[Federal Register Volume 72, Number 115 (Friday, June 15, 2007)]
[Notices]
[Pages 33362-33377]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E7-11542]




-----------------------------------------------------------------------

Part IV





Office of Management and Budget





-----------------------------------------------------------------------



Implementation Guidance for Title V of the E-Government Act, 
Confidential Information Protection and Statistical Efficiency Act of 
2002 (CIPSEA); Notice



-----------------------------------------------------------------------

OFFICE OF MANAGEMENT AND BUDGET


Implementation Guidance for Title V of the E-Government Act, 
Confidential Information Protection and Statistical Efficiency Act of 
2002 (CIPSEA)

AGENCY: Office of Management and Budget, Executive Office of the 
President.

ACTION: Notice of decision.

-----------------------------------------------------------------------

SUMMARY: The Confidential Information Protection and Statistical 
Efficiency Act of 2002 (CIPSEA) can provide strong confidentiality 
protections for statistical information collections, such as surveys 
and censuses, as well as for other statistical activities, such as data 
analysis, modeling, and sample design, that are sponsored or conducted 
by Federal agencies. The Office of Management and Budget (OMB) is 
issuing Implementation Guidance for Title V of the E-Government Act, 
the Confidential Information Protection and Statistical Efficiency Act 
of 2002 (Pub. L. 107-347). The purpose of the CIPSEA implementation 
guidance is to inform agencies about the requirements for using CIPSEA 
and to clarify the circumstances under which CIPSEA can be used.

    Authority: 31 U.S.C. 1104(d); 44 U.S.C. 3504 (specifically 
(a)(1)(B)(iii) and (v), (e)(1), (3) and (5), and (g)(1)); Pub. L. 
107-347 section 503(a), 44 U.S.C. 3501 note.

FOR FURTHER INFORMATION CONTACT: Brian Harris-Kojetin, Ph.D., 
Statistical and Science Policy Office, Office of Information and 
Regulatory Affairs, Office of Management and Budget, NEOB, Room 10201, 
725 17th Street, NW., Washington, DC 20503. Telephone: 202-395-3093.

SUPPLEMENTARY INFORMATION:

A. Background

    Statistics collected and published by the Federal Government 
constitute a significant portion of the available information about the 
United States' economy, population, natural resources, environment, and 
public and private institutions. There are more than 70 Federal 
agencies or organizational units that carry out statistical activities 
as their principal mission or in conjunction with other program 
missions, such as providing services or enforcing regulations. In 
addition to these 70 agencies, many other Federal agencies or units may 
collect statistical information to use for specific program needs.
    Prior to the enactment of CIPSEA, a patchwork of legislative 
protections governed the confidentiality of data gathered for 
statistical purposes by the different agencies and units. Some agencies 
had strong statutory authority to protect the confidentiality of the 
data they gathered for statistical purposes, while other agencies had 
weak or no legislative authority to protect confidentiality. In 
addition, the ability of the designated statistical agencies to share 
information to improve the efficiency of the Federal statistical system 
was limited by statutory constraints affecting those agencies.
    By establishing a uniform policy for all Federal statistical 
collections, this law will reduce public confusion, uncertainty, and 
concern about the treatment of confidential statistical information by 
different Federal agencies. By establishing consistent rational 
principles and processes to buttress confidentiality pledges, the 
guidance that implements the law will harmonize confidentiality claims 
and set minimum standards for safeguarding confidential statistical 
information. Such consistent protection of confidential statistical 
information will, in turn, reduce the perceived risks of more efficient 
working relationships among statistical agencies, relationships that 
can reduce both the cost and reporting burden imposed by statistical 
programs.

B. Development and Review

    In 2003, OMB and the other members of the Interagency Council on 
Statistical Policy (ICSP) formed an interagency group to discuss issues 
that OMB and the agencies anticipated would arise in the implementation 
of CIPSEA. OMB was particularly interested in understanding the 
questions and concerns that these statistical agencies had about the 
new law and how it would affect their activities. OMB also sought to 
incorporate the best practices of these agencies for handling 
confidential statistical information.
    An initial draft of this implementation guidance was reviewed by 
the ICSP members, and OMB revised the draft guidance in response to the 
comments that we received. Based on the use of the law by agencies over 
the past three years, OMB has also addressed in the guidance specific 
issues that have arisen, such as nonstatistical agencies' use of 
CIPSEA.

C. Summary of and Response to Comments Received in Response to the 
October 16, 2006 Federal Register Notice

    OMB issued proposed Implementation Guidance for Title V of the E-
Government Act, Confidential Information Protection and Statistical 
Efficiency Act of 2002 (CIPSEA) (Pub. L. 107-347) in October 2006 (71 FR 
60,772-60,773). Five public comments were received in response to OMB's 
request. OMB reviewed the public comments on the guidance and made some 
modifications in response to the comments. The complete text of the 
public comments and this document are available on the OMB Web site at 
http://www.whitehouse.gov/omb/inforeg/statpolicy.html.

General Comments

    One commenter expressed support for the guidance and stated that 
``the proposed guidelines establish principles and policies that will 
protect the confidentiality of the data provided by respondents to 
federal statistical surveys'' and noted that the guidance provides 
``reasonable approaches to protecting confidentiality, and thereby will 
reduce the costs and reporting burdens imposed by statistical 
programs.'' The commenter also noted that it was ``especially useful to 
see guidelines for statistical agency interactions with outside 
analysts (e.g., contractors) authorized to see the confidential data.''

I. Introduction

Identifiability

    One commenter believed the discussion of the identifiability of 
personal information in the proposed guidance was insufficient. 
Although the commenter noted the technical references to Statistical 
Policy Working Paper 22 \1\ and to the Federal Committee on 
Statistical Methodology's Confidentiality and Data Access Committee's 
disclosure review checklist,\2\ she asked for ``more specific guidance 
about the meaning of the terms reasonably inferred and direct or 
indirect means'' [emphasis in original] and ``how the CIPSEA standard 
specifically relates to the HIPAA standards of no reasonable basis to 
believe and risk is very small [emphasis in original] * * * ``whether a 
risk assessment is required, how to conduct that risk assessment, what 
data sources (public and private) must be considered in assessing 
identifiability'' as well as how much effort and cost are reasonable.
---------------------------------------------------------------------------

    \1\ Available at http://www.fcsm.gov/reports/.
    \2\ Available at http://www.fcsm.gov/committees/cdac/cdac.html.
---------------------------------------------------------------------------

    In response to this comment, OMB has included a definition of 
``personally identifiable information'' in footnote 21 and provided an 
example of indirect identification in footnote 23, as follows:

    \21\ ``personally identifiable information'' refers to 
information which can be used to distinguish or trace an 
individual's identity, such as his or her name, social security 
number, biometric records, etc., alone, or when combined with other 
personal or identifying information that is linked or linkable to a 
specific individual, such as date and place of birth, mother's 
maiden name, etc.
    \23\ Indirect identification refers to using information in 
conjunction with other data elements to reasonably infer the 
identity of a respondent. For example, data elements such as a 
combination of gender, race, date of birth, geographic indicators, 
or other descriptors may be used to identify an individual 
respondent.

    However, it is beyond the scope of this implementation guidance to 
provide lists of other data sources that could be used to reidentify 
respondents or specific risk assessment techniques agencies must 
employ. As the commenter noted, OMB does provide references to more 
technical resources that address these issues, such as Statistical 
Policy Working Paper 22, and a citation to the HIPAA privacy 
rule has been added. Federal statistical agencies are in the best 
position to know about the sensitivity of their confidential 
statistical information and to take appropriate steps to assess and 
mitigate the risks of reidentification. Because this area is a ``moving 
target,'' as the commenter noted, OMB, through its Federal Committee on 
Statistical Methodology, sponsors the Confidentiality and Data Access 
Committee, which facilitates the sharing and adoption of best practices 
and latest techniques in disclosure avoidance across Federal agencies.

Relation of CIPSEA to Other Laws

    One commenter noted that ``subsection (b) of the Privacy Act of 
1974 authorizes numerous disclosures, many of which are inappropriate 
for CIPSEA records. For example, disclosures for law enforcement 
purposes'' as well as many routine uses. The commenter asked OMB to 
``elaborate on the intersection between CIPSEA and the Privacy Act of 
1974.''
    As OMB has noted in the guidance, agencies are responsible for 
ensuring that information protected under CIPSEA is used exclusively 
for statistical purposes. OMB recognizes that the Privacy Act does 
permit routine uses that are nonstatistical; these uses are not 
permitted for CIPSEA-protected information. OMB believes that the 
minimum standards in the guidance for safeguarding confidential 
information make clear that agencies need to develop appropriate 
policies and procedures for CIPSEA-protected information that go beyond 
those that exist for Privacy Act systems of records; however, we have 
added the following language to make this explicit in Part I.F. of the 
guidance:

    On the other hand, if an agency pledges to use the information 
only for statistical purposes, then the agency shall not use any 
other authorities it has available to use the information for 
nonstatistical purposes, because those uses would be contrary to the 
agency's pledge. For example, if information is protected by CIPSEA 
and the Privacy Act, some of the routine uses permitted under the 
Privacy Act would no longer be allowed because they are not for 
statistical purposes.

Agencies Authorized To Designate Agents

    One commenter cited Footnote 31 on page 11 of the proposed guidance 
\3\ that tells agencies that they should consult with OMB regarding use 
of agents and stated that the use of agents should be subject to public 
notice and comment. In this footnote, OMB was referring specifically to 
the review and legal interpretation of a nonstatistical agency's 
statute and whether that would meet the requirements of CIPSEA and 
permit the agency to designate agents under CIPSEA. Generally, legal 
analysis and interpretation are accomplished by the agency. However, 
when agencies are applying a new statute that OMB has responsibility 
for, agencies should consult with OMB to ensure a government-wide 
perspective.
---------------------------------------------------------------------------

    \3\ This footnote appears as footnote 40 in this final document.
---------------------------------------------------------------------------

    Commenters also had questions about other specific matters that 
will be addressed during implementation.

II. Requirements for Agencies Collecting or Acquiring Information 
Protected Under CIPSEA

Non-CIPSEA Pledges

    One commenter objected to agencies being restricted from using both 
the terms ``confidential'' and ``statistical purposes'' together if 
CIPSEA did not cover the collection. The commenter noted that these 
terms have meaning independent of CIPSEA and agencies should be able to 
use them as they see fit. The commenter suggested that ``Rather than 
prohibit the use of the terms `confidential' and `exclusively 
statistical purposes,' we suggest that OMB advise agencies, as it has 
in prior guidance, to ensure that they do not use terms that are 
confusing. OMB could also prohibit the mention of CIPSEA when it is not 
applicable and require that agencies invoke coverage by CIPSEA only by 
the mention of that law directly to survey respondents.''
    OMB agrees that the terms ``confidential'' and ``statistical 
purposes'' have meaning independent of CIPSEA; however, when used 
together in a pledge to respondents, they clearly meet the requirements 
of CIPSEA and the protection of this law. Sec. 512 of CIPSEA simply 
requires that the information be ``acquired by an agency under a pledge 
of confidentiality and for exclusively statistical purposes.'' The law 
does not require that CIPSEA be mentioned explicitly, and OMB would 
certainly prohibit an agency from mentioning the law if it did not 
apply. It would clearly be confusing to respondents for different 
protections to be implied by two different agencies both pledging that 
the information would be confidential and used for exclusively 
statistical purposes. Thus, it is necessary to ensure that CIPSEA 
protections or greater protections apply when an agency makes this 
pledge to respondents.

CIPSEA Pledges

    One commenter supported the shorter version of the pledge, but 
expressed concerns about its comprehensibility. The commenter then 
suggested that OMB consider developing a formal statistical 
confidentiality seal that would provide an identifiable marker that 
would tell individuals what level of protection the information they 
provide will receive under the law. Specifically the commenter 
suggested as an example that OMB consider a green-yellow-red color 
scheme: Green would mean respond with confidence because answers 
receive the highest level of legal confidentiality protection; yellow 
would mean respond with caution because answers receive some 
confidentiality protection but less than the highest level of legal 
protection; and red would mean no legal confidentiality protections at 
all.
    The CIPSEA pledge was based on a pledge that was thoroughly tested; 
however, OMB has encouraged further cognitive testing of this pledge by 
agencies. OMB agrees that it would also be helpful to have more testing 
on a shortened version. OMB also appreciates the commenter's 
suggestions regarding potential ``seals'' that would be easy for 
respondents to understand and recognize, and agrees that this idea is 
worthy of further investigation and testing. We also agree that this 
will require a considerable amount of research not only to develop a 
recognizable seal but also to figure out appropriate ways to present it 
in different modes. If this research proves fruitful, OMB will consider 
revising this implementation guidance and/or issuing other guidance for 
use of a seal.

III. Minimum Standards for Safeguarding Confidential Information 
Acquired Under CIPSEA

Costs and Burden of Security Requirements

    One commenter noted that during a time of reduced funding resources 
the implementation requirements call for annual recertification of 
employees, increased physical and information security, additional 
record keeping requirements, and additional staff time (to ensure that 
appropriate confidentiality and security protocols are followed). 
Providing appropriate security for agency information and information 
systems does require resources. As with any ongoing program, agencies 
need to incorporate into their budgets the costs for protecting 
confidential information throughout the lifecycle of the statistical 
activities.

Security of Confidential Information in Laptop Computers

    One commenter noted that ``recent events have highlighted the 
particular vulnerability of laptop computers to loss and theft,'' and 
suggested that additional information be included in the guidance about 
the security of laptops, PDAs, or other types of devices. OMB agrees 
with the comment and has modified language in the section on physical 
and information systems security in Part III. B, which also applies to 
Part IV. D of the proposed guidance referenced on page 22, so that it 
now reads:

    Agencies are required to establish appropriate administrative 
and technical safeguards to ensure that the security of all media 
containing confidential information is protected against 
unauthorized disclosures and anticipated threats or hazards to their 
security or integrity. For example, agencies must ensure that 
security requirements are followed for reports, documents, 
printouts, information collection instruments, laptops, PDA's, zip 
drives, floppy disks, CD-ROMs, or any other IT devices that contain 
confidential information to prevent access by unauthorized persons.

VII. Data Sharing Under Subtitle B of CIPSEA

Data Linking and Data Sharing

    One comment requested that OMB include administrative data as well 
as other agencies under the data sharing provisions of Subtitle B of 
CIPSEA to further improve efficiency. OMB notes that Subtitle B is 
limited in statute to the three designated statistical agencies (BLS, 
BEA, and Census) and applies only to business data. While OMB 
appreciates the potential benefits suggested in this comment, CIPSEA 
does not authorize any other data sharing or authorize additional 
agencies to share data. However, CIPSEA did not alter other existing 
authorities for data sharing among Federal agencies.

VIII. Annual Reporting and Review Requirements

Annual Reports to OMB

    One commenter requested that the annual reports that agencies 
provide to OMB be made public and posted on agency Web sites. In the 
interest of transparency, agencies will now be required to post their 
reports on their Web sites.

Susan E. Dudley,
Administrator, Office of Information and Regulatory Affairs.

Implementation Guidance for Title V of the E-Government Act, 
Confidential Information Protection and Statistical Efficiency Act of 
2002 (CIPSEA)

I. Introduction

A. Overview

    Issues of privacy and confidentiality are of increasing concern to 
respondents to Federal government surveys. Agencies often seek to 
assuage these concerns by pledging to respondents that the agency will 
protect the information that respondents provide, and by using whatever 
statutory authority that the agency has to substantiate this pledge. 
However, many agencies do not have strong confidentiality provisions in 
their authorizing statutes. In this case, agencies may be able to use 
government-wide statutes such as the Privacy Act or exemptions under 
the Freedom of Information Act as the basis for a pledge to 
respondents, but these statutes still do not apply to many Federal 
surveys.
    The Confidential Information Protection and Statistical Efficiency 
Act of 2002 (CIPSEA) is a new government-wide law that can provide 
strong confidentiality protections to many Federal agencies conducting 
statistical information collections, such as surveys and censuses as 
well as other statistical activities including data analysis and 
modeling, sample design, etc. The purpose of this guidance is to inform 
agencies about the requirements for using CIPSEA and clarify the 
circumstances under which CIPSEA can be used.
    There are several key definitions and distinctions in CIPSEA 
regarding statistical and nonstatistical agencies, and statistical and 
nonstatistical purposes, that affect whether CIPSEA can be used by an 
agency to acquire and protect information. Below is a brief description 
of these major definitions and distinctions, as well as of issues 
related to data sharing under CIPSEA, and additional requirements for 
using CIPSEA that are addressed in greater detail in this guidance.
    1. Is the agency a statistical or nonstatistical agency? CIPSEA 
distinguishes between statistical and nonstatistical agencies or units 
and imposes different requirements and privileges on these different 
types of agencies. Briefly, statistical agencies or units are those 
whose activities are predominantly the collection, compilation, 
processing, or analysis of information for statistical purposes. More 
detail and a listing of statistical agencies and units is provided in 
section I., part G of this section of the guidance.
    2. Is the information used for statistical or nonstatistical 
purposes? CIPSEA provides protection for information acquired for 
statistical purposes under a pledge of confidentiality. Under CIPSEA, a 
statistical purpose includes the description, estimation, or analysis 
of the characteristics of groups, without identifying the individuals 
or organizations that comprise such groups, while nonstatistical 
purposes include any administrative, regulatory, law enforcement, 
adjudicatory, or other purpose that affects the rights, privileges, or 
benefits of a particular respondent. Information acquired and protected 
under CIPSEA may only be used for statistical purposes.
    3. Is the information being acquired by the Federal agency itself? 
Agencies acquire information in different ways from a wide variety of 
respondents. Agencies often acquire information directly from a 
respondent to a Federal survey. In some cases, these respondents are 
local or State governments that have themselves collected the 
information from a respondent. Any agency that directly acquires 
information from a respondent, including a local or State government, 
under a pledge of confidentiality for exclusively statistical purposes, 
is bound by CIPSEA. However, CIPSEA does not restrict or diminish 
confidentiality protections in law that otherwise apply to a collection 
of statistical data or information. Agencies protecting information 
under CIPSEA must follow the requirements specified in section II of 
this guidance and include an appropriate pledge to respondents. All 
agencies that have information protected under CIPSEA 
must also follow the procedures in section III for safeguarding the 
security of this information.
    4. Is the information being acquired for the Federal agency by 
contractors or others acting on behalf of the agency? Many agencies 
acquiring information from respondents do not directly collect the 
information themselves from respondents but do so through 
intermediaries such as contractors or researchers who are operating 
under cooperative agreements or grants at the direction of the agency. 
CIPSEA defines contractors and their employees, researchers, and 
employees of private organizations or institutions of higher learning 
who have a contract or agreement with a Federal agency as ``agents'' 
and authorizes only some agencies to use agents to acquire information 
that will be protected under CIPSEA or access CIPSEA-protected 
information.
    5. How can statistical agencies use CIPSEA? Statistical agencies or 
units that directly acquire information from respondents, including 
State and local governments, may protect the confidentiality of that 
information under CIPSEA. Statistical agencies or units may also 
designate agents to acquire information for the agency under CIPSEA as 
well as perform other exclusively statistical activities for the agency 
on CIPSEA-protected information. Statistical activities include the 
collection, compilation, processing, or analysis of data for the 
purposes of describing or making estimates concerning the whole, or 
relevant groups or components within, the economy, society, or the 
natural environment. Statistical activities also include the 
development of methods or resources that support these activities, such 
as measurement methods, models, statistical classifications, or 
sampling frames. More information is provided in section IV about the 
requirements for statistical agencies designating agents under CIPSEA.
    6. How can nonstatistical agencies use CIPSEA? Nonstatistical 
agencies can use CIPSEA to protect information they are authorized to 
acquire directly themselves from respondents, including State and local 
governments. However, nonstatistical agencies or units are not 
permitted to designate agents under CIPSEA. Therefore, nonstatistical 
agencies or units may not protect information under CIPSEA if they are 
using a contractor or other persons who fall under the CIPSEA 
definition of agents to acquire that information unless they have the 
authority to designate agents to collect information or perform other 
statistical activities under some other statute. More information on 
how nonstatistical agencies can acquire and protect information under 
CIPSEA is provided in section VI of this guidance.
    7. What if a statistical agency acquires information for 
nonstatistical purposes? OMB expects that the vast majority of 
information collections conducted by statistical agencies or units will 
be subject to CIPSEA because these agencies generally collect 
information for exclusively statistical purposes and pledge 
confidentiality. Statistical agencies or units that are collecting 
information that may be used for nonstatistical purposes need to ensure 
that respondents understand these nonstatistical uses and that CIPSEA 
does not apply to the specific collection. Requirements for statistical 
agencies collecting information that may be used for nonstatistical 
purposes are covered in section V.
    8. What data sharing does CIPSEA authorize? Subtitle B of CIPSEA 
explicitly provides the ability for three designated statistical 
agencies, the Bureau of Economic Analysis, the Bureau of Labor 
Statistics, and the Bureau of the Census to share business data. 
Requirements for data sharing among these designated statistical 
agencies are outlined in section VII.
    9. What other requirements are there for using CIPSEA? Agencies 
should carefully review this guidance to determine whether CIPSEA 
applies to any of their information collections or statistical 
activities. Agencies using CIPSEA are responsible for following all 
requirements in this guidance. In addition, OMB is requiring agencies 
that use CIPSEA to report annually to OMB on their use of this law in 
order to effectively monitor the implementation of CIPSEA across 
Federal agencies. All agencies that use CIPSEA for their collections 
are asked to report to OMB annually the information collections CIPSEA 
applies to and affirm that all of the requirements in this guidance are 
being met. Statistical agencies protecting information under CIPSEA are 
further required to report on their use of agents, and the three 
designated statistical agencies in Subtitle B of CIPSEA are required to 
report annually on their data sharing activities under CIPSEA. Further 
information on the reporting requirements is in section VIII of this 
guidance.

B. Purposes of CIPSEA

    The Confidential Information Protection and Statistical Efficiency 
Act of 2002 (CIPSEA), Title V of the E-Government Act of 2002 (Pub. L. 
107-347), has two subtitles.
    Subtitle A, Confidential Information Protection, concerns 
confidentiality and statistical uses of information. The purposes of 
Subtitle A are:
    1. To ensure that information supplied by individuals or 
organizations to an agency for statistical purposes under a pledge of 
confidentiality is used exclusively for statistical purposes;
    2. To ensure that individuals or organizations who supply 
information under a pledge of confidentiality to agencies for 
statistical purposes will neither have that information disclosed in 
identifiable form to anyone not authorized by this title nor have that 
information used for any purpose other than a statistical purpose; and
    3. To safeguard the confidentiality of individually identifiable 
information acquired under a pledge of confidentiality for statistical 
purposes by controlling access to, and uses made of, such 
information.\4\
---------------------------------------------------------------------------

    \4\ Sec. 511(b).
---------------------------------------------------------------------------

    CIPSEA Subtitle A protects information that is acquired for 
exclusively statistical purposes under a pledge of confidentiality. 
This subtitle of the law applies to all Federal agencies that acquire 
information under these carefully prescribed conditions. The protection 
of information collected under this law is supported by a penalty of a 
Class E Felony for a knowing and willful disclosure of confidential 
information. This includes imprisonment for up to five years and fines 
up to $250,000.\5\ Thus, for many agencies this law strengthens the 
protections afforded to confidential statistical information.
---------------------------------------------------------------------------

    \5\ Sec. 513.
---------------------------------------------------------------------------

    CIPSEA Subtitle B promotes statistical efficiency through limited 
sharing of business data among three designated statistical agencies, 
the Bureau of the Census (Census), the Bureau of Economic Analysis 
(BEA), and the Bureau of Labor Statistics (BLS). The purposes of 
Subtitle B are:
    1. To authorize the sharing of business data among Census, BEA, and 
BLS for exclusively statistical purposes;
    2. To reduce the paperwork burdens imposed on businesses that 
provide requested information to the Federal Government;
    3. To improve the comparability and accuracy of Federal economic 
statistics by allowing Census, BEA, and BLS to update sample frames, 
develop consistent classifications of establishments and companies into 
industries, improve coverage, and reconcile significant differences in 
data produced by the three agencies; and
    4. To increase understanding of the United States economy, 
especially for key industry and regional statistics, to develop more 
accurate measures of the impact of technology on productivity growth, 
and to enhance the reliability of the Nation's most important economic 
indicators, such as the National Income and Product Accounts.\6\
---------------------------------------------------------------------------

    \6\ Sec. 521(b).
---------------------------------------------------------------------------

    The remainder of this section of the guidance provides background 
information on CIPSEA and its applicability to Federal agencies. 
Sections II through VI provide implementation guidance on CIPSEA 
Subtitle A, and Section VII provides implementation guidance on 
Subtitle B. Section VIII covers agency reporting requirements to OMB on 
the implementation of CIPSEA.

C. Background

    There are more than 70 Federal agencies or organizational units 
that carry out statistical activities as their principal mission or in 
conjunction with other program missions, such as providing services or 
enforcing regulations.\7\ In addition to these 70 agencies, many other 
Federal agencies or units may collect statistical information to use 
for specific program needs. Prior to the enactment of CIPSEA, a 
patchwork of legislative protections governed the confidentiality of 
data gathered for statistical purposes by the different agencies and 
units. Some agencies had strong statutory authority to protect the 
confidentiality of the data they gathered for statistical purposes, 
while other agencies had weak or no legislative authority to protect 
confidentiality. In addition, the ability of the designated statistical 
agencies to share information to improve the efficiency of the Federal 
statistical system was limited by statutory constraints affecting those 
agencies.
---------------------------------------------------------------------------

    \7\ Statistical Programs of the U.S. Government FY 2007, Office 
of Management and Budget, Washington, DC.
---------------------------------------------------------------------------

    Over the years, there have been numerous attempts both to shore up 
legal protection for the confidentiality of statistical information, 
and to permit some limited sharing of data for statistical purposes. 
Strengthening and standardizing statutory protections for the 
confidentiality of individually identifiable data that are collected 
for statistical purposes as well as enhancing the capability of Federal 
agencies to share information for exclusively statistical purposes have 
always been goals.
    In 1971, the President's Commission on Federal Statistics 
recommended that the term confidential should always mean that 
disclosure of data in a manner that would allow public identification 
of the respondent or would in any way be harmful to him should be 
prohibited. In addition, the Commission recommended that a promise to 
hold data in confidence should not be made unless the agency has legal 
authority to uphold such a promise, and that legislation should be 
enacted authorizing agencies collecting data for statistical purposes 
to promise confidentiality as the term was defined by the 
Commission.\8\
---------------------------------------------------------------------------

    \8\ Federal Statistics--Report of the President's Commission, 
Volume 1, p. 222, September, 1971.
---------------------------------------------------------------------------

    In July 1977, the Privacy Protection Study Commission stated that 
``no record or information * * * collected or maintained for a research 
or statistical purpose under Federal authority * * * may be used in 
individually identifiable form to make any decision or take any action 
directly affecting the individual to whom the record pertains * * *'' 
\9\
---------------------------------------------------------------------------

    \9\ Personal Privacy in an Information Society--Report of the 
Privacy Protection Study Commission, p. 574, July, 1977.
---------------------------------------------------------------------------

    In October 1977, the President's Commission on Federal Paperwork 
endorsed the confidentiality and ``functional separation'' concepts, 
but applied them directly and simply to statistical programs, saying 
that:
    - Information collected or maintained for statistical 
purposes must never be used for administrative or regulatory purposes 
or disclosed in identifiable form, except to another statistical agency 
with assurances that it will be used solely for statistical purposes; 
and
    - Information collected for administrative and regulatory 
purposes must be made available for statistical use, with appropriate 
confidentiality and security safeguards, when assurances are given that 
the information will be used solely for statistical purposes.\10\
---------------------------------------------------------------------------

    \10\ Statistics--A Report of the Commission on Federal 
Paperwork, p. 128, October, 1977.
---------------------------------------------------------------------------

    The policy discussions generated by the three Commissions came 
together in a bipartisan outpouring of support for the Paperwork 
Reduction Act of 1980, which largely addressed the efficiency 
recommendations of the Paperwork Commission. The legislative history of 
that Act recognized the unfinished work of fitting the ``functional 
separation'' of statistical information into the overall scheme.
    In 1993, a National Academy of Sciences panel on confidentiality 
and data access recommended that ``Statistical records across all 
federal agencies should be governed by a consistent set of statutes and 
regulations meeting standards for the maintenance of such records, 
including the following features of fair statistical information 
practices: (a) A definition of statistical data that incorporates the 
principle of functional separation as defined by the Privacy Protection 
Study Commission, (b) a guarantee of confidentiality for data, * * * 
(g) legal sanctions for those who violate confidentiality 
requirements.'' \11\
---------------------------------------------------------------------------

    \11\ Private Lives and Public Policies, 1993, National Academy 
Press, Washington, DC.
---------------------------------------------------------------------------

    To clarify and make consistent government policy protecting the 
privacy and confidentiality interests of individuals and organizations 
who furnish data for Federal statistical programs, OMB issued an 
``Order Providing for the Confidentiality of Statistical Information'' 
in June 1997.\12\ This order applied the principles of functional 
separation and protection of confidential information gathered for 
statistical purposes to twelve principal statistical agencies.
---------------------------------------------------------------------------

    \12\ 62 FR 35,044-35,050.
---------------------------------------------------------------------------

    CIPSEA builds upon these and other efforts of the Executive and 
Legislative branches including H.R. 2885 (the Statistical Efficiency 
Act of 1999, originally offered by Representative Stephen Horn, and 
unanimously passed by the House of Representatives) and H.R. 2136 (the 
Confidential Information Protection Act, originally offered by 
Representative Tom Sawyer in 2001). Introducing CIPSEA, H.R. 5215, on 
July 25, 2002, Representative Horn indicated,

``The bill's enhanced confidentiality protections will improve the 
quality of Federal statistics by encouraging greater cooperation on 
the part of respondents. Even more important, these protections 
ensure that the Federal Government does not abuse the trust of those 
who provide data to it under a pledge of confidentiality. * * * the 
Confidential Information Protection and Statistical Efficiency Act 
of 2002 makes important, common sense and long overdue improvements 
in our Nation's statistical programs. It is a bipartisan, good 
Government measure that has the Administration's strong support. I 
urge my colleagues to join with us to achieve prompt enactment of 
the bill.'' \13\
---------------------------------------------------------------------------

    \13\ Congressional Record, July 25, 2002, p. E1397.
---------------------------------------------------------------------------

    In this guidance, OMB is establishing a uniform policy for all 
Federal statistical collections to reduce public confusion, 
uncertainty, and concern about the application of the newly-enacted 
confidentiality requirements associated with protected statistical 
information acquired by different Federal agencies. By establishing 
consistent rational principles and

[[Page 33367]]

processes to buttress confidentiality pledges, the law codifies 
confidentiality claims and sets minimum standards for safeguarding 
confidential statistical information. Establishing consistent 
protection of confidential statistical information will, in turn, 
reduce the perceived risks of more efficient working relationships 
among statistical agencies, relationships that can reduce both the cost 
and reporting burden imposed by statistical programs.

D. Authority

    The Paperwork Reduction Act (PRA) of 1980 (as amended in 1986 and 
1995) requires the Office of Information and Regulatory Affairs (OIRA) 
within OMB to develop policies, principles, standards, and guidelines 
for privacy and confidentiality generally; the integrity of 
confidentiality pledges; and the confidentiality of information 
collected for statistical purposes.\14\ In addition, the Act tasks OIRA 
to oversee agency compliance with related requirements of the Act and 
with the policies referenced above.\15\ For example, agencies are 
required to ``inform respondents fully and accurately about the 
sponsors, purposes, and uses of statistical surveys and studies.'' \16\
---------------------------------------------------------------------------

    \14\ 44 U.S.C. 3504(e)(1), 3504(e)(5), and 3504(g)(1).
    \15\ 44 U.S.C. 3506(b)(1)(C), 3506(e)(2)-(4), and 3506(g)(1).
    \16\ 44 U.S.C. 3506(e)(2).
---------------------------------------------------------------------------

    With respect to statistical policy and coordination, the PRA 
directs OMB to:
    - Coordinate the activities of the Federal statistical 
system to ensure--
        - The efficiency and effectiveness of the system; and
        - The integrity, objectivity, impartiality, utility, and 
confidentiality of information collected for statistical purposes; * * *
    - Develop and oversee the implementation of Governmentwide 
policies, principles, standards, and guidelines * * *
    - Promote the sharing of information collected for 
statistical purposes consistent with privacy rights and confidentiality 
pledges; \17\
---------------------------------------------------------------------------

    \17\ 44 U.S.C. 3504(e).
---------------------------------------------------------------------------

    In addition, Title V of the E-Government Act of 2002 authorizes the 
Director of the Office of Management and Budget to coordinate and 
oversee the confidentiality and disclosure policies established by 
CIPSEA. The Director is authorized to promulgate rules or provide other 
guidance to ensure the consistent interpretation of this title by the 
affected agencies.\18\
---------------------------------------------------------------------------

    \18\ Sec. 503(a).
---------------------------------------------------------------------------

E. Affected Agencies

    Executive agencies as defined in 31 U.S.C. 102 or 44 U.S.C. 3502 
\19\ are subject to the provisions and penalties in CIPSEA Subtitle A 
if they (1) acquire information for exclusively statistical purposes 
under a pledge of confidentiality, or (2) possess or access 
information protected by CIPSEA, unless even stronger confidentiality 
protections apply.\20\ CIPSEA also imposes additional requirements on 
statistical agencies or units, which are defined to include ``an agency 
or organizational unit of the executive branch whose activities are 
predominantly the collection, compilation, processing, or analysis of 
information for statistical purposes.'' \21\ CIPSEA Subtitle B applies 
only to the designated statistical agencies, i.e., the Bureau of the 
Census of the Department of Commerce, the Bureau of Economic Analysis 
of the Department of Commerce, and the Bureau of Labor Statistics of 
the Department of Labor.\22\
---------------------------------------------------------------------------

    \19\ Sec. 502(1).
    \20\ Sec. 512(a) and 512(b). Agencies may also be governed by 
other statutes that may have additional restrictions on the use and 
disclosure of confidential statistical information that apply beyond 
CIPSEA (Sec. 504(h); Sec. 512(b)(3)).
    \21\ Sec. 502(8).
    \22\ Sec. 522.
---------------------------------------------------------------------------

F. Applicability of CIPSEA

    Federal agencies collect and acquire information for a wide variety 
of purposes and uses, including benefit determinations, program 
planning and management, program evaluation, measurement of compliance 
with laws and regulations, and research, as well as for general purpose 
statistics. When acquiring information, an agency must inform the 
person or organization being asked to provide information whether or 
not it will be treated as confidential and the purpose(s) for which the 
information will be used.\23\
---------------------------------------------------------------------------

    \23\ 5 CFR 1320.8(b)(3).
---------------------------------------------------------------------------

    CIPSEA protection applies to any identifiable information acquired 
by the agency under a pledge of confidentiality for exclusively 
statistical purposes. For purposes of CIPSEA, this information includes 
personally identifiable information \24\ as well as information that 
permits the identity of any respondent, such as business 
establishments, institutions, or State or local governments,\25\ to be 
reasonably inferred by either direct or indirect means.\26\ In this 
guidance, the terms confidential information and confidential data 
refer to information that is protected by CIPSEA.
---------------------------------------------------------------------------

    \24\ The term ``personally identifiable information'' refers to 
information that can be used to distinguish or trace an individual's 
identity, such as his or her name, social security number, biometric 
records, etc., alone, or when combined with other personal or 
identifying information that is linked or linkable to a specific 
individual, such as date and place of birth, mother's maiden name, 
etc.
    \25\ Statistical agencies may collect information from a State 
or local government that is in the public domain, and, therefore, 
the statistical agency would typically not pledge to keep that 
information confidential under CIPSEA or other legal authorities.
    \26\ Sec. 502(4). Indirect identification refers to using 
information in conjunction with other data elements to reasonably 
infer the identity of a respondent. For example, data elements such 
as a combination of gender, race, date of birth, geographic 
indicators, or other descriptors may be used to identify an 
individual respondent.
---------------------------------------------------------------------------

    CIPSEA can apply only when an agency pledges both to protect the 
confidentiality of the information it acquires and to use the 
information only for statistical purposes. CIPSEA defines a statistical 
purpose to include the description, estimation, or analysis of the 
characteristics of groups, without identifying the individuals or 
organizations that comprise such groups and includes the development, 
implementation, or maintenance of methods, technical or administrative 
procedures, or information resources that support the above 
purposes.\27\ If information is collected or acquired for any 
nonstatistical purpose, then CIPSEA shall not be used to protect the 
confidentiality of the information.\28\
---------------------------------------------------------------------------

    \27\ Sec. 502(9).
    \28\ There are some authorized, nonstatistical uses of 
information collected for statistical purposes, such as the use of 
Decennial Census information for genealogical research, that are 
noted in Section 504 of CIPSEA. CIPSEA was intended to apply to 
these collections that are intended for statistical purposes and 
have only very narrow exceptions for specific nonstatistical uses 
that do not result in any actions directly affecting the respondent. 
Agencies acquiring or protecting information under CIPSEA with 
similar nonstatistical uses of the information should consult with 
OMB on the applicability of CIPSEA for the information collection. 
Unless there is a specific exception noted in Section 504 of CIPSEA, 
CIPSEA clearly prohibits disclosures for administrative, regulatory, 
law enforcement, or adjudicatory purposes that affect the rights, 
privileges, or benefits of a particular identifiable respondent 
absent informed consent. Since some State or Federal laws may 
require notification of authorities if, for example, child abuse is 
reported by the respondent, agencies collecting such information 
shall inform respondents at the time of collection that revelations 
of this type of information must be reported to legal authorities. 
Agencies may conduct these collections under CIPSEA if any such 
nonstatistical uses are clearly described in advance to the 
respondent (with the respondent providing informed consent), and 
these procedures are clearly stated in the notices and supporting 
materials described in Section II. Agencies should also consult with 
their institutional review boards to determine circumstances when 
informed consent is appropriate or necessary.
---------------------------------------------------------------------------

    A nonstatistical purpose means the use of information in 
identifiable form for anything other than a statistical

[[Page 33368]]

purpose, including any administrative, regulatory, law enforcement, 
adjudicative, or other purpose that affects the rights, privileges or 
benefits of a particular identifiable respondent. Providing 
confidential information in response to a Freedom of Information Act 
(FOIA) request is also considered a nonstatistical purpose.\29\ Since 
the CIPSEA statute is a (b)(3) statute under FOIA, confidential 
information covered under CIPSEA is exempt from release pursuant to a 
FOIA request (5 U.S.C. 552(b)(3)).
---------------------------------------------------------------------------

    \29\ Sec. 502(5)(B).
---------------------------------------------------------------------------

    Agencies acquire information in different ways from a wide variety 
of respondents. An agency may collect information directly (e.g., 
surveys) from individuals, households, businesses, organizations, or 
institutions, or the agency may acquire information through secondary 
sources (e.g., from State government agencies).\30\ This guidance, in 
accordance with the law, will use as the more general term, 
``acquire,'' to include both agency collections of information directly 
from respondents, and acquisitions of information from secondary 
sources.
---------------------------------------------------------------------------

    \30\ Sec. 502(6).
---------------------------------------------------------------------------

    In many cases, agencies acquire information directly from 
respondents (including local or State governments) to a Federal survey; 
in other cases, agencies do not themselves directly acquire information 
from respondents but do so through intermediaries, such as contractors 
or researchers who are operating under cooperative agreements or grants 
at the direction of the agency. CIPSEA defines contractors and their 
employees, researchers, and employees of private organizations or 
institutions of higher learning that have a contract or agreement with 
a Federal agency as ``agents.'' \31\
---------------------------------------------------------------------------

    \31\ Sec. 502(2).
---------------------------------------------------------------------------

    Any agency that directly acquires information from a respondent, 
including a local or State government, under a pledge of 
confidentiality for exclusively statistical purposes, can use CIPSEA to 
protect the information. However, if an agency is using an agent, such 
as a contractor, to acquire information for exclusively statistical 
purposes, the agency may not be able to protect the information under 
CIPSEA unless it is a statistical agency (see part G). In these 
situations, nonstatistical agencies should use their existing statutory 
authority to protect the confidentiality of this information.
    Generally, the applicable statute with the strongest 
confidentiality protections for the information governs the use and 
disclosure of the information. CIPSEA does not restrict or diminish any 
other confidentiality protections or penalties for unauthorized 
disclosure that an agency may otherwise have for information collected 
for statistical purposes.\32\ Accordingly, if an agency has any 
stronger protections in its statutes, these protections would remain in 
effect. For example, the more restrictive use and disclosure provisions 
of the Census Act and the International Investment and Trade in 
Services Survey Act would take precedence over the broader statistical 
uses permitted under CIPSEA. In another example, if an agency's 
authorizing statute prohibited disclosure with informed consent, the 
agency would not be able to disclose the information with informed 
consent, which could be permissible under CIPSEA under certain 
circumstances.\33\
---------------------------------------------------------------------------

    \32\ Sec. 504(h); Sec. 512(b)(3).
    \33\ Sec. 512(b).
---------------------------------------------------------------------------

    On the other hand, if an agency pledges to use the information for 
only statistical purposes, then the agency shall not use any other 
authorities it has available to use the information for non-statistical 
purposes, because those uses would be contrary to the agency's pledge. 
For example, if information is protected by CIPSEA and the Privacy Act, 
some of the routine uses permitted under the Privacy Act would no 
longer be allowed because they are not for statistical purposes.

G. Use of CIPSEA by Statistical and Nonstatistical Agencies or Units

    Although any Federal agency can acquire and protect information 
under CIPSEA, CIPSEA provides additional authority and imposes 
additional requirements on statistical agencies or units. These 
additional provisions have implications for how and whether an agency 
can use CIPSEA to acquire information; these provisions are discussed 
in later sections of this guidance.
    CIPSEA defines a statistical agency or unit as ``an agency or 
organizational unit of the executive branch whose activities are 
predominantly the collection, compilation, processing, or analysis of 
information for statistical purposes.'' \34\
     OMB shall determine whether an agency or unit can be considered a 
statistical agency or unit for purposes of CIPSEA.
---------------------------------------------------------------------------

    \34\ Sec. 502(8).
---------------------------------------------------------------------------

    OMB recognized 12 statistical agencies or units in its 1997 
Confidentiality Order: \35\
---------------------------------------------------------------------------

    \35\ 62 FR 35,044-35,050.
---------------------------------------------------------------------------

    - Department of Agriculture
        - Economic Research Service
        - National Agricultural Statistics Service
    - Department of Commerce
        - Bureau of Economic Analysis
        - Census Bureau
    - Department of Education
        - National Center for Education Statistics
    - Department of Energy
        - Energy Information Administration
    - Department of Health and Human Services
        - National Center for Health Statistics
    - Department of Justice
        - Bureau of Justice Statistics
    - Department of Labor
        - Bureau of Labor Statistics
    - Department of Transportation
        - Bureau of Transportation Statistics
    - Department of the Treasury
        - Statistics of Income Division of the Internal Revenue Service
    - National Science Foundation
        - Division of Science Resources Statistics
    Since this guidance was issued in proposed form in October 2006, 
OMB has recognized two statistical organizational units: the Office of 
Applied Studies within the Substance Abuse and Mental Health Services 
Administration in the Department of Health and Human Services, and the 
Microeconomic Surveys Unit of the Board of Governors of the Federal 
Reserve. Other agencies or units that wish to be recognized as 
statistical agencies or units for purposes of CIPSEA must send a 
request to the Chief Statistician at OMB. The request must come from 
the head of the agency or unit and have the concurrence of the larger 
organization within which the agency or unit resides. This request 
should include a statement of the organizational definition of the 
agency or unit, its mission, statistical activities, and any 
nonstatistical activities, and demonstrate that its activities are 
predominantly statistical. Statistical activities include the 
collection, compilation, processing, or analysis of data for the 
purpose of describing the characteristics of groups or making estimates 
concerning the whole or relevant groups, or components within, the 
economy, society, or the natural environment. Statistical activities 
also include the development of methods or resources that support these 
activities, such as measurement methods, models, statistical 
classifications, or sampling frames. A listing of OMB recognized 
statistical agencies and units will be posted and maintained on OMB's 
Web site.
    Both statistical and nonstatistical agencies can use CIPSEA to 
protect information they acquire directly from

[[Page 33369]]

respondents, including State and local governments. However, only 
statistical agencies or units are authorized under CIPSEA to designate 
agents to perform exclusively statistical activities, which include 
data collection, subject to CIPSEA limitations and penalties.\36\ 
Because data collection contractors are agents under CIPSEA,\37\ only 
statistical agencies may designate contractors to acquire information 
that will be protected under CIPSEA. In order for the collections of 
nonstatistical agencies to fall within the protections of CIPSEA, 
nonstatistical agencies must acquire the information themselves 
directly from respondents. Nonstatistical agencies cannot empower 
contractors or other agents to acquire information or carry out any 
other statistical activities for the agency under CIPSEA.\38\
---------------------------------------------------------------------------

    \36\ Sec. 512(d).
    \37\ Sec. 502(2)(iii).
    \38\ Some nonstatistical agencies may have specific statutory 
authority to designate agents that meets the requirements of CIPSEA, 
allowing the agency to use agents to perform exclusively statistical 
activities, including data collection, for the agency. Agencies 
should consult with OMB on the applicability of their statute for 
purposes of using CIPSEA before making plans to designate agents. 
Agencies should also clearly describe how their authority meets the 
requirements for CIPSEA designation of agents in their information 
collection requests to OMB.
---------------------------------------------------------------------------

    The following sections II and III of this guidance describe in 
detail the requirements for all agencies using CIPSEA. Additional 
requirements for statistical agencies or units designating agents are 
covered in section IV. Because it is generally expected that 
statistical agencies or organizational units will be collecting 
information for exclusively statistical purposes under a pledge of 
confidentiality, statistical agencies or units that conduct or sponsor 
a collection that will not be for exclusively statistical purposes must 
follow additional requirements as described in section V. Additional 
requirements for nonstatistical agencies or units are provided in 
section VI.

II. Requirements for Agencies Collecting or Acquiring Information 
Protected Under CIPSEA

    CIPSEA provides strong protection for information obtained for 
exclusively statistical purposes under a pledge of confidentiality. For 
CIPSEA to have its intended effect of reinforcing public confidence in 
Federal confidentiality pledges, all Federal agencies that make the 
CIPSEA pledge must provide CIPSEA protection to that information. A 
Federal agency should not make a CIPSEA pledge unless the agency is 
fully committed to taking all the actions that are necessary to provide 
CIPSEA level protection; making the CIPSEA pledge means giving CIPSEA 
level protection to the collected information.
    To faithfully maintain this commitment requires that agencies meet 
a number of minimum requirements that are described in detail in the 
remainder of this guidance. Specifically, agencies must:
    - Inform the respondents about the confidentiality 
protection and use of the information (section II.);
    - Collect and handle confidential information to minimize 
risk of disclosure, including properly training employees (section 
III.);
    - Ensure the information is used only for statistical 
purposes (section III. A.);
    - Review information to be disseminated to prevent 
identifiable information from being reasonably inferred by either 
direct or indirect means (section III. F.); and
    - Supervise and control agents who have access to 
confidential information (section IV.).

A. Requirements for Public Notice Prior to Data Collection

    Agencies are required under the PRA to:
    - Publish a notice in the Federal Register allowing 60 days 
for the public to comment on information collections and otherwise 
consult with members of the public and affected agencies concerning 
each proposed collection of information; \39\
---------------------------------------------------------------------------

    \39\ 5 CFR 1320.8(d)(1).
---------------------------------------------------------------------------

    - Publish a notice in the Federal Register at the time OMB 
approval is being sought, and allow the public 30 days to comment; and
    - ``Describe any assurance of confidentiality provided to 
respondents and the basis for the assurance in statute, regulation, or 
agency policy'' in their PRA supporting statements submitted to 
OMB.\40\
---------------------------------------------------------------------------

    \40\ Instructions for Supporting Statement for Paperwork 
Reduction Act submissions and 5 CFR 1320.8(b)(3).
---------------------------------------------------------------------------

    When agencies are acquiring information that will be protected 
under CIPSEA, they shall: \41\
---------------------------------------------------------------------------

    \41\ Agencies conducting an OMB-approved information collection 
prior to passage of CIPSEA or issuance of this guidance, such as a 
periodic or longitudinal survey, can also protect that collection 
under CIPSEA if the collection is intended for exclusively 
statistical purposes, the agency pledges confidentiality, and the 
agency will follow this guidance in implementing CIPSEA. In this 
case, the agency should consult with OMB about the change in 
confidentiality protection for the collection and plan appropriate 
consultation with stakeholders and respondents. OMB may require 
agencies to provide Federal Register notices concerning the change 
in policy and to contact respondents for comments before the agency 
can make a CIPSEA pledge.
---------------------------------------------------------------------------

    - State that the information will be protected under CIPSEA, 
and cite any other authority they have to protect the confidentiality 
of the data in their PRA supporting statements; and
    - State in their Federal Register notices if there is a 
substantive change in the confidentiality protection of the information 
being collected, such as using CIPSEA to protect the information for an 
ongoing collection when similar protection was not available 
previously.

B. Requirements for Informing Respondents at the Time of Information 
Collection

    At the time of the information collection, agencies are required 
under the PRA to adequately inform potential respondents about the uses 
of the information they provide.\42\ This description must include the 
following information related to the confidentiality of their 
responses:
---------------------------------------------------------------------------

    \42\ 5 CFR 1320.8(b)(3); Additional requirements are imposed if 
the collection involves a Privacy Act system of records (5 U.S.C. 
552a(e)(3) as amended).
---------------------------------------------------------------------------

     The reasons the information is planned to be and/or has 
been collected;
     The way such information is planned to be and/or has been 
used to further the proper performance of the functions of the agency; 
and
     The nature and extent of confidentiality protection to be 
provided, if any.\43\
---------------------------------------------------------------------------

    \43\ 5 CFR 1320.8(b)(3).
---------------------------------------------------------------------------

    When agencies are collecting information that they want to be 
protected under CIPSEA, they are required by law at the time of 
collection to do the following:\44\
---------------------------------------------------------------------------

    \44\ Sec. 512(a).
---------------------------------------------------------------------------

     Pledge to keep the data or information confidential, and
     Pledge that the information will be used for exclusively 
statistical purposes.
    Agencies that are not protecting information under CIPSEA must 
ensure that the public is able to distinguish easily between pledges 
that reflect the protections provided by CIPSEA and those affording 
less protection than CIPSEA. In particular, the pledge for collections 
not protected to the extent afforded by CIPSEA shall not contain all 
the elements related to CIPSEA found in the pledges below--
specifically, the pledge shall not state both that the data are 
confidential and that they are for exclusively statistical use (in such 
cases CIPSEA would apply even if not stated).\45\ The degree to which 
the

[[Page 33370]]

pledge differs from the CIPSEA pledge needs to be based on the laws and 
regulations governing the collection and determined in collaboration 
with the agency legal staff, agency confidentiality officer, and PRA 
clearance officer. A pledge of confidentiality for collections not 
protected by CIPSEA must specifically cite the statutory authorization 
protecting the confidentiality of the data being collected and 
accurately describe the extent of that protection. If an agency elects 
to collect information under laws affording less protection than 
CIPSEA, OMB will not approve an agency's proposed non-CIPSEA pledge 
that is too similar to the CIPSEA pledge (e.g., one that includes the 
term `confidential' and states that the information will be used for 
exclusively statistical purposes).
---------------------------------------------------------------------------

    \45\ As noted at the end of this subsection (and in footnote 
17), CIPSEA does not restrict or diminish any other confidentiality 
protections or penalties for unauthorized disclosure that an agency 
may otherwise have for information collected for statistical 
purposes, and any stronger protections would remain in effect (Sec. 
504(h); Sec. 512(b)(3)).
---------------------------------------------------------------------------

    The following examples of confidentiality pledges under CIPSEA are 
sufficient to inform respondents of the protections afforded. Agencies 
shall use the following model and customize the wording in accordance 
with their needs. Parentheses indicate options and italics are 
instructions. Comparable pledge language may be substituted, but that 
alternative wording shall be included in the PRA supporting statements 
to OMB and should be cognitively tested. A complete confidentiality 
pledge shall be developed from the following:

    The information (choose one--you, your household, your 
establishment--as needed) provide(s) will be used for statistical 
purposes only. In accordance with the Confidential Information 
Protection provisions of Title V, Subtitle A, Public Law 107-347 
(option to add or substitute laws that are stronger or more 
restrictive than CIPSEA) and other applicable Federal laws (option 
to list them, but it is not necessary to be exhaustive), your 
responses will be kept confidential and will not be disclosed in 
identifiable form to anyone other than employees (option to add ``or 
agents'' if applicable, or another term the agency uses) (option to 
add--without your consent).\46\ By law, every (your agency here) 
employee (optional--including the Director), (if applicable, option 
to add ``as well as every agent such as then list as appropriate--
contractors, field representatives, telephone interviewers, 
authorized researchers,\47\ etc''.\48\), 
(optional--has taken an oath and) is subject to a jail term 
(optional--of up to 5 years), a fine (optional--of up to $250,000), 
or both if he or she willfully discloses ANY identifiable 
information about (choose one--you, your household, your 
establishment).
---------------------------------------------------------------------------

    \46\ Use the phrase ``without your consent'' only in cases where 
an agency can reasonably anticipate such consent will be requested.
    \47\ Agencies that plan to provide access to confidential 
information for statistical purposes should include mention of this 
in their pledge.
    \48\ Designated statistical agencies (as defined under CIPSEA 
Subtitle B) may include ``employees of partner statistical 
agencies'' for collections of confidential business information that 
may be used in data sharing agreements as authorized under that 
Subtitle.
---------------------------------------------------------------------------

    The above pledge may be placed on the survey instrument (e.g., 
form), in the instructions, or on the back side of the cover letter. A 
shorter, more user-friendly version may be used in introductory 
statements, on the cover of the instrument, or in the body of the cover 
letter as long as there is a reference to the full pledge. In addition, 
the agency may place the full pledge on the agency's web site and point 
respondents to that site.
    To illustrate the actual pledge wording, an agency could implement 
this pledge as follows:

    The information you provide will be used for statistical 
purposes only. In accordance with the Confidential Information 
Protection provisions of Title V, Subtitle A, Public Law 107-347 and 
other applicable Federal laws, your responses will be kept 
confidential and will not be disclosed in identifiable form to 
anyone other than employees or agents. By law, every ABC employee as 
well as every agent has taken an oath and is subject to a jail term 
of up to 5 years, a fine of up to $250,000, or both if he or she 
willfully discloses ANY identifiable information about you.

    Agencies may choose to employ a shortened version of the pledge, 
such as the following, when conducting telephone surveys or in other 
similar circumstances as long as respondents are given access to the 
longer version in some other manner such as posting on the agency's Web 
site:

    The information you provide about (choose one--yourself, 
household, establishment) will be used for statistical purposes 
only. In accordance with the Confidential Information Protection 
provisions in Public Law 107-347 (option to add and other applicable 
Federal laws), your responses will be kept confidential and will not 
be disclosed in identifiable form (optional--without your 
consent).\49\ By law, everyone working on this (your agency here) 
survey is subject to a jail term, a fine, or both if he or she 
willfully discloses ANY information that could identify you.

    Agencies whose statutory authority provides confidentiality 
protections more restrictive than CIPSEA for information acquired for 
exclusively statistical purposes under a pledge of confidentiality may 
use the CIPSEA pledge or their existing pledges that are similar as 
long as they make clear what confidentiality protections cover the 
information and the statutory authority for those protections. In such 
cases, the resemblance of an agency's pledge to the CIPSEA pledge does 
not imply that any provisions in CIPSEA would overrule the agency's 
stronger confidentiality statute. CIPSEA does not restrict or diminish 
any other confidentiality protections or penalties for unauthorized 
disclosure that an agency may otherwise have for information collected 
for statistical purposes, and any stronger protections would remain in 
effect.\50\
---------------------------------------------------------------------------

    \49\ Use ``without your consent'' only if consent is asked or 
may be in the future--omitting this phrase could create difficulties 
if the agency later wants to ask for consent.
    \50\ Sec. 504(h); Sec. 512(b)(3).
---------------------------------------------------------------------------

III. Minimum Standards for Safeguarding Confidential Information 
Acquired Under CIPSEA

    These standards for safeguarding confidential information apply to 
information protected under CIPSEA. Federal agencies shall follow the 
minimum standards in this section. In addition, some best practices are 
provided that agencies are encouraged to adopt but are not required to 
implement.\51\
---------------------------------------------------------------------------

    \51\ Best practices that agencies are encouraged but not 
required to implement are designated as items that agencies ``may'' 
do, while requirements are noted as items that agencies ``shall'' 
do.
---------------------------------------------------------------------------

    The central objective of these standards is to ensure that a 
Federal agency that pledges confidentiality for statistical information 
honors that pledge. Each Federal agency remains ultimately responsible 
and accountable for the confidential information that the agency 
acquires under a CIPSEA pledge. Any inappropriate use or disclosure of 
CIPSEA-protected information violates the law and can undermine public 
trust. Therefore, there is no ``acceptable'' level of non-compliance 
with the CIPSEA pledge.
    These minimum standards have been developed according to the 
principle of disclosure risk, which considers both the probability of 
an unauthorized disclosure and the expected harm from such a 
disclosure. These minimum standards apply to data for which the 
disclosure risk has been deemed relatively low by the Federal agency 
responsible for the information. Federal agencies shall set higher 
standards as the disclosure risk increases.
    At a minimum, such standards shall make clear that each person 
having

[[Page 33371]]

access to confidential information understands his/her responsibility 
related to maintaining the confidentiality of that information. In 
addition, these standards shall make clear who is accountable for each 
part of the information protection, including:
     Determining and monitoring procedures for collection and 
release;
     Evaluating the reason for accessing the information and 
controlling access to the information; and
     Maintaining physical and information systems security.

A. Principles and Procedures for Protecting Confidential Information

    Agencies or organizational units protecting information under 
CIPSEA shall incorporate the costs for protecting confidential 
information throughout the lifecycle of the statistical activity. This 
will ensure that sufficient resources are available to develop and 
implement procedures to ensure that:
     The confidentiality of the information is protected;
     Confidential information is used exclusively for 
statistical purposes;
     Access to confidential information is controlled, and only 
authorized persons have access to the information;
     All persons having access to confidential information 
understand
    - The obligations of confidentiality protection,
    - That unauthorized access to confidential information is 
prohibited, and
    - The penalties for unauthorized access to and unauthorized use 
of confidential information; and
     A person or persons are designated to oversee all 
procedures for handling confidential information, and that such persons 
are responsible for all agency confidentiality procedures, reviews, and 
compliance with confidentiality laws.

B. Physical and Information Systems Security

    Each agency shall ensure the physical security and information 
systems security where data protected under CIPSEA are accessed and 
stored.
    Agencies are required to establish appropriate administrative and 
technical safeguards to ensure that the security of all media containing 
confidential information is protected against unauthorized disclosures 
and anticipated threats or hazards to their security or integrity. For 
example, agencies must ensure that security requirements are followed 
for reports, documents, printouts, information collection instruments, 
laptops, PDAs, zip drives, floppy disks, CD-ROMs, or any other IT 
devices that contain confidential information to prevent access by 
unauthorized persons. Agencies must also ensure that only persons 
authorized by the head of the statistical agency or unit are permitted 
access to confidential information stored in information systems.
    Agencies are required to assess and secure their information and 
information systems in accord with the Federal Information Security 
Management Act (FISMA) which appears as Title III of the E-Government 
Act of 2002. OMB has issued guidance on implementing FISMA, and the 
National Institute of Standards and Technology (NIST) has issued 
compulsory and binding standards used to identify the level of impact 
and controls for maintaining the confidentiality, integrity, and 
availability of all information collected or maintained on behalf of an 
agency.\52\
---------------------------------------------------------------------------

    \52\ For more information about existing security and privacy 
requirements, see 
http://www.whitehouse.gov/omb/inforeg/infopoltech.html, FIPS PUB 199, 
Standards for Security Categorization of Federal Information and 
Information Systems, Gaithersburg, MD: U.S. Department of Commerce, 
and related publications.
---------------------------------------------------------------------------

    One of three security objectives for information and information 
systems that FISMA defines is confidentiality. The security category of 
an information type is determined by its potential impact on agencies 
should there be a breach of security, i.e., a loss of 
confidentiality.\53\ Because agencies handle many different types of 
information, an agency should determine what the potential impact of a 
security breach on the agency is (including mission, function, image, 
and reputation), and take into account CIPSEA requirements that the 
information be used for exclusively statistical purposes as well as the 
penalties that CIPSEA imposes for disclosure.
---------------------------------------------------------------------------

    \53\ See FIPS PUB 199, Standards for Security Categorization of 
Federal Information and Information Systems, Gaithersburg, MD: U.S. 
Department of Commerce; and related publications such as NIST 
Special Publication 800-60.
---------------------------------------------------------------------------

    Privacy Impact Assessments (PIAs) are also required of agencies 
developing or procuring information systems or projects that maintain 
or handle confidential information in identifiable form about members 
of the public, and agencies initiating new electronic collections of 
information in identifiable form.\54\
---------------------------------------------------------------------------

    \54\ See OMB Memorandum M-03-22, September 26, 2003, OMB 
Guidance for Implementing the Privacy Provisions of the E-Government 
Act of 2002.
---------------------------------------------------------------------------

C. Confidentiality Training

    Each agency with information protected under CIPSEA shall ensure 
that all individuals having access to such confidential information 
have a current understanding of confidentiality rules and procedures. 
Confidentiality training shall include at a minimum:
     An overview of information protection procedures,
     The importance of ``need to know'' for an authorized 
purpose in accessing confidential information,
     Physical and information systems security procedures, and
     The penalties for unauthorized access, use and 
disclosures.
    Employees who have access to confidential information shall be 
recertified annually to ensure their understanding of confidentiality 
requirements.

D. Record Keeping

    Agencies shall establish and maintain a system of records \55\ that 
identifies individuals accessing confidential information. Agencies 
shall also be prepared to document their compliance with the safeguard 
principles to OMB.\56\
---------------------------------------------------------------------------

    \55\ Agencies should assess for themselves the nature of these 
records and requirements for record keeping, including whether what 
an agency does for this purpose qualifies as a system of records 
under the Privacy Act. OMB is not implying in this guidance what 
form these record keeping systems should take and is leaving that 
determination to the agency.
    \56\ OMB recognizes that in some cases agencies have very 
detailed documentation on access to confidential information that 
itself is treated as confidential by the agency. In this case, it is 
sufficient for the agency simply to demonstrate that the basic 
safeguard principles are being followed; agencies should not reveal 
specific individuals or specific procedures that would compromise 
the protection of the information.
---------------------------------------------------------------------------

E. Information Collection, Processing, or Analysis Contracts

    Prior to award, agencies shall review any contracts that involve 
CIPSEA protected information to ensure language is included that 
informs the contractor of the requirements of CIPSEA and of the 
contractor's obligations under the law and penalties for noncompliance 
(see Section IV).

F. Guidelines for Review of Information Prior to Dissemination

    For CIPSEA protected information, the agency as well as any agent 
accessing the information shall ensure that any dissemination of 
information based on confidential information is done in a manner that 
preserves the confidentiality of the information. To accomplish this, 
agencies shall:
     Review their information products prior to public release 
for disclosures of confidential information, and
     Apply appropriate statistical disclosure limitation (SDL) 
techniques

[[Page 33372]]

to preserve the confidentiality of the information.
    For further guidance on SDL techniques, agencies can refer to 
practices described in Statistical Policy Working Paper #22, Report on 
Statistical Disclosure Limitation Methodology \57\ and utilize other 
resources such as the disclosure review checklist provided by the 
Federal Committee on Statistical Methodology's Confidentiality and Data 
Access Committee.\58\
---------------------------------------------------------------------------

    \57\ Available at http://www.fcsm.gov/reports/.
    \58\ See http://www.fcsm.gov/committees/cdac/cdac.html. Agencies 
may also wish to consult HIPAA standards for deidentification of 
protected health information at 45 CFR 164.514.
---------------------------------------------------------------------------

    Additional guidelines are provided below for handling confidential 
information protected under CIPSEA in conjunction with information not 
protected by CIPSEA.
Tabular Information
    When a table includes both data protected under CIPSEA and other 
data not protected under CIPSEA, all data shall be treated as 
confidential, and identifiable respondent information shall not be 
present in the table.
    When a table includes both data protected under CIPSEA and 
nonconfidential data, the agency:
     Shall apply SDL techniques to ensure protection of any 
table cells based on information protected under CIPSEA;
     May have a table cell that reveals nonconfidential 
identifiable respondent information. However, the agency shall take 
special care to ensure that the presentation of the nonconfidential 
information in no way jeopardizes confidential information.
    - If the table includes any identifiable nonconfidential 
respondent information, the agency shall distinguish what information 
is protected under CIPSEA in the accompanying text or notes to the 
table.
    - If the table does not include any identifiable 
nonconfidential respondent information, there is no need to distinguish 
these data from those protected under CIPSEA.
     A special case exists when a table cell value reflects a 
combination of CIPSEA protected data and nonconfidential data (e.g., a 
ratio or weighted average). In this case, these data elements are 
considered confidential and shall not be disseminated in a manner where 
any respondent could be identified.
    The agency shall determine how the disclosure limitation methods 
used on the data affect the users and thus what information about 
confidentiality protection shall be included with tabular presentation.
Microdata \59\
---------------------------------------------------------------------------

    \59\ Microdata are data about individual respondents (e.g., 
persons, households, organizations, companies, farms, etc.).
---------------------------------------------------------------------------

    The confidentiality provisions and limits on uses of microdata 
shall be completely discussed in the documentation or mentioned with a 
reference for details. For microdata protected under CIPSEA, SDL 
techniques shall be applied prior to public release.
    There are two possible scenarios to consider for the dissemination 
of microdata in which some elements are protected under CIPSEA and 
other elements are not (e.g., not confidential or confidential under 
other laws/authorities).
     If variables protected under CIPSEA are linked to other 
variables that are not, the most restrictive law (in terms of promising 
confidentiality and limiting the use of the information) shall apply. 
For example:
    - If an agency links data protected under CIPSEA with 
nonconfidential administrative data from another source and releases a 
linked public use microdata file, the restrictions of CIPSEA apply.
    - If an agency links data protected under CIPSEA with 
confidential administrative data from another source (e.g., IRS data) 
and releases a linked public use microdata file, the most restrictive 
law (in terms of promising confidentiality and limiting the use of the 
information) shall prevail.
     If data from some respondents are protected under CIPSEA 
and data from other respondents are not, an agency may keep the data in 
separate files or combine the data sets and include a variable that 
tells the source for each record. Keeping the data in separate files 
may be the best choice because it would help highlight the difference 
in confidentiality provisions and limits on uses.

IV. Requirements and Guidelines for Statistical Agencies or 
Organizational Units When Designating Agents to Acquire or Access 
Confidential Information Protected Under CIPSEA

    Statistical agencies or organizational units may under CIPSEA 
designate agents by contract or by entering into a special agreement to 
perform exclusively statistical activities that are subject to CIPSEA 
limitations and penalties.\60\ To ensure that the protections of CIPSEA 
apply to the information that a statistical agency or unit acquires, 
the agency shall follow the requirements in this section when 
designating agents to acquire information for the agency for 
exclusively statistical purposes under a pledge of confidentiality.
---------------------------------------------------------------------------

    \60\ Sec. 512(d).
---------------------------------------------------------------------------

    Because CIPSEA has a broad definition of agents, statistical 
agencies and organizational units may use CIPSEA to designate a variety 
of individuals as agents to allow them to access confidential 
information for exclusively statistical purposes.\61\ A statistical 
agency may designate agents to perform exclusively statistical 
activities, at its discretion, subject to the agency's needs, 
resources, and other requirements. The agency that possesses the 
confidential information shall ensure that all agents comply with the 
agency's confidentiality procedures and shall follow the requirements 
in this section when designating agents to access confidential 
information for exclusively statistical purposes.
---------------------------------------------------------------------------

    \61\ Sec. 512(a).
---------------------------------------------------------------------------

    Information protected under CIPSEA must be used only for 
statistical purposes. When entering into contracts or special 
agreements with agents to acquire or access confidential information, 
an agency shall consider:
     The sensitivity of the confidential information,
     The risk of disclosure, and
     The resources required to maintain supervision and control 
of agents.
    Agencies are responsible for protecting the confidentiality of 
their data and may establish standards beyond those in this guidance. 
This section thus provides the minimum requirements as well as 
additional guidelines for statistical agencies or units to designate 
agents to perform exclusively statistical activities, including data 
collection.
    It is important to note that neither CIPSEA nor this guidance 
requires any statistical agency or unit to designate agents; the 
decision to enter into these agreements is at the discretion of the 
statistical agency or unit. Therefore, an agency may decline to 
designate agents in accordance with its authorities or practices.\62\ 
If a statistical agency or unit chooses to designate agents, the agency 
remains responsible for all confidential information protected under 
CIPSEA, and statistical agencies or units should not designate agents 
unless the agencies

[[Page 33373]]

or units are able to ensure that all CIPSEA requirements in this 
guidance will be met and faithfully carried out by their agents. 
Carrying out these responsibilities will take agency resources, and 
thus, will limit the extent to which a statistical agency or unit 
should consider designating agents.
---------------------------------------------------------------------------

    \62\ An example is the authority granted the Census Bureau under 
Title 13, Section 23(c) that permits the use of temporary staff to 
assist in the performance of work authorized by Title 13. Whereas 
CIPSEA puts no limits on the statistical uses made by agents, Title 
13 limits the statistical uses to those that support the work of the 
agency.
---------------------------------------------------------------------------

A. Designating Agents

    Under CIPSEA, a statistical agency or unit may designate as an 
agent \63\ any of the following:
---------------------------------------------------------------------------

    \63\ Sec. 502(2)(A); Sec. 512(d).
---------------------------------------------------------------------------

     An employee of a private organization or a researcher 
affiliated with an institution of higher learning;
     Someone who is working under the authority of a government 
entity;
     Someone who is a self-employed researcher, a consultant, a 
contractor, or an employee of a contractor; or
     Someone who is a contractor or an employee of a 
contractor, and who is engaged by the agency to design or maintain the 
systems for handling or storage of data received under this title.\64\
---------------------------------------------------------------------------

    \64\ CIPSEA includes as agents contractors maintaining systems 
for handling or storage of data. Such information technology 
personnel provide support and have direct contact with confidential 
information not because they would necessarily use the information 
for statistical purposes, but because they would be responsible for 
the protection of the information from use for nonstatistical 
purposes and for ensuring appropriate security. As agents, these 
contractors and their employees are bound by CIPSEA to protect the 
confidentiality of the information.
---------------------------------------------------------------------------

    Statistical agencies or units designating agents must do so through 
contracts or other agreements that require the agent to agree in 
writing to comply with all provisions of law that affect information 
acquired by that agency.\65\ Any statistical agencies or units that 
designate agents shall exercise supervision and/or control of the 
agents to ensure the confidentiality and appropriate use of the 
information.
---------------------------------------------------------------------------

    \65\ Sec. 502(2)(B).
---------------------------------------------------------------------------

B. Requirements for Agents To Request Access to Confidential 
Information Protected Under CIPSEA

    Some statistical agencies and units receive requests from outside 
researchers and others who wish to obtain access to confidential data 
for statistical purposes as agents of the statistical agency. Most 
agencies that receive these kinds of requests have found it useful to 
first obtain a written proposal from the prospective agent. Agencies 
may require prospective agents to submit a proposal that includes some 
or all of the following in order to properly evaluate the proposed 
access and use of their confidential data:
     A clear and detailed description of the purpose of the 
access,
     The specific confidential information needed,
     How the information will be used,
     Plans for disseminating information as well as the 
products planned for public distribution,
     A list of persons involved in the project who will have 
access to the information,
     A security plan (information systems and physical 
security) for protecting the information [applicable only for off-site 
access arrangements], and
     A timeframe for access.
    After an agency receives the proposal and reviews it, the agency 
may provide comments and may request changes or may request the 
prospective agent to complete a written agreement (see section 
IV.C).\66\ Agencies shall deny any proposal that does not meet the 
requirements described in this guidance.
---------------------------------------------------------------------------

    \66\ If the agency chooses, the agent may submit the proposal in 
conjunction with a completed written agreement.
---------------------------------------------------------------------------

    Whether or not a prospective agent has submitted a proposal to an 
agency, access to confidential information shall not be granted until 
the agency has entered into a written agreement with the agent, and the 
agent has met the requirements contained in this guidance and in agency 
standards for accessing the data.
    Prior to the enactment of CIPSEA, some statistical agencies and 
units had statutory authority to authorize agents to access 
confidential information. Agencies have developed a variety of 
mechanisms that balance permitting access to confidential data with 
controlling that access. This area is evolving rapidly, and the 
following examples are included only as illustrations:
     Onsite at Agency: An external analyst works at an agency 
as an agent to participate in statistical activities involving 
confidential data. This work shall be done either in collaboration with 
or otherwise under the direct control and supervision of agency staff, 
per the terms of a written agreement. The agent's work is subject to 
review by the supervising staff.
     Data Center: An agent visits a controlled access secure 
facility maintained by the agency or unit to conduct analyses on 
confidential data held by the agency. The facility must be equipped 
with secure computers and staffed by agency personnel who review all 
outputs for the purposes of confidentiality. There may be additional 
constraints on what the agent may bring to or remove from the center.
     Off-site License Agreement: An agent is granted access to 
confidential information from an agency or unit for use at the agent's 
facility. The organization the agent is affiliated with shall enter 
into a legally binding written agreement as described in section IV.C 
with the agency that possesses the confidential information.

C. Written Agreements for Agent Access to Confidential Information 
Protected Under CIPSEA

    Some statistical agencies or units use contractors to acquire 
information and/or perform other statistical activities. Under CIPSEA, 
the contractor and the contractor's employees are considered agents. 
For any data that will be acquired by the contractor under CIPSEA, or 
if the contractor will have access to any confidential information 
protected by CIPSEA, the legally binding contract shall include the 
provisions shown in the Appendix.
    If a statistical agency or unit provides designated agents access 
to confidential information protected under CIPSEA for exclusively 
statistical purposes, then all such access shall require a written, 
legally binding contract or other agreement between the agency and the 
responsible management level official from the institution with which 
the agent(s) is(are) affiliated.\67\ The information required as part 
of that written agreement is shown in the Appendix.
---------------------------------------------------------------------------

    \67\ For situations in which agents are not affiliated with an 
institution, the agreement will be signed as legally binding by the 
agent(s). The latter arrangements would include those with a single 
agent operating independently as a sole proprietor as well as those 
with multiple agents operating independently.
---------------------------------------------------------------------------

D. Physical and Information Systems Security for Confidential 
Information Protected Under CIPSEA: On-Site and Off-Site

    Agencies have the responsibility to ensure the security of physical 
and information systems for on-site as well as off-site access (if 
applicable) to confidential information and must follow applicable OMB 
Guidance and NIST standards and publications.\68\ In addition to the 
security requirements described in section III.B, agencies allowing 
agents access to confidential information protected under CIPSEA

[[Page 33374]]

outside of the collecting agency or a facility under the agency's 
control shall require that the written access agreement, described in 
section IV.C, stipulate the agency's right to conduct inspections of 
the off-site facility.
---------------------------------------------------------------------------

    \68\ For more information about existing security and privacy 
requirements, see 
http://www.whitehouse.gov/omb/inforeg/infopoltech.html, FIPS PUB 199, 
Standards for Security Categorization of Federal Information and 
Information Systems, Gaithersburg, MD: U.S. Department of Commerce, and 
related publications.
---------------------------------------------------------------------------

    In order to ensure the physical and information systems security of 
the confidential information, agencies shall conduct inspections of any 
off-site facility that harbors confidential information protected under 
CIPSEA. (If the off-site facility is another Federal statistical agency 
or unit, agencies may at their option conduct inspections but are not 
required to inspect these facilities.) These inspections shall be 
conducted according to the following principles:
     The inspections shall assess and document whether the 
protection procedures outlined in the written agreement and in the 
agent's security plan are being implemented.
     While an inspection of the off-site facility is encouraged 
prior to release of the information to the agent, it is not required. 
(The inspection may occur any time during the access agreement period, 
preferably as soon as possible.)
     Inspections shall be conducted at all off-site facilities 
at some time during the timeframe of access. Agencies may prioritize 
their selection of sites for inspections based on risk, but must still 
inspect all off-site facilities; however, agencies may coordinate and 
collaborate on inspections of off-site facilities that harbor 
confidential data from multiple agencies. Agencies may choose not to 
inform the agent of the timing of such inspections.

E. Confidentiality Training

    All persons with access to confidential information protected under 
CIPSEA shall participate in agency-provided confidentiality training 
(see section III.C) prior to accessing the confidential information as 
stipulated in the written agreement (section IV.C) between the agency 
and the agent's organization or institution.\69\
---------------------------------------------------------------------------

    \69\ For situations in which agents are not affiliated with an 
institution, the agreement will be signed as legally binding by the 
agent(s).
---------------------------------------------------------------------------

    The agency possessing the confidential data shall certify or 
receive notification that each project staff member has undergone the 
training. Agents shall also be required to be recertified annually.

F. Record Keeping

    Agencies shall establish and maintain a system of records \70\ that 
identifies designated agents accessing confidential information 
protected under CIPSEA and the project for which the information was 
authorized.
---------------------------------------------------------------------------

    \70\ Agencies should assess for themselves the nature of these 
records and requirements for record keeping, including whether what 
an agency does for this purpose qualifies as a system of records 
under the Privacy Act. OMB is not implying in this guidance what 
form these record keeping systems should take, and is leaving that 
determination to the agency.
---------------------------------------------------------------------------

V. Requirements for Statistical Agencies or Organizational Units 
Acquiring Information That May Be Used for Nonstatistical Purposes

    CIPSEA defines a statistical agency or unit to be ``an agency or 
organizational unit of the executive branch whose activities are 
predominantly the collection, compilation, processing, or analysis of 
information for statistical purposes.'' \71\
---------------------------------------------------------------------------

    \71\ Sec. 502(8).
---------------------------------------------------------------------------

    Because the public should expect that a statistical agency or unit 
will be collecting information for exclusively statistical purposes, 
CIPSEA requires a statistical agency to ``clearly distinguish any data 
or information it collects for nonstatistical purposes (as authorized 
by law) and provide notice to the public, before the data or 
information is collected, that the data or information could be used 
for nonstatistical purposes.'' \72\
---------------------------------------------------------------------------

    \72\ Sec. 512(c).
---------------------------------------------------------------------------

A. Requirements for Public Notice

    If a statistical agency or unit will collect information that may 
be subject to use for nonstatistical purposes, the statistical agency 
or unit shall use the notices in the Federal Register that are required 
under the PRA to inform the public about the nonstatistical uses of the 
information during the process of requesting OMB approval of the 
information collection.
    As noted in section II.A, OMB's regulations for Controlling 
Paperwork Burdens on the Public \73\ set forth public notification 
requirements for agencies conducting or sponsoring an information 
collection. Agencies are required under the PRA to:
---------------------------------------------------------------------------

    \73\ 5 CFR 1320.
---------------------------------------------------------------------------

     Publish a notice in the Federal Register allowing 60 days 
for the public to comment on information collections and otherwise 
consult with members of the public and affected agencies concerning 
each proposed collection of information; \74\
---------------------------------------------------------------------------

    \74\ 5 CFR 1320.8(d)(1).
---------------------------------------------------------------------------

     Publish a notice in the Federal Register at the time OMB 
approval is being sought, and allow the public 30 days to comment; and
     ``Describe any assurance of confidentiality provided to 
respondents and the basis for the assurance in statute, regulation, or 
agency policy'' in their PRA supporting statements submitted to 
OMB.\75\
---------------------------------------------------------------------------

    \75\ Instructions for Supporting Statement for Paperwork 
Reduction Act submissions and 5 CFR 1320.8(b)(3).
---------------------------------------------------------------------------

    Both Federal Register notices (i.e., the initial one seeking public 
comments for consideration by the agency and the later one seeking 
public comments for consideration by OMB) must explicitly address what 
information the statistical agency or unit plans to collect that may be 
used for nonstatistical purposes.

B. Requirements for Informing and Making Pledges to Respondents

    As noted in section II.B, at the time of the information 
collection, agencies are required under the PRA to adequately inform 
potential respondents about the uses of the information they 
provide.\76\
---------------------------------------------------------------------------

    \76\ 5 CFR 1320.8(b)(3); additional requirements are imposed if 
the collection involves a Privacy Act system of records (5 U.S.C. 
552a(e)(3) as amended).
---------------------------------------------------------------------------

    This description must include the following information related to 
the confidentiality of their responses:
     The reasons the information is planned to be and/or has 
been collected;
     The way such information is planned to be and/or has been 
used; and
     The nature and extent of confidentiality to be provided, 
if any.\77\
---------------------------------------------------------------------------

    \77\ 5 CFR 1320.8(b)(3).
---------------------------------------------------------------------------

    The statistical agency or unit must clearly explain the 
confidentiality provisions, if any, for all information not protected 
under CIPSEA. As appropriate, the explanation shall include:
     What information will be treated as confidential and the 
basis (e.g., laws) for any confidentiality pledge;
     What information will be treated as nonconfidential;
     What information, if any, is limited to use for 
exclusively statistical purposes and the agency's basis (e.g., laws) 
for such assurances;
     What information, if any, is not limited to use for 
exclusively statistical purposes and may be used for nonstatistical 
purposes; and
     Any limitations on the confidentiality provisions (e.g., 
the information will be kept confidential only to the extent that it 
satisfies a criterion for exemption in the Freedom of Information Act 
(FOIA), the information may be shared with other Federal government 
agencies for official uses, etc.).
    Agencies must ensure that the public is able to distinguish easily 
between their CIPSEA pledge and any non-CIPSEA pledge covering 
information

[[Page 33375]]

that will be used for nonstatistical purposes. The degree to which the 
pledge differs from the CIPSEA pledge needs to be based on the laws and 
regulations governing the collection and determined in collaboration 
with the agency legal staff, agency confidentiality officer, and PRA 
clearance officer. The pledge shall be in compliance with section 
512(c) of CIPSEA--requiring notice that any data could be used for 
nonstatistical purposes. The approach a statistical agency or unit uses 
in crafting wording for confidentiality pledges for information not 
protected under CIPSEA must be done with care and take into account the 
laws governing the particular agency, and the agency is strongly 
encouraged to test changes from currently used wording. In particular, 
the pledge for collections not protected under CIPSEA (because, for 
example, the information would be used for nonstatistical purposes) 
shall not contain all the elements related to CIPSEA found in the 
pledges given in section II--for example, the pledge shall not state 
both that the data are confidential and that they are for exclusively 
statistical use (in such cases CIPSEA would apply even if not stated).
    For example, a pledge for data that are legally permitted to be 
accessed for nonstatistical purposes may state:

    The information you provide will be protected to the fullest 
extent allowable under (name the law). This law allows for the (name 
specific nonstatistical uses). Information will be protected from 
public disclosure by (your agency). Results from this survey will be 
reported publicly only in statistical summaries, so that individuals 
cannot be identified.

    To illustrate the actual pledge wording, an agency could implement 
this pledge as follows:

    The information you provide will be protected and will not be 
disclosed to the public to the extent that it satisfies the criteria 
for exemption under the Freedom of Information Act (FOIA), 5 U.S.C. 
Sec. 552, and the Trade Secrets Act, 18 U.S.C. Sec. 1905.

    To ensure public understanding and avoid confusion (about whether 
the agency will provide CIPSEA protection to the data), the above 
pledges do not use the word ``confidential'' because use of this term 
could give rise to confusion.

VI. Requirements and Guidelines for Nonstatistical Agencies or Units 
Acquiring and Handling Information Protected Under CIPSEA

    Nonstatistical agencies seeking to acquire information that will be 
protected under CIPSEA can take two general approaches: (1) They can 
directly acquire the information themselves from respondents, or (2) 
they can enter into an agreement with a statistical agency to acquire 
the information.
    As noted in Section I. G., Subtitle A of CIPSEA may be used by any 
Federal agency that directly acquires information from respondents for 
exclusively statistical purposes under a pledge of confidentiality. 
Nonstatistical agencies that acquire information in this manner must 
follow all of the requirements in sections II and III of this guidance 
for confidential information protected by CIPSEA.
    Nonstatistical agencies or units that will not collect the 
information themselves directly from respondents will need to carefully 
consider their plans for acquiring and using information if they want 
to use CIPSEA to protect the information. Although nonstatistical 
agencies and units do acquire information directly from respondents, 
they frequently use contractors or other agencies to acquire 
information for them that is used for statistical purposes. CIPSEA did 
not authorize nonstatistical agencies or units to designate agents, 
such as contractors, university researchers, or others included within 
the definition of agents,\78\ to perform exclusively statistical 
activities, including data collection. Because nonstatistical agencies 
or units are not empowered under CIPSEA to designate agents, who are 
subject to CIPSEA limitations and penalties, they will not be able to 
protect the information under CIPSEA if they employ contractors or 
other agents to acquire the information or if they plan to allow access 
to the information by anyone outside of authorized agency employees, 
even if they intend to use the information for exclusively statistical 
purposes and want to keep it confidential.\79\
---------------------------------------------------------------------------

    \78\ See Sec. 502(2)(A).
    \79\ Some nonstatistical agencies may have specific statutory 
authority to designate agents that meets the requirements of CIPSEA, 
allowing the agency to use agents to perform exclusively statistical 
activities, including data collection, for the agency. Agencies 
should consult with OMB on the applicability of their statute for 
purposes of using CIPSEA before making plans to designate agents. 
Agencies should also clearly describe how their authority meets the 
requirements for CIPSEA designation of agents in their information 
collection requests to OMB.
---------------------------------------------------------------------------

    As an alternative to collecting the data directly themselves, 
nonstatistical agencies or units that wish to acquire information with 
CIPSEA protection may want to consider entering into an agreement with 
a Federal statistical agency or unit. Because the statistical agency or 
unit would be responsible for protecting all confidential information 
acquired under the CIPSEA pledge, carrying out these responsibilities 
will take resources that non-statistical agencies should be prepared to 
provide to the statistical agency. Statistical agencies or units may 
designate agents under CIPSEA, but must follow the requirements in 
Section IV of this guidance to do so. Employees within a nonstatistical 
agency or unit may serve as agents for a statistical agency or unit to 
perform exclusively statistical activities on confidential information 
and be bound by CIPSEA provided that the statistical agency or unit and 
the agents have followed all of the requirements given in section IV.
    An agreement between the statistical agency and the nonstatistical 
agency could be used to make the statistical agency or unit responsible 
for the control of the confidential information. The statistical agency 
could then designate a contractor to acquire the information and 
perform other exclusively statistical activities. The statistical 
agency could also designate as agents select employees of the 
nonstatistical agency or unit to have access to the information for 
exclusively statistical purposes. As noted earlier, all requirements in 
sections II, III, and IV would have to be met; and, therefore, all 
agents would be subject to penalties under CIPSEA for any disclosure.

VII. Data Sharing Under Subtitle B of CIPSEA

    Subtitle B, Statistical Efficiency, provides only for the sharing 
of business data for exclusively statistical purposes and provides for 
that sharing only among three statistical agencies designated in 
Subtitle B. Subtitle B of CIPSEA does not authorize the sharing of 
confidential business data among any Federal agencies other than the 
three designated statistical agencies, nor does it authorize any 
sharing of demographic or other types of data among any Federal 
agencies.\80\
---------------------------------------------------------------------------

    \80\ Although CIPSEA Subtitle B only authorizes the sharing of 
confidential business information among BEA, BLS, and the Census 
Bureau, CIPSEA did not alter other existing authorities for data 
sharing among Federal agencies (see Sec. 504(a)).
---------------------------------------------------------------------------

    The following brief guidance in this section applies to the three 
designated statistical agencies sharing business data. These three 
agencies are currently working to implement the data sharing provisions 
of CIPSEA. OMB is working closely with them and may issue additional 
guidance to these three agencies as needed to implement the data 
sharing provisions of CIPSEA.

[[Page 33376]]

A. Designated Statistical Agencies

    The three designated statistical agencies permitted by Subtitle B 
to share business data for exclusively statistical purposes are the 
Bureau of the Census, the Bureau of Economic Analysis, and the Bureau 
of Labor Statistics.\81\
---------------------------------------------------------------------------

    \81\ Sec. 522.
---------------------------------------------------------------------------

B. Requirements When the Designated Statistical Agencies Share Data

    Prior to sharing any business data under CIPSEA, the designated 
statistical agencies shall inform respondents about their intentions to 
share the business data. If, prior to collection, the designated 
agencies anticipate that they will share business data, the agencies 
shall:
     Include in their Federal Register notices required under 
the PRA notification that the business data may be shared with 
designated statistical agencies, and
     Also include in their CIPSEA confidentiality pledges 
notification that the data may be shared with designated statistical 
agencies.
    When a designated statistical agency plans to share data that was 
collected under a legal requirement to supply the information without 
notice of the intent to share that information with one or more 
designated statistical agencies, the agency shall publish a notice of 
the proposed data sharing activity in the Federal Register and specify 
the business data to be shared and the statistical purposes for which 
the business data are to be used. This notice shall allow a minimum of 
60 days for public comment,\82\ and a copy of this notice shall be sent 
to OMB when it is published.
---------------------------------------------------------------------------

    \82\ Sec. 524(d).
---------------------------------------------------------------------------

C. Requirements for Written Agreements for Data Sharing Among 
Designated Statistical Agencies

    Designated statistical agencies shall enter into a written 
agreement before sharing any business data. The written agreement shall 
specify:
     The business data to be shared;
     The statistical purposes for which the business data are 
to be used;
     The officers, employees, and agents authorized to examine 
the business data to be shared; and
     Appropriate security procedures to safeguard the 
confidentiality of the business data.
    A copy of the written agreement shall be provided to OMB ten days 
prior to execution.

VIII. Annual Reporting and Review Requirements

A. Reporting Requirements

    To coordinate and oversee the confidentiality and disclosure 
policies established under CIPSEA, the Office of Management and Budget 
is authorized under CIPSEA to require reports and other information 
regarding the implementation of this legislation by Federal 
agencies.\83\ In order to effectively monitor Federal agencies' use of 
the different provisions in CIPSEA, all agencies shall report to OMB on 
(1) The use of the CIPSEA pledge, (2) the use of the CIPSEA agents 
provision, and (3) data sharing activities under Subtitle B.
---------------------------------------------------------------------------

    \83\ Sec. 503.
---------------------------------------------------------------------------

    Use of the CIPSEA pledge. Any Federal agency acquiring data under 
CIPSEA Subtitle A shall report to OMB on an annual basis on those 
collections it has conducted under CIPSEA and affirm that the agency 
has followed the procedures in this guidance to ensure the 
confidentiality of the information is protected.
    Use of the agents provision in CIPSEA. Statistical agencies and 
units are authorized under Subtitle A of CIPSEA to designate agents, 
who may perform exclusively statistical activities, including data 
collection, and are bound to the same legal requirements as agency 
employees for maintaining the confidentiality of the information. 
Statistical agencies or units that choose to designate agents shall 
report to OMB on an annual basis on the number of agents designated; 
the kinds of statistical activities performed by agents, e.g., data 
collection, analysis, etc.; the different types of arrangements for 
access to confidential information (if applicable), e.g., on-site at 
the statistical agency, through an agency-controlled research data 
center, or off-site licensing agreement; and the kind of written 
agreement that is required for each type of access.
    Use of data sharing provisions under Subtitle B of CIPSEA. CIPSEA 
directs that the three designated agencies shall report annually to the 
Director of the Office of Management and Budget, the Committee on 
Government Reform of the House of Representatives, and the Committee on 
Governmental Affairs of the Senate on the actions taken to implement 
the sections of the law on sharing of business data. Designated agency 
reports shall be prepared on a calendar year basis, and shall include a 
summary of activities carried out under this law including the 
statistical purposes for sharing, any anticipated improvements to 
quality, and any anticipated or achieved reductions in cost or 
respondent burden due to the sharing of business data. The report shall 
include copies of each written agreement for the sharing of business 
data for the applicable year.
    The initial report to OMB shall cover any collections since the 
enactment of the legislation in December 2002 through December 2006, 
and subsequent reports shall cover a calendar year. Agencies shall 
submit their initial reports to OMB by May 30, 2007. Subsequent reports 
shall be submitted annually to OMB by April 30th of each year. Agencies 
shall also post copies of this report on their Web sites.

B. OMB Review of Agency Rules

    Agencies are authorized to promulgate rules to implement 
CIPSEA.\84\ Agencies proposing rules to implement CIPSEA shall submit 
these proposed rules to OMB for review and approval.\85\
---------------------------------------------------------------------------

    \84\ Sec. 503(b).
    \85\ Sec. 503(c).
---------------------------------------------------------------------------

Appendix: Requirements for Contracts and Written Agreements for Agents 
Acquiring or Accessing Confidential Information Under CIPSEA

    The following information shall be included in the contract or 
written agreement:
     The identity and affiliation of both the legally 
responsible agent (e.g., contractor or requestor seeking access to 
confidential data) and agency official signing the agreement;
     Whether the agent will be acquiring confidential 
information on behalf of the agency or only accessing confidential 
information the agency possesses;
     A clear and detailed description of the purpose of the 
access;
     The specific confidential information needed;
     How the information will be used;
     Any plans for disseminating information as well as the 
products planned for public distribution;
     Legally binding signature lines for the agency, and the 
responsible management level official from the institution with which 
the agent(s) is (are) affiliated. When the agent is operating 
independently for these purposes and is unaffiliated with an 
institution, the agent will sign;
     The legal authority under which the information was 
collected or acquired;
     The legal authority from CIPSEA and other laws for 
providing the agent the ability to acquire or to access the 
information;

[[Page 33377]]

     Penalties for violating confidentiality or unauthorized 
use of the information;
     The timeframe for access;
     A requirement that the agent provide and update as 
necessary a list of persons involved in the project who will have 
access to the information;
     The agent's responsibility to notify agency when
          - The agent no longer needs the information,
          - The agent plans a change in site access, and/or
          - The project purpose changes (agency approval must be obtained 
first);
     Confidentiality training requirement for all persons who 
have access to confidential information;
     The requirement that each person with access to 
confidential information sign a non-disclosure form that signifies an 
understanding of and agreement to the terms of access and agreement to 
comply with CIPSEA and any other applicable laws (see below for options 
on where to include this information);
     The requirement that the agent submit any project 
information products to the agency for disclosure review (agencies may 
also include or reference reporting requirements or standards);
     For off-site access arrangements
          - A security plan (information systems and physical security) 
for protecting the information,
          - Procedures regarding the return or destruction of information 
when access is no longer necessary (may precede project's end), and
          - The requirement that the agent allows the agency to carry out 
a physical and IT security inspection of the agent's workplace;
     Conditions requiring modification of the agreement;
     Termination clause for the agreement;
     Listing of contact persons for the agency and the 
responsible management level official from the institution with which 
the agent is affiliated. (When the agent is operating independently and 
is unaffiliated with an institution, the agent will designate a contact 
person.); and
     As applicable, information on funding of project work, 
including any between the agency, agent(s), and/or agents' institution.
    The following information may be included in the body of the 
agreement, added to the agreement as appendices, or made part of the 
agency's official files for the actual agreement:
     Copy of the agency-approved proposal (if required);
     Copies of all laws cited in the agreement;
     The list of persons with access to confidential 
information;
     Certification that all persons who have access to 
confidential information have completed confidentiality training;
     Signed non-disclosure forms for all persons with access to 
confidential information; and
     For each person with data access, a copy of the background 
certification supporting such access--details to be determined by 
agency (options could include fingerprinting, a sworn affidavit of 
nondisclosure, work history checks, etc.).
    Agencies may also include additional requirements in their written 
agreements. Examples of written agreements used by some agencies that 
conform to the above requirements will be available on the OMB Web 
site.\86\
---------------------------------------------------------------------------

    \86\ http://www.whitehouse.gov/omb go to ``Statistical Programs 
and Standards.''

 [FR Doc. E7-11542 Filed 6-14-07; 8:45 am]