[Federal Register Volume 59, Number 114 (Wednesday, June 15, 1994)]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-14561]

=======================================================================
-----------------------------------------------------------------------

POSTAL SERVICE

39 CFR Parts 262 and 266

Conforming Postal Regulations to the Computer Matching and Privacy Protection Act of 1988

AGENCY: Postal Service.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Postal Service proposes to amend its Privacy Act regulations to incorporate changes made by the Computer Matching and Privacy Protection Act of 1988 (Pub. L. 100-503). That Act amended the Privacy Act of 1974 to establish procedures affecting agencies' use of Privacy Act records in performing certain types of computerized matching programs. The proposed rules follow the guidelines issued by the Office of Management and Budget (54 FR 25818, June 19, 1989).

DATES: Comments must be received on or before July 15, 1994.

ADDRESSES: Comments may be mailed or delivered to: Records Office, U.S. Postal Service, 475 L'Enfant Plaza SW., room 8831, Washington, DC 20260-5240. Comments may also be delivered to Room 8831 at the above address between 8:15 a.m. and 4:45 p.m., Monday through Friday. Copies of all written comments will be available for inspection and photocopying during the above hours in Room 8831.

FOR FURTHER INFORMATION CONTACT: Sheila Allen, (202) 268-4869.

SUPPLEMENTARY INFORMATION: The Computer Matching and Privacy Protection Act of 1988 requires an agency to meet certain procedural requirements when using one or more of its Privacy Act systems of records in conducting computer matching programs.
Included is the requirement that an agency Data Integrity Board review and approve certain computer matching activities of the agency. The following changes define computer matching under the Act; incorporate some of the Act's procedural requirements, including Federal Register publication, submission of matching proposals to the Postal Service, and execution of matching agreements; and describe the responsibilities and makeup of the USPS Data Integrity Board.

List of Subjects in 39 CFR Parts 262 and 266

Definitions, Privacy, Records and information management.

For the reasons set out in this notice, the Postal Service proposes to amend parts 262 and 266 of Title 39 of the Code of Federal Regulations as follows:

PART 262--RECORDS AND INFORMATION MANAGEMENT

1. The authority citation for part 262 continues to read as follows:

Authority: 39 U.S.C. 401; 5 U.S.C. 552a.

2. Paragraphs (c) and (d) are added to Sec. 262.5 as follows:

Sec. 262.5 Systems (Privacy).

* * * * *

(c) Computer matching program. A ``matching program,'' as defined in the Privacy Act, 5 U.S.C. 552a(a)(8), is subject to the matching provisions of the Act, published guidance of the Office of Management and Budget, and these regulations.
The term ``matching program'' includes any computerized comparison of:

(1) A Postal Service automated system of records with an automated system of records of another Federal agency, or with non-Federal records, for the purpose of:

(i) Establishing or verifying the eligibility of, or continuing compliance with, statutory and regulatory requirements by, applicants for, recipients or beneficiaries of, participants in, or providers of, services with respect to cash or in-kind assistance or payments under Federal benefit programs; or

(ii) Recouping payments or delinquent debts under such Federal benefit programs;

(2) A Postal Service automated personnel or payroll system of records with another automated personnel or payroll system of records of the Postal Service or other Federal Agency or with non-federal records.

(d) Other computer matching activities. (1) The following kinds of computer matches are specifically excluded from the term ``matching program'':

(i) Statistical matches whose purpose is solely to produce aggregate data stripped of personal identifiers.

(ii) Statistical matches whose purpose is in support of any research or statistical project.

(iii) Law enforcement investigative matches whose purpose is to gather evidence against a named person or persons in an existing investigation.

(iv) Tax administration matches.

(v) Routine administrative matches using Federal personnel records, provided that the purpose is not to take any adverse action against an individual.

(vi) Internal matches using only records from Postal Service systems of records, provided that the purpose is not to take any adverse action against any individual.

(vii) Matches performed for security clearance background checks or for foreign counterintelligence.
(2) While these and other matching activities that fall outside the definition of ``matching program'' are not subject to the matching provisions of the Privacy Act or OMB guidance, other provisions of the Act and of these regulations may be applicable. No matching program or other matching activity may be conducted without the prior approval of the Records Officer.

* * * * *

PART 266--PRIVACY OF INFORMATION

3. The authority citation for part 266 continues to read as follows:

Authority: 39 U.S.C. 401; 5 U.S.C. 552a.

Sec. 266.2 [Amended]

4. Section 266.2 is amended by removing ``and'' before ``(f)'' and the period at the end of the paragraph and adding ``, and (g) of the establishment or revision of a computer matching program.''

5. Paragraph (d) is added to Sec. 266.3 as follows:

Sec. 266.3 Responsibility.

* * * * *

(d) Data Integrity Board--(1) Responsibilities. The Data Integrity Board oversees Postal Service computer matching activities. Its principal function is to review, approve, and maintain all written agreements for use of Postal Service records in matching programs to ensure compliance with the Privacy Act and all relevant statutes, regulations, and guidelines. In addition, the Board annually reviews matching programs and other matching activities in which the Postal Service has participated during the preceding year to determine compliance with applicable laws, regulations, and agreements; compiles a biennial matching report of matching activities; and performs review and advisement functions relating to records accuracy, recordkeeping and disposal practices, and other computer matching activities.

(2) Composition. The Privacy Act requires that the senior official responsible for implementation of agency Privacy Act policy and the Inspector General serve on the Board. The Records Officer, as administrator of Postal Service Privacy Act policy, serves as Secretary of the Board and performs the administrative functions of the Board.
The Board is composed of these and other members designated by the Postmaster General, as follows:

(i) Vice President/Controller (Chairman).

(ii) Chief Postal Inspector in his or her capacity as Inspector General.

(iii) Vice President, Employee Relations.

(iv) General Counsel.

(v) Records Officer (Secretary).

6. Paragraph (b)(6) is added to Sec. 266.4 as follows:

Sec. 266.4 Collection and disclosure of information about individuals.

* * * * *

(b) * * *

(6) Computer matching purposes. Records from a Postal Service system of records may be disclosed to another agency for the purpose of conducting a computer matching program or other matching activity as defined in paragraphs (c) and (d) of Sec. 262.5, but only after a determination by the Data Integrity Board that the procedural requirements of the Privacy Act, the guidelines issued by the Office of Management and Budget, and these regulations as may be applicable are met. These requirements include:

(i) Routine use. Disclosure is made only when permitted as a routine use of the system of records. The USPS Records Officer determines the applicability of a particular routine use and the necessity for adoption of a new routine use.

(ii) Notice. Publication of new or revised matching programs in the Federal Register and advance notice to Congress and the Office of Management and Budget must be made pursuant to paragraph (f) of Sec. 266.5.

(iii) Computer matching agreement. The participants in a computer matching program must enter into a written agreement specifying the terms under which the matching program is to be conducted (see Sec. 266.10). The Records Officer may require that other matching activities be conducted in accordance with a written agreement.

(iv) Data Integrity Board approval. No record from a Postal Service system of records may be disclosed for use in a computer matching program unless the matching agreement has received approval by the Postal Service Data Integrity Board (Sec. 266.10).
Other matching activities may, at the discretion of the Records Officer, be submitted for Board approval.

* * * * *

7. Paragraph (f) is added to Sec. 266.5 as follows:

Sec. 266.5 Notification.

* * * * *

(f) Notification of computer matching program. The Postal Service publishes in the Federal Register and forwards to Congress and the Office of Management and Budget advance notice of its intent to establish, substantially revise, or renew a matching program, unless such notice is published by another participant agency. In those instances in which the Postal Service is the ``recipient'' agency, as defined in the Act, but another participant agency sponsors and derives the principal benefit from the matching program, the other agency is expected to publish the notice. The notice must be published at least 30 days, and sent to Congress and OMB 40 days, prior to (1) initiation of any matching activity under a new or substantially revised program, or (2) expiration of the existing matching agreement in the case of a renewal of a continuing program.

8. Paragraph (e) is added to Sec. 266.8 as follows:

Sec. 266.8 Schedule of fees.

* * * * *

(e) The Postal Service may, at its discretion, require reimbursement of its costs as a condition of participation in a computer matching program or activity with another agency. The agency to be charged is notified in writing of the approximate costs before they are incurred. Costs are calculated in accordance with the schedule of fees at Sec. 265.9.

* * * * *

9. Section 266.10 is added as follows:

Sec. 266.10 Computer matching.

(a) General. Any agency or Postal Service component that wishes to use records from a Postal Service automated system of records in a computerized comparison with other postal or non-postal records must submit its proposal to the USPS Records Officer. Computer matching programs as defined in paragraph (c) of Sec.
262.5 must be conducted in accordance with the Privacy Act, implementing guidance issued by the Office of Management and Budget and these regulations. Records may not be exchanged for a matching program until all procedural requirements of the Act and these regulations have been met. Other matching activities must be conducted in accordance with the Privacy Act and with the approval of the Records Officer. See paragraph (b)(6) of Sec. 266.4.

(b) Procedure for submission of matching proposals. A proposal must include information required for the matching agreement discussed in paragraph (d)(1) of this section. The Inspection Service must submit its proposals for matching programs and other matching activities to the USPS Records Officer through: Independent Counsel, Inspection Service, U.S. Postal Service, 475 L'Enfant Plaza SW., Rm. 3417, Washington DC 20260-2181. All other matching proposals, whether from postal organizations or other government agencies, must be mailed directly to: USPS Records Officer, U.S. Postal Service, 475 L'Enfant Plaza SW., Rm. 8831, Washington DC 20260-5240.

(c) Lead time. Proposals must be submitted to the USPS Records Officer at least 3 months in advance of the anticipated starting date to allow time to meet Privacy Act publication and review requirements.

(d) Matching agreements. The participants in a computer matching program must enter into a written agreement specifying the terms under which the matching program is to be conducted. The Records Officer may require similar written agreements for other matching activities.

(1) Content.
Agreements must specify:

(i) The purpose and legal authority for conducting the matching program;

(ii) The justification for the program and the anticipated results, including, when appropriate, a specific estimate of any savings in terms of expected costs and benefits, in sufficient detail for the Data Integrity Board to make an informed decision;

(iii) A description of the records that are to be matched, including the data elements to be used, the number of records, and the approximate dates of the matching program;

(iv) Procedures for providing notice to individuals who supply information that the information may be subject to verification through computer matching programs;

(v) Procedures for verifying information produced in a matching program and for providing individuals an opportunity to contest the findings in accordance with the requirement that an agency may not take adverse action against an individual as a result of information produced by a matching program until the agency has independently verified the information and provided the individual with due process;

(vi) Procedures for ensuring the administrative, technical, and physical security of the records matched; for the retention and timely destruction of records created by the matching program; and for the use and return or destruction of records used in the program;

(vii) Prohibitions concerning duplication and redisclosure of records exchanged, except where required by law or essential to the conduct of the matching program;

(viii) Assessments of the accuracy of the records to be used in the matching program; and

(ix) A statement that the Comptroller General may have access to all records of the participant agencies in order to monitor compliance with the agreement.

(2) Approval.
Before the Postal Service may participate in a computer matching program or other computer matching activity that involves both USPS and non-USPS records, the Data Integrity Board must have evaluated the proposed match and approved the terms of the matching agreement. To be effective, the matching agreement must receive approval by each member of the Board. Votes are collected by the USPS Records Officer. Agreements are signed on behalf of the Board by the Chairman. If a matching agreement is disapproved by the Board, any party may appeal the disapproval in writing to the Director, Office of Management and Budget, Washington, DC 20503-0001, within 30 days following the Board's written disapproval.

(3) Effective dates. No matching agreement is effective until 40 days after the date on which a copy is sent to Congress. The agreement remains in effect only as long as necessary to accomplish the specific matching purpose, but no longer than 18 months, at which time it expires unless extended. The Data Integrity Board may extend an agreement for one additional year, without further review, if within 3 months prior to expiration of the 18-month period it finds that the matching program is to be conducted without change, and each party to the agreement certifies that the program has been conducted in compliance with the matching agreement. Renewal of a continuing matching program that has run for the full 30-month period requires a new agreement that has received Data Integrity Board approval.

Stanley F. Mires,
Legislative Division.

[FR Doc. 94-14561 Filed 6-14-94; 8:45 am]
BILLING CODE 7710-12-P