94-17780. Conforming Postal Regulations to the Computer Matching and Privacy Protection Act of 1988  

  • [Federal Register Volume 59, Number 139 (Thursday, July 21, 1994)]
    [Unknown Section]
    [Page 0]
    From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
    [FR Doc No: 94-17780]
    
    
    [[Page Unknown]]
    
    [Federal Register: July 21, 1994]
    
    
    =======================================================================
    -----------------------------------------------------------------------
    
    POSTAL SERVICE
    
    39 CFR Parts 262 and 266
    
     
    
    Conforming Postal Regulations to the Computer Matching and 
    Privacy Protection Act of 1988
    
    AGENCY: Postal Service.
    
    ACTION: Final rule.
    
    -----------------------------------------------------------------------
    
    SUMMARY: The Postal Service is amending its Privacy Act regulations to 
    incorporate changes made by the Computer Matching and Privacy 
    Protection Act of 1988 (Pub. L. 100-503). That Act amended the Privacy 
    Act of 1974 to establish procedures affecting agencies' use of Privacy 
    Act records in performing certain types of computerized matching 
    programs. The rules follow the guidelines issued by the Office of 
    Management and Budget (54 FR 25818, June 19, 1989). Because the 
    proposed rule (59 FR 30739, June 15, 1994) generated no comments, the 
    final rule is published unchanged.
    
    EFFECTIVE DATE: August 15, 1994.
    
    ADDRESSES: Copies of the documents relevant to this action are 
    available for inspection and photocopying between 8:15 a.m. and 4:45 
    p.m., Monday through Friday, at the Records Office, U.S. Postal 
    Service, 475 L'Enfant Plaza SW., room 8831, Washington, DC 20260-5240.
    
    FOR FURTHER INFORMATION CONTACT: Sheila Allen, (202) 268-4869.
    
    SUPPLEMENTARY INFORMATION: The Computer Matching and Privacy Protection 
    Act of 1988 requires an agency to meet certain procedural requirements 
    when using one or more of its Privacy Act systems of records in 
    conducting computer matching programs. Included is the requirement that 
    an agency Data Integrity Board agency. The following changes define 
    computer matching under the Act; incorporate some of the Act's 
    procedural requirements, including Federal Register publication, 
    submission of matching proposals to the Postal Service, and execution 
    of matching agreements; and describe the responsibilities and makeup of 
    the USPS Data Integrity Board.
    
    List of Subjects in 39 CFR Parts 262 and 266
    
        Definitions, Privacy, Records and information management.
    
        For the reasons set out in this notice, the Postal Service is 
    amending parts 262 and 266 of title 39 of the Code of Federal 
    Regulations as follows:
    
    PART 262--RECORDS AND INFORMATION MANAGEMENT DEFINITIONS
    
        1. The authority citation for part 262 continues to read as 
    follows:
    
        Authority: 39 U.S.C. 401; 5 U.S.C. 552a.
    
        2. Paragraphs (c) and (d) are added to Sec. 262.5 as follows:
    
    
    Sec. 262.5  Systems (Privacy).
    
    * * * * *
        (c) Computer matching program. A ``matching program,'' as defined 
    in the Privacy Act, 5 U.S.C. 552a(a)(8), is subject to the matching 
    provisions of the Act, published guidance of the Office of Management 
    and Budget, and these regulations. The term ``matching program'' 
    includes any computerized comparison of:
        (1) A Postal Service automated system of records with an automated 
    system of records of another Federal agency, or with non-Federal 
    records, for the purpose of:
        (i) Establishing or verifying the eligibility of, or continuing 
    compliance with statutory and regulatory requirements by, applicants 
    for, recipients or beneficiaries of, participants in, or providers of 
    services with respect to, cash or in-kind assistance or payments under 
    Federal benefit programs, or
        (ii) Recouping payments or delinquent debts under such Federal 
    benefit programs;
        (2) A Postal Service automated personnel or payroll system of 
    records with another automated personnel or payroll system of records 
    of the Postal Service or other Federal Agency or with non-Federal 
    records.
        (d) Other computer matching activities. (1) The following kinds of 
    computer matches are specifically excluded from the term ``matching 
    program'':
        (i) Statistical matches whose purpose is solely to produce 
    aggregate data stripped of personal identifiers.
        (ii) Statistical matches whose purpose is in support of any 
    research or statistical project.
        (iii) Law enforcement investigative matches whose purpose is to 
    gather evidence against a named person or persons in an existing 
    investigation.
        (iv) Tax administration matches.
        (v) Routine administrative matches using Federal personnel records, 
    provided that the purpose is not to take any adverse action against an 
    individual.
        (vi) Internal matches using only records from Postal Service 
    systems of records, provided that the purpose is not to take any 
    adverse action against any individual.
        (vii) Matches performed for security clearance background checks or 
    for foreign counterintelligence.
        (2) Although these and other matching activities that fall outside 
    the definition of ``matching program'' are not subject to the matching 
    provisions of the Privacy Act or OMB guidance, other provisions of the 
    Act and of these regulations may be applicable. No matching program or 
    other matching activity may be conducted without the prior approval of 
    the Records Officer.
    
    PART 266--PRIVACY OF INFORMATION
    
        3. The authority citation for part 266 continues to read as 
    follows:
    
        Authority: 39 U.S.C. 401; 5 U.S.C. 552a.
    
    
    Sec. 266.2  [Amended]
    
        4. Section 266.2 is amended by removing ``and'' before ``(f)'' and 
    the period at the end of the paragraph and adding ``; and (g) of the 
    establishment or revision of a computer matching program.''
        5. Paragraph (d) is added to Sec. 266.3 as follows:
    
    
    Sec. 266.3  Responsibility.
    
    * * * * *
        (d) Data Integrity Board--(1) Responsibilities. The Data Integrity 
    Board oversees Postal Service computer matching activities. Its 
    principal function is to review, approve, and maintain all written 
    agreements for use of Postal Service records in matching programs to 
    ensure compliance with the Privacy Act and all relevant statutes, 
    regulations, and guidelines. In addition, the Board annually reviews 
    matching programs and other matching activities in which the Postal 
    Service has participated during the preceding year to determine 
    compliance with applicable laws, regulations, and agreements; compiles 
    a biennial matching report of matching activities; and performs review 
    and advisement functions relating to records accuracy, recordkeeping 
    and disposal practices, and other computer matching activities.
        (2) Composition. The Privacy Act requires that the senior official 
    responsible for implementation of agency Privacy Act policy and the 
    Inspector General serve on the Board. The Records Officer, as 
    administrator of Postal Service Privacy Act policy, serves as Secretary 
    of the Board and performs the administrative functions of the Board. 
    The Board is composed of these and other members designated by the 
    Postmaster General, as follows:
        (i) Vice President/Controller (Chairman).
        (ii) Chief Postal Inspector in his or her capacity as Inspector 
    General.
        (iii) Vice President, Employee Relations.
        (iv) General Counsel.
        (v) Records Officer (Secretary).
    
        6. Paragraph (b)(6) is added to Sec. 266.4 as follows:
    
    
    Sec. 266.4  Collection and disclosure of information about individuals.
    
    * * * * *
        (b) * * *
        (6) Computer matching purposes. Records from a Postal Service 
    system of records may be disclosed to another agency for the purpose of 
    conducting a computer matching program or other matching activity as 
    defined in paragraphs (c) and (d) of Sec. 262.5, but only after a 
    determination by the Data Integrity Board that the procedural 
    requirements of the Privacy Act, the guidelines issued by the Office of 
    Management and Budget, and these regulations as may be applicable are 
    met. These requirements include:
        (i) Routine use. Disclosure is made only when permitted as a 
    routine use of the system of records. The USPS Records Officer 
    determines the applicability of a particular routine use and the 
    necessity for adoption of a new routine use.
        (ii) Notice. Publication of new or revised matching programs in the 
    Federal Register and advance notice to Congress and the Office of 
    Management and Budget must be made pursuant to paragraph (f) of 
    Sec. 266.5.
        (iii) Computer matching agreement. The participants in a computer 
    matching program must enter into a written agreement specifying the 
    terms under which the matching program is to be conducted (see 
    Sec. 266.10). The Records Officer may require that other matching 
    activities be conducted in accordance with a written agreement.
        (iv) Data Integrity Board approval. No record from a Postal Service 
    system of records may be disclosed for use in a computer matching 
    program unless the matching agreement has received approval by the 
    Postal Service Data Integrity Board (see Sec. 266.10). Other matching 
    activities may, at the discretion of the Records Officer, be submitted 
    for Board approval.
    * * * * *
        7. Paragraph (f) is added to Sec. 266.5 as follows:
    
    
    Sec. 266.5  Notification.
    
    * * * * *
        (f) Notification of computer matching program. The Postal Service 
    publishes in the Federal Register and forwards to Congress and the 
    Office of Management and Budget advance notice of its intent to 
    establish, substantially revise, or renew a matching program, unless 
    such notice is published by another participant agency. In those 
    instances in which the Postal Service is the ``recipient'' agency, as 
    defined in the Act, but another participant agency sponsors and derives 
    the principal benefit from the matching program, the other agency is 
    expected to publish the notice. The notice must be sent to Congress and 
    OMB 40 days, and published at least thirty (30) days, prior to (1) 
    initiation of any matching activity under a new or substantially 
    revised program, or (2) expiration of the existing matching agreement 
    in the case of a renewal of a continuing program.
    
        8. Paragraph (e) is added to Sec. 266.8 as follows:
    
    
    Sec. 266.8  Schedule of fees.
    
    * * * * *
        (e) The Postal Service may, at its discretion, require 
    reimbursement of its costs as a condition of participation in a 
    computer matching program or activity with another agency. The agency 
    to be charged is notified in writing of the approximate costs before 
    they are incurred. Costs are calculated in accordance with the schedule 
    of fees at Sec. 265.9.
    
        9. Section 266.10 is added as follows:
    
    
    Sec. 266.10  Computer matching.
    
        (a) General. Any agency or Postal Service component that wishes to 
    use records from a Postal Service automated system of records in a 
    computerized comparison with other postal or non-postal records must 
    submit its proposal to the USPS Records Officer. Computer matching 
    programs as defined in paragraph (c) of Sec. 262.5 must be conducted in 
    accordance with the Privacy Act, implementing guidance issued by the 
    Office of Management and Budget and these regulations. Records may not 
    be exchanged for a matching program until all procedural requirements 
    of the Act and these regulations have been met. Other matching 
    activities must be conducted in accordance with the Privacy Act and 
    with the approval of the Records Officer. See paragraph (b)(6) of 
    Sec. 266.4.
        (b) Procedure for submission of matching proposals. A proposal must 
    include information required for the matching agreement discussed in 
    paragraph (d)(1) of this section. The Inspection Service must submit 
    its proposals for matching programs and other matching activities to 
    the USPS Records Officer through: Independent Counsel, Inspection 
    Service, U.S. Postal Service, 475 L'Enfant Plaza SW, Rm 3417, 
    Washington, DC 20260-2181.
        All other matching proposals, whether from postal organizations or 
    other government agencies, must be mailed directly to: USPS Records 
    Officer, U.S. Postal Service, 475 L'Enfant Plaza SW, Rm 8831, 
    Washington, DC 20260-5240.
        (c) Lead time. Proposals must be submitted to the USPS Records 
    Officer at least 3 months in advance of the anticipated starting date 
    to allow time to meet Privacy Act publication and review requirements.
        (d) Matching agreements. The participants in a computer matching 
    program must enter into a written agreement specifying the terms under 
    which the matching program is to be conducted. The Records Officer may 
    require similar written agreements for other matching activities.
        (1) Content. Agreements must specify:
        (i) The purpose and legal authority for conducting the matching 
    program;
        (ii) The justification for the program and the anticipated results, 
    including, when appropriate, a specific estimate of any savings in 
    terms of expected costs and benefits, in sufficient detail for the Data 
    Integrity Board to make an informed decision;
        (iii) A description of the records that are to be matched, 
    including the data elements to be used, the number of records, and the 
    approximate dates of the matching program;
        (iv) Procedures for providing notice to individuals who supply 
    information that the information may be subject to verification through 
    computer matching programs;
        (v) Procedures for verifying information produced in a matching 
    program and for providing individuals an opportunity to contest the 
    findings in accordance with the requirement that an agency may not take 
    adverse action against an individual as a result of information 
    produced by a matching program until the agency has independently 
    verified the information and provided the individual with due process;
        (vi) Procedures for ensuring the administrative, technical, and 
    physical security of the records matched; for the retention and timely 
    destruction of records created by the matching program; and for the use 
    and return or destruction of records used in the program;
        (vii) Prohibitions concerning duplication and redisclosure of 
    records exchanged, except where required by law or essential to the 
    conduct of the matching program;
        (viii) Assessments of the accuracy of the records to be used in the 
    matching program; and
        (ix) A statement that the Comptroller General may have access to 
    all records of the participant agencies in order to monitor compliance 
    with the agreement.
        (2) Approval. Before the Postal Service may participate in a 
    computer matching program or other computer matching activity that 
    involves both USPS and non-USPS records, the Data Integrity Board must 
    have evaluated the proposed match and approved the terms of the 
    matching agreement. To be effective, the matching agreement must 
    receive approval by each member of the Board. Votes are collected by 
    the USPS Records Officer. Agreements are signed on behalf of the Board 
    by the Chairman. If a matching agreement is disapproved by the Board, 
    any party may appeal the disapproval in writing to the Director, Office 
    of Management and Budget, Washington, DC 20503-0001, within 30 days 
    following the Board's written disapproval.
        (3) Effective dates. No matching agreement is effective until 40 
    days after the date on which a copy is sent to Congress. The agreement 
    remains in effect only as long as necessary to accomplish the specific 
    matching purpose, but no longer than 18 months, at which time the 
    agreement expires unless extended. The Data Integrity Board may extend 
    an agreement for one additional year, without further review, if within 
    3 months prior to expiration of the 18-month period it finds that the 
    matching program is to be conducted without change, and each party to 
    the agreement certifies that the program has been conducted in 
    compliance with the matching agreement. Renewal of a continuing 
    matching program that has run for the full 30-month period requires a 
    new agreement that has received Data Integrity Board approval.
    Stanley F. Mires,
    Chief Counsel, Legislative.
    [FR Doc. 94-17780 Filed 7-20-94; 8:45 am]
    BILLING CODE 7710-12-P
    
    
    

Document Information

Published:
07/21/1994
Department:
Postal Service
Entry Type:
Uncategorized Document
Action:
Final rule.
Document Number:
94-17780
Dates:
August 15, 1994.
Pages:
0-0 (1 pages)
Docket Numbers:
Federal Register: July 21, 1994
CFR: (8)
39 CFR 266.10)
39 CFR 262.5
39 CFR 266.2
39 CFR 266.3
39 CFR 266.4
More ...