[Federal Register Volume 59, Number 139 (Thursday, July 21, 1994)]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-17780]




=======================================================================
-----------------------------------------------------------------------

POSTAL SERVICE

39 CFR Parts 262 and 266

 

Conforming Postal Regulations to the Computer Matching and 
Privacy Protection Act of 1988

AGENCY: Postal Service.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Postal Service is amending its Privacy Act regulations to 
incorporate changes made by the Computer Matching and Privacy 
Protection Act of 1988 (Pub. L. 100-503). That Act amended the Privacy 
Act of 1974 to establish procedures affecting agencies' use of Privacy 
Act records in performing certain types of computerized matching 
programs. The rules follow the guidelines issued by the Office of 
Management and Budget (54 FR 25818, June 19, 1989). Because the 
proposed rule (59 FR 30739, June 15, 1994) generated no comments, the 
final rule is published unchanged.

EFFECTIVE DATE: August 15, 1994.

ADDRESSES: Copies of the documents relevant to this action are 
available for inspection and photocopying between 8:15 a.m. and 4:45 
p.m., Monday through Friday, at the Records Office, U.S. Postal 
Service, 475 L'Enfant Plaza SW., room 8831, Washington, DC 20260-5240.

FOR FURTHER INFORMATION CONTACT: Sheila Allen, (202) 268-4869.

SUPPLEMENTARY INFORMATION: The Computer Matching and Privacy Protection 
Act of 1988 requires an agency to meet certain procedural requirements 
when using one or more of its Privacy Act systems of records in 
conducting computer matching programs. Included is the requirement that 
an agency Data Integrity Board agency. The following changes define 
computer matching under the Act; incorporate some of the Act's 
procedural requirements, including Federal Register publication, 
submission of matching proposals to the Postal Service, and execution 
of matching agreements; and describe the responsibilities and makeup of 
the USPS Data Integrity Board.

List of Subjects in 39 CFR Parts 262 and 266

    Definitions, Privacy, Records and information management.

    For the reasons set out in this notice, the Postal Service is 
amending parts 262 and 266 of title 39 of the Code of Federal 
Regulations as follows:

PART 262--RECORDS AND INFORMATION MANAGEMENT DEFINITIONS

    1. The authority citation for part 262 continues to read as 
follows:

    Authority: 39 U.S.C. 401; 5 U.S.C. 552a.

    2. Paragraphs (c) and (d) are added to Sec. 262.5 as follows:


Sec. 262.5  Systems (Privacy).

* * * * *
    (c) Computer matching program. A ``matching program,'' as defined 
in the Privacy Act, 5 U.S.C. 552a(a)(8), is subject to the matching 
provisions of the Act, published guidance of the Office of Management 
and Budget, and these regulations. The term ``matching program'' 
includes any computerized comparison of:
    (1) A Postal Service automated system of records with an automated 
system of records of another Federal agency, or with non-Federal 
records, for the purpose of:
    (i) Establishing or verifying the eligibility of, or continuing 
compliance with statutory and regulatory requirements by, applicants 
for, recipients or beneficiaries of, participants in, or providers of 
services with respect to, cash or in-kind assistance or payments under 
Federal benefit programs, or
    (ii) Recouping payments or delinquent debts under such Federal 
benefit programs;
    (2) A Postal Service automated personnel or payroll system of 
records with another automated personnel or payroll system of records 
of the Postal Service or other Federal Agency or with non-Federal 
records.
    (d) Other computer matching activities. (1) The following kinds of 
computer matches are specifically excluded from the term ``matching 
program'':
    (i) Statistical matches whose purpose is solely to produce 
aggregate data stripped of personal identifiers.
    (ii) Statistical matches whose purpose is in support of any 
research or statistical project.
    (iii) Law enforcement investigative matches whose purpose is to 
gather evidence against a named person or persons in an existing 
investigation.
    (iv) Tax administration matches.
    (v) Routine administrative matches using Federal personnel records, 
provided that the purpose is not to take any adverse action against an 
individual.
    (vi) Internal matches using only records from Postal Service 
systems of records, provided that the purpose is not to take any 
adverse action against any individual.
    (vii) Matches performed for security clearance background checks or 
for foreign counterintelligence.
    (2) Although these and other matching activities that fall outside 
the definition of ``matching program'' are not subject to the matching 
provisions of the Privacy Act or OMB guidance, other provisions of the 
Act and of these regulations may be applicable. No matching program or 
other matching activity may be conducted without the prior approval of 
the Records Officer.

PART 266--PRIVACY OF INFORMATION

    3. The authority citation for part 266 continues to read as 
follows:

    Authority: 39 U.S.C. 401; 5 U.S.C. 552a.


Sec. 266.2  [Amended]

    4. Section 266.2 is amended by removing ``and'' before ``(f)'' and 
the period at the end of the paragraph and adding ``; and (g) of the 
establishment or revision of a computer matching program.''
    5. Paragraph (d) is added to Sec. 266.3 as follows:


Sec. 266.3  Responsibility.

* * * * *
    (d) Data Integrity Board--(1) Responsibilities. The Data Integrity 
Board oversees Postal Service computer matching activities. Its 
principal function is to review, approve, and maintain all written 
agreements for use of Postal Service records in matching programs to 
ensure compliance with the Privacy Act and all relevant statutes, 
regulations, and guidelines. In addition, the Board annually reviews 
matching programs and other matching activities in which the Postal 
Service has participated during the preceding year to determine 
compliance with applicable laws, regulations, and agreements; compiles 
a biennial matching report of matching activities; and performs review 
and advisement functions relating to records accuracy, recordkeeping 
and disposal practices, and other computer matching activities.
    (2) Composition. The Privacy Act requires that the senior official 
responsible for implementation of agency Privacy Act policy and the 
Inspector General serve on the Board. The Records Officer, as 
administrator of Postal Service Privacy Act policy, serves as Secretary 
of the Board and performs the administrative functions of the Board. 
The Board is composed of these and other members designated by the 
Postmaster General, as follows:
    (i) Vice President/Controller (Chairman).
    (ii) Chief Postal Inspector in his or her capacity as Inspector 
General.
    (iii) Vice President, Employee Relations.
    (iv) General Counsel.
    (v) Records Officer (Secretary).

    6. Paragraph (b)(6) is added to Sec. 266.4 as follows:


Sec. 266.4  Collection and disclosure of information about individuals.

* * * * *
    (b) * * *
    (6) Computer matching purposes. Records from a Postal Service 
system of records may be disclosed to another agency for the purpose of 
conducting a computer matching program or other matching activity as 
defined in paragraphs (c) and (d) of Sec. 262.5, but only after a 
determination by the Data Integrity Board that the procedural 
requirements of the Privacy Act, the guidelines issued by the Office of 
Management and Budget, and these regulations as may be applicable are 
met. These requirements include:
    (i) Routine use. Disclosure is made only when permitted as a 
routine use of the system of records. The USPS Records Officer 
determines the applicability of a particular routine use and the 
necessity for adoption of a new routine use.
    (ii) Notice. Publication of new or revised matching programs in the 
Federal Register and advance notice to Congress and the Office of 
Management and Budget must be made pursuant to paragraph (f) of 
Sec. 266.5.
    (iii) Computer matching agreement. The participants in a computer 
matching program must enter into a written agreement specifying the 
terms under which the matching program is to be conducted (see 
Sec. 266.10). The Records Officer may require that other matching 
activities be conducted in accordance with a written agreement.
    (iv) Data Integrity Board approval. No record from a Postal Service 
system of records may be disclosed for use in a computer matching 
program unless the matching agreement has received approval by the 
Postal Service Data Integrity Board (see Sec. 266.10). Other matching 
activities may, at the discretion of the Records Officer, be submitted 
for Board approval.
* * * * *
    7. Paragraph (f) is added to Sec. 266.5 as follows:


Sec. 266.5  Notification.

* * * * *
    (f) Notification of computer matching program. The Postal Service 
publishes in the Federal Register and forwards to Congress and the 
Office of Management and Budget advance notice of its intent to 
establish, substantially revise, or renew a matching program, unless 
such notice is published by another participant agency. In those 
instances in which the Postal Service is the ``recipient'' agency, as 
defined in the Act, but another participant agency sponsors and derives 
the principal benefit from the matching program, the other agency is 
expected to publish the notice. The notice must be sent to Congress and 
OMB 40 days, and published at least thirty (30) days, prior to (1) 
initiation of any matching activity under a new or substantially 
revised program, or (2) expiration of the existing matching agreement 
in the case of a renewal of a continuing program.

    8. Paragraph (e) is added to Sec. 266.8 as follows:


Sec. 266.8  Schedule of fees.

* * * * *
    (e) The Postal Service may, at its discretion, require 
reimbursement of its costs as a condition of participation in a 
computer matching program or activity with another agency. The agency 
to be charged is notified in writing of the approximate costs before 
they are incurred. Costs are calculated in accordance with the schedule 
of fees at Sec. 265.9.

    9. Section 266.10 is added as follows:


Sec. 266.10  Computer matching.

    (a) General. Any agency or Postal Service component that wishes to 
use records from a Postal Service automated system of records in a 
computerized comparison with other postal or non-postal records must 
submit its proposal to the USPS Records Officer. Computer matching 
programs as defined in paragraph (c) of Sec. 262.5 must be conducted in 
accordance with the Privacy Act, implementing guidance issued by the 
Office of Management and Budget and these regulations. Records may not 
be exchanged for a matching program until all procedural requirements 
of the Act and these regulations have been met. Other matching 
activities must be conducted in accordance with the Privacy Act and 
with the approval of the Records Officer. See paragraph (b)(6) of 
Sec. 266.4.
    (b) Procedure for submission of matching proposals. A proposal must 
include information required for the matching agreement discussed in 
paragraph (d)(1) of this section. The Inspection Service must submit 
its proposals for matching programs and other matching activities to 
the USPS Records Officer through: Independent Counsel, Inspection 
Service, U.S. Postal Service, 475 L'Enfant Plaza SW, Rm 3417, 
Washington, DC 20260-2181.
    All other matching proposals, whether from postal organizations or 
other government agencies, must be mailed directly to: USPS Records 
Officer, U.S. Postal Service, 475 L'Enfant Plaza SW, Rm 8831, 
Washington, DC 20260-5240.
    (c) Lead time. Proposals must be submitted to the USPS Records 
Officer at least 3 months in advance of the anticipated starting date 
to allow time to meet Privacy Act publication and review requirements.
    (d) Matching agreements. The participants in a computer matching 
program must enter into a written agreement specifying the terms under 
which the matching program is to be conducted. The Records Officer may 
require similar written agreements for other matching activities.
    (1) Content. Agreements must specify:
    (i) The purpose and legal authority for conducting the matching 
program;
    (ii) The justification for the program and the anticipated results, 
including, when appropriate, a specific estimate of any savings in 
terms of expected costs and benefits, in sufficient detail for the Data 
Integrity Board to make an informed decision;
    (iii) A description of the records that are to be matched, 
including the data elements to be used, the number of records, and the 
approximate dates of the matching program;
    (iv) Procedures for providing notice to individuals who supply 
information that the information may be subject to verification through 
computer matching programs;
    (v) Procedures for verifying information produced in a matching 
program and for providing individuals an opportunity to contest the 
findings in accordance with the requirement that an agency may not take 
adverse action against an individual as a result of information 
produced by a matching program until the agency has independently 
verified the information and provided the individual with due process;
    (vi) Procedures for ensuring the administrative, technical, and 
physical security of the records matched; for the retention and timely 
destruction of records created by the matching program; and for the use 
and return or destruction of records used in the program;
    (vii) Prohibitions concerning duplication and redisclosure of 
records exchanged, except where required by law or essential to the 
conduct of the matching program;
    (viii) Assessments of the accuracy of the records to be used in the 
matching program; and
    (ix) A statement that the Comptroller General may have access to 
all records of the participant agencies in order to monitor compliance 
with the agreement.
    (2) Approval. Before the Postal Service may participate in a 
computer matching program or other computer matching activity that 
involves both USPS and non-USPS records, the Data Integrity Board must 
have evaluated the proposed match and approved the terms of the 
matching agreement. To be effective, the matching agreement must 
receive approval by each member of the Board. Votes are collected by 
the USPS Records Officer. Agreements are signed on behalf of the Board 
by the Chairman. If a matching agreement is disapproved by the Board, 
any party may appeal the disapproval in writing to the Director, Office 
of Management and Budget, Washington, DC 20503-0001, within 30 days 
following the Board's written disapproval.
    (3) Effective dates. No matching agreement is effective until 40 
days after the date on which a copy is sent to Congress. The agreement 
remains in effect only as long as necessary to accomplish the specific 
matching purpose, but no longer than 18 months, at which time the 
agreement expires unless extended. The Data Integrity Board may extend 
an agreement for one additional year, without further review, if within 
3 months prior to expiration of the 18-month period it finds that the 
matching program is to be conducted without change, and each party to 
the agreement certifies that the program has been conducted in 
compliance with the matching agreement. Renewal of a continuing 
matching program that has run for the full 30-month period requires a 
new agreement that has received Data Integrity Board approval.

Stanley F. Mires,
Chief Counsel, Legislative.
[FR Doc. 94-17780 Filed 7-20-94; 8:45 am]
BILLING CODE 7710-12-P