§ 317.94 - Conducting matching programs.  


    (a) Source and recipient agencies. The agency, if undertaking a matching program, should consider if it will be a “source agency” or a “recipient agency” for the match and be prepared to meet the following requirements:

    (1) The recipient agency does the matching. It receives the data from system of records of other Federal agencies or data from state and local governments and actually performs the match by computer.

    (2) The recipient agency is responsible for publishing a notice in the Federal Register of the matching program. Where a state or local agency is the recipient, the Federal source agency is responsible for publishing the notice.

    (3) A Federal source agency discloses the data from a system of records for the match. A non-Federal agency may also be a source, but the record data will not be from a system of records. The “system of records” concept under the Privacy Act does not apply to the recordkeeping practices of state or local governmental agencies.

    (4) The recipient Federal agency, or the Federal source agency in a match performed by a non-Federal agency, is responsible for reporting the match. This agency must contact the other participants to gather the information necessary to make a unified report as required by § 317.100.

    (5) In some circumstances, a source agency may be the instigator and ultimate beneficiary of the matching program, as when an agency lacking computer resources uses another agency to perform the match; or when as a practical matter, an agency may not wish to release and disclose its data base to another agency as a source because of privacy safeguard considerations.

    (b) Compliance with the system of records and disclosure provisions. (1) The agency must ensure that it identifies the system(s) of records involved in the matching program and has published the necessary notice(s) in the Federal Register.

    (2) The Privacy Act does not itself authorize disclosures from system of records for the purpose of conducting a matching program. The agency must justify any disclosures outside the Department of Defense under subsection (b) of the Act. This means obtaining the written consent of the subjects of record for the disclosure or relying on one of the 12 non-consensual disclosures exceptions to the written consent rule. To rely on the routine use exception (b)(3), the agency must have already established the routine use (published in the Federal Register), or in the alternative, must comply with subsections (e)(4)(d) and (e)(11) of the Act which means amending the record system notice to add an appropriate routine use for the match. An amendment requires publication in the Federal Register with a 30 day waiting period for public comment.

    (3) The routine use permitting disclosure for the match must be compatible with and related to the purpose for which the record was initially compiled.

    (4) The routine use for the match in a record system notice shall clearly indicate that it entails a computer matching program with a specific agency for an established purpose and intended objective. For purposes of matching, a routine use must state that a disclosure may be made for a matching program. The agency may not rely on an existing established routine use to meet the requirements of the Act unless it expressly permits disclosure for matching purposes.

    (c) Prior notice to record subjects. Subjects of record must receive prior notice that their records may be matched. This may be done by direct and/or constructive notice.

    (1) Direct notice may be given when there is some form of contact between the government and the subject. Information can be furnished to individuals on the application form when they apply for a benefit, in a notice that arrives with a benefit, or in correspondence they receive in the mail. Use of the advisory Privacy Act Statement is an acceptable manner to provide direct notice to subjects of record at the time of application. The agency shall provide direct notice for front-end eligibility verification matching programs whose purpose is to validate an applicant's initial eligibility for a benefit and later to determine continued eligibility using the Privacy Act Statement on the application form. Providers of services should be given notice (Privacy Act Statement) on the form on which they apply for reimbursement for services provided. Providing notice of matching programs using the Privacy Act Statement shall be part of the normal process of implementing a Federal benefits program. The agency shall insure records contain appropriate revisions.

    (2) Constructive notice can only be given by an appropriate routine use disclosure provision of the affected system of records to be used in the match. For purely internal matching program uses, amend the “Purpose(s)” element of the record system notice to specifically reflect those internal computer matches performed. The constructive notice method requires publication in the Federal Register. Examples of when constructive notice may be used:

    (i) For matching programs whose purpose is to locate individuals in order to recoup payments improperly granted to former beneficiaries, direct notice may well be impossible and constructive notice may have to suffice.

    (ii) The agency that discloses records to a state or local government in support of a non-Federal matching program is not obligated to provide direct notice to each subject of record. Federal Register publication in this instance is sufficient.

    (iii) Investigative matches where direct notice immediately prior to a match would provide the subject an opportunity to alter behavior.

    (3) The agency shall also provide periodic notice whenever an application is renewed, or at the least during the period the match is authorized to take place by providing notice accompanying the benefit as approved by the Defense Data Integrity Board.

    (d) Publication of the matching notice. (1) The matching agency is required to publish in the Federal Register a notice of any proposed matching program or alteration of an established program at least 30 days prior to conducting the match for any public comment. Only one notice is required. When a non-Federal agency is the matching agency, the source agency shall be responsible for the publication. The proposed matching notice for publication shall be submitted in Federal Register format and included in the agency report. The notice shall contain the customary preamble and contain the required information in sufficient detail describing the match so that the reader will easily understand the nature and purpose of the match, including any adverse consequences.

    (2) The preamble to the notice shall be prepared by the Defense Privacy Office, DA&M, and shall contain:

    (i) The date the transmittal letters to OMB and Congress are signed.

    (ii) A statement that the matching program is subject to review by OMB and Congress and shall not become effective until that review period has elapsed.

    (iii) A statement that a copy of the agreement shall be available upon request to the public.

    (3) The agency shall provide:

    (i) Name of participating agency or agencies.

    (ii) Identity of the source agency and the recipient agency, or in the case of an internal DoD matching, the Component(s) involved.

    (iii) Purpose of the match being conducted to include a description of the matching program and whether the program is a one-time or a continuing program.

    (iv) Legal authority for conducting the matching program. Do not cite the Privacy Act as it provides no independent authority for carrying out any matching activity. If at all possible, use the U.S. Code citations rather than the Public Law as access to the Public Laws is more difficult. Avoid citing housekeeping statutes such as 5 U.S.C. 301, but rather cite the underlying programmatic authority for collecting, maintaining, and using the information even if it results in citing the Code of Federal Regulations or a DoD directive or regulation. Whenever possible, the popular name or subject of the authority should be given, as well as a statute, public law, U.S. Code, or Executive Order number; for example: The Debt Collection Act of 1982 (Pub. L. 97-365) 5 U.S.C. 5514, Installment deduction of indebtedness.

    (v) A complete description of the system(s) of records that will be used in the match. Include the system identification, name, and the official Federal Register citation, date published, including any published amendments thereto. Provide a positive statement that the system(s) contains an appropriate routine use provision authorizing the disclosure of the records for the purpose of conducting the computer matching program. (Note: In the case of internal DoD matches, the “purpose(s)” element of the system(s) involved.) If non-Federal records are involved, a complete description to include the specific source, address, and category of records to be used, e.g., Human Resources Administration Medicaid File, City of New York, Human Resources Administration, 250 Church Street, New York, NY 10013.

    (vi) A complete description of the category of records and individuals covered from the record system(s) to be used, the specific data elements to be matched, and the approximate number of records that will be matched.

    (vii) The projected start and ending dates for a one-time match or the inclusive dates for a continuing match.

    (viii) The address for receipt of any public comment or inquiries concerning the notice shall indicate: Director, Defense Privacy Office, 400 Army Navy Drive, Room 205, Arlington, VA 22202-2884.