[Federal Register Volume 72, Number 115 (Friday, June 15, 2007)]
[Notices]
[Pages 33362-33377]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E7-11542]
-----------------------------------------------------------------------
Part IV
Office of Management and Budget
-----------------------------------------------------------------------
Implementation Guidance for Title V of the E-Government Act,
Confidential Information Protection and Statistical Efficiency Act of
2002 (CIPSEA); Notice
-----------------------------------------------------------------------
OFFICE OF MANAGEMENT AND BUDGET
Implementation Guidance for Title V of the E-Government Act,
Confidential Information Protection and Statistical Efficiency Act of
2002 (CIPSEA)
AGENCY: Office of Management and Budget, Executive Office of the
President.
ACTION: Notice of decision.
-----------------------------------------------------------------------
SUMMARY: The Confidential Information Protection and Statistical
Efficiency Act of 2002 (CIPSEA) can provide strong confidentiality
protections for statistical information collections, such as surveys
and censuses, as well as for other statistical activities, such as data
analysis, modeling, and sample design, that are sponsored or conducted
by Federal agencies. The Office of Management and Budget (OMB) is
issuing Implementation Guidance for Title V of the E-Government Act,
the Confidential Information Protection and Statistical Efficiency Act
of 2002 (Pub. L. 107-347). The purpose of the CIPSEA implementation
guidance is to inform agencies about the requirements for using CIPSEA
and to clarify the circumstances under which CIPSEA can be used.
Authority: 31 U.S.C. 1104(d); 44 U.S.C. 3504 (specifically
(a)(1)(B)(iii) and (v), (e)(1), (3) and (5), and (g)(1)); Pub. L.
107-347 section 503(a), 44 U.S.C. 3501 note.
FOR FURTHER INFORMATION CONTACT: Brian Harris-Kojetin, Ph.D.,
Statistical and Science Policy Office, Office of Information and
Regulatory Affairs, Office of Management and Budget, NEOB, Room 10201,
725 17th Street, NW., Washington, DC 20503. Telephone: 202-395-3093.
SUPPLEMENTARY INFORMATION:
A. Background
Statistics collected and published by the Federal Government
constitute a significant portion of the available information about the
United States' economy, population, natural resources, environment, and
public and private institutions. There are more than 70 Federal
agencies or organizational units that carry out statistical activities
as their principal mission or in conjunction with other program
missions, such as providing services or enforcing regulations. In
addition to these 70 agencies, many other Federal agencies or units may
collect statistical information to use for specific program needs.
Prior to the enactment of CIPSEA, a patchwork of legislative
protections governed the confidentiality of data gathered for
statistical purposes by the different agencies and units. Some agencies
had strong statutory authority to protect the confidentiality of the
data they gathered for statistical purposes, while other agencies had
weak or no legislative authority to protect confidentiality. In
addition, the ability of the designated statistical agencies to share
information to improve the efficiency of the Federal statistical system
was limited by statutory constraints affecting those agencies.
By establishing a uniform policy for all Federal statistical
collections, this law will reduce public confusion, uncertainty, and
concern about the treatment of confidential statistical information by
different Federal agencies. By establishing consistent rational
principles and processes to buttress confidentiality pledges, the
guidance that implements the law will harmonize confidentiality claims
and set minimum standards for safeguarding confidential statistical
information. Such consistent protection of confidential statistical
information will, in turn, reduce the perceived risks of more efficient
working relationships among statistical agencies, relationships that
can reduce both the cost and reporting burden imposed by statistical
programs.
B. Development and Review
In 2003, OMB and the other members of the Interagency Council on
Statistical Policy (ICSP) formed an interagency group to discuss issues
that OMB and the agencies anticipated would arise in the implementation
of CIPSEA. OMB was particularly interested in understanding the
questions and concerns that these statistical agencies had about the
new law and how it would affect their activities. OMB also sought to
incorporate the best practices of these agencies for handling
confidential statistical information.
An initial draft of this implementation guidance was reviewed by
the ICSP members, and OMB revised the draft guidance in response to the
comments that we received. Based on the use of the law by agencies over
the past three years, OMB has also addressed in the guidance specific
issues that have arisen, such as nonstatistical agencies' use of
CIPSEA.
C. Summary of and Response to Comments Received in Response to the
October 16, 2006 Federal Register Notice
OMB issued proposed Implementation Guidance for Title V of the
E-Government Act, Confidential Information Protection and Statistical
Efficiency Act of 2002 (CIPSEA) (Pub. L. 107-347) in October 2006 (71 FR
60,772-60,773). Five public comments were received in response to OMB's
request. OMB reviewed the public comments on the guidance and made some
modifications in response to the comments. The complete text of the
public comments and this document are available on the OMB Web site at
http://www.whitehouse.gov/omb/inforeg/statpolicy.html.
General Comments
One commenter expressed support for the guidance and stated that
``the proposed guidelines establish principles and policies that will
protect the confidentiality of the data provided by respondents to
federal statistical surveys'' and noted that the guidance provides
``reasonable approaches to protecting confidentiality, and thereby will
reduce the costs and reporting burdens imposed by statistical
programs.'' The commenter also noted that it was ``especially useful to
see guidelines for statistical agency interactions with outside
analysts (e.g., contractors) authorized to see the confidential data.''
I. Introduction
Identifiability
One commenter believed the discussion of the identifiability of
personal information in the proposed guidance was insufficient.
Although the commenter noted the technical references to Statistical
Policy Working Paper 22 \1\ and to the Federal Committee on
Statistical Methodology's Confidentiality and Data Access Committee's
disclosure review checklist,\2\ she asked for ``more specific guidance
about the meaning of the terms reasonably inferred and direct or
indirect means'' [emphasis in original] and ``how the CIPSEA standard
specifically relates to the HIPAA standards of no reasonable basis to
believe and risk is very small [emphasis in original] * * * whether a
risk assessment is required, how to conduct that risk assessment, what
data sources (public and private) must be considered in assessing
identifiability'' as well as how much effort and cost are reasonable.
---------------------------------------------------------------------------
\1\ Available at http://www.fcsm.gov/reports/.
\2\ Available at http://www.fcsm.gov/committees/cdac/cdac.html.
---------------------------------------------------------------------------
In response to this comment, OMB has included a definition of
``personally identifiable information'' in footnote 21 and provided an
example of indirect identification in footnote 23, as follows:
\21\ ``personally identifiable information'' refers to
information which can be used to distinguish or trace an
individual's identity, such as his or her name, social security
number, biometric records, etc., alone, or when combined with other
personal or identifying information that is linked or linkable to a
specific individual, such as date and place of birth, mother's
maiden name, etc.
\23\ Indirect identification refers to using information in
conjunction with other data elements to reasonably infer the
identity of a respondent. For example, data elements such as a
combination of gender, race, date of birth, geographic indicators,
or other descriptors may be used to identify an individual
respondent.
However, it is beyond the scope of this implementation guidance to
provide lists of other data sources that could be used to reidentify
respondents or specific risk assessment techniques agencies must
employ. As the commenter noted, OMB does provide references to more
technical resources that address these issues, such as Statistical
Policy Working Paper 22, and a citation to the HIPAA privacy
rule has been added. Federal statistical agencies are in the best
position to know about the sensitivity of their confidential
statistical information and to take appropriate steps to assess and
mitigate the risks of reidentification. Because this area is a ``moving
target,'' as the commenter noted, OMB, through its Federal Committee on
Statistical Methodology, sponsors the Confidentiality and Data Access
Committee, which facilitates the sharing and adoption of best practices
and latest techniques in disclosure avoidance across Federal agencies.
Relation of CIPSEA to Other Laws
One commenter noted that ``subsection (b) of the Privacy Act of
1974 authorizes numerous disclosures, many of which are inappropriate
for CIPSEA records. For example, disclosures for law enforcement
purposes'' as well as many routine uses. The commenter asked OMB to
``elaborate on the intersection between CIPSEA and the Privacy Act of
1974.''
As OMB has noted in the guidance, agencies are responsible for
ensuring that information protected under CIPSEA is used exclusively
for statistical purposes. OMB recognizes that the Privacy Act does
permit routine uses that are nonstatistical; these uses are not
permitted for CIPSEA-protected information. OMB believes that the
minimum standards in the guidance for safeguarding confidential
information make clear that agencies need to develop appropriate
policies and procedures for CIPSEA-protected information that go beyond
those that exist for Privacy Act systems of records; however, we have
added the following language to make this explicit in Part I.F. of the
guidance:
On the other hand, if an agency pledges to use the information
only for statistical purposes, then the agency shall not use any
other authorities it has available to use the information for
nonstatistical purposes, because those uses would be contrary to the
agency's pledge. For example, if information is protected by CIPSEA
and the Privacy Act, some of the routine uses permitted under the
Privacy Act would no longer be allowed because they are not for
statistical purposes.
Agencies Authorized To Designate Agents
One commenter cited Footnote 31 on page 11 of the proposed guidance
\3\ that tells agencies that they should consult with OMB regarding use
of agents and stated that the use of agents should be subject to public
notice and comment. In this footnote, OMB was referring specifically to
the review and legal interpretation of a nonstatistical agency's
statute and whether that would meet the requirements of CIPSEA and
permit the agency to designate agents under CIPSEA. Generally, legal
analysis and interpretation are accomplished by the agency. However,
when agencies are applying a new statute that OMB has responsibility
for, agencies should consult with OMB to ensure a government-wide
perspective.
---------------------------------------------------------------------------
\3\ This footnote appears as footnote 40 in this final document.
---------------------------------------------------------------------------
Commenters also had questions about other specific matters that
will be addressed during implementation.
II. Requirements for Agencies Collecting or Acquiring Information
Protected Under CIPSEA
Non-CIPSEA Pledges
One commenter objected to agencies being restricted from using both
the terms ``confidential'' and ``statistical purposes'' together if
CIPSEA did not cover the collection. The commenter noted that these
terms have meaning independent of CIPSEA and agencies should be able to
use them as they see fit. The commenter suggested that ``Rather than
prohibit the use of the terms `confidential' and `exclusively
statistical purposes,' we suggest that OMB advise agencies, as it has
in prior guidance, to ensure that they do not use terms that are
confusing. OMB could also prohibit the mention of CIPSEA when it is not
applicable and require that agencies invoke coverage by CIPSEA only by
the mention of that law directly to survey respondents.''
OMB agrees that the terms ``confidential'' and ``statistical
purposes'' have meaning independent of CIPSEA; however, when used
together in a pledge to respondents, they clearly meet the requirements
of CIPSEA and the protection of this law. Sec. 512 of CIPSEA simply
requires that the information be ``acquired by an agency under a pledge
of confidentiality and for exclusively statistical purposes.'' The law
does not require that CIPSEA be mentioned explicitly, and OMB would
certainly prohibit an agency from mentioning the law if it did not
apply. It would clearly be confusing to respondents for different
protections to be implied by two different agencies both pledging that
the information would be confidential and used for exclusively
statistical purposes. Thus, it is necessary to ensure that CIPSEA
protections or greater protections apply when an agency makes this
pledge to respondents.
CIPSEA Pledges
One commenter supported the shorter version of the pledge, but
expressed concerns about its comprehensibility. The commenter then
suggested that OMB consider developing a formal statistical
confidentiality seal that would provide an identifiable marker that
would tell individuals what level of protection the information they
provide will receive under the law. Specifically, the commenter
suggested as an example that OMB consider a green-yellow-red color
scheme: Green would mean respond with confidence because answers
receive the highest level of legal confidentiality protection; yellow
would mean respond with caution because answers receive some
confidentiality protection but less than the highest level of legal
protection; and red would mean no legal confidentiality protections at
all.
The CIPSEA pledge was based on a pledge that was thoroughly tested;
however, OMB has encouraged further cognitive testing of this pledge by
agencies. OMB agrees that it would also be helpful to have more testing
on a shortened version. OMB also appreciates the commenter's
suggestions regarding potential ``seals'' that would be easy for
respondents to understand and recognize, and agrees that this idea is
worthy of further investigation and testing. We also agree that this
will require a considerable amount of research not only to develop a
recognizable seal but also to figure out appropriate ways to present it
in different modes. If this research proves fruitful, OMB will consider
revising this
implementation guidance and/or issuing other guidance for use of a
seal.
III. Minimum Standards for Safeguarding Confidential Information
Acquired Under CIPSEA
Costs and Burden of Security Requirements
One commenter noted that during a time of reduced funding resources
the implementation requirements call for annual recertification of
employees, increased physical and information security, additional
record keeping requirements, and additional staff time (to ensure that
appropriate confidentiality and security protocols are followed).
Providing appropriate security for agency information and information
systems does require resources. As with any ongoing program, agencies
need to incorporate into their budgets the costs for protecting
confidential information throughout the lifecycle of the statistical
activities.
Security of Confidential Information in Laptop Computers
One commenter noted that ``recent events have highlighted the
particular vulnerability of laptop computers to loss and theft,'' and
suggested that additional information be included in the guidance about
the security of laptops, PDAs, or other types of devices. OMB agrees
with the comment and has modified language in the section on physical
and information systems security in Part III. B, which also applies to
Part IV. D of the proposed guidance referenced on page 22, so that it
now reads:
Agencies are required to establish appropriate administrative
and technical safeguards to ensure that the security of all media
containing confidential information is protected against
unauthorized disclosures and anticipated threats or hazards to their
security or integrity. For example, agencies must ensure that
security requirements are followed for reports, documents,
printouts, information collection instruments, laptops, PDA's, zip
drives, floppy disks, CD-ROMs, or any other IT devices that contain
confidential information to prevent access by unauthorized persons.
VII. Data Sharing Under Subtitle B of CIPSEA
Data Linking and Data Sharing
One comment requested that OMB include administrative data as well
as other agencies under the data sharing provisions of Subtitle B of
CIPSEA to further improve efficiency. OMB notes that Subtitle B is
limited in statute to the three designated statistical agencies (BLS,
BEA, and Census) and applies only to business data. While OMB
appreciates the potential benefits suggested in this comment, CIPSEA
does not authorize any other data sharing or authorize additional
agencies to share data. However, CIPSEA did not alter other existing
authorities for data sharing among Federal agencies.
VIII. Annual Reporting and Review Requirements
Annual Reports to OMB
One commenter requested that the annual reports that agencies
provide to OMB be made public and posted on agency Web sites. In the
interest of transparency, agencies will now be required to post their
reports on their Web sites.
Susan E. Dudley,
Administrator, Office of Information and Regulatory Affairs.
Implementation Guidance for Title V of the E-Government Act,
Confidential Information Protection and Statistical Efficiency Act of
2002 (CIPSEA)
I. Introduction
A. Overview
Issues of privacy and confidentiality are of increasing concern to
respondents to Federal government surveys. Agencies often seek to
assuage these concerns by pledging to respondents that the agency will
protect the information that respondents provide, and by using whatever
statutory authority that the agency has to substantiate this pledge.
However, many agencies do not have strong confidentiality provisions in
their authorizing statutes. In this case, agencies may be able to use
government-wide statutes such as the Privacy Act or exemptions under
the Freedom of Information Act as the basis for a pledge to
respondents, but these statutes still do not apply to many Federal
surveys.
The Confidential Information Protection and Statistical Efficiency
Act of 2002 (CIPSEA) is a new government-wide law that can provide
strong confidentiality protections to many Federal agencies conducting
statistical information collections, such as surveys and censuses as
well as other statistical activities including data analysis and
modeling, sample design, etc. The purpose of this guidance is to inform
agencies about the requirements for using CIPSEA and clarify the
circumstances under which CIPSEA can be used.
There are several key definitions and distinctions in CIPSEA
regarding statistical and nonstatistical agencies, and statistical and
nonstatistical purposes, that affect whether CIPSEA can be used by an
agency to acquire and protect information. Below is a brief description
of these major definitions and distinctions, as well as of issues
related to data sharing under CIPSEA, and additional requirements for
using CIPSEA that are addressed in greater detail in this guidance.
1. Is the agency a statistical or nonstatistical agency? CIPSEA
distinguishes between statistical and nonstatistical agencies or units
and imposes different requirements and privileges on these different
types of agencies. Briefly, statistical agencies or units are those
whose activities are predominantly the collection, compilation,
processing, or analysis of information for statistical purposes. More
detail and a listing of statistical agencies and units are provided in
section I, part G of this guidance.
2. Is the information used for statistical or nonstatistical
purposes? CIPSEA provides protection for information acquired for
statistical purposes under a pledge of confidentiality. Under CIPSEA, a
statistical purpose includes the description, estimation, or analysis
of the characteristics of groups, without identifying the individuals
or organizations that comprise such groups, while nonstatistical
purposes include any administrative, regulatory, law enforcement,
adjudicatory, or other purpose that affects the rights, privileges, or
benefits of a particular respondent. Information acquired and protected
under CIPSEA may only be used for statistical purposes.
3. Is the information being acquired by the Federal agency itself?
Agencies acquire information in different ways from a wide variety of
respondents. Agencies often acquire information directly from a
respondent to a Federal survey. In some cases, these respondents are
local or State governments that have themselves collected the
information from a respondent. Any agency that directly acquires
information from a respondent, including a local or State government,
under a pledge of confidentiality for exclusively statistical purposes,
is bound by CIPSEA. However, CIPSEA does not restrict or diminish
confidentiality protections in law that otherwise apply to a collection
of statistical data or information. Agencies protecting information
under CIPSEA must follow the requirements specified in section II of
this guidance and include an appropriate pledge to respondents. All
agencies that have information protected under CIPSEA
must also follow the procedures in section III for safeguarding the
security of this information.
4. Is the information being acquired for the Federal agency by
contractors or others acting on behalf of the agency? Many agencies
acquiring information from respondents do not directly collect the
information themselves from respondents but do so through
intermediaries such as contractors or researchers who are operating
under cooperative agreements or grants at the direction of the agency.
CIPSEA defines contractors and their employees, researchers, and
employees of private organizations or institutions of higher learning
who have a contract or agreement with a Federal agency as ``agents''
and authorizes only some agencies to use agents to acquire information
that will be protected under CIPSEA or access CIPSEA-protected
information.
5. How can statistical agencies use CIPSEA? Statistical agencies or
units that directly acquire information from respondents, including
State and local governments, may protect the confidentiality of that
information under CIPSEA. Statistical agencies or units may also
designate agents to acquire information for the agency under CIPSEA as
well as perform other exclusively statistical activities for the agency
on CIPSEA-protected information. Statistical activities include the
collection, compilation, processing, or analysis of data for the
purposes of describing or making estimates concerning the whole, or
relevant groups or components within, the economy, society, or the
natural environment. Statistical activities also include the
development of methods or resources that support these activities, such
as measurement methods, models, statistical classifications, or
sampling frames. More information is provided in section IV about the
requirements for statistical agencies designating agents under CIPSEA.
6. How can nonstatistical agencies use CIPSEA? Nonstatistical
agencies can use CIPSEA to protect information they are authorized to
acquire directly themselves from respondents, including State and local
governments. However, nonstatistical agencies or units are not
permitted to designate agents under CIPSEA. Therefore, nonstatistical
agencies or units may not protect information under CIPSEA if they are
using a contractor or other persons who fall under the CIPSEA
definition of agents to acquire that information unless they have the
authority to designate agents to collect information or perform other
statistical activities under some other statute. More information on
how nonstatistical agencies can acquire and protect information under
CIPSEA is provided in section VI of this guidance.
7. What if a statistical agency acquires information for
nonstatistical purposes? OMB expects that the vast majority of
information collections conducted by statistical agencies or units will
be subject to CIPSEA because these agencies generally collect
information for exclusively statistical purposes and pledge
confidentiality. Statistical agencies or units that are collecting
information that may be used for nonstatistical purposes need to ensure
that respondents understand these nonstatistical uses and that CIPSEA
does not apply to the specific collection. Requirements for statistical
agencies collecting information that may be used for nonstatistical
purposes are covered in section V.
8. What data sharing does CIPSEA authorize? Subtitle B of CIPSEA
explicitly provides the ability for three designated statistical
agencies, the Bureau of Economic Analysis, the Bureau of Labor
Statistics, and the Bureau of the Census to share business data.
Requirements for data sharing among these designated statistical
agencies are outlined in section VII.
9. What other requirements are there for using CIPSEA? Agencies
should carefully review this guidance to determine whether CIPSEA
applies to any of their information collections or statistical
activities. Agencies using CIPSEA are responsible for following all
requirements in this guidance. In addition, OMB is requiring agencies
that use CIPSEA to report annually to OMB on their use of this law in
order to effectively monitor the implementation of CIPSEA across
Federal agencies. All agencies that use CIPSEA for their collections
are asked to report to OMB annually the information collections CIPSEA
applies to and affirm that all of the requirements in this guidance are
being met. Statistical agencies protecting information under CIPSEA are
further required to report on their use of agents, and the three
designated statistical agencies in Subtitle B of CIPSEA are required to
report annually on their data sharing activities under CIPSEA. Further
information on the reporting requirements is in section VIII of this
guidance.
B. Purposes of CIPSEA
The Confidential Information Protection and Statistical Efficiency
Act of 2002 (CIPSEA), Title V of the E-Government Act of 2002 (Pub. L.
107-347), has two subtitles.
Subtitle A, Confidential Information Protection, concerns
confidentiality and statistical uses of information. The purposes of
Subtitle A are:
1. To ensure that information supplied by individuals or
organizations to an agency for statistical purposes under a pledge of
confidentiality is used exclusively for statistical purposes;
2. To ensure that individuals or organizations who supply
information under a pledge of confidentiality to agencies for
statistical purposes will neither have that information disclosed in
identifiable form to anyone not authorized by this title nor have that
information used for any purpose other than a statistical purpose; and
3. To safeguard the confidentiality of individually identifiable
information acquired under a pledge of confidentiality for statistical
purposes by controlling access to, and uses made of, such
information.\4\
---------------------------------------------------------------------------
\4\ Sec. 511(b).
---------------------------------------------------------------------------
CIPSEA Subtitle A protects information that is acquired for
exclusively statistical purposes under a pledge of confidentiality.
This subtitle of the law applies to all Federal agencies that acquire
information under these carefully prescribed conditions. The protection
of information collected under this law is supported by a penalty of a
Class E Felony for a knowing and willful disclosure of confidential
information. This includes imprisonment for up to five years and fines
up to $250,000.\5\ Thus, for many agencies this law strengthens the
protections afforded to confidential statistical information.
---------------------------------------------------------------------------
\5\ Sec. 513.
---------------------------------------------------------------------------
CIPSEA Subtitle B promotes statistical efficiency through limited
sharing of business data among three designated statistical agencies,
the Bureau of the Census (Census), the Bureau of Economic Analysis
(BEA), and the Bureau of Labor Statistics (BLS). The purposes of
Subtitle B are:
1. To authorize the sharing of business data among Census, BEA, and
BLS for exclusively statistical purposes;
2. To reduce the paperwork burdens imposed on businesses that
provide requested information to the Federal Government;
3. To improve the comparability and accuracy of Federal economic
statistics by allowing Census, BEA, and BLS to update sample frames,
develop consistent classifications of establishments and companies into
industries, improve coverage, and reconcile significant differences in
data produced by the three agencies; and
4. To increase understanding of the United States economy,
especially for key industry and regional statistics, to develop more
accurate measures of the impact of technology on productivity growth,
and to enhance the reliability of the Nation's most important economic
indicators, such as the National Income and Product Accounts.\6\
---------------------------------------------------------------------------
\6\ Sec. 521(b).
---------------------------------------------------------------------------
The remainder of this section of the guidance provides background
information on CIPSEA and its applicability to Federal agencies.
Sections II through VI provide implementation guidance on CIPSEA
Subtitle A, and Section VII provides implementation guidance on
Subtitle B. Section VIII covers agency reporting requirements to OMB on
the implementation of CIPSEA.
C. Background
There are more than 70 Federal agencies or organizational units
that carry out statistical activities as their principal mission or in
conjunction with other program missions, such as providing services or
enforcing regulations.\7\ In addition to these 70 agencies, many other
Federal agencies or units may collect statistical information to use
for specific program needs. Prior to the enactment of CIPSEA, a
patchwork of legislative protections governed the confidentiality of
data gathered for statistical purposes by the different agencies and
units. Some agencies had strong statutory authority to protect the
confidentiality of the data they gathered for statistical purposes,
while other agencies had weak or no legislative authority to protect
confidentiality. In addition, the ability of the designated statistical
agencies to share information to improve the efficiency of the Federal
statistical system was limited by statutory constraints affecting those
agencies.
---------------------------------------------------------------------------
\7\ Statistical Programs of the U.S. Government FY 2007, Office
of Management and Budget, Washington, DC.
---------------------------------------------------------------------------
Over the years, there have been numerous attempts both to shore up
legal protection for the confidentiality of statistical information,
and to permit some limited sharing of data for statistical purposes.
Strengthening and standardizing statutory protections for the
confidentiality of individually identifiable data that are collected
for statistical purposes as well as enhancing the capability of Federal
agencies to share information for exclusively statistical purposes have
always been goals.
In 1971, the President's Commission on Federal Statistics
recommended that the term confidential should always mean that
disclosure of data in a manner that would allow public identification
of the respondent or would in any way be harmful to him should be
prohibited. In addition, the Commission recommended that a promise to
hold data in confidence should not be made unless the agency has legal
authority to uphold such a promise, and that legislation should be
enacted authorizing agencies collecting data for statistical purposes
to promise confidentiality as the term was defined by the
Commission.\8\
---------------------------------------------------------------------------
\8\ Federal Statistics--Report of the President's Commission,
Volume 1, p. 222, September, 1971.
---------------------------------------------------------------------------
In July 1977, the Privacy Protection Study Commission stated that
``no record or information * * * collected or maintained for a research
or statistical purpose under Federal authority * * * may be used in
individually identifiable form to make any decision or take any action
directly affecting the individual to whom the record pertains * * *''
\9\
---------------------------------------------------------------------------
\9\ Personal Privacy in an Information Society--Report of the
Privacy Protection Study Commission, p. 574, July, 1977.
---------------------------------------------------------------------------
In October 1977, the President's Commission on Federal Paperwork
endorsed the confidentiality and ``functional separation'' concepts,
but applied them directly and simply to statistical programs, saying
that:
- Information collected or maintained for statistical
  purposes must never be used for administrative or regulatory purposes
  or disclosed in identifiable form, except to another statistical agency
  with assurances that it will be used solely for statistical purposes;
  and
- Information collected for administrative and regulatory
  purposes must be made available for statistical use, with appropriate
  confidentiality and security safeguards, when assurances are given that
  the information will be used solely for statistical purposes.\10\
---------------------------------------------------------------------------
\10\ Statistics--A Report of the Commission on Federal
Paperwork, p. 128, October, 1977.
---------------------------------------------------------------------------
The policy discussions generated by the three Commissions came
together in a bipartisan outpouring of support for the Paperwork
Reduction Act of 1980, which largely addressed the efficiency
recommendations of the Paperwork Commission. The legislative history of
that Act recognized the unfinished work of fitting the ``functional
separation'' of statistical information into the overall scheme.
In 1993, a National Academy of Sciences panel on confidentiality
and data access recommended that ``Statistical records across all
federal agencies should be governed by a consistent set of statutes and
regulations meeting standards for the maintenance of such records,
including the following features of fair statistical information
practices: (a) A definition of statistical data that incorporates the
principle of functional separation as defined by the Privacy Protection
Study Commission, (b) a guarantee of confidentiality for data, * * *
(g) legal sanctions for those who violate confidentiality
requirements.'' \11\
---------------------------------------------------------------------------
\11\ Private Lives and Public Policies, 1993, National Academy
Press, Washington, DC.
---------------------------------------------------------------------------
To clarify and make consistent government policy protecting the
privacy and confidentiality interests of individuals and organizations
who furnish data for Federal statistical programs, OMB issued an
``Order Providing for the Confidentiality of Statistical Information''
in June 1997.\12\ This order applied the principles of functional
separation and protection of confidential information gathered for
statistical purposes to twelve principal statistical agencies.
---------------------------------------------------------------------------
\12\ 62 FR 35,044-35,050.
---------------------------------------------------------------------------
CIPSEA builds upon these and other efforts of the Executive and
Legislative branches including H.R. 2885 (the Statistical Efficiency
Act of 1999, originally offered by Representative Stephen Horn, and
unanimously passed by the House of Representatives) and H.R. 2136 (the
Confidential Information Protection Act, originally offered by
Representative Tom Sawyer in 2001). Introducing CIPSEA, H.R. 5215, on
July 25, 2002, Representative Horn indicated,
``The bill's enhanced confidentiality protections will improve the
quality of Federal statistics by encouraging greater cooperation on
the part of respondents. Even more important, these protections
ensure that the Federal Government does not abuse the trust of those
who provide data to it under a pledge of confidentiality. * * * the
Confidential Information Protection and Statistical Efficiency Act
of 2002 makes important, common sense and long overdue improvements
in our Nation's statistical programs. It is a bipartisan, good
Government measure that has the Administration's strong support. I
urge my colleagues to join with us to achieve prompt enactment of
the bill.'' \13\
---------------------------------------------------------------------------
\13\ Congressional Record, July 25, 2002, p. E1397.
---------------------------------------------------------------------------
In this guidance, OMB is establishing a uniform policy for all
Federal statistical collections to reduce public confusion,
uncertainty, and concern about the application of the newly-enacted
confidentiality requirements associated with protected statistical
information acquired by different Federal agencies. By establishing
consistent rational principles and
[[Page 33367]]
processes to buttress confidentiality pledges, the law codifies
confidentiality claims and sets minimum standards for safeguarding
confidential statistical information. Establishing consistent
protection of confidential statistical information will, in turn,
reduce the perceived risks of more efficient working relationships
among statistical agencies, relationships that can reduce both the cost
and reporting burden imposed by statistical programs.
D. Authority
The Paperwork Reduction Act (PRA) of 1980 (as amended in 1986 and
1995) requires the Office of Information and Regulatory Affairs (OIRA)
within OMB to develop policies, principles, standards, and guidelines
for privacy and confidentiality generally; the integrity of
confidentiality pledges; and the confidentiality of information
collected for statistical purposes.\14\ In addition, the Act tasks OIRA
to oversee agency compliance with related requirements of the Act and
with the policies referenced above.\15\ For example, agencies are
required to ``inform respondents fully and accurately about the
sponsors, purposes, and uses of statistical surveys and studies.'' \16\
---------------------------------------------------------------------------
\14\ 44 U.S.C. 3504(e)(1), 3504(e)(5), and 3504(g)(1).
\15\ 44 U.S.C. 3506(b)(1)(C), 3506(e)(2)-(4), and 3506(g)(1).
\16\ 44 U.S.C. 3506(e)(2).
---------------------------------------------------------------------------
With respect to statistical policy and coordination, the PRA
directs OMB to:
- Coordinate the activities of the Federal statistical
  system to ensure--
  - The efficiency and effectiveness of the system; and
  - The integrity, objectivity, impartiality, utility, and
    confidentiality of information collected for statistical
    purposes; * * *
- Develop and oversee the implementation of Governmentwide
  policies, principles, standards, and guidelines * * *
- Promote the sharing of information collected for
  statistical purposes consistent with privacy rights and confidentiality
  pledges; \17\
---------------------------------------------------------------------------
\17\ 44 U.S.C. 3504(e).
---------------------------------------------------------------------------
In addition, Title V of the E-Government Act of 2002 authorizes the
Director of the Office of Management and Budget to coordinate and
oversee the confidentiality and disclosure policies established by
CIPSEA. The Director is authorized to promulgate rules or provide other
guidance to ensure the consistent interpretation of this title by the
affected agencies.\18\
---------------------------------------------------------------------------
\18\ Sec. 503(a).
---------------------------------------------------------------------------
E. Affected Agencies
Executive agencies as defined in 31 U.S.C. 102 or 44 U.S.C. 3502
\19\ are subject to the provisions and penalties in CIPSEA Subtitle A
if they (1) acquire information for exclusively statistical purposes
under a pledge of confidentiality, or (2) possess or access
information protected by CIPSEA, unless even stronger confidentiality
protections apply.\20\ CIPSEA also imposes additional requirements on
statistical agencies or units, which are defined to include ``an agency
or organizational unit of the executive branch whose activities are
predominantly the collection, compilation, processing, or analysis of
information for statistical purposes.'' \21\ CIPSEA Subtitle B applies
only to the designated statistical agencies, i.e., the Bureau of the
Census of the Department of Commerce, the Bureau of Economic Analysis
of the Department of Commerce, and the Bureau of Labor Statistics of
the Department of Labor.\22\
---------------------------------------------------------------------------
\19\ Sec. 502(1).
\20\ Sec. 512(a) and 512(b). Agencies may also be governed by
other statutes that may have additional restrictions on the use and
disclosure of confidential statistical information that apply beyond
CIPSEA (Sec. 504(h); Sec. 512(b)(3)).
\21\ Sec. 502(8).
\22\ Sec. 522.
---------------------------------------------------------------------------
F. Applicability of CIPSEA
Federal agencies collect and acquire information for a wide variety
of purposes and uses, including benefit determinations, program
planning and management, program evaluation, measurement of compliance
with laws and regulations, and research, as well as for general purpose
statistics. When acquiring information, an agency must inform the
person or organization being asked to provide information whether or
not it will be treated as confidential and the purpose(s) for which the
information will be used.\23\
---------------------------------------------------------------------------
\23\ 5 CFR 1320.8(b)(3).
---------------------------------------------------------------------------
CIPSEA protection applies to any identifiable information acquired
by the agency under a pledge of confidentiality for exclusively
statistical purposes. For purposes of CIPSEA, this information includes
personally identifiable information \24\ as well as information that
permits the identity of any respondent, such as business
establishments, institutions, or State or local governments,\25\ to be
reasonably inferred by either direct or indirect means.\26\ In this
guidance, the terms confidential information and confidential data
refer to information that is protected by CIPSEA.
---------------------------------------------------------------------------
\24\ The term ``personally identifiable information'' refers to
information that can be used to distinguish or trace an individual's
identity, such as his or her name, social security number, biometric
records, etc., alone, or when combined with other personal or
identifying information that is linked or linkable to a specific
individual, such as date and place of birth, mother's maiden name,
etc.
\25\ Statistical agencies may collect information from a State
or local government that is in the public domain, and, therefore,
the statistical agency would typically not pledge to keep that
information confidential under CIPSEA or other legal authorities.
\26\ Sec. 502(4). Indirect identification refers to using
information in conjunction with other data elements to reasonably
infer the identity of a respondent. For example, data elements such
as a combination of gender, race, date of birth, geographic
indicators, or other descriptors may be used to identify an
individual respondent.
---------------------------------------------------------------------------
CIPSEA can apply only when an agency pledges both to protect the
confidentiality of the information it acquires and to use the
information only for statistical purposes. CIPSEA defines a statistical
purpose to include the description, estimation, or analysis of the
characteristics of groups, without identifying the individuals or
organizations that comprise such groups and includes the development,
implementation, or maintenance of methods, technical or administrative
procedures, or information resources that support the above
purposes.\27\ If information is collected or acquired for any
nonstatistical purpose, then CIPSEA shall not be used to protect the
confidentiality of the information.\28\
---------------------------------------------------------------------------
\27\ Sec. 502(9).
\28\ There are some authorized, nonstatistical uses of
information collected for statistical purposes, such as the use of
Decennial Census information for genealogical research, that are
noted in Section 504 of CIPSEA. CIPSEA was intended to apply to
these collections that are intended for statistical purposes and
have only very narrow exceptions for specific nonstatistical uses
that do not result in any actions directly affecting the respondent.
Agencies acquiring or protecting information under CIPSEA with
similar nonstatistical uses of the information should consult with
OMB on the applicability of CIPSEA for the information collection.
Unless there is a specific exception noted in Section 504 of CIPSEA,
CIPSEA clearly prohibits disclosures for administrative, regulatory,
law enforcement, or adjudicatory purposes that affect the rights,
privileges, or benefits of a particular identifiable respondent
absent informed consent. Since some State or Federal laws may
require notification of authorities if, for example, child abuse is
reported by the respondent, agencies collecting such information
shall inform respondents at the time of collection that revelations
of this type of information must be reported to legal authorities.
Agencies may conduct these collections under CIPSEA if any such
nonstatistical uses are clearly described in advance to the
respondent (with the respondent providing informed consent), and
these procedures are clearly stated in the notices and supporting
materials described in Section II. Agencies should also consult with
their institutional review boards to determine circumstances when
informed consent is appropriate or necessary.
---------------------------------------------------------------------------
A nonstatistical purpose means the use of information in
identifiable form for anything other than a statistical
[[Page 33368]]
purpose, including any administrative, regulatory, law enforcement,
adjudicative, or other purpose that affects the rights, privileges or
benefits of a particular identifiable respondent. Providing
confidential information in response to a Freedom of Information Act
(FOIA) request is also considered a nonstatistical purpose.\29\ Since
the CIPSEA statute is a (b)(3) statute under FOIA, confidential
information covered under CIPSEA is exempt from release pursuant to a
FOIA request (5 U.S.C. 552(b)(3)).
---------------------------------------------------------------------------
\29\ Sec. 502(5)(B).
---------------------------------------------------------------------------
Agencies acquire information in different ways from a wide variety
of respondents. An agency may collect information directly (e.g.,
surveys) from individuals, households, businesses, organizations, or
institutions, or the agency may acquire information through secondary
sources (e.g., from State government agencies).\30\ This guidance, in
accordance with the law, will use as the more general term,
``acquire,'' to include both agency collections of information directly
from respondents, and acquisitions of information from secondary
sources.
---------------------------------------------------------------------------
\30\ Sec. 502(6).
---------------------------------------------------------------------------
In many cases, agencies acquire information directly from
respondents (including local or State governments) to a Federal survey;
in other cases, agencies do not themselves directly acquire information
from respondents but do so through intermediaries, such as contractors
or researchers who are operating under cooperative agreements or grants
at the direction of the agency. CIPSEA defines contractors and their
employees, researchers, and employees of private organizations or
institutions of higher learning that have a contract or agreement with
a Federal agency as ``agents.'' \31\
---------------------------------------------------------------------------
\31\ Sec. 502(2).
---------------------------------------------------------------------------
Any agency that directly acquires information from a respondent,
including a local or State government, under a pledge of
confidentiality for exclusively statistical purposes, can use CIPSEA to
protect the information. However, if an agency is using an agent, such
as a contractor, to acquire information for exclusively statistical
purposes, the agency may not be able to protect the information under
CIPSEA unless it is a statistical agency (see part G). In these
situations, nonstatistical agencies should use their existing statutory
authority to protect the confidentiality of this information.
Generally, the applicable statute with the strongest
confidentiality protections for the information governs the use and
disclosure of the information. CIPSEA does not restrict or diminish any
other confidentiality protections or penalties for unauthorized
disclosure that an agency may otherwise have for information collected
for statistical purposes.\32\ Accordingly, if an agency has any
stronger protections in its statutes, these protections would remain in
effect. For example, the more restrictive use and disclosure provisions
of the Census Act and the International Investment and Trade in
Services Survey Act would take precedence over the broader statistical
uses permitted under CIPSEA. In another example, if an agency's
authorizing statute prohibited disclosure with informed consent, the
agency would not be able to disclose the information with informed
consent, which could be permissible under CIPSEA under certain
circumstances.\33\
---------------------------------------------------------------------------
\32\ Sec. 504(h); Sec. 512(b)(3).
\33\ Sec. 512(b).
---------------------------------------------------------------------------
On the other hand, if an agency pledges to use the information for
only statistical purposes, then the agency shall not use any other
authorities it has available to use the information for non-statistical
purposes, because those uses would be contrary to the agency's pledge.
For example, if information is protected by CIPSEA and the Privacy Act,
some of the routine uses permitted under the Privacy Act would no
longer be allowed because they are not for statistical purposes.
G. Use of CIPSEA by Statistical and Nonstatistical Agencies or Units
Although any Federal agency can acquire and protect information
under CIPSEA, CIPSEA provides additional authority and imposes
additional requirements on statistical agencies or units. These
additional provisions have implications for how and whether an agency
can use CIPSEA to acquire information; these provisions are discussed
in later sections of this guidance.
CIPSEA defines a statistical agency or unit as ``an agency or
organizational unit of the executive branch whose activities are
predominantly the collection, compilation, processing, or analysis of
information for statistical purposes.'' \34\
OMB shall determine whether an agency or unit can be considered a
statistical agency or unit for purposes of CIPSEA.
---------------------------------------------------------------------------
\34\ Sec. 502(8).
---------------------------------------------------------------------------
OMB recognized 12 statistical agencies or units in its 1997
Confidentiality Order: \35\
---------------------------------------------------------------------------
\35\ 62 FR 35,044-35,050.
---------------------------------------------------------------------------
- Department of Agriculture
  - Economic Research Service
  - National Agricultural Statistics Service
- Department of Commerce
  - Bureau of Economic Analysis
  - Census Bureau
- Department of Education
  - National Center for Education Statistics
- Department of Energy
  - Energy Information Administration
- Department of Health and Human Services
  - National Center for Health Statistics
- Department of Justice
  - Bureau of Justice Statistics
- Department of Labor
  - Bureau of Labor Statistics
- Department of Transportation
  - Bureau of Transportation Statistics
- Department of the Treasury
  - Statistics of Income Division of the Internal Revenue Service
- National Science Foundation
  - Division of Science Resources Statistics
Since this guidance was issued in proposed form in October 2006,
OMB has recognized two statistical organizational units: the Office of
Applied Studies within the Substance Abuse and Mental Health Services
Administration in the Department of Health and Human Services, and the
Microeconomic Surveys Unit of the Board of Governors of the Federal
Reserve. Other agencies or units that wish to be recognized as
statistical agencies or units for purposes of CIPSEA must send a
request to the Chief Statistician at OMB. The request must come from
the head of the agency or unit and have the concurrence of the larger
organization within which the agency or unit resides. This request
should include a statement of the organizational definition of the
agency or unit, its mission, statistical activities, and any
nonstatistical activities, and demonstrate that its activities are
predominantly statistical. Statistical activities include the
collection, compilation, processing, or analysis of data for the
purpose of describing the characteristics of groups or making estimates
concerning the whole or relevant groups, or components within, the
economy, society, or the natural environment. Statistical activities
also include the development of methods or resources that support these
activities, such as measurement methods, models, statistical
classifications, or sampling frames. A listing of OMB recognized
statistical agencies and units will be posted and maintained on OMB's
Web site.
Both statistical and nonstatistical agencies can use CIPSEA to
protect information they acquire directly from
[[Page 33369]]
respondents, including State and local governments. However, only
statistical agencies or units are authorized under CIPSEA to designate
agents to perform exclusively statistical activities, which include
data collection, subject to CIPSEA limitations and penalties.\36\
Because data collection contractors are agents under CIPSEA,\37\ only
statistical agencies may designate contractors to acquire information
that will be protected under CIPSEA. In order for the collections of
nonstatistical agencies to fall within the protections of CIPSEA,
nonstatistical agencies must acquire the information themselves
directly from respondents. Nonstatistical agencies cannot empower
contractors or other agents to acquire information or carry out any
other statistical activities for the agency under CIPSEA.\38\
---------------------------------------------------------------------------
\36\ Sec. 512(d).
\37\ Sec. 502(2)(iii).
\38\ Some nonstatistical agencies may have specific statutory
authority to designate agents that meets the requirements of CIPSEA,
allowing the agency to use agents to perform exclusively statistical
activities, including data collection, for the agency. Agencies
should consult with OMB on the applicability of their statute for
purposes of using CIPSEA before making plans to designate agents.
Agencies should also clearly describe how their authority meets the
requirements for CIPSEA designation of agents in their information
collection requests to OMB.
---------------------------------------------------------------------------
The following sections II and III of this guidance describe in
detail the requirements for all agencies using CIPSEA. Additional
requirements for statistical agencies or units designating agents are
covered in section IV. Because it is generally expected that
statistical agencies or organizational units will be collecting
information for exclusively statistical purposes under a pledge of
confidentiality, statistical agencies or units that conduct or sponsor
a collection that will not be for exclusively statistical purposes must
follow additional requirements as described in section V. Additional
requirements for nonstatistical agencies or units are provided in
section VI.
II. Requirements for Agencies Collecting or Acquiring Information
Protected Under CIPSEA
CIPSEA provides strong protection for information obtained for
exclusively statistical purposes under a pledge of confidentiality. For
CIPSEA to have its intended effect of reinforcing public confidence in
Federal confidentiality pledges, all Federal agencies that make the
CIPSEA pledge must provide CIPSEA protection to that information. A
Federal agency should not make a CIPSEA pledge unless the agency is
fully committed to taking all the actions that are necessary to provide
CIPSEA level protection; making the CIPSEA pledge means giving CIPSEA
level protection to the collected information.
To faithfully maintain this commitment requires that agencies meet
a number of minimum requirements that are described in detail in the
remainder of this guidance. Specifically, agencies must:
- Inform the respondents about the confidentiality
  protection and use of the information (section II.);
- Collect and handle confidential information to minimize
  risk of disclosure, including properly training employees (section
  III.);
- Ensure the information is used only for statistical
  purposes (section III. A.);
- Review information to be disseminated to prevent
  identifiable information from being reasonably inferred by either
  direct or indirect means (section III. F.); and
- Supervise and control agents who have access to
  confidential information (section IV.).
A. Requirements for Public Notice Prior to Data Collection
Agencies are required under the PRA to:
- Publish a notice in the Federal Register allowing 60 days
  for the public to comment on information collections and otherwise
  consult with members of the public and affected agencies concerning
  each proposed collection of information; \39\
---------------------------------------------------------------------------
\39\ 5 CFR 1320.8(d)(1).
---------------------------------------------------------------------------
- Publish a notice in the Federal Register at the time OMB
  approval is being sought, and allow the public 30 days to comment; and
- ``Describe any assurance of confidentiality provided to
  respondents and the basis for the assurance in statute, regulation, or
  agency policy'' in their PRA supporting statements submitted to
  OMB.\40\
---------------------------------------------------------------------------
\40\ Instructions for Supporting Statement for Paperwork
Reduction Act submissions and 5 CFR 1320.8(b)(3).
---------------------------------------------------------------------------
When agencies are acquiring information that will be protected
under CIPSEA, they shall: \41\
---------------------------------------------------------------------------
\41\ Agencies conducting an OMB-approved information collection
prior to passage of CIPSEA or issuance of this guidance, such as a
periodic or longitudinal survey, can also protect that collection
under CIPSEA if the collection is intended for exclusively
statistical purposes, the agency pledges confidentiality, and the
agency will follow this guidance in implementing CIPSEA. In this
case, the agency should consult with OMB about the change in
confidentiality protection for the collection and plan appropriate
consultation with stakeholders and respondents. OMB may require
agencies to provide Federal Register notices concerning the change
in policy and to contact respondents for comments before the agency
can make a CIPSEA pledge.
---------------------------------------------------------------------------
- State that the information will be protected under CIPSEA,
  and cite any other authority they have to protect the confidentiality
  of the data in their PRA supporting statements; and
- State in their Federal Register notices if there is a
  substantive change in the confidentiality protection of the information
  being collected, such as using CIPSEA to protect the information for an
  ongoing collection when similar protection was not available
  previously.
B. Requirements for Informing Respondents at the Time of Information
Collection
At the time of the information collection, agencies are required
under the PRA to adequately inform potential respondents about the uses
of the information they provide.\42\ This description must include the
following information related to the confidentiality of their
responses:
---------------------------------------------------------------------------
\42\ 5 CFR 1320.8(b)(3); Additional requirements are imposed if
the collection involves a Privacy Act system of records (5 U.S.C.
552a(e)(3) as amended).
---------------------------------------------------------------------------
- The reasons the information is planned to be and/or has
  been collected;
- The way such information is planned to be and/or has been
  used to further the proper performance of the functions of the agency;
  and
- The nature and extent of confidentiality protection to be
  provided, if any.\43\
---------------------------------------------------------------------------
\43\ 5 CFR 1320.8(b)(3).
---------------------------------------------------------------------------
When agencies are collecting information that they want to be
protected under CIPSEA, they are required by law at the time of
collection to do the following:\44\
---------------------------------------------------------------------------
\44\ Sec. 512(a).
---------------------------------------------------------------------------
- Pledge to keep the data or information confidential, and
- Pledge that the information will be used for exclusively
  statistical purposes.
Agencies that are not protecting information under CIPSEA must
ensure that the public is able to distinguish easily between pledges
that reflect the protections provided by CIPSEA and those affording
less protection than CIPSEA. In particular, the pledge for collections
not protected to the extent afforded by CIPSEA shall not contain all
the elements related to CIPSEA found in the pledges below--
specifically, the pledge shall not state both that the data are
confidential and that they are for exclusively statistical use (in such
cases CIPSEA would apply even if not stated).\45\ The degree to which
the
[[Page 33370]]
pledge differs from the CIPSEA pledge needs to be based on the laws and
regulations governing the collection and determined in collaboration
with the agency legal staff, agency confidentiality officer, and PRA
clearance officer. A pledge of confidentiality for collections not
protected by CIPSEA must specifically cite the statutory authorization
protecting the confidentiality of the data being collected and
accurately describe the extent of that protection. If an agency elects
to collect information under laws affording less protection than
CIPSEA, OMB will not approve an agency's proposed non-CIPSEA pledge
that is too similar to the CIPSEA pledge (e.g., one that includes the
term `confidential' and states that the information will be used for
exclusively statistical purposes).
---------------------------------------------------------------------------
\45\ As noted at the end of this subsection (and in footnote
17), CIPSEA does not restrict or diminish any other confidentiality
protections or penalties for unauthorized disclosure that an agency
may otherwise have for information collected for statistical
purposes, and any stronger protections would remain in effect (Sec.
504(h); Sec. 512(b)(3)).
---------------------------------------------------------------------------
The following examples of confidentiality pledges under CIPSEA are
sufficient to inform respondents of the protections afforded. Agencies
shall use the following model and customize the wording in accordance
with their needs. Parentheses indicate options and italics are
instructions. Comparable pledge language may be substituted, but that
alternative wording shall be included in the PRA supporting statements
to OMB and should be cognitively tested. A complete confidentiality
pledge shall be developed from the following:
The information (choose one--you, your household, your
establishment--as needed) provide(s) will be used for statistical
purposes only. In accordance with the Confidential Information
Protection provisions of Title V, Subtitle A, Public Law 107-347
(option to add or substitute laws that are stronger or more
restrictive than CIPSEA) and other applicable Federal laws (option
to list them, but it is not necessary to be exhaustive), your
responses will be kept confidential and will not be disclosed in
identifiable form to anyone other than employees (option to add ``or
agents'' if applicable, or another term the agency uses) (option to
add--without your consent).\46\ By law, every (your agency here)
employee (optional--including the Director), (if applicable, option
to add ``as well as every agent such as then list as appropriate--
contractors, field representatives,
telephone interviewers, authorized researchers,\47\ etc''.\48\),
(optional--has taken an oath and) is subject to a jail term
(optional--of up to 5 years), a fine (optional--of up to $250,000),
or both if he or she willfully discloses ANY identifiable
information about (choose one--you, your household, your
establishment).
---------------------------------------------------------------------------
\46\ Use the phrase ``without your consent'' only in cases where
an agency can reasonably anticipate such consent will be requested.
\47\ Agencies that plan to provide access to confidential
information for statistical purposes should include mention of this
in their pledge.
\48\ Designated statistical agencies (as defined under CIPSEA
Subtitle B) may include ``employees of partner statistical
agencies'' for collections of confidential business information that
may be used in data sharing agreements as authorized under that
Subtitle.
---------------------------------------------------------------------------
The above pledge may be placed on the survey instrument (e.g.,
form), in the instructions, or on the back side of the cover letter. A
shorter, more user-friendly version may be used in introductory
statements, on the cover of the instrument, or in the body of the cover
letter as long as there is a reference to the full pledge. In addition,
the agency may place the full pledge on the agency's web site and point
respondents to that site.
To illustrate the actual pledge wording, an agency could implement
this pledge as follows:
The information you provide will be used for statistical
purposes only. In accordance with the Confidential Information
Protection provisions of Title V, Subtitle A, Public Law 107-347 and
other applicable Federal laws, your responses will be kept
confidential and will not be disclosed in identifiable form to
anyone other than employees or agents. By law, every ABC employee as
well as every agent has taken an oath and is subject to a jail term
of up to 5 years, a fine of up to $250,000, or both if he or she
willfully discloses ANY identifiable information about you.
Agencies may choose to employ a shortened version of the pledge,
such as the following, when conducting telephone surveys or in other
similar circumstances as long as respondents are given access to the
longer version in some other manner such as posting on the agency's Web
site:
The information you provide about (choose one--yourself,
household, establishment) will be used for statistical purposes
only. In accordance with the Confidential Information Protection
provisions in Public Law 107-347 (option to add and other applicable
Federal laws), your responses will be kept confidential and will not
be disclosed in identifiable form (optional--without your
consent).\49\ By law, everyone working on this (your agency here)
survey is subject to a jail term, a fine, or both if he or she
willfully discloses ANY information that could identify you.
Agencies whose statutory authority provides confidentiality
protections more restrictive than CIPSEA for information acquired for
exclusively statistical purposes under a pledge of confidentiality may
use the CIPSEA pledge or their existing pledges that are similar as
long as they make clear what confidentiality protections cover the
information and the statutory authority for those protections. In such
cases, the resemblance of an agency's pledge to the CIPSEA pledge does
not imply that any provisions in CIPSEA would overrule the agency's
stronger confidentiality statute. CIPSEA does not restrict or diminish
any other confidentiality protections or penalties for unauthorized
disclosure that an agency may otherwise have for information collected
for statistical purposes, and any stronger protections would remain in
effect.\50\
---------------------------------------------------------------------------
\49\ Use ``without your consent'' only if consent is asked or
may be in the future--omitting this phrase could create difficulties
if the agency later wants to ask for consent.
\50\ Sec. 504(h); Sec. 512(b)(3).
---------------------------------------------------------------------------
III. Minimum Standards for Safeguarding Confidential Information
Acquired Under CIPSEA
These standards for safeguarding confidential information apply to
information protected under CIPSEA. Federal agencies shall follow the
minimum standards in this section. In addition, some best practices are
provided that agencies are encouraged to adopt but are not required to
implement.\51\
---------------------------------------------------------------------------
\51\ Best practices that agencies are encouraged but not
required to implement are designated as items that agencies ``may''
do, while requirements are noted as items that agencies ``shall''
do.
---------------------------------------------------------------------------
The central objective of these standards is to ensure that a
Federal agency that pledges confidentiality for statistical information
honors that pledge. Each Federal agency remains ultimately responsible
and accountable for the confidential information that the agency
acquires under a CIPSEA pledge. Any inappropriate use or disclosure of
CIPSEA-protected information violates the law and can undermine public
trust. Therefore, there is no ``acceptable'' level of non-compliance
with the CIPSEA pledge.
These minimum standards have been developed according to the
principle of disclosure risk, which considers both the probability of
an unauthorized disclosure and the expected harm from such a
disclosure. These minimum standards apply to data for which the
disclosure risk has been deemed relatively low by the Federal agency
responsible for the information. Federal agencies shall set higher
standards as the disclosure risk increases.
At a minimum, such standards shall make clear that each person
having
[[Page 33371]]
access to confidential information understands his/her responsibility
related to maintaining the confidentiality of that information. In
addition, these standards shall make clear who is accountable for each
part of the information protection, including:
Determining and monitoring procedures for collection and
release;
Evaluating the reason for accessing the information and
controlling access to the information; and
Maintaining physical and information systems security.
A. Principles and Procedures for Protecting Confidential Information
Agencies or organizational units protecting information under
CIPSEA shall incorporate the costs for protecting confidential
information throughout the lifecycle of the statistical activity. This
will ensure that sufficient resources are available to develop and
implement procedures to ensure that:
The confidentiality of the information is protected;
Confidential information is used exclusively for
statistical purposes;
Access to confidential information is controlled, and only
authorized persons have access to the information;
All persons having access to confidential information
understand
    o The obligations of confidentiality protection,
    o That unauthorized access to confidential information is
      prohibited, and
    o The penalties for unauthorized access to and unauthorized use
      of confidential information; and
A person or persons are designated to oversee all
procedures for handling confidential information, and that such persons
are responsible for all agency confidentiality procedures, reviews, and
compliance with confidentiality laws.
B. Physical and Information Systems Security
Each agency shall ensure the physical security and information
systems security where data protected under CIPSEA are accessed and
stored.
Agencies are required to establish appropriate administrative and
technical safeguards to ensure that all media containing confidential
information are protected against unauthorized disclosures and
anticipated threats or hazards to their security or integrity. For
example, agencies must ensure that security requirements are followed
for reports, documents, printouts, information collection instruments,
laptops, PDAs, zip drives, floppy disks, CD-ROMs, or any other IT
devices that contain confidential information to prevent access by
unauthorized persons. Agencies must also ensure that only persons
authorized by the head of the statistical agency or unit are permitted
access to confidential information stored in information systems.
Agencies are required to assess and secure their information and
information systems in accord with the Federal Information Security
Management Act (FISMA) which appears as Title III of the E-Government
Act of 2002. OMB has issued guidance on implementing FISMA, and the
National Institute of Standards and Technology (NIST) has issued
compulsory and binding standards used to identify the level of impact
and controls for maintaining the confidentiality, integrity, and
availability of all information collected or maintained on behalf of an
agency.\52\
---------------------------------------------------------------------------
\52\ For more information about existing security and privacy
requirements, see
http://www.whitehouse.gov/omb/inforeg/infopoltech.html; FIPS PUB 199,
Standards for Security Categorization of Federal Information and
Information Systems, Gaithersburg, MD: U.S. Department of Commerce; and
related publications.
---------------------------------------------------------------------------
One of three security objectives for information and information
systems that FISMA defines is confidentiality. The security category of
an information type is determined by its potential impact on agencies
should there be a breach of security, i.e., a loss of
confidentiality.\53\ Because agencies handle many different types of
information, an agency should determine what the potential impact of a
security breach on the agency is (including mission, function, image,
and reputation), and take into account CIPSEA requirements that the
information be used for exclusively statistical purposes as well as the
penalties that CIPSEA imposes for disclosure.
---------------------------------------------------------------------------
\53\ See FIPS PUB 199, Standards for Security Categorization of
Federal Information and Information Systems, Gaithersburg, MD: U.S.
Department of Commerce; and related publications such as NIST
Special Publication 800-60.
---------------------------------------------------------------------------
Privacy Impact Assessments (PIAs) are also required of agencies
developing or procuring information systems or projects that maintain
or handle confidential information in identifiable form about members
of the public, and agencies initiating new electronic collections of
information in identifiable form.\54\
---------------------------------------------------------------------------
\54\ See OMB Memorandum M-03-22, September 26, 2003, OMB
Guidance for Implementing the Privacy Provisions of the E-Government
Act of 2002.
---------------------------------------------------------------------------
C. Confidentiality Training
Each agency with information protected under CIPSEA shall ensure
that all individuals having access to such confidential information
have a current understanding of confidentiality rules and procedures.
Confidentiality training shall include at a minimum:
An overview of information protection procedures,
The importance of ``need to know'' for an authorized
purpose in accessing confidential information,
Physical and information systems security procedures, and
The penalties for unauthorized access, use and
disclosures.
Employees who have access to confidential information shall be
recertified annually to ensure their understanding of confidentiality
requirements.
D. Record Keeping
Agencies shall establish and maintain a system of records \55\ that
identifies individuals accessing confidential information. Agencies
shall also be prepared to document their compliance with the safeguard
principles to OMB.\56\
---------------------------------------------------------------------------
\55\ Agencies should assess for themselves the nature of these
records and requirements for record keeping, including whether what
an agency does for this purpose qualifies as a system of records
under the Privacy Act. OMB is not implying in this guidance what
form these record keeping systems should take and is leaving that
determination to the agency.
\56\ OMB recognizes that in some cases agencies have very
detailed documentation on access to confidential information that
itself is treated as confidential by the agency. In this case, it is
sufficient for the agency simply to demonstrate that the basic
safeguard principles are being followed; agencies should not reveal
specific individuals or specific procedures that would compromise
the protection of the information.
---------------------------------------------------------------------------
E. Information Collection, Processing, or Analysis Contracts
Prior to award, agencies shall review any contracts that involve
CIPSEA protected information to ensure language is included that
informs the contractor of the requirements of CIPSEA and of the
contractor's obligations under the law and penalties for noncompliance
(see Section IV).
F. Guidelines for Review of Information Prior to Dissemination
For CIPSEA protected information, the agency as well as any agent
accessing the information shall ensure that any dissemination of
information based on confidential information is done in a manner that
preserves the confidentiality of the information. To accomplish this,
agencies shall:
Review their information products prior to public release
for disclosures of confidential information, and
Apply appropriate statistical disclosure limitation (SDL)
techniques
[[Page 33372]]
to preserve the confidentiality of the information.
For further guidance on SDL techniques, agencies can refer to
practices described in Statistical Policy Working Paper #22, Report on
Statistical Disclosure Limitation Methodology \57\ and utilize other
resources such as the disclosure review checklist provided by the
Federal Committee on Statistical Methodology's Confidentiality and Data
Access Committee.\58\
---------------------------------------------------------------------------
\57\ Available at http://www.fcsm.gov/reports/.
\58\ See http://www.fcsm.gov/committees/cdac/cdac.html. Agencies
may also wish to consult HIPAA standards for deidentification of
protected health information at 45 CFR 164.514.
---------------------------------------------------------------------------
Additional guidelines are provided below for handling confidential
information protected under CIPSEA in conjunction with information not
protected by CIPSEA.
Tabular Information
When a table includes both data protected under CIPSEA and other
data not protected under CIPSEA, all data shall be treated as
confidential, and identifiable respondent information shall not be
present in the table.
When a table includes both data protected under CIPSEA and
nonconfidential data, the agency:
Shall apply SDL techniques to ensure protection of any
table cells based on information protected under CIPSEA;
May have a table cell that reveals nonconfidential
identifiable respondent information. However, the agency shall take
special care to ensure that the presentation of the nonconfidential
information in no way jeopardizes confidential information.
    o If the table includes any identifiable nonconfidential
      respondent information, the agency shall distinguish what
      information is protected under CIPSEA in the accompanying text or
      notes to the table.
    o If the table does not include any identifiable nonconfidential
      respondent information, there is no need to distinguish these data
      from those protected under CIPSEA.
A special case exists when a table cell value reflects a
combination of CIPSEA protected data and nonconfidential data (e.g., a
ratio or weighted average). In this case, these data elements are
considered confidential and shall not be disseminated in a manner where
any respondent could be identified.
The agency shall determine how the disclosure limitation methods
used on the data affect the users and thus what information about
confidentiality protection shall be included with tabular presentation.
Microdata \59\
---------------------------------------------------------------------------
\59\ Microdata are data about individual respondents (e.g.,
persons, households, organizations, companies, farms, etc.).
---------------------------------------------------------------------------
The confidentiality provisions and limits on uses of microdata
shall be completely discussed in the documentation or mentioned with a
reference for details. For microdata protected under CIPSEA, SDL
techniques shall be applied prior to public release.
There are two possible scenarios to consider for the dissemination
of microdata in which some elements are protected under CIPSEA and
other elements are not (e.g., not confidential or confidential under
other laws/authorities).
If variables protected under CIPSEA are linked to other
variables that are not, the most restrictive law (in terms of promising
confidentiality and limiting the use of the information) shall apply.
For example:
    o If an agency links data protected under CIPSEA with
      nonconfidential administrative data from another source and
      releases a linked public use microdata file, the restrictions of
      CIPSEA apply.
    o If an agency links data protected under CIPSEA with confidential
      administrative data from another source (e.g., IRS data) and
      releases a linked public use microdata file, the most restrictive
      law (in terms of promising confidentiality and limiting the use of
      the information) shall prevail.
If data from some respondents are protected under CIPSEA
and data from other respondents are not, an agency may keep the data in
separate files or combine the data sets and include a variable that
tells the source for each record. Keeping the data in separate files
may be the best choice because it would help highlight the difference
in confidentiality provisions and limits on uses.
IV. Requirements and Guidelines for Statistical Agencies or
Organizational Units When Designating Agents to Acquire or Access
Confidential Information Protected Under CIPSEA
Statistical agencies or organizational units may under CIPSEA
designate agents by contract or by entering into a special agreement to
perform exclusively statistical activities that are subject to CIPSEA
limitations and penalties.\60\ To ensure that the protections of CIPSEA
apply to the information that a statistical agency or unit acquires,
the agency shall follow the requirements in this section when
designating agents to acquire information for the agency for
exclusively statistical purposes under a pledge of confidentiality.
---------------------------------------------------------------------------
\60\ Sec. 512(d).
---------------------------------------------------------------------------
Because CIPSEA has a broad definition of agents, statistical
agencies and organizational units may use CIPSEA to designate a variety
of individuals as agents to allow them to access confidential
information for exclusively statistical purposes.\61\ A statistical
agency may designate agents to perform exclusively statistical
activities, at its discretion, subject to the agency's needs,
resources, and other requirements. The agency that possesses the
confidential information shall ensure that all agents comply with the
agency's confidentiality procedures and shall follow the requirements
in this section when designating agents to access confidential
information for exclusively statistical purposes.
---------------------------------------------------------------------------
\61\ Sec. 512(a).
---------------------------------------------------------------------------
Information protected under CIPSEA must be used only for
statistical purposes. When entering into contracts or special
agreements with agents to acquire or access confidential information,
an agency shall consider:
The sensitivity of the confidential information,
The risk of disclosure, and
The resources required to maintain supervision and control
of agents.
Agencies are responsible for protecting the confidentiality of
their data and may establish standards beyond those in this guidance.
This section thus provides the minimum requirements as well as
additional guidelines for statistical agencies or units to designate
agents to perform exclusively statistical activities, including data
collection.
It is important to note that neither CIPSEA nor this guidance
requires any statistical agency or unit to designate agents; the
decision to enter into these agreements is at the discretion of the
statistical agency or unit. Therefore, an agency may decline to
designate agents in accordance with its authorities or practices.\62\
If a statistical agency or unit chooses to designate agents, the agency
remains responsible for all confidential information protected under
CIPSEA, and statistical agencies or units should not designate agents
unless the agencies
[[Page 33373]]
or units are able to ensure that all CIPSEA requirements in this
guidance will be met and faithfully carried out by their agents.
Carrying out these responsibilities will take agency resources, and
thus, will limit the extent to which a statistical agency or unit
should consider designating agents.
---------------------------------------------------------------------------
\62\ An example is the authority granted the Census Bureau under
Title 13, Section 23(c) that permits the use of temporary staff to
assist in the performance of work authorized by Title 13. Whereas
CIPSEA puts no limits on the statistical uses made by agents, Title
13 limits the statistical uses to those that support the work of the
agency.
---------------------------------------------------------------------------
A. Designating Agents
Under CIPSEA, a statistical agency or unit may designate as an
agent \63\ any of the following:
---------------------------------------------------------------------------
\63\ Sec. 502(2)(A); Sec. 512(d).
---------------------------------------------------------------------------
An employee of a private organization or a researcher
affiliated with an institution of higher learning;
Someone who is working under the authority of a government
entity;
Someone who is a self-employed researcher, a consultant, a
contractor, or an employee of a contractor; or
Someone who is a contractor or an employee of a
contractor, and who is engaged by the agency to design or maintain the
systems for handling or storage of data received under this title.\64\
---------------------------------------------------------------------------
\64\ CIPSEA includes as agents contractors maintaining systems
for handling or storage of data. Such information technology
personnel provide support and have direct contact with confidential
information not because they would necessarily use the information
for statistical purposes, but because they would be responsible for
the protection of the information from use for nonstatistical
purposes and for ensuring appropriate security. As agents, these
contractors and their employees are bound by CIPSEA to protect the
confidentiality of the information.
---------------------------------------------------------------------------
Statistical agencies or units designating agents must do so through
contracts or other agreements that require the agent to agree in
writing to comply with all provisions of law that affect information
acquired by that agency.\65\ Any statistical agencies or units that
designate agents shall exercise supervision and/or control of the
agents to ensure the confidentiality and appropriate use of the
information.
---------------------------------------------------------------------------
\65\ Sec. 502(2)(B).
---------------------------------------------------------------------------
B. Requirements for Agents To Request Access to Confidential
Information Protected Under CIPSEA
Some statistical agencies and units receive requests from outside
researchers and others who wish to obtain access to confidential data
for statistical purposes as agents of the statistical agency. Most
agencies that receive these kinds of requests have found it useful to
first obtain a written proposal from the prospective agent. Agencies
may require prospective agents to submit a proposal that includes some
or all of the following in order to properly evaluate the proposed
access and use of their confidential data:
A clear and detailed description of the purpose of the
access,
The specific confidential information needed,
How the information will be used,
Plans for disseminating information as well as the
products planned for public distribution,
A list of persons involved in the project who will have
access to the information,
A security plan (information systems and physical
security) for protecting the information [applicable only for off-site
access arrangements], and
A timeframe for access.
After an agency receives the proposal and reviews it, the agency
may provide comments and may request changes or may request the
prospective agent to complete a written agreement (see section
IV.C).\66\ Agencies shall deny any proposal that does not meet the
requirements described in this guidance.
---------------------------------------------------------------------------
\66\ If the agency chooses, the agent may submit the proposal in
conjunction with a completed written agreement.
---------------------------------------------------------------------------
Whether or not a prospective agent has submitted a proposal to an
agency, access to confidential information shall not be granted until
the agency has entered into a written agreement with the agent, and the
agent has met the requirements contained in this guidance and in agency
standards for accessing the data.
Prior to the enactment of CIPSEA, some statistical agencies and
units had statutory authority to authorize agents to access
confidential information. Agencies have developed a variety of
mechanisms that balance permitting access to confidential data with
controlling that access. This area is evolving rapidly, and the
following examples are included only as illustrations:
Onsite at Agency: An external analyst works at an agency
as an agent to participate in statistical activities involving
confidential data. This work shall be done either in collaboration with
or otherwise under the direct control and supervision of agency staff,
per the terms of a written agreement. The agent's work is subject to
review by the supervising staff.
Data Center: An agent visits a controlled access secure
facility maintained by the agency or unit to conduct analyses on
confidential data held by the agency. The facility must be equipped
with secure computers and staffed by agency personnel who review all
outputs for the purposes of confidentiality. There may be additional
constraints on what the agent may bring to or remove from the center.
Off-site License Agreement: An agent is granted access to
confidential information from an agency or unit for use at the agent's
facility. The organization the agent is affiliated with shall enter
into a legally binding written agreement as described in section IV.C
with the agency that possesses the confidential information.
C. Written Agreements for Agent Access to Confidential Information
Protected Under CIPSEA
Some statistical agencies or units use contractors to acquire
information and/or perform other statistical activities. Under CIPSEA,
the contractor and the contractor's employees are considered agents.
For any data that will be acquired by the contractor under CIPSEA, or
if the contractor will have access to any confidential information
protected by CIPSEA, the legally binding contract shall include the
provisions shown in the Appendix.
If a statistical agency or unit provides designated agents access
to confidential information protected under CIPSEA for exclusively
statistical purposes, then all such access shall require a written,
legally binding contract or other agreement between the agency and the
responsible management level official from the institution with which
the agent(s) is(are) affiliated.\67\ The information required as part
of that written agreement is shown in the Appendix.
---------------------------------------------------------------------------
\67\ For situations in which agents are not affiliated with an
institution, the agreement will be signed as legally binding by the
agent(s). The latter arrangements would include those with a single
agent operating independently as a sole proprietor as well as those
with multiple agents operating independently.
---------------------------------------------------------------------------
D. Physical and Information Systems Security for Confidential
Information Protected Under CIPSEA: On-Site and Off-Site
Agencies have the responsibility to ensure the security of physical
and information systems for on-site as well as off-site access (if
applicable) to confidential information and must follow applicable OMB
Guidance and NIST standards and publications.\68\ In addition to the
security requirements described in section III.B, agencies allowing
agents access to confidential information protected under CIPSEA
[[Page 33374]]
outside of the collecting agency or a facility under the agency's
control shall require that the written access agreement, described in
section IV.C, stipulate the agency's right to conduct inspections of
the off-site facility.
---------------------------------------------------------------------------
\68\ For more information about existing security and privacy
requirements, see http://www.whitehouse.gov/omb/inforeg/infopoltech.html, FIPS PUB 199, Standards for Security
Categorization of Federal Information and Information Systems,
Gaithersburg, MD: U.S. Department of Commerce, and related
publications.
---------------------------------------------------------------------------
In order to ensure the physical and information systems security of
the confidential information, agencies shall conduct inspections of any
off-site facility that harbors confidential information protected under
CIPSEA. (If the off-site facility is another Federal statistical agency
or unit, agencies may at their option conduct inspections but are not
required to inspect these facilities.) These inspections shall be
conducted according to the following principles:
- The inspections shall assess and document whether the
  protection procedures outlined in the written agreement and in the
  agent's security plan are being implemented.
- While an inspection of the off-site facility is encouraged
  prior to release of the information to the agent, it is not required.
  (The inspection may occur any time during the access agreement period,
  preferably as soon as possible.)
- Inspections shall be conducted at all off-site facilities
  at some time during the timeframe of access. Agencies may prioritize
  their selection of sites for inspections based on risk, but must still
  inspect all off-site facilities; however, agencies may coordinate and
  collaborate on inspections of off-site facilities that harbor
  confidential data from multiple agencies. Agencies may choose not to
  inform the agent of the timing of such inspections.
E. Confidentiality Training
All persons with access to confidential information protected under
CIPSEA shall participate in agency-provided confidentiality training
(see section III.C) prior to accessing the confidential information as
stipulated in the written agreement (section IV.C) between the agency
and the agent's organization or institution.\69\
---------------------------------------------------------------------------
\69\ For situations in which agents are not affiliated with an
institution, the agreement will be signed as legally binding by the
agent(s).
---------------------------------------------------------------------------
The agency possessing the confidential data shall certify or
receive notification that each project staff member has undergone the
training. Agents shall also be required to be recertified annually.
F. Record Keeping
Agencies shall establish and maintain a system of records \70\ that
identifies designated agents accessing confidential information
protected under CIPSEA and the project for which the information was
authorized.
---------------------------------------------------------------------------
\70\ Agencies should assess for themselves the nature of these
records and requirements for record keeping, including whether what
an agency does for this purpose qualifies as a system of records
under the Privacy Act. OMB is not implying in this guidance what
form these record keeping systems should take, and is leaving that
determination to the agency.
---------------------------------------------------------------------------
V. Requirements for Statistical Agencies or Organizational Units
Acquiring Information That May Be Used for Nonstatistical Purposes
CIPSEA defines a statistical agency or unit to be ``an agency or
organizational unit of the executive branch whose activities are
predominantly the collection, compilation, processing, or analysis of
information for statistical purposes.'' \71\
---------------------------------------------------------------------------
\71\ Sec. 502(8).
---------------------------------------------------------------------------
Because the public should expect that a statistical agency or unit
will be collecting information for exclusively statistical purposes,
CIPSEA requires a statistical agency to ``clearly distinguish any data
or information it collects for nonstatistical purposes (as authorized
by law) and provide notice to the public, before the data or
information is collected, that the data or information could be used
for nonstatistical purposes.'' \72\
---------------------------------------------------------------------------
\72\ Sec. 512(c).
---------------------------------------------------------------------------
A. Requirements for Public Notice
If a statistical agency or unit will collect information that may
be subject to use for nonstatistical purposes, the statistical agency
or unit shall use the notices in the Federal Register that are required
under the PRA to inform the public about the nonstatistical uses of the
information during the process of requesting OMB approval of the
information collection.
As noted in section II.A, OMB's regulations for Controlling
Paperwork Burdens on the Public \73\ set forth public notification
requirements for agencies conducting or sponsoring an information
collection. Agencies are required under the PRA to:
---------------------------------------------------------------------------
\73\ 5 CFR 1320.
---------------------------------------------------------------------------
- Publish a notice in the Federal Register allowing 60 days
  for the public to comment on information collections and otherwise
  consult with members of the public and affected agencies concerning
  each proposed collection of information; \74\
---------------------------------------------------------------------------
\74\ 5 CFR 1320.8(d)(1).
---------------------------------------------------------------------------
- Publish a notice in the Federal Register at the time OMB
  approval is being sought, and allow the public 30 days to comment; and
- ``Describe any assurance of confidentiality provided to
  respondents and the basis for the assurance in statute, regulation, or
  agency policy'' in their PRA supporting statements submitted to
  OMB.\75\
---------------------------------------------------------------------------
\75\ Instructions for Supporting Statement for Paperwork
Reduction Act submissions and 5 CFR 1320.8(b)(3).
---------------------------------------------------------------------------
Both Federal Register notices (i.e., the initial one seeking public
comments for consideration by the agency and the later one seeking
public comments for consideration by OMB) must explicitly address what
information the statistical agency or unit plans to collect that may be
used for nonstatistical purposes.
B. Requirements for Informing and Making Pledges to Respondents
As noted in section II.B, at the time of the information
collection, agencies are required under the PRA to adequately inform
potential respondents about the uses of the information they
provide.\76\
---------------------------------------------------------------------------
\76\ 5 CFR 1320.8(b)(3); Additional requirements are imposed if
the collection involves a Privacy Act system of records (5 U.S.C.
552a(e)(3) as amended).
---------------------------------------------------------------------------
This description must include the following information related to
the confidentiality of their responses:
- The reasons the information is planned to be and/or has
  been collected;
- The way such information is planned to be and/or has been
  used; and
- The nature and extent of confidentiality to be provided,
  if any.\77\
---------------------------------------------------------------------------
\77\ 5 CFR 1320.8(b)(3).
---------------------------------------------------------------------------
The statistical agency or unit must clearly explain the
confidentiality provisions, if any, for all information not protected
under CIPSEA. As appropriate, the explanation shall include:
- What information will be treated as confidential and the
  basis (e.g., laws) for any confidentiality pledge;
- What information will be treated as nonconfidential;
- What information, if any, is limited to use for
  exclusively statistical purposes and the agency's basis (e.g., laws)
  for such assurances;
- What information, if any, is not limited to use for
  exclusively statistical purposes and may be used for nonstatistical
  purposes; and
- Any limitations on the confidentiality provisions (e.g.,
  the information will be kept confidential only to the extent that it
  satisfies a criterion for exemption in the Freedom of Information Act
  (FOIA), the information may be shared with other Federal government
  agencies for official uses, etc.).
Agencies must ensure that the public is able to distinguish easily
between their CIPSEA pledge and any non-CIPSEA pledge covering
information
[[Page 33375]]
that will be used for nonstatistical purposes. The degree to which the
pledge differs from the CIPSEA pledge needs to be based on the laws and
regulations governing the collection and determined in collaboration
with the agency legal staff, agency confidentiality officer, and PRA
clearance officer. The pledge shall be in compliance with section
512(c) of CIPSEA--requiring notice that any data could be used for
nonstatistical purposes. The approach a statistical agency or unit uses
in crafting wording for confidentiality pledges for information not
protected under CIPSEA must be done with care and take into account the
laws governing the particular agency, and the agency is strongly
encouraged to test changes from currently used wording. In particular,
the pledge for collections not protected under CIPSEA (because, for
example, the information would be used for nonstatistical purposes)
shall not contain all the elements related to CIPSEA found in the
pledges given in section II--for example, the pledge shall not state
both that the data are confidential and that they are for exclusively
statistical use (in such cases CIPSEA would apply even if not stated).
For example, a pledge for data that are legally permitted to be
accessed for nonstatistical purposes may state:
The information you provide will be protected to the fullest
extent allowable under (name the law). This law allows for the (name
specific nonstatistical uses). Information will be protected from
public disclosure by (your agency). Results from this survey will be
reported publicly only in statistical summaries, so that individuals
cannot be identified.
To illustrate the actual pledge wording, an agency could implement
this pledge as follows:
The information you provide will be protected and will not be
disclosed to the public to the extent that it satisfies the criteria
for exemption under the Freedom of Information Act (FOIA), 5 U.S.C.
Sec. 552, and the Trade Secrets Act, 18 U.S.C. Sec. 1905.
To ensure public understanding and avoid confusion (about whether
the agency will provide CIPSEA protection to the data), the above
pledges do not use the word ``confidential'' because use of this term
could give rise to confusion.
VI. Requirements and Guidelines for Nonstatistical Agencies or Units
Acquiring and Handling Information Protected Under CIPSEA
Nonstatistical agencies seeking to acquire information that will be
protected under CIPSEA can take two general approaches: (1) They can
directly acquire the information themselves from respondents, or (2)
they can enter into an agreement with a statistical agency to acquire
the information.
As noted in Section I. G., Subtitle A of CIPSEA may be used by any
Federal agency that directly acquires information from respondents for
exclusively statistical purposes under a pledge of confidentiality.
Nonstatistical agencies that acquire information in this manner must
follow all of the requirements in sections II and III of this guidance
for confidential information protected by CIPSEA.
Nonstatistical agencies or units that will not collect the
information themselves directly from respondents will need to carefully
consider their plans for acquiring and using information if they want
to use CIPSEA to protect the information. Although nonstatistical
agencies and units do acquire information directly from respondents,
they frequently use contractors or other agencies to acquire
information for them that is used for statistical purposes. CIPSEA did
not authorize nonstatistical agencies or units to designate agents,
such as contractors, university researchers, or others included within
the definition of agents,\78\ to perform exclusively statistical
activities, including data collection. Because nonstatistical agencies
or units are not empowered under CIPSEA to designate agents, who are
subject to CIPSEA limitations and penalties, they will not be able to
protect the information under CIPSEA if they employ contractors or
other agents to acquire the information or if they plan to allow access
to the information by anyone outside of authorized agency employees,
even if they intend to use the information for exclusively statistical
purposes and want to keep it confidential.\79\
---------------------------------------------------------------------------
\78\ See Sec. 502(2)(A).
\79\ Some nonstatistical agencies may have specific statutory
authority to designate agents that meets the requirements of CIPSEA,
allowing the agency to use agents to perform exclusively statistical
activities, including data collection, for the agency. Agencies
should consult with OMB on the applicability of their statute for
purposes of using CIPSEA before making plans to designate agents.
Agencies should also clearly describe how their authority meets the
requirements for CIPSEA designation of agents in their information
collection requests to OMB.
---------------------------------------------------------------------------
As an alternative to collecting the data directly themselves,
nonstatistical agencies or units that wish to acquire information with
CIPSEA protection may want to consider entering into an agreement with
a Federal statistical agency or unit. Because the statistical agency or
unit would be responsible for protecting all confidential information
acquired under the CIPSEA pledge, carrying out these responsibilities
will take resources that non-statistical agencies should be prepared to
provide to the statistical agency. Statistical agencies or units may
designate agents under CIPSEA, but must follow the requirements in
Section IV of this guidance to do so. Employees within a nonstatistical
agency or unit may serve as agents for a statistical agency or unit to
perform exclusively statistical activities on confidential information
and be bound by CIPSEA provided that the statistical agency or unit and
the agents have followed all of the requirements given in section IV.
An agreement between the statistical agency and the nonstatistical
agency could be used to make the statistical agency or unit responsible
for the control of the confidential information. The statistical agency
could then designate a contractor to acquire the information and
perform other exclusively statistical activities. The statistical
agency could also designate as agents select employees of the
nonstatistical agency or unit to have access to the information for
exclusively statistical purposes. As noted earlier, all requirements in
sections II, III, and IV would have to be met; and, therefore, all
agents would be subject to penalties under CIPSEA for any disclosure.
VII. Data Sharing Under Subtitle B of CIPSEA
Subtitle B, Statistical Efficiency, provides only for the sharing
of business data for exclusively statistical purposes and provides for
that sharing only among three statistical agencies designated in
Subtitle B. Subtitle B of CIPSEA does not authorize the sharing of
confidential business data among any Federal agencies other than the
three designated statistical agencies, nor does it authorize any
sharing of demographic or other types of data among any Federal
agencies.\80\
---------------------------------------------------------------------------
\80\ Although CIPSEA Subtitle B only authorizes the sharing of
confidential business information among BEA, BLS, and the Census
Bureau, CIPSEA did not alter other existing authorities for data
sharing among Federal agencies (see Sec. 504(a)).
---------------------------------------------------------------------------
The following brief guidance in this section applies to the three
designated statistical agencies sharing business data. These three
agencies are currently working to implement the data sharing provisions
of CIPSEA. OMB is working closely with them and may issue additional
guidance to these three agencies as needed to implement the data
sharing provisions of CIPSEA.
[[Page 33376]]
A. Designated Statistical Agencies
The three designated statistical agencies permitted by Subtitle B
to share business data for exclusively statistical purposes are the
Bureau of the Census, the Bureau of Economic Analysis, and the Bureau
of Labor Statistics.\81\
---------------------------------------------------------------------------
\81\ Sec. 522.
---------------------------------------------------------------------------
B. Requirements When the Designated Statistical Agencies Share Data
Prior to sharing any business data under CIPSEA, the designated
statistical agencies shall inform respondents about their intentions to
share the business data. If, prior to collection, the designated
agencies anticipate that they will share business data, the agencies
shall:
- Include in their Federal Register notices required under
  the PRA notification that the business data may be shared with
  designated statistical agencies, and
- Also include in their CIPSEA confidentiality pledges
  notification that the data may be shared with designated statistical
  agencies.
When a designated statistical agency plans to share data that was
collected under a legal requirement to supply the information without
notice of the intent to share that information with one or more
designated statistical agencies, the agency shall publish a notice of
the proposed data sharing activity in the Federal Register and specify
the business data to be shared and the statistical purposes for which
the business data are to be used. This notice shall allow a minimum of
60 days for public comment,\82\ and a copy of this notice shall be sent
to OMB when it is published.
---------------------------------------------------------------------------
\82\ Sec. 524(d).
---------------------------------------------------------------------------
C. Requirements for Written Agreements for Data Sharing Among
Designated Statistical Agencies
Designated statistical agencies shall enter into a written
agreement before sharing any business data. The written agreement shall
specify:
- The business data to be shared;
- The statistical purposes for which the business data are
  to be used;
- The officers, employees, and agents authorized to examine
  the business data to be shared; and
- Appropriate security procedures to safeguard the
  confidentiality of the business data.
A copy of the written agreement shall be provided to OMB ten days
prior to execution.
VIII. Annual Reporting and Review Requirements
A. Reporting Requirements
To coordinate and oversee the confidentiality and disclosure
policies established under CIPSEA, the Office of Management and Budget
is authorized under CIPSEA to require reports and other information
regarding the implementation of this legislation by Federal
agencies.\83\ In order to effectively monitor Federal agencies' use of
the different provisions in CIPSEA, all agencies shall report to OMB on
(1) The use of the CIPSEA pledge, (2) the use of the CIPSEA agents
provision, and (3) data sharing activities under Subtitle B.
---------------------------------------------------------------------------
\83\ Sec. 503.
---------------------------------------------------------------------------
Use of the CIPSEA pledge. Any Federal agency acquiring data under
CIPSEA Subtitle A shall report to OMB on an annual basis on those
collections it has conducted under CIPSEA and affirm that the agency
has followed the procedures in this guidance to ensure the
confidentiality of the information is protected.
Use of the agents provision in CIPSEA. Statistical agencies and
units are authorized under Subtitle A of CIPSEA to designate agents,
who may perform exclusively statistical activities, including data
collection, and are bound to the same legal requirements as agency
employees for maintaining the confidentiality of the information.
Statistical agencies or units that choose to designate agents shall
report to OMB on an annual basis on the number of agents designated;
the kinds of statistical activities performed by agents, e.g., data
collection, analysis, etc.; the different types of arrangements for
access to confidential information (if applicable), e.g., on-site at
the statistical agency, through an agency-controlled research data
center, or off-site licensing agreement; and the kind of written
agreement that is required for each type of access.
Use of data sharing provisions under Subtitle B of CIPSEA. CIPSEA
directs that the three designated agencies shall report annually to the
Director of the Office of Management and Budget, the Committee on
Government Reform of the House of Representatives, and the Committee on
Governmental Affairs of the Senate on the actions taken to implement
the sections of the law on sharing of business data. Designated agency
reports shall be prepared on a calendar year basis, and shall include a
summary of activities carried out under this law including the
statistical purposes for sharing, any anticipated improvements to
quality, and any anticipated or achieved reductions in cost or
respondent burden due to the sharing of business data. The report shall
include copies of each written agreement for the sharing of business
data for the applicable year.
The initial report to OMB shall cover any collections since the
enactment of the legislation in December 2002 through December 2006,
and subsequent reports shall cover a calendar year. Agencies shall
submit their initial reports to OMB by May 30, 2007. Subsequent reports
shall be submitted annually to OMB by April 30th of each year. Agencies
shall also post copies of this report on their Web sites.
B. OMB Review of Agency Rules
Agencies are authorized to promulgate rules to implement
CIPSEA.\84\ Agencies proposing rules to implement CIPSEA shall submit
these proposed rules to OMB for review and approval.\85\
---------------------------------------------------------------------------
\84\ Sec. 503(b).
\85\ Sec. 503(c).
---------------------------------------------------------------------------
Appendix Requirements for Contracts and Written Agreements for Agents
Acquiring or Accessing Confidential Information Under CIPSEA
The following information shall be included in the contract or
written agreement:
- The identity and affiliation of both the legally
  responsible agent (e.g., contractor or requestor seeking access to
  confidential data) and agency official signing the agreement;
- Whether the agent will be acquiring confidential
  information on behalf of the agency or only accessing confidential
  information the agency possesses;
- A clear and detailed description of the purpose of the
  access;
- The specific confidential information needed;
- How the information will be used;
- Any plans for disseminating information as well as the
  products planned for public distribution;
- Legally binding signature lines for the agency, and the
  responsible management level official from the institution with which
  the agent(s) is (are) affiliated. When the agent is operating
  independently for these purposes and is unaffiliated with an
  institution, the agent will sign;
- The legal authority under which the information was
  collected or acquired;
- The legal authority from CIPSEA and other laws for
  providing the agent the ability to acquire or to access the
  information;
[[Page 33377]]
- Penalties for violating confidentiality or unauthorized
  use of the information;
- The timeframe for access;
- A requirement that the agent provide and update as
  necessary a list of persons involved in the project who will have
  access to the information;
- The agent's responsibility to notify agency when
    - The agent no longer needs the information,
    - The agent plans a change in site access, and/or
    - The project purpose changes (agency approval must be obtained
      first);
- Confidentiality training requirement for all persons who
  have access to confidential information;
- The requirement that each person with access to
  confidential information sign a non-disclosure form that signifies an
  understanding of and agreement to the terms of access and agreement to
  comply with CIPSEA and any other applicable laws (see below for options
  on where to include this information);
- The requirement that the agent submit any project
  information products to the agency for disclosure review (agencies may
  also include or reference reporting requirements or standards);
- For off-site access arrangements
    - A security plan (information systems and physical security)
      for protecting the information,
    - Procedures regarding the return or destruction of information
      when access is no longer necessary (may precede project's end), and
    - The requirement that the agent allows the agency to carry out
      a physical and IT security inspection of the agent's workplace;
- Conditions requiring modification of the agreement;
- Termination clause for the agreement;
- Listing of contact persons for the agency and the
  responsible management level official from the institution with which
  the agent is affiliated. (When the agent is operating independently and
  is unaffiliated with an institution, the agent will designate a contact
  person.); and
- As applicable, information on funding of project work,
  including any between the agency, agent(s), and/or agents' institution.
The following information may be included in the body of the
agreement, added to the agreement as appendices, or made part of the
agency's official files for the actual agreement:
- Copy of the agency-approved proposal (if required);
- Copies of all laws cited in the agreement;
- The list of persons with access to confidential
  information;
- Certification that all persons who have access to
  confidential information have completed confidentiality training;
- Signed non-disclosure forms for all persons with access to
  confidential information; and
- For each person with data access, a copy of the background
  certification supporting such access--details to be determined by
  agency (options could include fingerprinting, a sworn affidavit of
  nondisclosure, work history checks, etc.).
Agencies may also include additional requirements in their written
agreements. Examples of written agreements used by some agencies that
conform to the above requirements will be available on the OMB Web
site.\86\
---------------------------------------------------------------------------
\86\ http://www.whitehouse.gov/omb go to ``Statistical Programs
and Standards.''
[FR Doc. E7-11542 Filed 6-14-07; 8:45 am]