§310.52 General.
(a) A computer matching program covers two kinds of matching programs (see OMB Matching Guidelines, 54 FR 25818 (June 19, 1989)). If covered, the matches are subject to the requirements of this subpart. The covered programs are:
(1) Matches using records from Federal personnel or payroll systems of records, or
(2) Matches involving Federal benefits programs if the match is conducted:
(i) To determine eligibility for a Federal benefit,
(ii) To determine compliance with benefit program requirements, or
(iii) To effect recovery of improper payments or delinquent debts under a Federal benefit program.
(b) The requirements of this part do not apply if matches are:
(1) Performed solely to produce aggregated statistical data without any personal identifiers. Personally identifying data can be used for purposes of conducting the match. However, the results of the match shall be stripped of any data that would identify an individual. Under no circumstances shall match results be used to take action against specific individuals.
(2) Performed to support research or statistical projects. Personally identifying data can be used for purposes of conducting the match and the match results may contain identifying data about individuals. However, the match results shall not be used to make a decision that affects the rights, benefits, or privileges of specific individuals.
(3) Performed by an agency, or a component thereof, whose principal function is the enforcement of criminal laws, subsequent to the initiation of a specific criminal or civil law enforcement investigation of a named individual or individuals.
(i) The match must flow from an investigation already underway which focuses on a named person or persons. “Fishing expeditions” in which the subjects are generically identified, such as “program beneficiaries” are not covered.
(ii) The match must be for the purpose of gathering evidence against the named individual or individuals.
(4) Performed for tax information-related purposes.
(5) Performed for routine administrative purposes using records relating to Federal personnel.
(i) The records to be used in the match must predominantly relate to Federal personnel (i.e., the percentage of records in the system of records that are about Federal personnel must be greater than that of any other category).
(ii) The purpose of the match must not be for purposes of taking any adverse financial, personnel, disciplinary, or other unfavorable action against an individual.
(6) Performed using only records from systems of records maintained by an agency.
(i) The purpose of the match must not be for purposes of taking any adverse financial, personnel, disciplinary, or other unfavorable action against an individual.
(ii) A match of DoD personnel using records in a system of records for purposes of identifying fraud, waste, and abuse is not covered.
(7) Performed to produce background checks for security clearances of Federal or contractor personnel or performed for foreign counter-intelligence purposes.
[72 FR 18758, Apr. 13, 2007. Redesignated at 81 FR 71830, Oct. 17, 2016]
§310.53 Computer matching publication and review requirements.
(a) DoD Components shall identify the systems of records that will be used in the match to ensure the publication requirements of subpart G have been satisfied. If the match will require disclosure of records outside the Department of Defense, Components shall ensure a routine use has been established, and that the publication and review requirements have been met, before any disclosures are made (see subpart G of this part).
(b) If a computer matching program is contemplated, the DoD Component shall contact the DPO and provide information regarding the contemplated match. The DoD DPO shall ensure that any proposed computer matching program satisfies the requirements of the Privacy Act (5 U.S.C. 552a) and OMB Matching Guidelines (54 FR 25818 (June 19, 1989)).
(c) A computer matching agreement (CMA) shall be prepared by the Component, consistent with the requirements of §310.53 of this subpart and submitted to the DPO. If the CMA satisfies the requirements of the Privacy Act (5 U.S.C. 552a) and OMB Matching Guidelines (54 FR 25818 (June 19, 1989)), as well as this subpart, it shall be forwarded to the Defense Data Integrity Board (DIB) for approval or disapproval.
(1) If the CMA is approved by the DIB, the DPO shall prepare and forward a report to both Houses of Congress and to OMB as required by, and consistent with, OMB Circular A-130, “Management of Federal Information Resources,” February 8, 1996, as amended. Congress and OMB shall have 40 days to review and comment on the proposed match. Any comments received must be resolved before matching can take place.
(2) If the CMA is approved by the DIB, the DPO shall prepare and forward a match notice as required by OMB Circular A-130, “Management of Federal Information Resources,” February 8, 1996, as amended, for publication in the Federal Register. The public shall be given 30 days to comment on the proposed match. Any comments received must be resolved before matching can take place.
[72 FR 18758, Apr. 13, 2007. Redesignated at 81 FR 71830, Oct. 17, 2016]
§310.54 Computer matching agreements (CMAs).
(a) If a match is to be conducted internally within DoD, a memorandum of understanding (MOU) shall be prepared. It shall contain the same elements as a CMA, except as otherwise indicated in paragraph (b)(4)(ii) of this section.
(b) A CMA shall contain the following elements:
(1) Purpose. Why the match is being proposed and what will be achieved by conducting the match.
(2) Legal authority. The Federal or state statutory or regulatory basis for conducting the match. The Privacy Act does not constitute independent authority for matching. Other legal authority shall be identified.
(3) Justification and expected results. Explain why computer matching as opposed to some other administrative means is being proposed and what the expected results will be, including a specific estimate of any savings (see paragraph (b)(13) of this section).
(4) Records description. Identify:
(i) The system of records or non-Federal records. For DoD systems of records, provide the Federal Register citation for the system notice;
(ii) The specific routine use in the system notice if records are to be disclosed outside the Department of Defense (see §310.22(c)). If records are disclosed within the Department of Defense for an internal match, disclosures are permitted pursuant to paragraph (a) of §310.22.
(iii) The number of records involved;
(iv) The data elements to be included in the match;
(v) The projected start and completion dates of the match. CMAs remain in effect for 18 months but can be renewed for an additional 12 months provided:
(A) The match will be conducted without any change, and
(B) Each party to the match certifies in writing that the program has been conducted in compliance with the CMA or MOU.
(vi) How frequently the records will be matched.
(5) Records accuracy assessment. Provide an assessment by the source and recipient agencies as to the quality of the information that will be used for the match. The poorer the quality, the more likely that the program will not be cost-effective.
(6) Notice procedures. Identify what direct and indirect means will be used to inform individuals that matching will take place.
(i) Direct notice. Indicate whether the individual is advised that matching may be conducted when he or she applies for a Federal benefit program. Such an advisory should normally be part of the Privacy Act Statement that is contained in the application for benefits. Individual notice sometimes is provided by a separate notice that is furnished the individual upon receipt of the benefit.
(ii) Indirect notice. Indicate whether the individual is advised that matching may be conducted by constructive notice. Indirect or constructive notice is achieved by publication of a routine use in the Federal Register when the matching is between agencies or is achieved by publication of the match notice in the Federal Register.
(7) Verification procedures. Explain how information produced as a result of the match will be independently verified to ensure any adverse information obtained is that of the individual identified in the match.
(8) Due process procedures. Describe what procedures will be used to notify individuals of any adverse information uncovered as a result of the match and to give such individuals an opportunity either to explain the information or to contest it. No adverse action shall be taken against the individual until the due process procedures have been satisfied.
(i) Unless other statutory or regulatory authority provides for a longer period of time, the individual shall be given 30 calendar days from the date of the notice to respond to the notice.
(ii) If an individual contacts the agency within the notice period and indicates his or her acceptance of the validity of the adverse information, the agency may take final action. If the period expires without a response, the agency may take final action.
(iii) If the agency determines that there is a potentially significant effect on public health or safety, it may take appropriate action notwithstanding the due process provisions.
(9) Security procedures. Describe the administrative, technical, and physical safeguards that will be established to preserve and protect the privacy and confidentiality of the records involved in the match. The level of security must be commensurate with the level of the sensitivity of the records.
(10) Records usage, duplication, and redisclosure restrictions. Describe any restrictions imposed by the source agency or by statute or regulation on the collateral uses of the records. Recipient agencies may not use the records obtained for matching purposes for any other purpose absent a specific statutory requirement or where the disclosure is essential to the conduct of the matching program.
(11) Disposition procedures. Clearly state that the records used in the match will be retained only for the time required for conducting the match. Once the matching purpose has been achieved, the records will be destroyed unless the records must be retained as directed by other legal authority. Unless the source agency requests that the records be returned, identify the means by which destruction will occur, e.g., shredding, burning, electronic erasure, etc.
(12) Comptroller General access. Include a statement that the Comptroller General may have access to all records of the recipient agency to monitor or verify compliance with the terms of the CMA.
(13) Cost-benefit analysis. (i) A cost-benefit analysis shall be conducted for the proposed computer matching program unless:
(A) The Data Integrity Board waives the requirement, or
(B) The matching program is required by a specific statute.
(ii) The analysis must demonstrate that the program is likely to be cost-effective. This analysis is to ensure agencies are following sound management practices. The analysis provides an opportunity to examine the programs and to reject those that will only produce marginal results.
[72 FR 18758, Apr. 13, 2007. Redesignated at 81 FR 71830, Oct. 17, 2016]