[Federal Register Volume 59, Number 139 (Thursday, July 21, 1994)]
[Unknown Section]
[Page 0]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-17780]
[[Page Unknown]]
[Federal Register: July 21, 1994]
=======================================================================
-----------------------------------------------------------------------
POSTAL SERVICE
39 CFR Parts 262 and 266
Conforming Postal Regulations to the Computer Matching and
Privacy Protection Act of 1988
AGENCY: Postal Service.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Postal Service is amending its Privacy Act regulations to
incorporate changes made by the Computer Matching and Privacy
Protection Act of 1988 (Pub. L. 100-503). That Act amended the Privacy
Act of 1974 to establish procedures affecting agencies' use of Privacy
Act records in performing certain types of computerized matching
programs. The rules follow the guidelines issued by the Office of
Management and Budget (54 FR 25818, June 19, 1989). Because the
proposed rule (59 FR 30739, June 15, 1994) generated no comments, the
final rule is published unchanged.
EFFECTIVE DATE: August 15, 1994.
ADDRESSES: Copies of the documents relevant to this action are
available for inspection and photocopying between 8:15 a.m. and 4:45
p.m., Monday through Friday, at the Records Office, U.S. Postal
Service, 475 L'Enfant Plaza SW., room 8831, Washington, DC 20260-5240.
FOR FURTHER INFORMATION CONTACT: Sheila Allen, (202) 268-4869.
SUPPLEMENTARY INFORMATION: The Computer Matching and Privacy Protection
Act of 1988 requires an agency to meet certain procedural requirements
when using one or more of its Privacy Act systems of records in
conducting computer matching programs. Included is the requirement that
an agency Data Integrity Board agency. The following changes define
computer matching under the Act; incorporate some of the Act's
procedural requirements, including Federal Register publication,
submission of matching proposals to the Postal Service, and execution
of matching agreements; and describe the responsibilities and makeup of
the USPS Data Integrity Board.
List of Subjects in 39 CFR Parts 262 and 266
Definitions, Privacy, Records and information management.
For the reasons set out in this notice, the Postal Service is
amending parts 262 and 266 of title 39 of the Code of Federal
Regulations as follows:
PART 262--RECORDS AND INFORMATION MANAGEMENT DEFINITIONS
1. The authority citation for part 262 continues to read as
follows:
Authority: 39 U.S.C. 401; 5 U.S.C. 552a.
2. Paragraphs (c) and (d) are added to Sec. 262.5 as follows:
Sec. 262.5 Systems (Privacy).
* * * * *
(c) Computer matching program. A ``matching program,'' as defined
in the Privacy Act, 5 U.S.C. 552a(a)(8), is subject to the matching
provisions of the Act, published guidance of the Office of Management
and Budget, and these regulations. The term ``matching program''
includes any computerized comparison of:
(1) A Postal Service automated system of records with an automated
system of records of another Federal agency, or with non-Federal
records, for the purpose of:
(i) Establishing or verifying the eligibility of, or continuing
compliance with statutory and regulatory requirements by, applicants
for, recipients or beneficiaries of, participants in, or providers of
services with respect to, cash or in-kind assistance or payments under
Federal benefit programs, or
(ii) Recouping payments or delinquent debts under such Federal
benefit programs;
(2) A Postal Service automated personnel or payroll system of
records with another automated personnel or payroll system of records
of the Postal Service or other Federal Agency or with non-Federal
records.
(d) Other computer matching activities. (1) The following kinds of
computer matches are specifically excluded from the term ``matching
program'':
(i) Statistical matches whose purpose is solely to produce
aggregate data stripped of personal identifiers.
(ii) Statistical matches whose purpose is in support of any
research or statistical project.
(iii) Law enforcement investigative matches whose purpose is to
gather evidence against a named person or persons in an existing
investigation.
(iv) Tax administration matches.
(v) Routine administrative matches using Federal personnel records,
provided that the purpose is not to take any adverse action against an
individual.
(vi) Internal matches using only records from Postal Service
systems of records, provided that the purpose is not to take any
adverse action against any individual.
(vii) Matches performed for security clearance background checks or
for foreign counterintelligence.
(2) Although these and other matching activities that fall outside
the definition of ``matching program'' are not subject to the matching
provisions of the Privacy Act or OMB guidance, other provisions of the
Act and of these regulations may be applicable. No matching program or
other matching activity may be conducted without the prior approval of
the Records Officer.
PART 266--PRIVACY OF INFORMATION
3. The authority citation for part 266 continues to read as
follows:
Authority: 39 U.S.C. 401; 5 U.S.C. 552a.
Sec. 266.2 [Amended]
4. Section 266.2 is amended by removing ``and'' before ``(f)'' and
the period at the end of the paragraph and adding ``; and (g) of the
establishment or revision of a computer matching program.''
5. Paragraph (d) is added to Sec. 266.3 as follows:
Sec. 266.3 Responsibility.
* * * * *
(d) Data Integrity Board--(1) Responsibilities. The Data Integrity
Board oversees Postal Service computer matching activities. Its
principal function is to review, approve, and maintain all written
agreements for use of Postal Service records in matching programs to
ensure compliance with the Privacy Act and all relevant statutes,
regulations, and guidelines. In addition, the Board annually reviews
matching programs and other matching activities in which the Postal
Service has participated during the preceding year to determine
compliance with applicable laws, regulations, and agreements; compiles
a biennial matching report of matching activities; and performs review
and advisement functions relating to records accuracy, recordkeeping
and disposal practices, and other computer matching activities.
(2) Composition. The Privacy Act requires that the senior official
responsible for implementation of agency Privacy Act policy and the
Inspector General serve on the Board. The Records Officer, as
administrator of Postal Service Privacy Act policy, serves as Secretary
of the Board and performs the administrative functions of the Board.
The Board is composed of these and other members designated by the
Postmaster General, as follows:
(i) Vice President/Controller (Chairman).
(ii) Chief Postal Inspector in his or her capacity as Inspector
General.
(iii) Vice President, Employee Relations.
(iv) General Counsel.
(v) Records Officer (Secretary).
6. Paragraph (b)(6) is added to Sec. 266.4 as follows:
Sec. 266.4 Collection and disclosure of information about individuals.
* * * * *
(b) * * *
(6) Computer matching purposes. Records from a Postal Service
system of records may be disclosed to another agency for the purpose of
conducting a computer matching program or other matching activity as
defined in paragraphs (c) and (d) of Sec. 262.5, but only after a
determination by the Data Integrity Board that the procedural
requirements of the Privacy Act, the guidelines issued by the Office of
Management and Budget, and these regulations as may be applicable are
met. These requirements include:
(i) Routine use. Disclosure is made only when permitted as a
routine use of the system of records. The USPS Records Officer
determines the applicability of a particular routine use and the
necessity for adoption of a new routine use.
(ii) Notice. Publication of new or revised matching programs in the
Federal Register and advance notice to Congress and the Office of
Management and Budget must be made pursuant to paragraph (f) of
Sec. 266.5.
(iii) Computer matching agreement. The participants in a computer
matching program must enter into a written agreement specifying the
terms under which the matching program is to be conducted (see
Sec. 266.10). The Records Officer may require that other matching
activities be conducted in accordance with a written agreement.
(iv) Data Integrity Board approval. No record from a Postal Service
system of records may be disclosed for use in a computer matching
program unless the matching agreement has received approval by the
Postal Service Data Integrity Board (see Sec. 266.10). Other matching
activities may, at the discretion of the Records Officer, be submitted
for Board approval.
* * * * *
7. Paragraph (f) is added to Sec. 266.5 as follows:
Sec. 266.5 Notification.
* * * * *
(f) Notification of computer matching program. The Postal Service
publishes in the Federal Register and forwards to Congress and the
Office of Management and Budget advance notice of its intent to
establish, substantially revise, or renew a matching program, unless
such notice is published by another participant agency. In those
instances in which the Postal Service is the ``recipient'' agency, as
defined in the Act, but another participant agency sponsors and derives
the principal benefit from the matching program, the other agency is
expected to publish the notice. The notice must be sent to Congress and
OMB 40 days, and published at least thirty (30) days, prior to (1)
initiation of any matching activity under a new or substantially
revised program, or (2) expiration of the existing matching agreement
in the case of a renewal of a continuing program.
8. Paragraph (e) is added to Sec. 266.8 as follows:
Sec. 266.8 Schedule of fees.
* * * * *
(e) The Postal Service may, at its discretion, require
reimbursement of its costs as a condition of participation in a
computer matching program or activity with another agency. The agency
to be charged is notified in writing of the approximate costs before
they are incurred. Costs are calculated in accordance with the schedule
of fees at Sec. 265.9.
9. Section 266.10 is added as follows:
Sec. 266.10 Computer matching.
(a) General. Any agency or Postal Service component that wishes to
use records from a Postal Service automated system of records in a
computerized comparison with other postal or non-postal records must
submit its proposal to the USPS Records Officer. Computer matching
programs as defined in paragraph (c) of Sec. 262.5 must be conducted in
accordance with the Privacy Act, implementing guidance issued by the
Office of Management and Budget and these regulations. Records may not
be exchanged for a matching program until all procedural requirements
of the Act and these regulations have been met. Other matching
activities must be conducted in accordance with the Privacy Act and
with the approval of the Records Officer. See paragraph (b)(6) of
Sec. 266.4.
(b) Procedure for submission of matching proposals. A proposal must
include information required for the matching agreement discussed in
paragraph (d)(1) of this section. The Inspection Service must submit
its proposals for matching programs and other matching activities to
the USPS Records Officer through: Independent Counsel, Inspection
Service, U.S. Postal Service, 475 L'Enfant Plaza SW, Rm 3417,
Washington, DC 20260-2181.
All other matching proposals, whether from postal organizations or
other government agencies, must be mailed directly to: USPS Records
Officer, U.S. Postal Service, 475 L'Enfant Plaza SW, Rm 8831,
Washington, DC 20260-5240.
(c) Lead time. Proposals must be submitted to the USPS Records
Officer at least 3 months in advance of the anticipated starting date
to allow time to meet Privacy Act publication and review requirements.
(d) Matching agreements. The participants in a computer matching
program must enter into a written agreement specifying the terms under
which the matching program is to be conducted. The Records Officer may
require similar written agreements for other matching activities.
(1) Content. Agreements must specify:
(i) The purpose and legal authority for conducting the matching
program;
(ii) The justification for the program and the anticipated results,
including, when appropriate, a specific estimate of any savings in
terms of expected costs and benefits, in sufficient detail for the Data
Integrity Board to make an informed decision;
(iii) A description of the records that are to be matched,
including the data elements to be used, the number of records, and the
approximate dates of the matching program;
(iv) Procedures for providing notice to individuals who supply
information that the information may be subject to verification through
computer matching programs;
(v) Procedures for verifying information produced in a matching
program and for providing individuals an opportunity to contest the
findings in accordance with the requirement that an agency may not take
adverse action against an individual as a result of information
produced by a matching program until the agency has independently
verified the information and provided the individual with due process;
(vi) Procedures for ensuring the administrative, technical, and
physical security of the records matched; for the retention and timely
destruction of records created by the matching program; and for the use
and return or destruction of records used in the program;
(vii) Prohibitions concerning duplication and redisclosure of
records exchanged, except where required by law or essential to the
conduct of the matching program;
(viii) Assessments of the accuracy of the records to be used in the
matching program; and
(ix) A statement that the Comptroller General may have access to
all records of the participant agencies in order to monitor compliance
with the agreement.
(2) Approval. Before the Postal Service may participate in a
computer matching program or other computer matching activity that
involves both USPS and non-USPS records, the Data Integrity Board must
have evaluated the proposed match and approved the terms of the
matching agreement. To be effective, the matching agreement must
receive approval by each member of the Board. Votes are collected by
the USPS Records Officer. Agreements are signed on behalf of the Board
by the Chairman. If a matching agreement is disapproved by the Board,
any party may appeal the disapproval in writing to the Director, Office
of Management and Budget, Washington, DC 20503-0001, within 30 days
following the Board's written disapproval.
(3) Effective dates. No matching agreement is effective until 40
days after the date on which a copy is sent to Congress. The agreement
remains in effect only as long as necessary to accomplish the specific
matching purpose, but no longer than 18 months, at which time the
agreement expires unless extended. The Data Integrity Board may extend
an agreement for one additional year, without further review, if within
3 months prior to expiration of the 18-month period it finds that the
matching program is to be conducted without change, and each party to
the agreement certifies that the program has been conducted in
compliance with the matching agreement. Renewal of a continuing
matching program that has run for the full 30-month period requires a
new agreement that has received Data Integrity Board approval.
Stanley F. Mires,
Chief Counsel, Legislative.
[FR Doc. 94-17780 Filed 7-20-94; 8:45 am]
BILLING CODE 7710-12-P