source agency that discloses records and a recipient agency that receives those records. A source agency is defined as either a federal executive branch agency or a state or local government agency (5 U.S.C. §552a(a)(11)). A recipient agency is defined as a federal executive branch agency or a contractor of one.

The CMPPA does not include nonfederal agencies in the definition of recipient agency. Certain federal benefit programs may, however, address circumstances when a federal agency may disclose records to a nonfederal agency. OMB's Circular No. A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act, describes some processes executive branch agencies should use when a nonfederal agency is a recipient of records for a matching program. An executive agency may establish a regulation to require a nonfederal recipient agency to comply with provisions of the CMPPA.

Written agreement. A source and recipient agency are required to enter into a detailed computer matching agreement (CMA) before records can be disclosed and matched. CMAs must include, among other details, the legal authority, justification, and anticipated results of the matching program; a description of the records and data elements that will be matched; the procedures for ensuring the administrative, technical, and physical security of the matched records and results; and the procedures for providing notice to individuals and verifying information produced in a matching program (5 U.S.C. §552a(o)). CMAs are valid for 18 months as a default in the CMPPA. They may be extended for one year so long as compliance with the original agreement is certified by the agency receiving the records and the agency sourcing the records believes the receiving agency to be in compliance with the agreement.

Agency decisionmaking. The CMPPA requires an agency that discloses or receives individual records for the purposes of a matching program to establish a Data Integrity Board of senior officials and the agency's inspector general, if the agency has one (5 U.S.C. §552a(u)). An agency's Data Integrity Board acts as a decisionmaking body for approving or declining a proposed matching program and executes CMAs. It also reviews on an annual basis any existing matching programs in which the agency participates and assesses the continued justification for the agency's participation.

Reports to OMB and Congress. The CMPPA requires an agency to report certain information on its matching activities to OMB and Congress. When an agency considers a new or significantly modified matching program, it must provide advance notice to OMB, the Senate Committee on Homeland Security and Governmental Affairs, and the House Committee on Oversight and Reform (5 U.S.C. §552a(r)). This allows for evaluation of the effects of the matching program on individual privacy and other rights. In addition, copies of CMAs that have been entered into by agencies are to be submitted to Congress (5 U.S.C. §552a(o)(2)(A)). An agency's Data Integrity Board must also submit an annual report to the head of the agency and OMB describing specific aspects of its matching activities. While the CMPPA included a requirement for OMB to report to Congress on matching programs and on OMB's implementation of the Privacy Act more generally, the requirement was effectively terminated in 2000 (P.L. 104-66, §3003; 31 U.S.C. §1113 note).

Due Process and Individual Rights

Consent and notice. A source agency must obtain an individual's consent as a condition of disclosing that individual's records to a receiving agency in a matching program (OMB's Final Guidance Interpreting the Provisions of P.L. 100-503). The agency disclosing records can either (1) obtain written consent directly from the individual or (2) use an exception to consent as permitted in Title 5, Section 552a(b).

OMB's Final Guidance also directs an agency to provide notice in advance to individuals that they are the subject of a computer match before the matching of records begins. An agency must provide periodic notice of matching to individuals when determining continued eligibility for a federal benefit program or during the periods of time when the match is authorized to take place. OMB's Final Guidance advises that public notice through the Federal Register may serve as "constructive" notice in the absence of direct notice to an individual (e.g., direct notice to an individual at the time of his or her application for benefits). OMB's Circular No. A-108 indicates the agency receiving records bears the responsibility of publishing a notice in the Federal Register of its intent to conduct a matching program. If a nonfederal agency is the recipient, the federal agency providing the records is required to publish the notice.

Opportunity to contest information. The CMPPA requires an agency to provide the subject of a computer match the chance to address and correct information that will be used to deny, suspend, or terminate a federal benefit (5 U.S.C. §552a(p)). An agency has two options to satisfy this requirement. Both options seek to establish the accuracy of the information on the individual. The first option is independent verification and confirmation of information through manual investigative processes (5 U.S.C. §552a(p)(2)). The second option allows an agency's Data Integrity Board to waive the independent verification requirement if the board is confident in the accuracy of records (5 U.S.C. §552a(p)(1)(A)(ii)). Regardless of which option an agency chooses, it must notify the individual that an adverse decision is pending based on the information it has and explain the process and timeline for the individual to challenge the decision.

Issues for Congress

The CMPPA brings into focus several potential questions in data matching policy that Congress might consider, including the following:

  • Under the CMPPA's framework for transparency and oversight, do Congress and the public have a sufficiently accurate and current understanding of how individual records are shared and matched by federal agencies?
  • Certain matching activities may not be subject to the CMPPA, including matching activities for benefit programs using commercial or nongovernmental data. Are there mechanisms in place to oversee and understand the implementation of those matching activities?
  • How does an agency determine and monitor the quality and accuracy of information used in matches that may affect the determination of a person's benefits? How does an agency determine the quality and accuracy of information received from state and local governments?

Congress may also want to better understand (1) matching programs that depend on direct written consent and notice to individuals and (2) when agencies use exceptions to direct consent and make use of constructive notice.

Document ID: IF12053