E7-11542. Implementation Guidance for Title V of the E-Government Act, Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA)  

    AGENCY:

    Office of Management and Budget, Executive Office of the President.

    ACTION:

    Notice of decision.

    SUMMARY:

    The Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA) can provide strong confidentiality protections for statistical information collections, such as surveys and censuses, as well as for other statistical activities, such as data analysis, modeling, and sample design, that are sponsored or conducted by Federal agencies. The Office of Management and Budget (OMB) is issuing Implementation Guidance for Title V of the E-Government Act, the Confidential Information Protection and Statistical Efficiency Act of 2002 (Pub. L. 107-347). The purpose of the CIPSEA implementation guidance is to inform agencies about the requirements for using CIPSEA and to clarify the circumstances under which CIPSEA can be used.

    Authority: 31 U.S.C. 1104(d); 44 U.S.C. 3504 (specifically (a)(1)(B)(iii) and (v), (e)(1), (3) and (5), and (g)(1)); Pub. L. 107-347 section 503(a), 44 U.S.C. 3501 note.

    FOR FURTHER INFORMATION CONTACT:

    Brian Harris-Kojetin, Ph.D., Statistical and Science Policy Office, Office of Information and Regulatory Affairs, Office of Management and Budget, NEOB, Room 10201, 725 17th Street, NW., Washington, DC 20503. Telephone: 202-395-3093.

    SUPPLEMENTARY INFORMATION:

    A. Background

    Statistics collected and published by the Federal Government constitute a significant portion of the available information about the United States' economy, population, natural resources, environment, and public and private institutions. There are more than 70 Federal agencies or organizational units that carry out statistical activities as their principal mission or in conjunction with other program missions, such as providing services or enforcing regulations. In addition to these 70 agencies, many other Federal agencies or units may collect statistical information to use for specific program needs.

    Prior to the enactment of CIPSEA, a patchwork of legislative protections governed the confidentiality of data gathered for statistical purposes by the different agencies and units. Some agencies had strong statutory authority to protect the confidentiality of the data they gathered for statistical purposes, while other agencies had weak or no legislative authority to protect confidentiality. In addition, the ability of the designated statistical agencies to share information to improve the efficiency of the Federal statistical system was limited by statutory constraints affecting those agencies.

    By establishing a uniform policy for all Federal statistical collections, this law will reduce public confusion, uncertainty, and concern about the treatment of confidential statistical information by different Federal agencies. By establishing consistent rational principles and processes to buttress confidentiality pledges, the guidance that implements the law will harmonize confidentiality claims and set minimum standards for safeguarding confidential statistical information. Such consistent protection of confidential statistical information will, in turn, reduce the perceived risks of more efficient working relationships among statistical agencies, relationships that can reduce both the cost and reporting burden imposed by statistical programs.

    B. Development and Review

    In 2003, OMB and the other members of the Interagency Council on Statistical Policy (ICSP) formed an interagency group to discuss issues that OMB and the agencies anticipated would arise in the implementation of CIPSEA. OMB was particularly interested in understanding the questions and concerns that these statistical agencies had about the new law and how it would affect their activities. OMB also sought to incorporate the best practices of these agencies for handling confidential statistical information.

    An initial draft of this implementation guidance was reviewed by the ICSP members, and OMB revised the draft guidance in response to the comments that we received. Based on the use of the law by agencies over the past three years, OMB has also addressed in the guidance specific issues that have arisen, such as nonstatistical agencies' use of CIPSEA.

    C. Summary of and Response to Comments Received in Response to the October 16, 2006 Federal Register Notice

    OMB issued proposed Implementation Guidance for Title V of the E-Government Act, Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA) (Pub. L. 107-347) in October 2006 (71 FR 60,772-60,773). Five public comments were received in response to OMB's request. OMB reviewed the public comments on the guidance and made some modifications in response to the comments. The complete text of the public comments and this document are available on the OMB Web site at http://www.whitehouse.gov/omb/inforeg/statpolicy.html.

    General Comments

    One commenter expressed support for the guidance and stated that “the proposed guidelines establish principles and policies that will protect the confidentiality of the data provided by respondents to federal statistical surveys” and noted that the guidance provides “reasonable approaches to protecting confidentiality, and thereby will reduce the costs and reporting burdens imposed by statistical programs.” The commenter also noted that it was “especially useful to see guidelines for statistical agency interactions with outside analysts (e.g., contractors) authorized to see the confidential data.”

    I. Introduction

    Identifiability

    One commenter believed the discussion of the identifiability of personal information in the proposed guidance was insufficient. Although the commenter noted the technical references to Statistical Policy Working Paper #22 [1] and to the Federal Committee on Statistical Methodology's Confidentiality and Data Access Committee's disclosure review checklist,[2] she asked for “more specific guidance about the meaning of the terms reasonably inferred and direct or indirect means” [emphasis in original] and “how the CIPSEA standard specifically relates to the HIPAA standards of no reasonable basis to believe and risk is very small [emphasis in original] * * * whether a risk assessment is required, how to conduct that risk assessment, what data sources (public and private) must be considered in assessing identifiability” as well as how much effort and cost are reasonable.

    In response to this comment, OMB has included a definition of “personally identifiable information” in footnote 21 and provided an example of indirect identification in footnote 23, as follows:

    21 “personally identifiable information” refers to information which can be used to distinguish or trace an individual's identity, such as his or her name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.

    23 Indirect identification refers to using information in conjunction with other data elements to reasonably infer the identity of a respondent. For example, data elements such as a combination of gender, race, date of birth, geographic indicators, or other descriptors may be used to identify an individual respondent.

    However, it is beyond the scope of this implementation guidance to provide lists of other data sources that could be used to reidentify respondents or specific risk assessment techniques agencies must employ. As the commenter noted, OMB does provide references to more technical resources that address these issues, such as Statistical Policy Working Paper #22, and a citation to the HIPAA privacy rule has been added. Federal statistical agencies are in the best position to know about the sensitivity of their confidential statistical information and to take appropriate steps to assess and mitigate the risks of reidentification. Because this area is a “moving target,” as the commenter noted, OMB, through its Federal Committee on Statistical Methodology, sponsors the Confidentiality and Data Access Committee, which facilitates the sharing and adoption of best practices and latest techniques in disclosure avoidance across Federal agencies.

    Relation of CIPSEA to Other Laws

    One commenter noted that “subsection (b) of the Privacy Act of 1974 authorizes numerous disclosures, many of which are inappropriate for CIPSEA records. For example, disclosures for law enforcement purposes” as well as many routine uses. The commenter asked OMB to “elaborate on the intersection between CIPSEA and the Privacy Act of 1974.”

    As OMB has noted in the guidance, agencies are responsible for ensuring that information protected under CIPSEA is used exclusively for statistical purposes. OMB recognizes that the Privacy Act does permit routine uses that are nonstatistical; these uses are not permitted for CIPSEA-protected information. OMB believes that the minimum standards in the guidance for safeguarding confidential information make clear that agencies need to develop appropriate policies and procedures for CIPSEA-protected information that go beyond those that exist for Privacy Act systems of records; however, we have added the following language to make this explicit in Part I.F. of the guidance:

    On the other hand, if an agency pledges to use the information only for statistical purposes, then the agency shall not use any other authorities it has available to use the information for non-statistical purposes, because those uses would be contrary to the agency's pledge. For example, if information is protected by CIPSEA and the Privacy Act, some of the routine uses permitted under the Privacy Act would no longer be allowed because they are not for statistical purposes.

    Agencies Authorized To Designate Agents

    One commenter cited Footnote 31 on page 11 of the proposed guidance [3] that tells agencies that they should consult with OMB regarding use of agents and stated that the use of agents should be subject to public notice and comment. In this footnote, OMB was referring specifically to the review and legal interpretation of a nonstatistical agency's statute and whether that would meet the requirements of CIPSEA and permit the agency to designate agents under CIPSEA. Generally, legal analysis and interpretation are accomplished by the agency. However, when agencies are applying a new statute that OMB has responsibility for, agencies should consult with OMB to ensure a government-wide perspective.

    Commenters also had questions about other specific matters that will be addressed during implementation.

    II. Requirements for Agencies Collecting or Acquiring Information Protected Under CIPSEA

    Non-CIPSEA Pledges

    One commenter objected to agencies being restricted from using both the terms “confidential” and “statistical purposes” together if CIPSEA did not cover the collection. The commenter noted that these terms have meaning independent of CIPSEA and agencies should be able to use them as they see fit. The commenter suggested that “Rather than prohibit the use of the terms ‘confidential’ and ‘exclusively statistical purposes,’ we suggest that OMB advise agencies, as it has in prior guidance, to ensure that they do not use terms that are confusing. OMB could also prohibit the mention of CIPSEA when it is not applicable and require that agencies invoke coverage by CIPSEA only by the mention of that law directly to survey respondents.”

    OMB agrees that the terms “confidential” and “statistical purposes” have meaning independent of CIPSEA; however, when used together in a pledge to respondents, they clearly meet the requirements of CIPSEA and the protection of this law. Sec. 512 of CIPSEA simply requires that the information be “acquired by an agency under a pledge of confidentiality and for exclusively statistical purposes.” The law does not require that CIPSEA be mentioned explicitly, and OMB would certainly prohibit an agency from mentioning the law if it did not apply. It would clearly be confusing to respondents for different protections to be implied by two different agencies both pledging that the information would be confidential and used for exclusively statistical purposes. Thus, it is necessary to ensure that CIPSEA protections or greater protections apply when an agency makes this pledge to respondents.

    CIPSEA Pledges

    One commenter supported the shorter version of the pledge, but expressed concerns about its comprehensibility. The commenter then suggested that OMB consider developing a formal statistical confidentiality seal that would provide an identifiable marker that would tell individuals what level of protection the information they provide will receive under the law. Specifically the commenter suggested as an example that OMB consider a green-yellow-red color scheme: Green would mean respond with confidence because answers receive the highest level of legal confidentiality protection; yellow would mean respond with caution because answers receive some confidentiality protection but less than the highest level of legal protection; and red would mean no legal confidentiality protections at all.

    The CIPSEA pledge was based on a pledge that was thoroughly tested; however, OMB has encouraged further cognitive testing of this pledge by agencies. OMB agrees that it would also be helpful to have more testing on a shortened version. OMB also appreciates the commenter's suggestions regarding potential “seals” that would be easy for respondents to understand and recognize, and agrees that this idea is worthy of further investigation and testing. We also agree that this will require a considerable amount of research not only to develop a recognizable seal but also to figure out appropriate ways to present it in different modes. If this research proves fruitful, OMB will consider revising this implementation guidance and/or issuing other guidance for use of a seal.

    III. Minimum Standards for Safeguarding Confidential Information Acquired Under CIPSEA

    Costs and Burden of Security Requirements

    One commenter noted that during a time of reduced funding resources the implementation requirements call for annual recertification of employees, increased physical and information security, additional record keeping requirements, and additional staff time (to ensure that appropriate confidentiality and security protocols are followed). Providing appropriate security for agency information and information systems does require resources. As with any ongoing program, agencies need to incorporate into their budgets the costs for protecting confidential information throughout the lifecycle of the statistical activities.

    Security of Confidential Information in Laptop Computers

    One commenter noted that “recent events have highlighted the particular vulnerability of laptop computers to loss and theft,” and suggested that additional information be included in the guidance about the security of laptops, PDAs, or other types of devices. OMB agrees with the comment and has modified language in the section on physical and information systems security in Part III. B, which also applies to Part IV. D of the proposed guidance referenced on page 22, so that it now reads:

    Agencies are required to establish appropriate administrative and technical safeguards to ensure that the security of all media containing confidential information is protected against unauthorized disclosures and anticipated threats or hazards to their security or integrity. For example, agencies must ensure that security requirements are followed for reports, documents, printouts, information collection instruments, laptops, PDA's, zip drives, floppy disks, CD-ROMs, or any other IT devices that contain confidential information to prevent access by unauthorized persons.

    VII. Data Sharing Under Subtitle B of CIPSEA

    Data Linking and Data Sharing

    One comment requested that OMB include administrative data as well as other agencies under the data sharing provisions of Subtitle B of CIPSEA to further improve efficiency. OMB notes that Subtitle B is limited in statute to the three designated statistical agencies (BLS, BEA, and Census) and applies only to business data. While OMB appreciates the potential benefits suggested in this comment, CIPSEA does not authorize any other data sharing or authorize additional agencies to share data. However, CIPSEA did not alter other existing authorities for data sharing among Federal agencies.

    VIII. Annual Reporting and Review Requirements

    Annual Reports to OMB

    One commenter requested that the annual reports that agencies provide to OMB be made public and posted on agency Web sites. In the interest of transparency, agencies will now be required to post their reports on their Web sites.

    Susan E. Dudley,

    Administrator, Office of Information and Regulatory Affairs.

    Implementation Guidance for Title V of the E-Government Act, Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA)

    I. Introduction

    A. Overview

    Issues of privacy and confidentiality are of increasing concern to respondents to Federal government surveys. Agencies often seek to assuage these concerns by pledging to respondents that the agency will protect the information that respondents provide, and by using whatever statutory authority that the agency has to substantiate this pledge. However, many agencies do not have strong confidentiality provisions in their authorizing statutes. In this case, agencies may be able to use government-wide statutes such as the Privacy Act or exemptions under the Freedom of Information Act as the basis for a pledge to respondents, but these statutes still do not apply to many Federal surveys.

    The Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA) is a new government-wide law that can provide strong confidentiality protections to many Federal agencies conducting statistical information collections, such as surveys and censuses as well as other statistical activities including data analysis and modeling, sample design, etc. The purpose of this guidance is to inform agencies about the requirements for using CIPSEA and clarify the circumstances under which CIPSEA can be used.

    There are several key definitions and distinctions in CIPSEA regarding statistical and nonstatistical agencies, and statistical and nonstatistical purposes, that affect whether CIPSEA can be used by an agency to acquire and protect information. Below is a brief description of these major definitions and distinctions, as well as of issues related to data sharing under CIPSEA, and additional requirements for using CIPSEA that are addressed in greater detail in this guidance.

    1. Is the agency a statistical or nonstatistical agency? CIPSEA distinguishes between statistical and nonstatistical agencies or units and imposes different requirements and privileges on these different types of agencies. Briefly, statistical agencies or units are those whose activities are predominantly the collection, compilation, processing, or analysis of information for statistical purposes. More detail and a listing of statistical agencies and units is provided in section I., part G of this section of the guidance.

    2. Is the information used for statistical or nonstatistical purposes? CIPSEA provides protection for information acquired for statistical purposes under a pledge of confidentiality. Under CIPSEA, a statistical purpose includes the description, estimation, or analysis of the characteristics of groups, without identifying the individuals or organizations that comprise such groups, while nonstatistical purposes include any administrative, regulatory, law enforcement, adjudicatory, or other purpose that affects the rights, privileges, or benefits of a particular respondent. Information acquired and protected under CIPSEA may only be used for statistical purposes.

    3. Is the information being acquired by the Federal agency itself? Agencies acquire information in different ways from a wide variety of respondents. Agencies often acquire information directly from a respondent to a Federal survey. In some cases, these respondents are local or State governments that have themselves collected the information from a respondent. Any agency that directly acquires information from a respondent, including a local or State government, under a pledge of confidentiality for exclusively statistical purposes, is bound by CIPSEA. However, CIPSEA does not restrict or diminish confidentiality protections in law that otherwise apply to a collection of statistical data or information. Agencies protecting information under CIPSEA must follow the requirements specified in section II of this guidance and include an appropriate pledge to respondents. All agencies that have information protected under CIPSEA must also follow the procedures in section III for safeguarding the security of this information.

    4. Is the information being acquired for the Federal agency by contractors or others acting on behalf of the agency? Many agencies acquiring information from respondents do not directly collect the information themselves from respondents but do so through intermediaries such as contractors or researchers who are operating under cooperative agreements or grants at the direction of the agency. CIPSEA defines contractors and their employees, researchers, and employees of private organizations or institutions of higher learning who have a contract or agreement with a Federal agency as “agents” and authorizes only some agencies to use agents to acquire information that will be protected under CIPSEA or access CIPSEA-protected information.

    5. How can statistical agencies use CIPSEA? Statistical agencies or units that directly acquire information from respondents, including State and local governments, may protect the confidentiality of that information under CIPSEA. Statistical agencies or units may also designate agents to acquire information for the agency under CIPSEA as well as perform other exclusively statistical activities for the agency on CIPSEA-protected information. Statistical activities include the collection, compilation, processing, or analysis of data for the purposes of describing or making estimates concerning the whole, or relevant groups or components within, the economy, society, or the natural environment. Statistical activities also include the development of methods or resources that support these activities, such as measurement methods, models, statistical classifications, or sampling frames. More information is provided in section IV about the requirements for statistical agencies designating agents under CIPSEA.

    6. How can nonstatistical agencies use CIPSEA? Nonstatistical agencies can use CIPSEA to protect information they are authorized to acquire directly themselves from respondents, including State and local governments. However, nonstatistical agencies or units are not permitted to designate agents under CIPSEA. Therefore, nonstatistical agencies or units may not protect information under CIPSEA if they are using a contractor or other persons who fall under the CIPSEA definition of agents to acquire that information unless they have the authority to designate agents to collect information or perform other statistical activities under some other statute. More information on how nonstatistical agencies can acquire and protect information under CIPSEA is provided in section VI of this guidance.

    7. What if a statistical agency acquires information for nonstatistical purposes? OMB expects that the vast majority of information collections conducted by statistical agencies or units will be subject to CIPSEA because these agencies generally collect information for exclusively statistical purposes and pledge confidentiality. Statistical agencies or units that are collecting information that may be used for nonstatistical purposes need to ensure that respondents understand these nonstatistical uses and that CIPSEA does not apply to the specific collection. Requirements for statistical agencies collecting information that may be used for nonstatistical purposes are covered in section V.

    8. What data sharing does CIPSEA authorize? Subtitle B of CIPSEA explicitly provides the ability for three designated statistical agencies, the Bureau of Economic Analysis, the Bureau of Labor Statistics, and the Bureau of the Census to share business data. Requirements for data sharing among these designated statistical agencies are outlined in section VII.

    9. What other requirements are there for using CIPSEA? Agencies should carefully review this guidance to determine whether CIPSEA applies to any of their information collections or statistical activities. Agencies using CIPSEA are responsible for following all requirements in this guidance. In addition, OMB is requiring agencies that use CIPSEA to report annually to OMB on their use of this law in order to effectively monitor the implementation of CIPSEA across Federal agencies. All agencies that use CIPSEA for their collections are asked to report to OMB annually the information collections CIPSEA applies to and affirm that all of the requirements in this guidance are being met. Statistical agencies protecting information under CIPSEA are further required to report on their use of agents, and the three designated statistical agencies in Subtitle B of CIPSEA are required to report annually on their data sharing activities under CIPSEA. Further information on the reporting requirements is in section VIII of this guidance.

    B. Purposes of CIPSEA

    The Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA), Title V of the E-Government Act of 2002 (Pub. L. 107-347), has two subtitles.

    Subtitle A, Confidential Information Protection, concerns confidentiality and statistical uses of information. The purposes of Subtitle A are:

    1. To ensure that information supplied by individuals or organizations to an agency for statistical purposes under a pledge of confidentiality is used exclusively for statistical purposes;

    2. To ensure that individuals or organizations who supply information under a pledge of confidentiality to agencies for statistical purposes will neither have that information disclosed in identifiable form to anyone not authorized by this title nor have that information used for any purpose other than a statistical purpose; and

    3. To safeguard the confidentiality of individually identifiable information acquired under a pledge of confidentiality for statistical purposes by controlling access to, and uses made of, such information.[4]

    CIPSEA Subtitle A protects information that is acquired for exclusively statistical purposes under a pledge of confidentiality. This subtitle of the law applies to all Federal agencies that acquire information under these carefully prescribed conditions. The protection of information collected under this law is supported by a penalty of a Class E Felony for a knowing and willful disclosure of confidential information. This includes imprisonment for up to five years and fines up to $250,000.[5] Thus, for many agencies this law strengthens the protections afforded to confidential statistical information.

    CIPSEA Subtitle B promotes statistical efficiency through limited sharing of business data among three designated statistical agencies, the Bureau of the Census (Census), the Bureau of Economic Analysis (BEA), and the Bureau of Labor Statistics (BLS). The purposes of Subtitle B are:

    1. To authorize the sharing of business data among Census, BEA, and BLS for exclusively statistical purposes;

    2. To reduce the paperwork burdens imposed on businesses that provide requested information to the Federal Government;

    3. To improve the comparability and accuracy of Federal economic statistics by allowing Census, BEA, and BLS to update sample frames, develop consistent classifications of establishments and companies into industries, improve coverage, and reconcile significant differences in data produced by the three agencies; and

    4. To increase understanding of the United States economy, especially for key industry and regional statistics, to develop more accurate measures of the impact of technology on productivity growth, and to enhance the reliability of the Nation's most important economic indicators, such as the National Income and Product Accounts.[6]

    The remainder of this section of the guidance provides background information on CIPSEA and its applicability to Federal agencies. Sections II through VI provide implementation guidance on CIPSEA Subtitle A, and Section VII provides implementation guidance on Subtitle B. Section VIII covers agency reporting requirements to OMB on the implementation of CIPSEA.

    C. Background

    There are more than 70 Federal agencies or organizational units that carry out statistical activities as their principal mission or in conjunction with other program missions, such as providing services or enforcing regulations.[7] In addition to these 70 agencies, many other Federal agencies or units may collect statistical information to use for specific program needs. Prior to the enactment of CIPSEA, a patchwork of legislative protections governed the confidentiality of data gathered for statistical purposes by the different agencies and units. Some agencies had strong statutory authority to protect the confidentiality of the data they gathered for statistical purposes, while other agencies had weak or no legislative authority to protect confidentiality. In addition, the ability of the designated statistical agencies to share information to improve the efficiency of the Federal statistical system was limited by statutory constraints affecting those agencies.

    Over the years, there have been numerous attempts both to shore up legal protection for the confidentiality of statistical information, and to permit some limited sharing of data for statistical purposes. Strengthening and standardizing statutory protections for the confidentiality of individually identifiable data that are collected for statistical purposes as well as enhancing the capability of Federal agencies to share information for exclusively statistical purposes have always been goals.

    In 1971, the President's Commission on Federal Statistics recommended that the term confidential should always mean that disclosure of data in a manner that would allow public identification of the respondent or would in any way be harmful to him should be prohibited. In addition, the Commission recommended that a promise to hold data in confidence should not be made unless the agency has legal authority to uphold such a promise, and that legislation should be enacted authorizing agencies collecting data for statistical purposes to promise confidentiality as the term was defined by the Commission.[8]

    In July 1977, the Privacy Protection Study Commission stated that “no record or information * * * collected or maintained for a research or statistical purpose under Federal authority * * * may be used in individually identifiable form to make any decision or take any action directly affecting the individual to whom the record pertains * * *” [9]

    In October 1977, the President's Commission on Federal Paperwork endorsed the confidentiality and “functional separation” concepts, but applied them directly and simply to statistical programs, saying that:

    • Information collected or maintained for statistical purposes must never be used for administrative or regulatory purposes or disclosed in identifiable form, except to another statistical agency with assurances that it will be used solely for statistical purposes; and
    • Information collected for administrative and regulatory purposes must be made available for statistical use, with appropriate confidentiality and security safeguards, when assurances are given that the information will be used solely for statistical purposes.[10]

    The policy discussions generated by the three Commissions came together in a bipartisan outpouring of support for the Paperwork Reduction Act of 1980, which largely addressed the efficiency recommendations of the Paperwork Commission. The legislative history of that Act recognized the unfinished work of fitting the “functional separation” of statistical information into the overall scheme.

    In 1993, a National Academy of Sciences panel on confidentiality and data access recommended that “Statistical records across all federal agencies should be governed by a consistent set of statutes and regulations meeting standards for the maintenance of such records, including the following features of fair statistical information practices: (a) A definition of statistical data that incorporates the principle of functional separation as defined by the Privacy Protection Study Commission, (b) a guarantee of confidentiality for data, * * * (g) legal sanctions for those who violate confidentiality requirements.” [11]

    To clarify and make consistent government policy protecting the privacy and confidentiality interests of individuals and organizations who furnish data for Federal statistical programs, OMB issued an “Order Providing for the Confidentiality of Statistical Information” in June 1997.[12] This order applied the principles of functional separation and protection of confidential information gathered for statistical purposes to twelve principal statistical agencies.

    CIPSEA builds upon these and other efforts of the Executive and Legislative branches including H.R. 2885 (the Statistical Efficiency Act of 1999, originally offered by Representative Stephen Horn, and unanimously passed by the House of Representatives) and H.R. 2136 (the Confidential Information Protection Act, originally offered by Representative Tom Sawyer in 2001). Introducing CIPSEA, H.R. 5215, on July 25, 2002, Representative Horn indicated,

    “The bill's enhanced confidentiality protections will improve the quality of Federal statistics by encouraging greater cooperation on the part of respondents. Even more important, these protections ensure that the Federal Government does not abuse the trust of those who provide data to it under a pledge of confidentiality. * * * the Confidential Information Protection and Statistical Efficiency Act of 2002 makes important, common sense and long overdue improvements in our Nation's statistical programs. It is a bipartisan, good Government measure that has the Administration's strong support. I urge my colleagues to join with us to achieve prompt enactment of the bill.” [13]

    In this guidance, OMB is establishing a uniform policy for all Federal statistical collections to reduce public confusion, uncertainty, and concern about the application of the newly-enacted confidentiality requirements associated with protected statistical information acquired by different Federal agencies. By establishing consistent rational principles and processes to buttress confidentiality pledges, the law codifies confidentiality claims and sets minimum standards for safeguarding confidential statistical information. Establishing consistent protection of confidential statistical information will, in turn, reduce the perceived risks of more efficient working relationships among statistical agencies, relationships that can reduce both the cost and reporting burden imposed by statistical programs.

    D. Authority

    The Paperwork Reduction Act (PRA) of 1980 (as amended in 1986 and 1995) requires the Office of Information and Regulatory Affairs (OIRA) within OMB to develop policies, principles, standards, and guidelines for privacy and confidentiality generally; the integrity of confidentiality pledges; and the confidentiality of information collected for statistical purposes.[14] In addition, the Act tasks OIRA to oversee agency compliance with related requirements of the Act and with the policies referenced above.[15] For example, agencies are required to “inform respondents fully and accurately about the sponsors, purposes, and uses of statistical surveys and studies.” [16]

    With respect to statistical policy and coordination, the PRA directs OMB to:

    • Coordinate the activities of the Federal statistical system to ensure—

    ○ The efficiency and effectiveness of the system; and

    ○ The integrity, objectivity, impartiality, utility, and confidentiality of information collected for statistical purposes; * * *

    • Develop and oversee the implementation of Governmentwide policies, principles, standards, and guidelines * * *
    • Promote the sharing of information collected for statistical purposes consistent with privacy rights and confidentiality pledges; [17]

    In addition, Title V of the E-Government Act of 2002 authorizes the Director of the Office of Management and Budget to coordinate and oversee the confidentiality and disclosure policies established by CIPSEA. The Director is authorized to promulgate rules or provide other guidance to ensure the consistent interpretation of this title by the affected agencies.[18]

    E. Affected Agencies

    Executive agencies as defined in 31 U.S.C. 102 or 44 U.S.C. 3502[19] are subject to the provisions and penalties in CIPSEA Subtitle A if they (1) acquire information for exclusively statistical purposes under a pledge of confidentiality, or (2) possess or access information protected by CIPSEA, unless even stronger confidentiality protections apply.[20] CIPSEA also imposes additional requirements on statistical agencies or units, which are defined to include “an agency or organizational unit of the executive branch whose activities are predominantly the collection, compilation, processing, or analysis of information for statistical purposes.” [21] CIPSEA Subtitle B applies only to the designated statistical agencies, i.e., the Bureau of the Census of the Department of Commerce, the Bureau of Economic Analysis of the Department of Commerce, and the Bureau of Labor Statistics of the Department of Labor.[22]

    F. Applicability of CIPSEA

    Federal agencies collect and acquire information for a wide variety of purposes and uses, including benefit determinations, program planning and management, program evaluation, measurement of compliance with laws and regulations, and research, as well as for general purpose statistics. When acquiring information, an agency must inform the person or organization being asked to provide information whether or not it will be treated as confidential and the purpose(s) for which the information will be used.[23]

    CIPSEA protection applies to any identifiable information acquired by the agency under a pledge of confidentiality for exclusively statistical purposes. For purposes of CIPSEA, this information includes personally identifiable information [24] as well as information that permits the identity of any respondent, such as business establishments, institutions, or State or local governments,[25] to be reasonably inferred by either direct or indirect means.[26] In this guidance, the terms confidential information and confidential data refer to information that is protected by CIPSEA.

    CIPSEA can apply only when an agency pledges both to protect the confidentiality of the information it acquires and to use the information only for statistical purposes. CIPSEA defines a statistical purpose to include the description, estimation, or analysis of the characteristics of groups, without identifying the individuals or organizations that comprise such groups and includes the development, implementation, or maintenance of methods, technical or administrative procedures, or information resources that support the above purposes.[27] If information is collected or acquired for any nonstatistical purpose, then CIPSEA shall not be used to protect the confidentiality of the information.[28]

    A nonstatistical purpose means the use of information in identifiable form for anything other than a statistical purpose, including any administrative, regulatory, law enforcement, adjudicative, or other purpose that affects the rights, privileges or benefits of a particular identifiable respondent. Providing confidential information in response to a Freedom of Information Act (FOIA) request is also considered a nonstatistical purpose.[29] Since the CIPSEA statute is a (b)(3) statute under FOIA, confidential information covered under CIPSEA is exempt from release pursuant to a FOIA request (5 U.S.C. 552(b)(3)).

    Agencies acquire information in different ways from a wide variety of respondents. An agency may collect information directly (e.g., surveys) from individuals, households, businesses, organizations, or institutions, or the agency may acquire information through secondary sources (e.g., from State government agencies).[30] This guidance, in accordance with the law, will use as the more general term, “acquire,” to include both agency collections of information directly from respondents, and acquisitions of information from secondary sources.

    In many cases, agencies acquire information directly from respondents (including local or State governments) to a Federal survey; in other cases, agencies do not themselves directly acquire information from respondents but do so through intermediaries, such as contractors or researchers who are operating under cooperative agreements or grants at the direction of the agency. CIPSEA defines contractors and their employees, researchers, and employees of private organizations or institutions of higher learning that have a contract or agreement with a Federal agency as “agents.” [31]

    Any agency that directly acquires information from a respondent, including a local or State government, under a pledge of confidentiality for exclusively statistical purposes, can use CIPSEA to protect the information. However, if an agency is using an agent, such as a contractor, to acquire information for exclusively statistical purposes, the agency may not be able to protect the information under CIPSEA unless it is a statistical agency (see part G). In these situations, nonstatistical agencies should use their existing statutory authority to protect the confidentiality of this information.

    Generally, the applicable statute with the strongest confidentiality protections for the information governs the use and disclosure of the information. CIPSEA does not restrict or diminish any other confidentiality protections or penalties for unauthorized disclosure that an agency may otherwise have for information collected for statistical purposes.[32] Accordingly, if an agency has any stronger protections in its statutes, these protections would remain in effect. For example, the more restrictive use and disclosure provisions of the Census Act and the International Investment and Trade in Services Survey Act would take precedence over the broader statistical uses permitted under CIPSEA. In another example, if an agency's authorizing statute prohibited disclosure with informed consent, the agency would not be able to disclose the information with informed consent, which could be permissible under CIPSEA under certain circumstances.[33]

    On the other hand, if an agency pledges to use the information for only statistical purposes, then the agency shall not use any other authorities it has available to use the information for non-statistical purposes, because those uses would be contrary to the agency's pledge. For example, if information is protected by CIPSEA and the Privacy Act, some of the routine uses permitted under the Privacy Act would no longer be allowed because they are not for statistical purposes.

    G. Use of CIPSEA by Statistical and Nonstatistical Agencies or Units

    Although any Federal agency can acquire and protect information under CIPSEA, CIPSEA provides additional authority and imposes additional requirements on statistical agencies or units. These additional provisions have implications for how and whether an agency can use CIPSEA to acquire information; these provisions are discussed in later sections of this guidance.

    CIPSEA defines a statistical agency or unit as “an agency or organizational unit of the executive branch whose activities are predominantly the collection, compilation, processing, or analysis of information for statistical purposes.” [34]

    OMB shall determine whether an agency or unit can be considered a statistical agency or unit for purposes of CIPSEA.

    OMB recognized 12 statistical agencies or units in its 1997 Confidentiality Order: [35]

    • Department of Agriculture

    ○ Economic Research Service

    ○ National Agricultural Statistics Service

    • Department of Commerce

    ○ Bureau of Economic Analysis

    ○ Census Bureau

    • Department of Education

    ○ National Center for Education Statistics

    • Department of Energy

    ○ Energy Information Administration

    • Department of Health and Human Services

    ○ National Center for Health Statistics

    • Department of Justice

    ○ Bureau of Justice Statistics

    • Department of Labor

    ○ Bureau of Labor Statistics

    • Department of Transportation

    ○ Bureau of Transportation Statistics

    • Department of the Treasury

    ○ Statistics of Income Division of the Internal Revenue Service

    • National Science Foundation

    ○ Division of Science Resources Statistics

    Since this guidance was issued in proposed form in October 2006, OMB has recognized two statistical organizational units: the Office of Applied Studies within the Substance Abuse and Mental Health Services Administration in the Department of Health and Human Services, and the Microeconomic Surveys Unit of the Board of Governors of the Federal Reserve. Other agencies or units that wish to be recognized as statistical agencies or units for purposes of CIPSEA must send a request to the Chief Statistician at OMB. The request must come from the head of the agency or unit and have the concurrence of the larger organization within which the agency or unit resides. This request should include a statement of the organizational definition of the agency or unit, its mission, statistical activities, and any nonstatistical activities, and demonstrate that its activities are predominantly statistical. Statistical activities include the collection, compilation, processing, or analysis of data for the purpose of describing the characteristics of groups or making estimates concerning the whole or relevant groups, or components within, the economy, society, or the natural environment. Statistical activities also include the development of methods or resources that support these activities, such as measurement methods, models, statistical classifications, or sampling frames. A listing of OMB recognized statistical agencies and units will be posted and maintained on OMB's Web site.

    Both statistical and nonstatistical agencies can use CIPSEA to protect information they acquire directly from respondents, including State and local governments. However, only statistical agencies or units are authorized under CIPSEA to designate agents to perform exclusively statistical activities, which include data collection, subject to CIPSEA limitations and penalties.[36] Because data collection contractors are agents under CIPSEA,[37] only statistical agencies may designate contractors to acquire information that will be protected under CIPSEA. In order for the collections of nonstatistical agencies to fall within the protections of CIPSEA, nonstatistical agencies must acquire the information themselves directly from respondents. Nonstatistical agencies cannot empower contractors or other agents to acquire information or carry out any other statistical activities for the agency under CIPSEA.[38]

    The following sections II and III of this guidance describe in detail the requirements for all agencies using CIPSEA. Additional requirements for statistical agencies or units designating agents are covered in section IV. Because it is generally expected that statistical agencies or organizational units will be collecting information for exclusively statistical purposes under a pledge of confidentiality, statistical agencies or units that conduct or sponsor a collection that will not be for exclusively statistical purposes must follow additional requirements as described in section V. Additional requirements for nonstatistical agencies or units are provided in section VI.

    II. Requirements for Agencies Collecting or Acquiring Information Protected Under CIPSEA

    CIPSEA provides strong protection for information obtained for exclusively statistical purposes under a pledge of confidentiality. For CIPSEA to have its intended effect of reinforcing public confidence in Federal confidentiality pledges, all Federal agencies that make the CIPSEA pledge must provide CIPSEA protection to that information. A Federal agency should not make a CIPSEA pledge unless the agency is fully committed to taking all the actions that are necessary to provide CIPSEA level protection; making the CIPSEA pledge means giving CIPSEA level protection to the collected information.

    To faithfully maintain this commitment requires that agencies meet a number of minimum requirements that are described in detail in the remainder of this guidance. Specifically, agencies must:

    • Inform the respondents about the confidentiality protection and use of the information (section II.);
    • Collect and handle confidential information to minimize risk of disclosure, including properly training employees (section III.);
    • Ensure the information is used only for statistical purposes (section III. A.);
    • Review information to be disseminated to prevent identifiable information from being reasonably inferred by either direct or indirect means (section III. F.); and
    • Supervise and control agents who have access to confidential information (section IV.).

    A. Requirements for Public Notice Prior to Data Collection

    Agencies are required under the PRA to:

    • Publish a notice in the Federal Register allowing 60 days for the public to comment on information collections and otherwise consult with members of the public and affected agencies concerning each proposed collection of information; [39]
    • Publish a notice in the Federal Register at the time OMB approval is being sought, and allow the public 30 days to comment; and
    • “Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy” in their PRA supporting statements submitted to OMB.[40]

    When agencies are acquiring information that will be protected under CIPSEA, they shall: [41]

    • State that the information will be protected under CIPSEA, and cite any other authority they have to protect the confidentiality of the data in their PRA supporting statements; and
    • State in their Federal Register notices if there is a substantive change in the confidentiality protection of the information being collected, such as using CIPSEA to protect the information for an ongoing collection when similar protection was not available previously.

    B. Requirements for Informing Respondents at the Time of Information Collection

    At the time of the information collection, agencies are required under the PRA to adequately inform potential respondents about the uses of the information they provide.[42] This description must include the following information related to the confidentiality of their responses:

    • The reasons the information is planned to be and/or has been collected;
    • The way such information is planned to be and/or has been used to further the proper performance of the functions of the agency; and
    • The nature and extent of confidentiality protection to be provided, if any.[43]

    When agencies are collecting information that they want to be protected under CIPSEA, they are required by law at the time of collection to do the following:[44]

    • Pledge to keep the data or information confidential, and
    • Pledge that the information will be used for exclusively statistical purposes.

    Agencies that are not protecting information under CIPSEA must ensure that the public is able to distinguish easily between pledges that reflect the protections provided by CIPSEA and those affording less protection than CIPSEA. In particular, the pledge for collections not protected to the extent afforded by CIPSEA shall not contain all the elements related to CIPSEA found in the pledges below—specifically, the pledge shall not state both that the data are confidential and that they are for exclusively statistical use (in such cases CIPSEA would apply even if not stated).[45] The degree to which the pledge differs from the CIPSEA pledge needs to be based on the laws and regulations governing the collection and determined in collaboration with the agency legal staff, agency confidentiality officer, and PRA clearance officer. A pledge of confidentiality for collections not protected by CIPSEA must specifically cite the statutory authorization protecting the confidentiality of the data being collected and accurately describe the extent of that protection. If an agency elects to collect information under laws affording less protection than CIPSEA, OMB will not approve an agency's proposed non-CIPSEA pledge that is too similar to the CIPSEA pledge (e.g., one that includes the term ‘confidential’ and states that the information will be used for exclusively statistical purposes).

    The following examples of confidentiality pledges under CIPSEA are sufficient to inform respondents of the protections afforded. Agencies shall use the following model and customize the wording in accordance with their needs. Parentheses indicate options and italics are instructions. Comparable pledge language may be substituted, but that alternative wording shall be included in the PRA supporting statements to OMB and should be cognitively tested. A complete confidentiality pledge shall be developed from the following:

    The information (choose one—you, your household, your establishment—as needed) provide(s) will be used for statistical purposes only. In accordance with the Confidential Information Protection provisions of Title V, Subtitle A, Public Law 107-347 (option to add or substitute laws that are stronger or more restrictive than CIPSEA) and other applicable Federal laws (option to list them, but it is not necessary to be exhaustive), your responses will be kept confidential and will not be disclosed in identifiable form to anyone other than employees (option to add “or agents” if applicable, or another term the agency uses) (option to add— without your consent).[46] By law, every (your agency here) employee (optional— including the Director ), (if applicable, option to add “as well as every agent such as then list as appropriate— contractors, field representatives, telephone interviewers, authorized researchers,[47] etc”.[48] ), (optional— has taken an oath and ) is subject to a jail term (optional— of up to 5 years ), a fine (optional— of up to $250,000 ), or both if he or she willfully discloses ANY identifiable information about (choose one— you, your household, your establishment ).

    The above pledge may be placed on the survey instrument (e.g., form), in the instructions, or on the back side of the cover letter. A shorter, more user-friendly version may be used in introductory statements, on the cover of the instrument, or in the body of the cover letter as long as there is a reference to the full pledge. In addition, the agency may place the full pledge on the agency's web site and point respondents to that site.

    To illustrate the actual pledge wording, an agency could implement this pledge as follows:

    The information you provide will be used for statistical purposes only. In accordance with the Confidential Information Protection provisions of Title V, Subtitle A, Public Law 107-347 and other applicable Federal laws, your responses will be kept confidential and will not be disclosed in identifiable form to anyone other than employees or agents. By law, every ABC employee as well as every agent has taken an oath and is subject to a jail term of up to 5 years, a fine of up to $250,000, or both if he or she willfully discloses ANY identifiable information about you.

    Agencies may choose to employ a shortened version of the pledge, such as the following, when conducting telephone surveys or in other similar circumstances as long as respondents are given access to the longer version in some other manner such as posting on the agency's Web site:

    The information you provide about (choose one— yourself, household, establishment ) will be used for statistical purposes only. In accordance with the Confidential Information Protection provisions in Public Law 107-347 (option to add and other applicable Federal laws ), your responses will be kept confidential and will not be disclosed in identifiable form (optional— without your consent).[49] By law, everyone working on this (your agency here) survey is subject to a jail term, a fine, or both if he or she willfully discloses ANY information that could identify you.

    Agencies whose statutory authority provides confidentiality protections more restrictive than CIPSEA for information acquired for exclusively statistical purposes under a pledge of confidentiality may use the CIPSEA pledge or their existing pledges that are similar as long as they make clear what confidentiality protections cover the information and the statutory authority for those protections. In such cases, the resemblance of an agency's pledge to the CIPSEA pledge does not imply that any provisions in CIPSEA would overrule the agency's stronger confidentiality statute. CIPSEA does not restrict or diminish any other confidentiality protections or penalties for unauthorized disclosure that an agency may otherwise have for information collected for statistical purposes, and any stronger protections would remain in effect.[50]

    III. Minimum Standards for Safeguarding Confidential Information Acquired Under CIPSEA

    These standards for safeguarding confidential information apply to information protected under CIPSEA. Federal agencies shall follow the minimum standards in this section. In addition, some best practices are provided that agencies are encouraged to adopt but are not required to implement.[51]

    The central objective of these standards is to ensure that a Federal agency that pledges confidentiality for statistical information honors that pledge. Each Federal agency remains ultimately responsible and accountable for the confidential information that the agency acquires under a CIPSEA pledge. Any inappropriate use or disclosure of CIPSEA-protected information violates the law and can undermine public trust. Therefore, there is no “acceptable” level of non-compliance with the CIPSEA pledge.

    These minimum standards have been developed according to the principle of disclosure risk, which considers both the probability of an unauthorized disclosure and the expected harm from such a disclosure. These minimum standards apply to data for which the disclosure risk has been deemed relatively low by the Federal agency responsible for the information. Federal agencies shall set higher standards as the disclosure risk increases.

    At a minimum, such standards shall make clear that each person having access to confidential information understands his/her responsibility related to maintaining the confidentiality of that information. In addition, these standards shall make clear who is accountable for each part of the information protection, including:

    • Determining and monitoring procedures for collection and release;
    • Evaluating the reason for accessing the information and controlling access to the information; and
    • Maintaining physical and information systems security.

    A. Principles and Procedures for Protecting Confidential Information

    Agencies or organizational units protecting information under CIPSEA shall incorporate the costs for protecting confidential information throughout the lifecycle of the statistical activity. This will ensure that sufficient resources are available to develop and implement procedures to ensure that:

    • The confidentiality of the information is protected;
    • Confidential information is used exclusively for statistical purposes;
    • Access to confidential information is controlled, and only authorized persons have access to the information;
    • All persons having access to confidential information understand

    ○ The obligations of confidentiality protection,

    ○ That unauthorized access to confidential information is prohibited, and

    ○ The penalties for unauthorized access to and unauthorized use of confidential information; and

    • A person or persons are designated to oversee all procedures for handling confidential information, and that such persons are responsible for all agency confidentiality procedures, reviews, and compliance with confidentiality laws.

    B. Physical and Information Systems Security

    Each agency shall ensure the physical security and information systems security where data protected under CIPSEA are accessed and stored.

    Agencies are required to establish appropriate administrative and technical safeguards to ensure that all media containing confidential information are protected against unauthorized disclosures and anticipated threats or hazards to their security or integrity. For example, agencies must ensure that security requirements are followed for reports, documents, printouts, information collection instruments, laptops, PDAs, zip drives, floppy disks, CD-ROMs, or any other IT devices that contain confidential information to prevent access by unauthorized persons. Agencies must also ensure that only persons authorized by the head of the statistical agency or unit are permitted access to confidential information stored in information systems.

    Agencies are required to assess and secure their information and information systems in accord with the Federal Information Security Management Act (FISMA) which appears as Title III of the E-Government Act of 2002. OMB has issued guidance on implementing FISMA, and the National Institute of Standards and Technology (NIST) has issued compulsory and binding standards used to identify the level of impact and controls for maintaining the confidentiality, integrity, and availability of all information collected or maintained on behalf of an agency.[52]

    One of three security objectives for information and information systems that FISMA defines is confidentiality. The security category of an information type is determined by its potential impact on agencies should there be a breach of security, i.e., a loss of confidentiality.[53] Because agencies handle many different types of information, an agency should determine what the potential impact of a security breach on the agency is (including mission, function, image, and reputation), and take into account CIPSEA requirements that the information be used for exclusively statistical purposes as well as the penalties that CIPSEA imposes for disclosure.

    Privacy Impact Assessments (PIAs) are also required of agencies developing or procuring information systems or projects that maintain or handle confidential information in identifiable form about members of the public, and agencies initiating new electronic collections of information in identifiable form.[54]

    C. Confidentiality Training

    Each agency with information protected under CIPSEA shall ensure that all individuals having access to such confidential information have a current understanding of confidentiality rules and procedures. Confidentiality training shall include at a minimum:

    • An overview of information protection procedures,
    • The importance of “need to know” for an authorized purpose in accessing confidential information,
    • Physical and information systems security procedures, and
    • The penalties for unauthorized access, use and disclosures.

    Employees who have access to confidential information shall be recertified annually to ensure their understanding of confidentiality requirements.

    D. Record Keeping

    Agencies shall establish and maintain a system of records [55] that identifies individuals accessing confidential information. Agencies shall also be prepared to document their compliance with the safeguard principles to OMB.[56]

    E. Information Collection, Processing, or Analysis Contracts

    Prior to award, agencies shall review any contracts that involve CIPSEA protected information to ensure language is included that informs the contractor of the requirements of CIPSEA and of the contractor's obligations under the law and penalties for noncompliance (see Section IV).

    F. Guidelines for Review of Information Prior to Dissemination

    For CIPSEA protected information, the agency as well as any agent accessing the information shall ensure that any dissemination of information based on confidential information is done in a manner that preserves the confidentiality of the information. To accomplish this, agencies shall:

    • Review their information products prior to public release for disclosures of confidential information, and
    • Apply appropriate statistical disclosure limitation (SDL) techniques to preserve the confidentiality of the information.

    For further guidance on SDL techniques, agencies can refer to practices described in Statistical Policy Working Paper #22, Report on Statistical Disclosure Limitation Methodology[57] and utilize other resources such as the disclosure review checklist provided by the Federal Committee on Statistical Methodology's Confidentiality and Data Access Committee.[58]

    Additional guidelines are provided below for handling confidential information protected under CIPSEA in conjunction with information not protected by CIPSEA.

    Tabular Information

    When a table includes both data protected under CIPSEA and other data not protected under CIPSEA, all data shall be treated as confidential, and identifiable respondent information shall not be present in the table.

    When a table includes both data protected under CIPSEA and nonconfidential data, the agency:

    • Shall apply SDL techniques to ensure protection of any table cells based on information protected under CIPSEA;
    • May have a table cell that reveals nonconfidential identifiable respondent information. However, the agency shall take special care to ensure that the presentation of the nonconfidential information in no way jeopardizes confidential information.

    ○ If the table includes any identifiable nonconfidential respondent information, the agency shall distinguish what information is protected under CIPSEA in the accompanying text or notes to the table.

    ○ If the table does not include any identifiable nonconfidential respondent information, there is no need to distinguish these data from those protected under CIPSEA.

    • A special case exists when a table cell value reflects a combination of CIPSEA protected data and nonconfidential data (e.g., a ratio or weighted average). In this case, these data elements are considered confidential and shall not be disseminated in a manner where any respondent could be identified.

    The agency shall determine how the disclosure limitation methods used on the data affect the users and thus what information about confidentiality protection shall be included with tabular presentation.

    Microdata [59]

    The confidentiality provisions and limits on uses of microdata shall be completely discussed in the documentation or mentioned with a reference for details. For microdata protected under CIPSEA, SDL techniques shall be applied prior to public release.

    There are two possible scenarios to consider for the dissemination of microdata in which some elements are protected under CIPSEA and other elements are not (e.g., not confidential or confidential under other laws/authorities).

    • If variables protected under CIPSEA are linked to other variables that are not, the most restrictive law (in terms of promising confidentiality and limiting the use of the information) shall apply. For example:

    ○ If an agency links data protected under CIPSEA with nonconfidential administrative data from another source and releases a linked public use microdata file, the restrictions of CIPSEA apply.

    ○ If an agency links data protected under CIPSEA with confidential administrative data from another source (e.g., IRS data) and releases a linked public use microdata file, the most restrictive law (in terms of promising confidentiality and limiting the use of the information) shall prevail.

    • If data from some respondents are protected under CIPSEA and data from other respondents are not, an agency may keep the data in separate files or combine the data sets and include a variable that tells the source for each record. Keeping the data in separate files may be the best choice because it would help highlight the difference in confidentiality provisions and limits on uses.

    IV. Requirements and Guidelines for Statistical Agencies or Organizational Units When Designating Agents to Acquire or Access Confidential Information Protected Under CIPSEA

    Statistical agencies or organizational units may under CIPSEA designate agents by contract or by entering into a special agreement to perform exclusively statistical activities that are subject to CIPSEA limitations and penalties.[60] To ensure that the protections of CIPSEA apply to the information that a statistical agency or unit acquires, the agency shall follow the requirements in this section when designating agents to acquire information for the agency for exclusively statistical purposes under a pledge of confidentiality.

    Because CIPSEA has a broad definition of agents, statistical agencies and organizational units may use CIPSEA to designate a variety of individuals as agents to allow them to access confidential information for exclusively statistical purposes.[61] A statistical agency may designate agents to perform exclusively statistical activities, at its discretion, subject to the agency's needs, resources, and other requirements. The agency that possesses the confidential information shall ensure that all agents comply with the agency's confidentiality procedures and shall follow the requirements in this section when designating agents to access confidential information for exclusively statistical purposes.

    Information protected under CIPSEA must be used only for statistical purposes. When entering into contracts or special agreements with agents to acquire or access confidential information, an agency shall consider:

    • The sensitivity of the confidential information,
    • The risk of disclosure, and
    • The resources required to maintain supervision and control of agents.

    Agencies are responsible for protecting the confidentiality of their data and may establish standards beyond those in this guidance. This section thus provides the minimum requirements as well as additional guidelines for statistical agencies or units to designate agents to perform exclusively statistical activities, including data collection.

    It is important to note that neither CIPSEA nor this guidance requires any statistical agency or unit to designate agents; the decision to enter into these agreements is at the discretion of the statistical agency or unit. Therefore, an agency may decline to designate agents in accordance with its authorities or practices.[62] If a statistical agency or unit chooses to designate agents, the agency remains responsible for all confidential information protected under CIPSEA, and statistical agencies or units should not designate agents unless the agencies or units are able to ensure that all CIPSEA requirements in this guidance will be met and faithfully carried out by their agents. Carrying out these responsibilities will take agency resources, and thus, will limit the extent to which a statistical agency or unit should consider designating agents.

    A. Designating Agents

    Under CIPSEA, a statistical agency or unit may designate as an agent [63] any of the following:

    • An employee of a private organization or a researcher affiliated with an institution of higher learning;
    • Someone who is working under the authority of a government entity;
    • Someone who is a self-employed researcher, a consultant, a contractor, or an employee of a contractor; or
    • Someone who is a contractor or an employee of a contractor, and who is engaged by the agency to design or maintain the systems for handling or storage of data received under this title.[64]

    Statistical agencies or units designating agents must do so through contracts or other agreements that require the agent to agree in writing to comply with all provisions of law that affect information acquired by that agency.[65] Any statistical agencies or units that designate agents shall exercise supervision and/or control of the agents to ensure the confidentiality and appropriate use of the information.

    B. Requirements for Agents To Request Access to Confidential Information Protected Under CIPSEA

    Some statistical agencies and units receive requests from outside researchers and others who wish to obtain access to confidential data for statistical purposes as agents of the statistical agency. Most agencies that receive these kinds of requests have found it useful to first obtain a written proposal from the prospective agent. Agencies may require prospective agents to submit a proposal that includes some or all of the following in order to properly evaluate the proposed access and use of their confidential data:

    • A clear and detailed description of the purpose of the access,
    • The specific confidential information needed,
    • How the information will be used,
    • Plans for disseminating information as well as the products planned for public distribution,
    • A list of persons involved in the project who will have access to the information,
    • A security plan (information systems and physical security) for protecting the information [applicable only for off-site access arrangements], and
    • A timeframe for access.

    After an agency receives the proposal and reviews it, the agency may provide comments and may request changes or may request the prospective agent to complete a written agreement (see section IV.C).[66] Agencies shall deny any proposal that does not meet the requirements described in this guidance.

    Whether or not a prospective agent has submitted a proposal to an agency, access to confidential information shall not be granted until the agency has entered into a written agreement with the agent, and the agent has met the requirements contained in this guidance and in agency standards for accessing the data.

    Prior to the enactment of CIPSEA, some statistical agencies and units had statutory authority to authorize agents to access confidential information. Agencies have developed a variety of mechanisms that balance permitting access to confidential data, while controlling that access. This area is evolving rapidly, and the following examples are included only as illustrations:

    • Onsite at Agency: An external analyst works at an agency as an agent to participate in statistical activities involving confidential data. This work shall be done either in collaboration with or otherwise under the direct control and supervision of agency staff, per the terms of a written agreement. The agent's work is subject to review by the supervising staff.
    • Data Center: An agent visits a controlled access secure facility maintained by the agency or unit to conduct analyses on confidential data held by the agency. The facility must be equipped with secure computers and staffed by agency personnel who review all outputs for the purposes of confidentiality. There may be additional constraints on what the agent may bring to or remove from the center.
    • Off-site License Agreement: An agent is granted access to confidential information from an agency or unit for use at the agent's facility. The organization the agent is affiliated with shall enter into a legally binding written agreement as described in section IV.C with the agency that possesses the confidential information.

    C. Written Agreements for Agent Access to Confidential Information Protected Under CIPSEA

    Some statistical agencies or units use contractors to acquire information and/or perform other statistical activities. Under CIPSEA, the contractor and the contractor's employees are considered agents. For any data that will be acquired by the contractor under CIPSEA, or if the contractor will have access to any confidential information protected by CIPSEA, the legally binding contract shall include the provisions shown in the Appendix.

    If a statistical agency or unit provides designated agents access to confidential information protected under CIPSEA for exclusively statistical purposes, then all such access shall require a written, legally binding contract or other agreement between the agency and the responsible management level official from the institution with which the agent(s) is(are) affiliated.[67] The information required as part of that written agreement is shown in the Appendix.

    D. Physical and Information Systems Security for Confidential Information Protected Under CIPSEA: On-Site and Off-Site

    Agencies have the responsibility to ensure the security of physical and information systems for on-site as well as off-site access (if applicable) to confidential information and must follow applicable OMB Guidance and NIST standards and publications.[68] In addition to the security requirements described in section III.B, agencies allowing agents access to confidential information protected under CIPSEA outside of the collecting agency or a facility under the agency's control shall require that the written access agreement, described in section IV.C, stipulate the agency's right to conduct inspections of the off-site facility.

    In order to ensure the physical and information systems security of the confidential information, agencies shall conduct inspections of any off-site facility that harbors confidential information protected under CIPSEA. (If the off-site facility is another Federal statistical agency or unit, agencies may at their option conduct inspections but are not required to inspect these facilities.) These inspections shall be conducted according to the following principles:

    • The inspections shall assess and document whether the protection procedures outlined in the written agreement and in the agent's security plan are being implemented.
    • While an inspection of the off-site facility is encouraged prior to release of the information to the agent, it is not required. (The inspection may occur any time during the access agreement period, preferably as soon as possible.)
    • Inspections shall be conducted at all off-site facilities at some time during the timeframe of access. Agencies may prioritize their selection of sites for inspections based on risk, but must still inspect all off-site facilities; however, agencies may coordinate and collaborate on inspections of off-site facilities that harbor confidential data from multiple agencies. Agencies may choose not to inform the agent of the timing of such inspections.

    E. Confidentiality Training

    All persons with access to confidential information protected under CIPSEA shall participate in agency-provided confidentiality training (see section III.C) prior to accessing the confidential information as stipulated in the written agreement (section IV.C) between the agency and the agent's organization or institution.[69]

    The agency possessing the confidential data shall certify or receive notification that each project staff member has undergone the training. Agents shall also be required to be recertified annually.

    F. Record Keeping

    Agencies shall establish and maintain a system of records [70] that identifies designated agents accessing confidential information protected under CIPSEA and the project for which the information was authorized.

    V. Requirements for Statistical Agencies or Organizational Units Acquiring Information That May Be Used for Nonstatistical Purposes

    CIPSEA defines a statistical agency or unit to be “an agency or organizational unit of the executive branch whose activities are predominantly the collection, compilation, processing, or analysis of information for statistical purposes.” [71]

    Because the public should expect that a statistical agency or unit will be collecting information for exclusively statistical purposes, CIPSEA requires a statistical agency to “clearly distinguish any data or information it collects for nonstatistical purposes (as authorized by law) and provide notice to the public, before the data or information is collected, that the data or information could be used for nonstatistical purposes.” [72]

    A. Requirements for Public Notice

    If a statistical agency or unit will collect information that may be subject to use for nonstatistical purposes, the statistical agency or unit shall use the notices in the Federal Register that are required under the PRA to inform the public about the nonstatistical uses of the information during the process of requesting OMB approval of the information collection.

    As noted in section II.A, OMB's regulations for Controlling Paperwork Burdens on the Public [73] set forth public notification requirements for agencies conducting or sponsoring an information collection. Agencies are required under the PRA to:

    • Publish a notice in the Federal Register allowing 60 days for the public to comment on information collections and otherwise consult with members of the public and affected agencies concerning each proposed collection of information; [74]
    • Publish a notice in the Federal Register at the time OMB approval is being sought, and allow the public 30 days to comment; and
    • “Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy” in their PRA supporting statements submitted to OMB.[75]

    Both Federal Register notices (i.e., the initial one seeking public comments for consideration by the agency and the later one seeking public comments for consideration by OMB) must explicitly address what information the statistical agency or unit plans to collect that may be used for nonstatistical purposes.

    B. Requirements for Informing and Making Pledges to Respondents

    As noted in section II.B, at the time of the information collection, agencies are required under the PRA to adequately inform potential respondents about the uses of the information they provide.[76]

    This description must include the following information related to the confidentiality of their responses:

    • The reasons the information is planned to be and/or has been collected;
    • The way such information is planned to be and/or has been used; and
    • The nature and extent of confidentiality to be provided, if any.[77]

    The statistical agency or unit must clearly explain the confidentiality provisions, if any, for all information not protected under CIPSEA. As appropriate, the explanation shall include:

    • What information will be treated as confidential and the basis (e.g., laws) for any confidentiality pledge;
    • What information will be treated as nonconfidential;
    • What information, if any, is limited to use for exclusively statistical purposes and the agency's basis (e.g., laws) for such assurances;
    • What information, if any, is not limited to use for exclusively statistical purposes and may be used for nonstatistical purposes; and
    • Any limitations on the confidentiality provisions (e.g., the information will be kept confidential only to the extent that it satisfies a criterion for exemption in the Freedom of Information Act (FOIA), the information may be shared with other Federal government agencies for official uses, etc.).

    Agencies must ensure that the public is able to distinguish easily between their CIPSEA pledge and any non-CIPSEA pledge covering information that will be used for nonstatistical purposes. The degree to which the pledge differs from the CIPSEA pledge needs to be based on the laws and regulations governing the collection and determined in collaboration with the agency legal staff, agency confidentiality officer, and PRA clearance officer. The pledge shall be in compliance with section 512(c) of CIPSEA—requiring notice that any data could be used for nonstatistical purposes. The approach a statistical agency or unit uses in crafting wording for confidentiality pledges for information not protected under CIPSEA must be done with care and take into account the laws governing the particular agency, and the agency is strongly encouraged to test changes from currently used wording. In particular, the pledge for collections not protected under CIPSEA (because, for example, the information would be used for nonstatistical purposes) shall not contain all the elements related to CIPSEA found in the pledges given in section II—for example, the pledge shall not state both that the data are confidential and that they are for exclusively statistical use (in such cases CIPSEA would apply even if not stated).

    For example, a pledge for data that are legally permitted to be accessed for nonstatistical purposes may state:

    The information you provide will be protected to the fullest extent allowable under (name the law). This law allows for the (name specific nonstatistical uses). Information will be protected from public disclosure by (your agency). Results from this survey will be reported publicly only in statistical summaries, so that individuals cannot be identified.

    To illustrate the actual pledge wording, an agency could implement this pledge as follows:

    The information you provide will be protected and will not be disclosed to the public to the extent that it satisfies the criteria for exemption under the Freedom of Information Act (FOIA), 5 U.S.C. Sec. 552, and the Trade Secrets Act, 18 U.S.C. Sec. 1905.

    To ensure public understanding and avoid confusion (about whether the agency will provide CIPSEA protection to the data), the above pledges do not use the word “confidential” because use of this term could give rise to confusion.

    VI. Requirements and Guidelines for Nonstatistical Agencies or Units Acquiring and Handling Information Protected Under CIPSEA

    Nonstatistical agencies seeking to acquire information that will be protected under CIPSEA can take two general approaches: (1) They can directly acquire the information themselves from respondents, or (2) they can enter into an agreement with a statistical agency to acquire the information.

    As noted in Section I. G., Subtitle A of CIPSEA may be used by any Federal agency that directly acquires information from respondents for exclusively statistical purposes under a pledge of confidentiality. Nonstatistical agencies that acquire information in this manner must follow all of the requirements in sections II and III of this guidance for confidential information protected by CIPSEA.

    Nonstatistical agencies or units that will not collect the information themselves directly from respondents will need to carefully consider their plans for acquiring and using information if they want to use CIPSEA to protect the information. Although nonstatistical agencies and units do acquire information directly from respondents, they frequently use contractors or other agencies to acquire information for them that is used for statistical purposes. CIPSEA did not authorize nonstatistical agencies or units to designate agents, such as contractors, university researchers, or others included within the definition of agents,[78] to perform exclusively statistical activities, including data collection. Because nonstatistical agencies or units are not empowered under CIPSEA to designate agents, who are subject to CIPSEA limitations and penalties, they will not be able to protect the information under CIPSEA if they employ contractors or other agents to acquire the information or if they plan to allow access to the information by anyone outside of authorized agency employees, even if they intend to use the information for exclusively statistical purposes and want to keep it confidential.[79]

    As an alternative to collecting the data directly themselves, nonstatistical agencies or units that wish to acquire information with CIPSEA protection may want to consider entering into an agreement with a Federal statistical agency or unit. Because the statistical agency or unit would be responsible for protecting all confidential information acquired under the CIPSEA pledge, carrying out these responsibilities will take resources that non-statistical agencies should be prepared to provide to the statistical agency. Statistical agencies or units may designate agents under CIPSEA, but must follow the requirements in Section IV of this guidance to do so. Employees within a nonstatistical agency or unit may serve as agents for a statistical agency or unit to perform exclusively statistical activities on confidential information and be bound by CIPSEA provided that the statistical agency or unit and the agents have followed all of the requirements given in section IV.

    An agreement between the statistical agency and the nonstatistical agency could be used to make the statistical agency or unit responsible for the control of the confidential information. The statistical agency could then designate a contractor to acquire the information and perform other exclusively statistical activities. The statistical agency could also designate as agents select employees of the nonstatistical agency or unit to have access to the information for exclusively statistical purposes. As noted earlier, all requirements in sections II, III, and IV would have to be met; and, therefore, all agents would be subject to penalties under CIPSEA for any disclosure.

    VII. Data Sharing Under Subtitle B of CIPSEA

    Subtitle B, Statistical Efficiency, provides only for the sharing of business data for exclusively statistical purposes and provides for that sharing only among three statistical agencies designated in Subtitle B. Subtitle B of CIPSEA does not authorize the sharing of confidential business data among any Federal agencies other than the three designated statistical agencies, nor does it authorize any sharing of demographic or other types of data among any Federal agencies.[80]

    The following brief guidance in this section applies to the three designated statistical agencies sharing business data. These three agencies are currently working to implement the data sharing provisions of CIPSEA. OMB is working closely with them and may issue additional guidance to these three agencies as needed to implement the data sharing provisions of CIPSEA.

    A. Designated Statistical Agencies

    The three designated statistical agencies permitted by Subtitle B to share business data for exclusively statistical purposes are the Bureau of the Census, the Bureau of Economic Analysis, and the Bureau of Labor Statistics.[81]

    B. Requirements When the Designated Statistical Agencies Share Data

    Prior to sharing any business data under CIPSEA, the designated statistical agencies shall inform respondents about their intentions to share the business data. If, prior to collection, the designated agencies anticipate that they will share business data, the agencies shall:

    • Include in their Federal Register notices required under the PRA notification that the business data may be shared with designated statistical agencies, and
    • Also include in their CIPSEA confidentiality pledges notification that the data may be shared with designated statistical agencies.

    When a designated statistical agency plans to share data that was collected under a legal requirement to supply the information without notice of the intent to share that information with one or more designated statistical agencies, the agency shall publish a notice of the proposed data sharing activity in the Federal Register and specify the business data to be shared and the statistical purposes for which the business data are to be used. This notice shall allow a minimum of 60 days for public comment,[82] and a copy of this notice shall be sent to OMB when it is published.

    C. Requirements for Written Agreements for Data Sharing Among Designated Statistical Agencies

    Designated statistical agencies shall enter into a written agreement before sharing any business data. The written agreement shall specify:

    • The business data to be shared;
    • The statistical purposes for which the business data are to be used;
    • The officers, employees, and agents authorized to examine the business data to be shared; and
    • Appropriate security procedures to safeguard the confidentiality of the business data.

    A copy of the written agreement shall be provided to OMB ten days prior to execution.

    VIII. Annual Reporting and Review Requirements

    A. Reporting Requirements

    To coordinate and oversee the confidentiality and disclosure policies established under CIPSEA, the Office of Management and Budget is authorized under CIPSEA to require reports and other information regarding the implementation of this legislation by Federal agencies.[83] In order to effectively monitor Federal agencies' use of the different provisions in CIPSEA, all agencies shall report to OMB on (1) the use of the CIPSEA pledge, (2) the use of the CIPSEA agents provision, and (3) data sharing activities under Subtitle B.

    Use of the CIPSEA pledge. Any Federal agency acquiring data under CIPSEA Subtitle A shall report to OMB on an annual basis on those collections it has conducted under CIPSEA and affirm that the agency has followed the procedures in this guidance to ensure the confidentiality of the information is protected.

    Use of the agents provision in CIPSEA. Statistical agencies and units are authorized under Subtitle A of CIPSEA to designate agents, who may perform exclusively statistical activities, including data collection, and are bound to the same legal requirements as agency employees for maintaining the confidentiality of the information. Statistical agencies or units that choose to designate agents shall report to OMB on an annual basis on the number of agents designated; the kinds of statistical activities performed by agents, e.g., data collection, analysis, etc.; the different types of arrangements for access to confidential information (if applicable), e.g., on-site at the statistical agency, through an agency-controlled research data center, or off-site licensing agreement; and the kind of written agreement that is required for each type of access.

    Use of data sharing provisions under Subtitle B of CIPSEA. CIPSEA directs that the three designated agencies shall report annually to the Director of the Office of Management and Budget, the Committee on Government Reform of the House of Representatives, and the Committee on Governmental Affairs of the Senate on the actions taken to implement the sections of the law on sharing of business data. Designated agency reports shall be prepared on a calendar year basis, and shall include a summary of activities carried out under this law including the statistical purposes for sharing, any anticipated improvements to quality, and any anticipated or achieved reductions in cost or respondent burden due to the sharing of business data. The report shall include copies of each written agreement for the sharing of business data for the applicable year.

    The initial report to OMB shall cover any collections since the enactment of the legislation in December 2002 through December 2006, and subsequent reports shall cover a calendar year. Agencies shall submit their initial reports to OMB by May 30, 2007. Subsequent reports shall be submitted annually to OMB by April 30th of each year. Agencies shall also post copies of this report on their Web sites.

    B. OMB Review of Agency Rules

    Agencies are authorized to promulgate rules to implement CIPSEA.[84] Agencies proposing rules to implement CIPSEA shall submit these proposed rules to OMB for review and approval.[85]

    Appendix: Requirements for Contracts and Written Agreements for Agents Acquiring or Accessing Confidential Information Under CIPSEA

    The following information shall be included in the contract or written agreement:

    • The identity and affiliation of both the legally responsible agent (e.g., contractor or requestor seeking access to confidential data) and agency official signing the agreement;
    • Whether the agent will be acquiring confidential information on behalf of the agency or only accessing confidential information the agency possesses;
    • A clear and detailed description of the purpose of the access;
    • The specific confidential information needed;
    • How the information will be used;
    • Any plans for disseminating information as well as the products planned for public distribution;
    • Legally binding signature lines for the agency, and the responsible management level official from the institution with which the agent(s) is (are) affiliated. When the agent is operating independently for these purposes and is unaffiliated with an institution, the agent will sign;
    • The legal authority under which the information was collected or acquired;
    • The legal authority from CIPSEA and other laws for providing the agent the ability to acquire or to access the information;
    • Penalties for violating confidentiality or unauthorized use of the information;
    • The timeframe for access;
    • A requirement that the agent provide and update as necessary a list of persons involved in the project who will have access to the information;
    • The agent's responsibility to notify agency when
        ○ The agent no longer needs the information,
        ○ The agent plans a change in site access, and/or
        ○ The project purpose changes (agency approval must be obtained first);
    • Confidentiality training requirement for all persons who have access to confidential information;
    • The requirement that each person with access to confidential information sign a non-disclosure form that signifies an understanding of and agreement to the terms of access and agreement to comply with CIPSEA and any other applicable laws (see below for options on where to include this information);
    • The requirement that the agent submit any project information products to the agency for disclosure review (agencies may also include or reference reporting requirements or standards);
    • For off-site access arrangements
        ○ A security plan (information systems and physical security) for protecting the information,
        ○ Procedures regarding the return or destruction of information when access is no longer necessary (may precede project's end), and
        ○ The requirement that the agent allows the agency to carry out a physical and IT security inspection of the agent's workplace;
    • Conditions requiring modification of the agreement;
    • Termination clause for the agreement;
    • Listing of contact persons for the agency and the responsible management level official from the institution with which the agent is affiliated. (When the agent is operating independently and is unaffiliated with an institution, the agent will designate a contact person.); and
    • As applicable, information on funding of project work, including any between the agency, agent(s), and/or agents' institution.

    The following information may be included in the body of the agreement, added to the agreement as appendices, or made part of the agency's official files for the actual agreement:

    • Copy of the agency-approved proposal (if required);
    • Copies of all laws cited in the agreement;
    • The list of persons with access to confidential information;
    • Certification that all persons who have access to confidential information have completed confidentiality training;
    • Signed non-disclosure forms for all persons with access to confidential information; and
    • For each person with data access, a copy of the background certification supporting such access—details to be determined by agency (options could include fingerprinting, a sworn affidavit of nondisclosure, work history checks, etc.).

    Agencies may also include additional requirements in their written agreements. Examples of written agreements used by some agencies that conform to the above requirements will be available on the OMB Web site.[86]

    Footnotes

    3.  This footnote appears as footnote 40 in this final document.

    4.  Sec. 511(b).

    5.  Sec. 513.

    6.  Sec. 521(b).

    7.  Statistical Programs of the U.S. Government FY 2007, Office of Management and Budget, Washington, DC.

    8.  Federal Statistics—Report of the President's Commission, Volume 1, p. 222, September, 1971.

    9.  Personal Privacy in an Information Society—Report of the Privacy Protection Study Commission, p. 574, July, 1977.

    10.  Statistics—A Report of the Commission on Federal Paperwork, p. 128, October, 1977.

    11.  Private Lives and Public Policies, 1993, National Academy Press, Washington, DC.

    13.  Congressional Record, July 25, 2002, p. E1397.

    18.  Sec. 503(a).

    19.  Sec. 502(1).

    20.  Sec. 512(a) and 512(b). Agencies may also be governed by other statutes that may have additional restrictions on the use and disclosure of confidential statistical information that apply beyond CIPSEA (Sec. 504(h); Sec. 512(b)(3)).

    21.  Sec. 502(8).

    22.  Sec. 522.

    24.  The term “personally identifiable information” refers to information that can be used to distinguish or trace an individual's identity, such as his or her name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.

    25.  Statistical agencies may collect information from a State or local government that is in the public domain, and, therefore, the statistical agency would typically not pledge to keep that information confidential under CIPSEA or other legal authorities.

    26.  Sec. 502(4). Indirect identification refers to using information in conjunction with other data elements to reasonably infer the identity of a respondent. For example, data elements such as a combination of gender, race, date of birth, geographic indicators, or other descriptors may be used to identify an individual respondent.

    27.  Sec. 502(9).

    28.  There are some authorized, nonstatistical uses of information collected for statistical purposes, such as the use of Decennial Census information for genealogical research, that are noted in Section 504 of CIPSEA. CIPSEA was intended to apply to these collections that are intended for statistical purposes and have only very narrow exceptions for specific nonstatistical uses that do not result in any actions directly affecting the respondent. Agencies acquiring or protecting information under CIPSEA with similar nonstatistical uses of the information should consult with OMB on the applicability of CIPSEA for the information collection. Unless there is a specific exception noted in Section 504 of CIPSEA, CIPSEA clearly prohibits disclosures for administrative, regulatory, law enforcement, or adjudicatory purposes that affect the rights, privileges, or benefits of a particular identifiable respondent absent informed consent. Since some State or Federal laws may require notification of authorities if, for example, child abuse is reported by the respondent, agencies collecting such information shall inform respondents at the time of collection that revelations of this type of information must be reported to legal authorities. Agencies may conduct these collections under CIPSEA if any such nonstatistical uses are clearly described in advance to the respondent (with the respondent providing informed consent), and these procedures are clearly stated in the notices and supporting materials described in Section II. Agencies should also consult with their institutional review boards to determine circumstances when informed consent is appropriate or necessary.

    29.  Sec. 502(5)(B).

    30.  Sec. 502(6).

    31.  Sec. 502(2).

    32.  Sec. 504(h); Sec. 512(b)(3).

    33.  Sec. 512(b).

    34.  Sec. 502(8).

    36.  Sec. 512(d).

    37.  Sec. 502(2)(iii).

    38.  Some nonstatistical agencies may have specific statutory authority to designate agents that meets the requirements of CIPSEA, allowing the agency to use agents to perform exclusively statistical activities, including data collection, for the agency. Agencies should consult with OMB on the applicability of their statute for purposes of using CIPSEA before making plans to designate agents. Agencies should also clearly describe how their authority meets the requirements for CIPSEA designation of agents in their information collection requests to OMB.

    40.  Instructions for Supporting Statement for Paperwork Reduction Act submissions and 5 CFR 1320.8(b)(3).

    41.  Agencies conducting an OMB-approved information collection prior to passage of CIPSEA or issuance of this guidance, such as a periodic or longitudinal survey, can also protect that collection under CIPSEA if the collection is intended for exclusively statistical purposes, the agency pledges confidentiality, and the agency will follow this guidance in implementing CIPSEA. In this case, the agency should consult with OMB about the change in confidentiality protection for the collection and plan appropriate consultation with stakeholders and respondents. OMB may require agencies to provide Federal Register notices concerning the change in policy and to contact respondents for comments before the agency can make a CIPSEA pledge.

    42.  5 CFR 1320.8(b)(3); Additional requirements are imposed if the collection involves a Privacy Act system of records (5 U.S.C. 552a(e)(3) as amended).

    44.  Sec. 512(a).

    45.  As noted at the end of this subsection (and in footnote 17), CIPSEA does not restrict or diminish any other confidentiality protections or penalties for unauthorized disclosure that an agency may otherwise have for information collected for statistical purposes, and any stronger protections would remain in effect (Sec. 504(h); Sec. 512(b)(3)).

    46.  Use the phrase “without your consent” only in cases where an agency can reasonably anticipate such consent will be requested.

    47.  Agencies that plan to provide access to confidential information for statistical purposes should include mention of this in their pledge.

    48.  Designated statistical agencies (as defined under CIPSEA Subtitle B) may include “employees of partner statistical agencies” for collections of confidential business information that may be used in data sharing agreements as authorized under that Subtitle.

    49.  Use “without your consent” only if consent is asked or may be in the future—omitting this phrase could create difficulties if the agency later wants to ask for consent.

    50.  Sec. 504(h); Sec. 512(b)(3).

    51.  Best practices that agencies are encouraged but not required to implement are designated as items that agencies “may” do, while requirements are noted as items that agencies “shall” do.

    52.  For more information about existing security and privacy requirements, see http://www.whitehouse.gov/omb/inforeg/infopoltech.html, FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems, Gaithersburg, MD: U.S. Department of Commerce, and related publications.

    53.  See FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems, Gaithersburg, MD:U.S. Department of Commerce; and related publications such as NIST Special Publication 800-60.

    54.  See OMB Memorandum M-03-22, September 26, 2003, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.

    55.  Agencies should assess for themselves the nature of these records and requirements for record keeping, including whether what an agency does for this purpose qualifies as a system of records under the Privacy Act. OMB is not implying in this guidance what form these record keeping systems should take and is leaving that determination to the agency.

    56.  OMB recognizes that in some cases agencies have very detailed documentation on access to confidential information that itself is treated as confidential by the agency. In this case, it is sufficient for the agency simply to demonstrate that the basic safeguard principles are being followed; agencies should not reveal specific individuals or specific procedures that would compromise the protection of the information.

    58.  See http://www.fcsm.gov/committees/cdac/cdac.html. Agencies may also wish to consult HIPAA standards for deidentification of protected health information at 45 CFR 164.514.

    59.  Microdata are data about individual respondents (e.g., persons, households, organizations, companies, farms, etc.)

    60.  Sec. 512(d).

    61.  Sec. 512(a).

    62.  An example is the authority granted the Census Bureau under Title 13, Section 23(c) that permits the use of temporary staff to assist in the performance of work authorized by Title 13. Whereas CIPSEA puts no limits on the statistical uses made by agents, Title 13 limits the statistical uses to those that support the work of the agency.

    63.  Sec. 502(2)(A); Sec. 512(d).

    64.  CIPSEA includes as agents contractors maintaining systems for handling or storage of data. Such information technology personnel provide support and have direct contact with confidential information not because they would necessarily use the information for statistical purposes, but because they would be responsible for the protection of the information from use for nonstatistical purposes and for ensuring appropriate security. As agents, these contractors and their employees are bound by CIPSEA to protect the confidentiality of the information.

    65.  Sec. 502(2)(B).

    66.  If the agency chooses, the agent may submit the proposal in conjunction with a completed written agreement.

    67.  For situations in which agents are not affiliated with an institution, the agreement will be signed as legally binding by the agent(s). The latter arrangements would include those with a single agent operating independently as a sole proprietor as well as those with multiple agents operating independently.

    68.  For more information about existing security and privacy requirements, see http://www.whitehouse.gov/omb/inforeg/infopoltech.html, FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems, Gaithersburg, MD: U.S. Department of Commerce, and related publications.

    69.  For situations in which agents are not affiliated with an institution, the agreement will be signed as legally binding by the agent(s).

    70.  Agencies should assess for themselves the nature of these records and requirements for record keeping, including whether what an agency does for this purpose qualifies as a system of records under the Privacy Act. OMB is not implying in this guidance what form these record keeping systems should take, and is leaving that determination to the agency.

    71.  Sec. 502(8).

    72.  Sec. 512(c).

    75.  Instructions for Supporting Statement for Paperwork Reduction Act submissions and 5 CFR 1320.8(b)(3).

    76.  5 CFR 1320.8(b)(3); Additional requirements are imposed if the collection involves a Privacy Act system of records (5 U.S.C. 552a(e)(3) as amended).

    78.  See Sec. 502(2)(A).

    79.  Some nonstatistical agencies may have specific statutory authority to designate agents that meets the requirements of CIPSEA, allowing the agency to use agents to perform exclusively statistical activities, including data collection, for the agency. Agencies should consult with OMB on the applicability of their statute for purposes of using CIPSEA before making plans to designate agents. Agencies should also clearly describe how their authority meets the requirements for CIPSEA designation of agents in their information collection requests to OMB.

    80.  Although CIPSEA Subtitle B only authorizes the sharing of confidential business information among BEA, BLS, and the Census Bureau, CIPSEA did not alter other existing authorities for data sharing among Federal agencies (see Sec. 504(a)).

    81.  Sec. 522.

    82.  Sec. 524(d).

    83.  Sec. 503.

    84.  Sec. 503(b).

    85.  Sec. 503(c).

    86.  http://www.whitehouse.gov/omb, go to “Statistical Programs and Standards.”

    [FR Doc. E7-11542 Filed 6-14-07; 8:45 am]

    BILLING CODE 3110-01-P

Document Information

Published: 06/15/2007
Department: Management and Budget Office
Entry Type: Notice
Action: Notice of decision.
Document Number: E7-11542
Pages: 33361-33377 (17 pages)