This is the accessible text file for GAO report number GAO-14-44 entitled 'Computer Matching Act: OMB and Selected Agencies Need to Ensure Consistent Implementation' which was released on February 12, 2014.

United States Government Accountability Office:
GAO:

Report to Congressional Requesters:

January 2014:

Computer Matching Act:
OMB and Selected Agencies Need to Ensure Consistent Implementation:

GAO-14-44:

GAO Highlights:

Highlights of GAO-14-44, a report to congressional requesters.

Why GAO Did This Study:

Computerized matching of data from two or more information systems is one method of data analysis that can assist in detecting and preventing fraud, waste, and abuse in government programs, and it is commonly used to help identify improper payments in federal benefit programs and activities.
However, computer matching may also pose privacy risks to individuals. To ensure that federal agency computer matching programs protect individuals' privacy rights, from 1988 through 1990 Congress enacted amendments to the Privacy Act of 1974 (collectively referred to in this report as the Computer Matching Act).

GAO was asked to review issues relating to computer matching. This report examines (1) agencies' responsibilities under the Computer Matching Act, (2) how selected agencies are implementing the act with regard to federal benefits programs, and (3) the views of officials at selected agencies on the process of developing and implementing computer matching agreements. GAO reviewed the act's provisions and OMB guidance. It also interviewed officials and examined documents at seven agencies with high expenditures in benefits and assistance programs.

What GAO Found:

The Office of Management and Budget (OMB) is responsible for developing guidelines and providing assistance to agencies on implementing the Computer Matching Act, while agencies have a variety of implementation responsibilities. Agency responsibilities include (1) developing computer matching agreements (CMA) containing specific elements for each proposed matching program and notifying Congress, OMB, and the public of such activities; (2) conducting cost-benefit analyses for proposed matching programs; and (3) establishing data integrity boards to oversee matching programs.

The seven agencies GAO reviewed (the Departments of Agriculture, Education, Health and Human Services, Homeland Security, Labor, Veterans Affairs, and the Social Security Administration) have taken a number of steps to implement the act's requirements. They have all established processes for creating CMAs, and the agreements generally included the elements required by the act. However, implementation among these agencies was inconsistent in several ways.
First, the selected agencies differed in their understanding of whether CMAs were required for data queries. OMB's guidance is not clear on whether such queries are covered by the act. Second, while the selected agencies generally developed cost-benefit analyses for their CMAs, they did not consistently address key elements needed to assess the value of computer matching programs. OMB stated in 1989 that it would issue specific guidance for cost-benefit analyses of computer matching programs, but it has not done so. Finally, agency data integrity boards have not consistently reported to OMB on agencies' computer matching activities as required by the act. OMB guidance requires biennial reporting, which varies from the act's requirement for annual reports. The lack of clear guidance from OMB has contributed to the inconsistent implementation of the act at the agencies GAO reviewed.

Several agency and office of inspector general officials stated that the act's rigorous requirements and short time frames discouraged them from pursuing CMAs. Officials at six agencies stated that CMA review processes were lengthy and resource-intensive and that statutory durations for conducting matching activities were too short. Similarly, officials from offices of the inspector general at four agencies stated that the length of the approval process and the requirement that proposed agreements be approved by data integrity boards discouraged them from computer matching. The figure below shows the number of active computer matching agreements at the agencies GAO reviewed.

Figure: Number of Computer Matching Agreements at Seven Federal Agencies as of September 20, 2013:

[Refer to PDF for image: vertical bar graph]

Agency: Agriculture; Active CMAs: 1.
Agency: Education; Active CMAs: 8.
Agency: Health and Human Services; Active CMAs: 11.
Agency: Homeland Security; Active CMAs: 10.
Agency: Labor; Active CMAs: 3.
Agency: Veterans Affairs; Active CMAs: 15.
Agency: Social Security Administration; Active CMAs: 34.

Source: GAO analysis of agency data.

[End of figure]

What GAO Recommends:

GAO is recommending that OMB revise its guidance and that selected agencies develop and implement policies and procedures for cost-benefit analyses and ensure annual reviews and reporting. In their comments, agencies concurred with GAO's recommendations, with the exception of Education. OMB did not state whether the agency agreed or disagreed. GAO continues to believe that the recommendations are valid, as discussed in the report.

View [hyperlink, http://www.gao.gov/products/GAO-14-44]. For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.

[End of section]

Contents:

Letter:
Background:
OMB and Agencies Have a Variety of Responsibilities under the Computer Matching Act:
Agencies We Reviewed Have Established Procedures for Implementing the Computer Matching Act, but Implementation Has Been Inconsistent:
Several Factors May Discourage Implementation of CMAs at Selected Agencies:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Comments from the Department of Agriculture:
Appendix III: Comments from the Department of Education:
Appendix IV: Comments from the Department of Homeland Security:
Appendix V: Comments from the Department of Labor:
Appendix VI: Comments from the Department of Veterans Affairs:
Appendix VII: Comments from the Social Security Administration:
Appendix VIII: GAO Contact and Staff Acknowledgments:

Tables:

Table 1: Selected Agencies' and Labor's Inclusion of Key Elements in Cost-Benefit Analyses:
Table 2: Summary of Data Integrity Board Membership:
Table 3: Agencies' Computer Matching Report Submissions, 2008-2012:

Figures:

Figure 1: Number of Active CMAs at Seven Agencies as of September 20, 2013:
Figure 2: The Computer Matching Agreement Process:

Abbreviations:

CIGIE: Council of the Inspectors General on Integrity and Efficiency:
CMA: computer matching agreement:
DHS: Department of Homeland Security:
DIB: Data Integrity Board:
ED: Department of Education:
FISMA: Federal Information Security Management Act:
FR: Federal Register:
HHS: Department of Health and Human Services:
IPERIA: Improper Payments Elimination and Recovery Improvement Act:
Labor: Department of Labor:
NIST: National Institute of Standards and Technology:
OIG: Office of inspector general:
OMB: Office of Management and Budget:
PII: personally identifiable information:
Recovery Board: Recovery Accountability and Transparency Board:
SSA: Social Security Administration:
Treasury: Department of the Treasury:
USDA: Department of Agriculture:
VA: Department of Veterans Affairs:

[End of section]

GAO:
United States Government Accountability Office:
441 G St. N.W.
Washington, DC 20548:

January 13, 2014:

The Honorable Thomas R. Carper:
Chairman:
The Honorable Tom Coburn, M.D.
Ranking Member:
Committee on Homeland Security and Governmental Affairs:
United States Senate:

The Honorable Claire McCaskill:
Chairman:
Subcommittee on Financial and Contracting Oversight:
Committee on Homeland Security and Governmental Affairs:
United States Senate:

The Honorable Susan M. Collins:
United States Senate:

Computerized matching of data from two or more information systems is one method of data analysis that can assist in detecting and preventing fraud, waste, and abuse in government programs, and it is commonly used to help identify improper payments in federal benefit programs and activities. However, computer matching may also pose risks to the privacy of individuals whose data are involved. To ensure that federal agency computer matching programs are effective and protect individuals' privacy rights, from 1988 through 1990 Congress enacted amendments to the Privacy Act of 1974.
These amendments established conditions for the use of information about individuals for, among other things, establishing or verifying eligibility for federal benefits programs. They also established protections to ensure procedural uniformity in carrying out computer matches and included due process rights for individuals whose benefits may be affected. Throughout the remainder of this report, we refer to these amendments as the Computer Matching Act.

You asked us to examine agencies' efforts to share data through the Computer Matching Act. Specifically, our objectives were to (1) determine agencies' responsibilities under the Computer Matching Act, (2) determine how selected agencies are implementing that act with regard to federal benefits programs, and (3) describe the views of officials at selected agencies on the process of developing and implementing computer matching agreements (CMA).

To describe agencies' responsibilities under the Computer Matching Act, we reviewed the act's provisions, as well as other relevant laws, policies, and guidance that address computer matching for program integrity purposes. We also interviewed agency officials and examined agency documents, including policies and procedures on computer matching programs and processes. We selected for review federal agencies with the highest expenditures in benefits and assistance programs, specifically the Departments of Agriculture (USDA), Education (ED), Health and Human Services (HHS), Homeland Security (DHS), and Veterans Affairs (VA), and the Social Security Administration (SSA). We added the Department of Labor (Labor) because it oversees significant employment benefit programs and there were some indications that the Labor Office of Inspector General (OIG) had faced challenges in using CMAs. Labor is also one of the 10 federal agencies with the highest expenditures in benefits and assistance programs. We also reviewed guidance developed by the Office of Management and Budget (OMB).
In addition, we obtained information from the Department of the Treasury (Treasury) on the Do Not Pay Working System[Footnote 1] and its relationship to the Computer Matching Act.

To assess agencies' implementation of the act, we compared the requirements of the act with agencies' computer matching agreements relating to benefits programs, including accompanying cost-benefit analyses and agency processes for approving the agreements.

To describe the views of officials at selected agencies on the process of developing and implementing CMAs, we interviewed agency officials on how they implemented the act with regard to federal benefits programs. Further, we obtained the views of inspectors general at the agencies we reviewed on the implementation of the act.

We conducted this performance audit from January 2013 to January 2014 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Appendix I contains additional details on the objectives, scope, and methodology of our review.

Background:

Sharing information is an important tool in improving the efficiency and integrity of government programs. By sharing data, agencies can often reduce errors, improve program efficiency, evaluate program performance, and reduce information collection burdens on the public. Technological advances have broadened the government's ability to share data for these uses. Likewise, such advances have enhanced the government's ability to use computerized analysis to identify and reduce fraud, waste, and abuse.
One important analytical technique is computer matching, a term commonly used to refer to the computerized comparison of information, generally including personally identifiable information (PII), such as names and Social Security numbers, in two or more information systems.

Agencies use computer matching in a variety of ways to help ensure that federal benefits are distributed appropriately. For example, the National Directory of New Hires, established in 1996 under the Personal Responsibility and Work Opportunity Reconciliation Act, is used to match new-hire information from states with information from other states and federal programs to detect and prevent erroneous payments for the Temporary Assistance for Needy Families program, Supplemental Nutrition Assistance Program, unemployment insurance, Medicaid, and other benefit programs.

In another example, according to the Chairman of the House Committee on Ways and Means,[Footnote 2] SSA collects prisoner data from states and local governments to identify incarcerated individuals who should not receive Supplemental Security Income benefits. The chairman stated that from 1997 to 2009 computer matching had helped SSA identify over 720,000 inmates who were improperly receiving benefits, contributing to billions of dollars in savings to the federal government. Due to the success of this program, prisoner data are now shared with child support enforcement and Supplemental Nutrition Assistance programs as well.

Likewise, the chairman also reported that the Public Assistance Reporting Information System was being used to match state enrollment data for the Temporary Assistance for Needy Families program, Supplemental Nutrition Assistance Program, Medicaid, and child care programs with data from participating states and a selected group of federal databases to identify potentially inappropriate payments.
According to the Subcommittee on Human Resources of the House Committee on Ways and Means,[Footnote 3] the State of Colorado realized a return on investment of 4000 percent from using the system, and the state of New York annually saves an average of $62 million through its participation in the system.

Much computer matching is done for program integrity purposes, but it has other uses as well. For example, Secure Flight, a program run by DHS's Transportation Security Administration, matches information about passengers provided by the airlines against government watch lists to detect individuals on the No Fly List and prevent them from boarding aircraft and to identify individuals for additional screening. Another example is E-Verify, an Internet-based system developed by U.S. Citizenship and Immigration Services that allows businesses to determine the eligibility of potential employees to work in the United States.

While computer matching programs have been successful in identifying fraud, waste, and abuse in federal benefit programs, if proper controls are not in place, they can also adversely affect the privacy and due process rights of individuals whose records are being matched. The data that are exchanged through matching programs involve personal information such as Social Security numbers and income and employment data. Without adequate protection, individuals' information could be compromised through inappropriate use, modification, or disclosure. In addition, without effective due process protections, individuals could unfairly lose government benefits if decisions were made to reduce or terminate those benefits based on inaccurate or misleading computer matches.
For example, according to a senior policy analyst of the Center of Law and Social Policy, a computer match authorized under the Children's Health Insurance Program Reauthorization Act of 2009, which allowed states to verify the citizenship of Medicaid and Children's Health Insurance Program applicants by matching Social Security records rather than using clients' birth certificates, produced matches of questionable accuracy. Specifically, according to this analyst, in the first year of using this matching program, the state of Alabama incorrectly identified over 1,000 children who would have been denied benefits if the results had not been verified.[Footnote 4]

Key Laws That Address Computer Matching:

The major requirements for computer matching and the protection of personal privacy by federal agencies come from two laws, the Privacy Act of 1974[Footnote 5] and the privacy provisions of the E-Government Act of 2002.[Footnote 6]

The Privacy Act places limitations on agencies' collection, disclosure, and use of personal information maintained in systems of records. The act defines a "record" as any item, collection, or grouping of information about an individual that is maintained by an agency and contains his or her name or another individual identifier. It defines a "system of records" as a group of records under the control of any agency from which information is retrieved by the name of the individual or other individual identifier.
The Privacy Act requires that when agencies establish or make changes to a system of records, they must notify the public through a system of records notice in the Federal Register that identifies, among other things, the categories of data collected, the categories of individuals about whom information is collected, the intended "routine" uses of data, and procedures that individuals can use to review and contest its content.[Footnote 7]

In 2002, Congress enacted the E-Government Act to, among other things, enhance protection for personal information in government information systems. Toward this end, the act requires agencies to conduct privacy impact assessments before developing or procuring information systems that will collect or process personal information. These assessments provide a means for agencies to analyze and document the privacy protections they have established for uses of automated data, such as computer matching and other data-sharing activities.

Because of concerns about agency use of personal information in computer matching programs, Congress passed the Computer Matching and Privacy Protection Act in 1988 as an amendment to the Privacy Act.[Footnote 8] The provisions were intended to create procedures that would require serious deliberation and prevent data "fishing expeditions" that could reduce or terminate benefits without verifying the information and notifying affected individuals of the matching program. In 1989 and 1990,[Footnote 9] Congress enacted further amendments to, among other things, require due process procedures for agency computer matching programs, including independent verification of "hits" and a 30-day notice for individuals affected by a matching program.
Under these sets of amendments, which we collectively refer to as the Computer Matching Act, computer matching is defined as the computerized comparison of records for the purpose of establishing or verifying eligibility or recouping payments for a federal benefit program or relating to federal personnel management. To ensure procedural uniformity in carrying out matching programs and to provide due process for potentially affected individuals, the law established a number of requirements for covered agency computer matching programs, including:

* agencies must have computer matching agreements with participating agencies that specify, among other things, the purpose and legal authority of the program and a justification for the program, including a specific estimate of any savings;

* Data Integrity Boards (DIB) must be established to approve and review all agency computer matching programs covered by the Computer Matching Act, including the costs and benefits of such programs; and

* OMB must prescribe guidance for agencies on conducting computer matching programs as part of implementation of the Privacy Act.

These requirements do not, however, apply to all federal agency computer matching activities. For example, the law's definitions exclude matches of federal agency information with commercial data and matches of federal agency payments, grants, or loans to entities other than individuals. Further, the law exempts a number of matching activities. For example, the initial 1988 amendments included exemptions for matches for statistical or research purposes, law enforcement investigations of specific individuals, and certain tax-related matches. In 1999, an exemption was added for Social Security Act-related matches of prisoner data.[Footnote 10] In addition, in 2010, the Patient Protection and Affordable Care Act[Footnote 11] exempted matches by HHS relating to potential fraud, waste, and abuse.
Most recently, in January 2013, the Improper Payments Elimination and Recovery Improvement Act (IPERIA)[Footnote 12] provided, among other things, that data-matching activities conducted by agencies and offices of inspectors general (OIG) that assist in the detection and prevention of improper payments would be subject to requirements that differ from those of the Computer Matching Act. These include a 60-day time limit on DIB review, approvals extended up to 3 years, and a waiver on the requirement for a specific estimate of savings in a computer matching agreement.

In addition, IPERIA established in law the Do Not Pay Initiative, coordinated by the Department of the Treasury, to require agencies to reduce improper payments by reviewing a number of databases, including the SSA Death Master File and the Department of Housing and Urban Development Credit Alert System, before issuing any payments. IPERIA also required OMB to ensure the establishment of a working system to provide agencies with access to these databases, and to report to Congress on the operations of the Do Not Pay Initiative. OMB's August 16, 2013, guidance also contained instructions for agencies on implementing this initiative, including responsibilities for agency DIBs. For example, the guidance states that DIBs should be properly trained and should meet annually to evaluate agency matching programs.[Footnote 13]

OMB and Agencies Have a Variety of Responsibilities under the Computer Matching Act:

OMB is responsible for developing guidelines and providing continuing assistance to agencies on the implementation of the Computer Matching Act, while agencies have a variety of implementation responsibilities.
Agency responsibilities can be grouped into three major areas: (1) developing computer matching agreements containing specific elements for each proposed matching program and notifying Congress, OMB, and the public of computer matching activities; (2) conducting cost-benefit analyses for proposed computer matching programs; and (3) establishing DIBs to oversee computer matching programs, including reviewing and approving computer matching agreements.

OMB Has Primary Responsibility for Providing Assistance to Agencies for Privacy and Computer Matching:

The Privacy Act gives OMB responsibility for developing guidelines and providing continuing assistance to agencies on the implementation of the Computer Matching Act. OMB has periodically published guidance for implementing the act, including documents issued in 1989,[Footnote 14] 1991,[Footnote 15] 2000,[Footnote 16] and 2013.[Footnote 17] In addition, Circular No. A-130 includes instructions to agencies for reporting on computer matching activities.[Footnote 18]

The 1989 guidance provided explanations for agencies on interpreting various provisions of the 1988 amendments, including examples of activities that should be treated as computer matching programs covered by the act, types of information that should be in computer matching agreements (CMAs), and responsibilities for fulfilling reporting requirements. The 1989 guidance also addressed required cost-benefit analyses and the responsibilities of DIBs. The 1991 guidance was intended to help implement changes made in the 1990 computer matching amendments to simplify several due process requirements after agencies experienced difficulties implementing the requirements established in 1988.

OMB Circular No. A-130, Management of Federal Information Resources, includes guidance on implementation of a number of information and information technology laws.
According to OMB staff, the Circular A-130 requirements provide guidance to agencies on meeting the reporting requirements for computer matching activities. The circular's Appendix I, "Federal Agency Responsibilities for Maintaining Records about Individuals," provides specific instructions for agencies on reporting requirements relating to computer matching.

OMB's 2000[Footnote 19] memorandum reinforced existing Privacy Act requirements, while its 2013[Footnote 20] memorandum on reducing improper payments provided guidance on implementing the requirements in IPERIA as well as some additional clarifications on computer matching programs.

Agencies Are Required to Develop and Report on Formal Agreements to Conduct Computer Matches:

Agencies are required to establish computer matching programs when conducting any computer matches, which are defined as a "computerized comparison of records for the purpose of establishing or verifying eligibility or recouping payments for a federal benefit program or relating to federal personnel management." Agencies first need to determine whether their planned activity falls within the scope of the law under this definition.
If a proposed match is covered by the Computer Matching Act, a CMA must be developed and approved by all participating agencies.[Footnote 21] Among other things, the act requires that CMAs include:

* the purpose and legal authority for conducting the program;

* the justification for the program and the anticipated results, including a specific estimate of any savings;

* a description of the records that will be matched, including each data element that will be used, the approximate number of records that will be matched, and the projected starting and completion dates of the matching program;

* procedures for providing individual notice at the time of application, and notice periodically thereafter as directed by the DIB (subject to OMB guidance), to applicants or recipients of federal benefits;

* procedures for verifying information produced in the matching program as required to ensure that no benefits action is taken before the information acquired through computer matching is verified and potentially affected individuals are notified and have an opportunity to contest findings;

* procedures for the retention and timely destruction of identifiable records created by a recipient agency or nonfederal agency in the matching program;

* procedures for ensuring the administrative, technical, and physical security of the records matched and the results of the matching programs; and

* information on assessments that have been made on the accuracy of the records that will be used in the program.

After the CMA has been approved by all participating agencies, the agency that receives the data and derives benefit from the matching program is responsible for publishing a notice describing the details of the CMA in the Federal Register and must notify Congress and OMB prior to implementation.
The act requires agencies to:

* annually review each ongoing matching program in which the agency has participated during the year and

* submit a copy of every CMA to the House Committee on Oversight and Government Reform and the Senate Committee on Homeland Security and Governmental Affairs.

Agencies Are Required to Perform a Cost-Benefit Analysis:

The Computer Matching Act also requires that agencies conduct cost-benefit analyses in conjunction with the development of CMAs. The act states that agency CMAs must include a specific estimate of any savings from the matching program and that DIBs shall not approve any CMA without a cost-benefit analysis of the proposed program that demonstrates that the program is likely to be cost-effective.[Footnote 22]

According to OMB's 1989 guidance, the intent of this requirement is to ensure that sound management practices are followed when agencies use records from Privacy Act systems of records in matching programs. According to OMB, cost-effectiveness must be established before a CMA is approved and matching can occur, the goal being to ensure that when agencies are conducting matching programs they do not drain agency resources that could be better spent elsewhere. OMB guidance states that the cost-benefit information from CMAs helps Congress evaluate the effectiveness of statutory matching requirements.

The act does not specify the elements of the required cost-benefit analyses, and OMB's guidance provides only a general outline of the costs and benefits that should be considered. In its 1989 guidance, OMB referred agencies to a GAO report published in 1986[Footnote 23] on assessing the costs and benefits of computer matching programs as one source for conducting a computer matching cost-benefit analysis, and stated that it would issue a checklist providing a step-by-step methodology for such analyses at a later date. However, according to OMB staff, it has not issued such a checklist.
Officials at three agencies we reviewed stated that they used our report as a source of guidance on the expected contents of cost-benefit analyses for computer matching. Without more recent guidance, our 1986 report is the only guidance available to agencies specifically for developing cost-benefit analyses for computer matching programs.

While different computer matching programs may have unique costs and benefits, our 1986 report[Footnote 24] identified the following key elements as common types of costs and benefits associated with computer matching:

* Costs:

- Personnel costs, such as salaries and fringe benefits, for personnel involved in the matching process, including staff time dedicated to performing the match.

- Computer costs related to the processing of computer matching programs, such as the maintenance and use of computers at facilities.

* Benefits:

- Avoidance of future improper payments: the prevention of future overpayments by identifying and correcting an error.

- Recovery of improper payments and debts: the detection of an overpayment or debt already made and the collection of the money owed to an agency.

Agencies Are Required to Establish a Data Integrity Board with Specific Responsibilities:

The Computer Matching Act also requires that each agency participating in a computer matching program establish a DIB to oversee computer matching activities. The act requires that the DIBs be composed of senior officials designated by the head of each agency. According to the act, duties of the DIBs include the following:

* Reviewing, approving, and maintaining all written agreements for receipt or disclosure of agency records under computer matching programs.

* Determining the agency's compliance with applicable laws, regulations, guidelines, and agency agreements.
* Assessing the costs and benefits of matching programs and approving only those for which a cost-benefit analysis demonstrates that the program is likely to be cost-effective.[Footnote 25]
* Reviewing all recurring matching programs for continued justification.
* Annually reviewing all matching programs in which the agency participated during the year, either as source or recipient.
* Compiling an annual report describing the matching activities of the agency, which is to be submitted to the head of the agency and OMB and made available to the public. The annual report should include a description of matching programs, matching agreements disapproved by the DIB, waivers of a cost-benefit analysis, and any violations of matching agreements.

In addition, OMB's 1989 guidance specifies that DIBs are to include the inspector general and a senior official responsible for the implementation of the Privacy Act. The inspector general may not serve as the chairman of the DIB. OMB recommended, but did not require, that the Privacy Act officer serve as the board secretary.

According to OMB's 1989 guidance, reviewing computer matching agreements is the foremost responsibility of the DIBs, and they are required to meet often enough to ensure that the agency's matching programs are carried out efficiently, expeditiously, and in conformance with the Privacy Act. More generally, OMB's 1989 guidance noted that the DIBs should serve as an information resource on matching for agencies, be placed at the top of the agency's organization, be staffed with senior personnel, and ensure that their reasons for either approving or denying a matching program are well documented.
Among other things, the guidance also explained that the law's requirement for annual DIB review of agency matching programs was to (1) determine whether the matches have been, or are being, conducted in accordance with appropriate authorities and under the terms of the matching agreements and (2) assess the utility of the programs in terms of their costs and benefits. The act and OMB guidance also state that if a matching agreement is disapproved by the DIB, any party to such agreement may appeal the disapproval to the Director of OMB.

OMB Circular No. A-130 also instructs agencies to submit a biennial report (rather than an annual report, as required by the act) to OMB summarizing the agency's computer matching activities. The report is to include the names of the DIB members and a list of each matching program, including its purpose, the participating agency, and a brief description of the program. For each matching program, the report is to state whether a cost-benefit analysis provided a favorable ratio or if the cost-benefit analysis was waived, the reason why.

Agencies We Reviewed Have Established Procedures for Implementing the Computer Matching Act, but Implementation Has Been Inconsistent:

The agencies we reviewed have taken a number of steps to implement the requirements of the act. All seven agencies had established processes for creating and approving computer matching agreements, and the agreements they implemented generally included the elements required by the act. However, implementation among these seven agencies was inconsistent in several ways:

* Agencies differed in their understanding of what circumstances and types of data-sharing the act applied to, such as whether CMAs were required for "front-end"[Footnote 26] data queries.
* While these agencies generally developed cost-benefit analyses for their computer matching agreements, they did not consistently address key costs and benefits needed to assess the value of their computer matching programs.
* Agency DIBs, which are required to review and approve computer matching agreements, did not always regularly meet or thoroughly review proposed CMAs or cost-benefit analyses. DIBs have also not consistently reported to OMB on agencies' computer matching activities, as required by the act, leading to reduced transparency of these programs.

Further, OMB has provided little assistance to agencies in implementing the act, which may contribute to inconsistent implementation.

Agencies We Reviewed Have Established Computer Matching Programs but Have Interpreted the Scope of the Act Inconsistently:

For the matching programs that the agencies believe are covered by the act, the seven agencies we reviewed had 82 CMAs in place that addressed the act's requirements. All seven agencies also issued agency-wide policies and guidance that address compliance with the act, and the CMAs these agencies had in place met basic requirements, including stating the purpose and legal authority for conducting the match, justification for the program and anticipated results, descriptions of records to be matched, procedures for providing individual notice, procedures for verifying information, procedures for retention and timely destruction of records, procedures for ensuring the physical security of the records, and assessments of the accuracy of the records used. Figure 1 shows the number of active CMAs at each of these agencies.

Figure 1: Number of Active CMAs at Seven Agencies as of September 20, 2013:

[Refer to PDF for image: vertical bar graph]

Agency: Agriculture; Active CMAs: 1.
Agency: Education; Active CMAs: 8.
Agency: Health and Human Services; Active CMAs: 11.
Agency: Homeland Security; Active CMAs: 10.
Agency: Labor; Active CMAs: 3.
Agency: Veterans Affairs; Active CMAs: 15.
Agency: Social Security Administration; Active CMAs: 34.

Source: GAO analysis of agency data.

[End of figure]

While the seven selected agencies were in compliance with the basic requirements of the act with regard to developing CMAs for activities they identified as covered by the act, they differed in how they interpreted the scope and application of the act to their data-sharing activities. Specifically, three agencies interpreted the law to apply only to the matching of an entire system of records against another database, but not to other types of comparisons. For example:

* Officials from DHS and VA stated that they interpret the act to apply only to automated comparisons of two complete systems of records (e.g., a batch comparison of two entire databases identified under the Privacy Act as "systems of records"). They believe that single-record comparisons, such as checks performed by front-end verification systems or individual queries of information within a system of records, are exempt.
* Similarly, no CMAs were established for certain data-sharing arrangements between SSA and VA. Specifically, SSA established information exchange agreements with VA by which it provides information via online queries about individuals for program integrity and benefit accuracy purposes. According to SSA officials, a CMA with VA was not necessary because VA employees directly accessed SSA data using a computer terminal. An SSA official also commented that they preferred using information exchange agreements because they were quicker to process and approve than CMAs.
* Likewise, DHS offers a web-based service that federal, state, and local benefit-issuing agencies, institutions, and licensing agencies use to verify the immigration status of benefit applicants so that only those entitled to benefits receive them.
According to DHS officials, this service is also not covered by the act because it does not involve comparison of two complete systems of records.

In contrast, officials from USDA's Food and Nutrition Service noted that a CMA was established between the states and SSA for performing front-end verification of Supplemental Nutrition Assistance Program eligibility. Similarly, ED officials stated that they require CMAs for front-end queries that establish eligibility for federal student aid. In addition, HHS officials stated that they believe the Computer Matching Act requires CMAs to cover front-end queries. Labor officials indicated that they do not use front-end verification to establish benefits eligibility.

Moreover, the Do Not Pay Working System, an online portal run by the Department of the Treasury that can conduct online queries similar to computer matching, is not currently covered by any CMAs. The system is run as part of the Do Not Pay Initiative, which was established by law in IPERIA on January 10, 2013. IPERIA requires federal agencies to use certain databases, which are to be available through the Do Not Pay Working System, for prepayment review of eligibility for payments and awards. Agencies use the portal to perform online queries to verify records related to specific individuals, a process known as front-end verification. Treasury officials stated that the initiative currently has no computer matching agreements in place because the portal operates only as a query system, which they believe does not require CMAs. They stated that in the future, upon establishment of a system of records, they plan to add batch matching for Privacy Act records, at which time they will secure computer matching agreements.

Varying agency interpretations of the scope of the act are partially due to unclear guidance from OMB on this subject.
OMB's 1989 matching guidance includes examples of front-end verification programs that are covered by the act, but none of OMB's guidance documents indicate specifically whether queries are subject to the act. OMB's 2013 IPERIA guidance addressed the subject indirectly by stating that matches involving "subsets" of systems of records are covered by the act. However, it did not clarify whether front-end verification queries qualify as subsets of systems of records or are otherwise covered, thus continuing to leave the subject unclear.

According to OMB, it is up to agencies to adhere to the act and official guidance. OMB staff stated that the types of data-sharing covered by the act are determined on a case-by-case basis, and OMB's IPERIA guidance states that the act applies to matches involving a "subset" of records from a system of records. However, OMB has not clarified whether the law applies to front-end verification, which generally involves just one record, or only to the matching of larger sets of records against another database. Without clear guidance on the scope of the act, agencies are likely to continue to interpret what the act covers in varying ways, and its privacy protections are likely to continue to be inconsistently applied.

Agencies We Reviewed Did Not Always Include Key Elements for Cost-Benefit Analyses:

While agency CMAs generally included cost-benefit analyses, the completeness of their analyses varied. Of the 82 CMAs from the seven agencies we reviewed, 68 included cost-benefit analyses. Eleven CMAs from the seven agencies were for statutorily required programs that did not require cost-benefit analyses.[Footnote 27] For the other 3 CMAs, SSA did not conduct cost-benefit analyses because, according to officials, it was the source agency for these matching programs.
According to OMB's 1989 guidance, while recipient agencies are suggested to take the lead in developing cost-benefit analyses, such analyses should be provided to source agencies to assist in their decision to approve or deny a CMA.

While most agencies submitted a cost-benefit analysis with their CMAs, they did not always address all four key elements identified by GAO's 1986 report.[Footnote 28] More specifically, of the 68 cost-benefit analyses from the seven agencies that we reviewed, 2 included all the key elements, 63 included some but not all key elements, and 3 did not address any of the key elements. Fourteen cost-benefit analyses did not include personnel costs, and 14 did not include computer costs. Additionally, 13 did not include the avoidance of future improper payments, and 33 did not include an estimate of the recovery of improper payments and debts. The DIBs approved all CMAs even though most cost-benefit analyses did not include all key information. Table 1 provides more detail on the seven selected agencies' inclusion of key elements in their cost-benefit analyses.

Table 1: Selected Agencies' and Labor's Inclusion of Key Elements in Cost-Benefit Analyses:

Agency: USDA;
Total cost-benefit analyses: 1;
Number of cost-benefit analyses that did not address key elements:
Costs: Personnel: 1; Computer: 1;
Benefits: Avoidance of future improper payments: 1; Recovery of improper payments and debts: 1.

Agency: ED;
Total cost-benefit analyses: 8;
Number of cost-benefit analyses that did not address key elements:
Costs: Personnel: 1; Computer: 0;
Benefits: Avoidance of future improper payments: 2; Recovery of improper payments and debts: 5.

Agency: HHS;
Total cost-benefit analyses: 9;
Number of cost-benefit analyses that did not address key elements:
Costs: Personnel: 3; Computer: 2;
Benefits: Avoidance of future improper payments: 0; Recovery of improper payments and debts: 3.
Agency: DHS;
Total cost-benefit analyses: 9;
Number of cost-benefit analyses that did not address key elements:
Costs: Personnel: 4; Computer: 2;
Benefits: Avoidance of future improper payments: 1; Recovery of improper payments and debts: 7.

Agency: Labor;
Total cost-benefit analyses: 2;
Number of cost-benefit analyses that did not address key elements:
Costs: Personnel: 0; Computer: 1;
Benefits: Avoidance of future improper payments: 1; Recovery of improper payments and debts: 1.

Agency: VA;
Total cost-benefit analyses: 14[A];
Number of cost-benefit analyses that did not address key elements:
Costs: Personnel: 2; Computer: 3;
Benefits: Avoidance of future improper payments: 2; Recovery of improper payments and debts: 4.

Agency: SSA;
Total cost-benefit analyses: 25;
Number of cost-benefit analyses that did not address key elements:
Costs: Personnel: 3; Computer: 5;
Benefits: Avoidance of future improper payments: 6; Recovery of improper payments and debts: 12.

Agency: Total;
Total cost-benefit analyses: 68;
Number of cost-benefit analyses that did not address key elements:
Costs: Personnel: 14; Computer: 14;
Benefits: Avoidance of future improper payments: 13; Recovery of improper payments and debts: 33.

Source: GAO analysis of agency data.

[A] VA prepared a combined computer matching agreement and cost-benefit analysis for two of its computer matching programs.

[End of table]

The act requires that agencies conduct cost-benefit analyses in conjunction with the development of CMAs. The act states that agency CMAs must include a specific estimate of any savings from the matching program and that DIBs shall not approve any CMA without a cost-benefit analysis of the proposed program that demonstrates that the program is likely to be cost-effective. According to OMB guidance, the goal is to ensure that sound management practices are followed when agencies conduct matching programs and that they do not drain agency resources that could be better spent elsewhere.
OMB's general guidance for conducting cost-benefit analyses for federal programs is contained in Circular A-94.[Footnote 29] However, specific guidance for cost-benefit analyses on computer matching programs, which was promised in OMB's 1989 guidance, has never been developed.

In the absence of specific OMB guidance, three agencies developed their own interim guides for cost-benefit analyses, while the others had no established methodology. Specifically, VA, ED, and SSA had policies and procedures on developing cost-benefit analyses: VA had guidance that included formulas staff should use to calculate each of the key elements, while ED used the prior GAO report;[Footnote 30] and SSA used OMB Circular No. A-94. The other four agencies--DHS, USDA, HHS, and Labor--did not develop or document guidance for conducting cost-benefit analyses. Without guidance from OMB that specifically addresses the necessary elements of cost-benefit analyses for computer matching, agencies are likely to continue to inconsistently assess the costs and benefits of their proposed matches and may be unable to demonstrate that such matches are a cost-effective use of resources.

Agency Data Integrity Boards Did Not Always Comply with Requirements:

While they varied in size and composition, all seven agencies we reviewed established DIBs as required by the act. As required by the act, all of the DIBs included senior officials and the inspector general, as shown in table 2.

Table 2: Summary of Data Integrity Board Membership:

Department: USDA; Number of senior officials: 4; Inspector general on board: Yes.
Department: ED; Number of senior officials: 6; Inspector general on board: Yes.
Department: HHS; Number of senior officials: 3; Inspector general on board: Yes.
Department: DHS; Number of senior officials: 8; Inspector general on board: Yes.
Department: Labor; Number of senior officials: 6; Inspector general on board: Yes.
Department: VA; Number of senior officials: 8; Inspector general on board: Yes.
Department: SSA; Number of senior officials: 8; Inspector general on board: Yes.

Source: GAO analysis of agency data.

[End of table]

All seven agencies also have issued agency-wide policy and guidance that addresses DIB membership and responsibilities, in compliance with the act. According to these agency policies, the DIBs' primary purpose is to review and provide final approval of CMAs and associated cost-benefit analyses. Each of the 82 CMAs from the seven agencies we reviewed showed evidence that they were reviewed and approved by the DIBs. However, as noted previously, DIBs approved cost-benefit analyses that did not always include all key data elements. For example, the DIB at USDA approved one cost-benefit analysis that did not include any estimate of cost or benefits and provided no estimated value. In addition, DIBs at the seven agencies we selected for review approved 13 cost-benefit analyses that did not identify an estimate of the avoidance of future improper payments, as well as 33 cost-benefit analyses that did not identify an estimate of the recovery of improper payments and debts. Without the DIBs ensuring that cost-benefit analyses include key costs and benefits, agencies will have less assurance that their computer matching programs are a cost-effective use of resources.

In addition to reviewing specific proposed CMAs and their associated cost-benefit analyses, the Computer Matching Act requires DIBs to conduct an annual review of agency matching programs. These annual reviews are an important element of the act's privacy protections and are intended to (1) determine whether matches have been or are being conducted in accordance with appropriate authorities and under the terms of the matching agreements and (2) assess the utility of the programs in terms of their costs and benefits. Appendix I to OMB Circular No.
A-130, on the management of federal information resources, includes guidance for implementing the reporting requirements for computer matching agreements. However, the DIBs have not always followed the review and reporting requirements of the act or OMB guidance. Of the seven agencies, only VA provided evidence of an annual DIB review and report of computer matching activities.[Footnote 31] According to officials at HHS and ED, they do not submit such a report because OMB guidance only requires the submission of a biennial report. Without annual reviews, agencies and OMB have less assurance that matches are being conducted in accordance with the terms of matching agreements and that the programs are justified and viable in terms of cost and benefits. In addition, the transparency of agency computer matching programs may be limited if annual reviews are not conducted.

OMB staff agreed that they have required agencies to submit only biennial reports rather than the annual reports required by the act: OMB guidance requires DIBs to report on computer matching activity every 2 years. This guidance is inconsistent with the Computer Matching Act, which requires an annual reporting of computer matching activity. OMB did not revise its guidance to reflect amendments to the act in 1995 and 1998.[Footnote 32] However, OMB staff stated that OMB guidance still requires DIBs to conduct annual reviews of all computer matching programs, even if it does not require them to report on those reviews annually as required by the act.

While only VA submitted annual reports, other agencies submitted the OMB-required biennial reports only intermittently:

* While the DIBs at VA, ED, and SSA have submitted biennial reports over the last 5 years, HHS did not submit one in 2012.
* Labor's DIB did not submit biennial reports in 2008 or 2012. Officials stated they were waiting for instructions from OMB to send their latest one.
* USDA did not submit two of the last three biennial reports.
USDA officials stated that they were not able to send past reports due to resource constraints.
* DHS's DIB has not submitted any biennial reports. However, it reports summary information on computer matching programs annually in the privacy portion of its Federal Information Security Management Act (FISMA) report to OMB. According to DHS officials, this reporting meets the requirements of the act.

Table 3 shows submission of biennial reports from 2008 through 2012 by the seven agencies we reviewed.

Table 3: Agencies' Computer Matching Report Submissions, 2008-2012:

Agency: USDA; 2008: No; 2010: No; 2012: Yes.
Agency: ED; 2008: Yes; 2010: Yes; 2012: Yes.
Agency: HHS; 2008: Yes; 2010: Yes; 2012: No.
Agency: DHS; 2008: No; 2010: No; 2012: No.
Agency: Labor; 2008: No; 2010: Yes; 2012: No.
Agency: VA; 2008: Yes; 2010: Yes; 2012: Yes.
Agency: SSA; 2008: Yes; 2010: Yes; 2012: Yes.

Source: GAO analysis of agency data.

[End of table]

In addition, while the law does not specifically require agencies to publish reports on their websites, it does require they be made publicly available. However, existing reports were not always accessible on six agencies' websites. Only one agency, VA, had a recent biennial report posted online. DHS had posted its annual privacy report, which includes information on new CMAs, on its website. ED officials stated they are in the process of upgrading their website and plan to post the reports at a future date. SSA and USDA require that individual requests be submitted to gain access to their biennial reports. Labor does not post any reports, and officials said they are not aware of any public requests for them.

Also, we found that the agencies submitting biennial reports (USDA, ED, HHS, Labor, VA, and SSA) did not always include all the information required by OMB guidance.
For example, VA was the only agency included in our review that submitted biennial reports with cost-benefit analysis ratios; however, for certain programs it was not able to determine cost savings information or whether the program had a favorable cost-benefit ratio. Labor did not include in its biennial report whether the CMAs approved or conducted during the 2 years covered by the report had a favorable cost-benefit ratio. Other agencies (USDA, ED, HHS, and SSA) stated in their biennial reports that all their matching programs had favorable ratios but did not provide specific cost-benefit information for any of the programs. As stated previously, not all CMAs included cost-benefit analyses or savings information; therefore, statements in agency biennial reports that all their matching programs had favorable cost-benefit ratios could be unjustified. Without consistent DIB review and reporting, agencies' computer matching programs are not being regularly evaluated for effectiveness by agencies and are less transparent to OMB, Congress, and the public.

OMB Has Provided Little Assistance to Agencies:

The Computer Matching Act gave OMB responsibility for providing continuing assistance to agencies in their implementation of the act and the other provisions of the Privacy Act. However, agency officials stated that they have not received consistent assistance from OMB. According to USDA, DHS, Labor, VA, and SSA officials, OMB has not provided assistance to them on conducting CMAs or submitting biennial reports. However, officials at ED stated that OMB had briefed them on the CMA process, and HHS officials have not received any specific instruction from OMB on conducting CMAs. In addition, officials at the HHS OIG and SSA stated they had no knowledge of actions taken by OMB with regard to CMAs, notices, or related reports submitted to OMB.

According to OMB, it is up to agencies to adhere to the act and OMB guidance.
When asked what happens if an agency does not submit a biennial report as required by OMB guidance, OMB staff said they may reach out and discuss it with the agency. However, OMB staff gave no evidence of knowing the extent to which agencies have not submitted the biennial reports or following up with any of the agencies. For example, USDA did not submit a report between 2000 and 2013. Further, Labor officials stated that one reason for not submitting the 2012 biennial report is that they have been waiting for OMB to provide specific reporting instructions. The Labor officials also stated that they do not even know where to send the biennial reports at OMB. When informed of this, OMB staff said that is not consistent with the requirement to submit a report biennially to OMB. Without taking steps to follow up on reporting requirements or to provide assistance to agencies, OMB may be allowing agencies to implement the act inconsistently.

Several Factors May Discourage Implementation of CMAs at Selected Agencies:

Agency officials at six of the seven agencies we reviewed told us that the act's rigorous requirements and the CMA review processes within and among agencies were lengthy and resource-intensive and that statutory time frames for conducting matching activities were too short, discouraging implementation of CMAs. Similarly, OIG officials at four agencies stated that, given the short duration of CMAs, the typical length of the CMA approval process discouraged them from computer matching, as did the requirement that their proposed agreements be approved by agency DIBs.

For example, officials at DHS told us they avoid attempting to implement CMAs because the internal review processes are lengthy and resource-intensive and because of the relatively short duration of approved CMAs. Officials at ED, HHS, Labor, SSA, and VA agreed that the CMA review process is lengthy and resource-intensive.
They said that the fact that proposed CMAs must be reviewed by both the source and recipient agencies created extensive review processes that often took a long time to complete. In contrast, officials at USDA did not think the review process was overly lengthy or resource-intensive.

To implement the requirements of the act, agencies we reviewed typically adhere to the following CMA process, which involves an extensive sequence of multiple reviews:

* Development of the Computer Matching Agreement: The agency that wants to run a match on its program records (the recipient) develops a proposed CMA to receive records from another agency (the source) to match against its records. The proposed CMA must include a cost-benefit analysis that adheres to all the act's requirements, which can add to the time and cost of developing a CMA. Reaching agreement on the CMA frequently involves negotiation between the agencies over what data will be matched and how the data will be transferred. Upon reaching a draft agreement, the proposed CMA is reviewed and approved by multiple offices, including separate legal and privacy office reviews, in each agency. Officials said that the negotiation process and legal and privacy reviews often took many months to complete.
* Data Integrity Board Review: The proposed CMA is reviewed and must be approved by DIBs at both the source and recipient agencies.
* Agency Head Approval: Following DIB approval, the proposed CMA must also be approved by both agency heads, requiring that the draft agreement be vetted through officials at additional offices within each agency.
* Notice to Congress: Recipient agencies must allow an additional 40 days to notify the Senate Committee on Homeland Security and Governmental Affairs, the House Committee on Oversight and Government Reform, and OMB to provide an opportunity for review and comments prior to implementation of the match.
* Public Notice: A notice of the computer matching program must be published in the Federal Register at least 30 days prior to implementation to provide an opportunity for interested persons to submit comments. (This public notice period can occur at the same time as notice is given to OMB and Congress.)

Figure 2 provides an overview of the typical CMA approval process.

Figure 2: The Computer Matching Agreement Process:

[Refer to PDF for image: process illustration]

Recipient Agency; Source Agency:
Propose CMA and develop draft:
Internal reviews (OGC, privacy office): conducted by: Recipient Agency; Source Agency.
DIB review: conducted by: Recipient Agency; Source Agency.
Agency Head review: conducted by: Recipient Agency; Source Agency.
Recipient Agency: Sends notices (OMB, Congress, FR).
CMA: DIBs conduct an annual review and reporting of matching programs, and submit reports to OMB, agency head and make them publicly available.

Source: GAO analysis of Privacy Act requirements and agency documentation.

[End of figure]

According to agency officials, following these steps can be a lengthy process, often taking 3 months or longer to complete. For example:

* An ED official stated that new CMAs usually take 9-10 months and renewals take 6 months to complete.
* According to officials from the HHS Administration for Children and Families, CMAs with Supplemental Nutrition Assistance Program agencies typically take 6 to 9 months, while those with state workforce programs take up to a year.
* According to officials from the DHS privacy office, the CMA process at DHS can take up to 6 months.
* According to officials from VA's Veterans Benefits Administration, CMAs can take 3 months to 1 year.
* According to officials from the SSA privacy office, on average, CMAs take about a year to process or to be renewed; however, the process can take longer. Officials at VA and HHS stated that CMAs with SSA must be planned a year in advance.
Not all agency officials reported that the CMA process was lengthy. For example, USDA officials stated that the CMA process could take up to 45 days to complete.

In addition, agency officials generally believed that CMAs do not last long enough. Given the lengthy internal review processes, agency officials from ED, HHS, DHS, VA, and SSA indicated that the statutory requirement that agreements be effective for only 18 months with a possible extension for 12 additional months was too short. Given such constraints, the approval process can last nearly as long as the proposed matching program itself.[Footnote 33] These officials said that when they have a continuing need to maintain permanent matching programs they have to restart the approval process nearly as soon as a CMA is approved in order to get either a 12-month extension or to reinstate the CMA as a new agreement after an existing 12-month extension has expired. As a result of the lengthy administrative process, agencies could be discouraged from pursuing CMAs.

Similarly, DHS privacy office officials stated that the review requirements and limited duration of CMAs discouraged implementation in the department. They said that the department's other review processes provided protections that were as good as those afforded by the act. For example, they stated that privacy protections were examined in privacy impact assessments and were assessed for all data-sharing agreements, including those that fell outside of the act. In addition, DHS privacy impact assessments are publicly available on the agency's website and thus contribute to the transparency of the programs.

OIG officials also had concerns with the approval process for CMAs. Specifically, OIG officials at ED, DHS, SSA, and Labor stated that they were reluctant to make the effort to establish CMAs because it could take 6 months to several years to get them approved, which could overly delay their planned audit and investigative work.
OIGs that did not have active CMAs, including those at USDA, ED, DHS, and Labor, said they perform computer matches only when they do not need to seek new CMAs, such as when they can use data already obtained by other entities within their departments or gathered by the states. In both such cases, separate CMAs are not required. ED OIG officials also added that although the lengthy computer matching approval process may be acceptable for agency programs that may last for multiple years, OIG's needs generally are confined to investigations and audits with limited time frames, and CMAs are less practical in those circumstances. An OIG official at HHS stated that the HHS OIG was exempt by law from having to prepare CMAs. OIG officials at ED and representatives from the Council of the Inspectors General on Integrity and Efficiency (CIGIE) and Recovery Accountability and Transparency Board (Recovery Board) also expressed concerns about their independence in initiating and conducting computer matching programs. Specifically, they said that because agency management officials sit on the Data Integrity Boards that approve CMAs, the agency is informed of OIG investigations that intend to use computer matching, which could compromise certain investigations.[Footnote 34] Lastly, an official from the DHS OIG expressed the opinion that because the OIG's role is advisory in nature and does not involve making official eligibility determinations based on computer matching results, the OIG should be exempt from having to establish CMAs in order to do computer matching. Not all OIG officials agreed that CMAs were problematic. For example, OIG officials from Labor and USDA said they had not experienced independence issues at their agencies. In addition, an official from the VA OIG stated that while the computer matching process usually takes 6 to 9 months, she did not feel the requirements posed a problem for investigative projects that were adequately planned in advance. 
For example, the VA OIG official pointed out that the act allowed for pilot data matches (under its exemption for statistical matching) that provide an opportunity for investigative methods to be tested in advance of developing a CMA. The official stated that in one case the VA OIG had conducted pilot matches using a small data subset to determine whether it would be productive to perform a match of the entire dataset. After the pilot showed the value of conducting the match, the VA OIG initiated a CMA with the source agency, and matching under this CMA is currently under way. In this case, the length of time required to get the CMA approved was not problematic because the OIG had planned for it in advance. Further, officials from privacy offices in several agencies, such as USDA, ED, and SSA, stated that requirements of the Computer Matching Act were valuable to their agencies as privacy protections and did not discourage use. For example, an official in the USDA Privacy Office stated that USDA ensures that mechanisms similar to those in the Computer Matching Act are incorporated in policies and practices relating to all applicable computer matching and data-sharing activities regardless of whether they are statutorily covered by the act. Similarly, officials from ED said they have applied the CMA process to data-sharing agreements not covered by the act, including a data-sharing agreement with SSA, to ensure that that program had privacy protections comparable to those provided by the act. Furthermore, officials from SSA stated that the provisions play an important role for members of the public by providing protections for their information. Conclusions: The seven agencies we reviewed have responded to the Computer Matching Act by developing policies and procedures that comply with its requirements; however these agencies have also implemented the act inconsistently. 
Interpretations of the act's scope have varied, cost-benefit analyses have not always addressed key elements, and DIBs have not always met requirements. Inconsistent implementation has led to reduced transparency of computer matching programs and raises questions of whether privacy is being protected consistently for these agencies' computer matching activities. OMB has also not taken steps to ensure consistent implementation of the act. For example, OMB guidance does not resolve questions about what types of matching are covered by the act, as well as how to assess costs and benefits, resulting in confusion among the agencies. Without clearer guidance and assistance from OMB, the agencies we reviewed are likely to continue implementing the act inconsistently and potentially conducting computer matching programs that are neither cost-effective nor protective of privacy, as provided for by the act. Further, the act contains a number of provisions that pose challenges for agencies, such as the act's definitions and limited time frames for conducting computer matches. To the extent that agencies avoid performing matches because of the extensive and time-consuming process for establishing CMAs, they may be losing opportunities to identify improper payments that could result in savings to the government.

Recommendations for Executive Action:

To make government-wide computer matching program planning efforts more consistent, we recommend that the Director of OMB take the following four actions:

* revise guidance on computer matching to clarify whether front-end verification queries are covered by the Computer Matching Act,
* direct agencies to address all key elements when preparing cost-benefit analyses,
* ensure that DIBs prepare and submit annual reports of agency-wide computer matching activities, and:
* ensure that agencies receive assistance in implementing computer matching programs as envisioned by the act.
We are also making specific recommendations for the seven agencies in our review to improve the implementation of the act as follows.

We recommend that the Secretary of Agriculture:

* develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts;
* ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs; and:
* ensure the DIB performs annual reviews and submits annual reports on the agency's computer matching activities, as required by the act.

We recommend that the Secretary of Education:

* develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts;
* ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs; and:
* ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

We recommend that the Secretary of Health and Human Services:

* develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts;
* ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs; and:
* ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.
We recommend that the Secretary of Homeland Security:

* develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts;
* ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs; and:
* ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

We recommend that the Secretary of Labor:

* develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts;
* ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs; and:
* ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

We recommend that the Secretary of Veterans Affairs:

* develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts; and:
* ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.
We recommend that the Administrator of Social Security:

* develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts;
* ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs; and:
* ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

Agency Comments and Our Evaluation:

We sent draft copies of this report to the seven agencies covered by our review as well as to the Department of the Treasury and OMB. We received written responses from USDA, ED, DHS, Labor, VA, and SSA. These comments are reprinted in appendices II through VII. All of the agencies to which we made recommendations and received comments concurred with our recommendations, with the exception of ED, which concurred with one of our three recommendations. The agencies also provided technical comments, which we have incorporated as appropriate into the final report. The HHS GAO Intake Coordinator indicated via e-mail that HHS agreed with our recommendations and offered no further comments. The Executive Director of the Bureau of Fiscal Services at Treasury provided technical comments via e-mail, which we have addressed as appropriate. OMB staff provided technical comments via e-mail which we have considered and included as appropriate. The OMB staff did not state whether the agency agreed or disagreed with our recommendations. USDA concurred with all our recommendations and stated that it plans to move forward with implementing them. USDA noted the need for consistent, clear instructions and assistance from OMB on implementing the computer matching programs.
ED concurred with one of our recommendations, to ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the Computer Matching Act. However, ED did not concur with the other two recommendations. Regarding our recommendation to develop and implement policies and procedures for cost-benefit analyses that include all key elements, ED stated that it agreed that the elements of our recommendation are important but stated that its analyses included appropriate key elements. Specifically, the department argued that not all key elements apply to every computer matching program. For example, ED did not think it appropriate to address the recovery of improper payments and debts for matching programs to establish eligibility. However, we believe all key elements should be addressed in cost benefit analyses, even if only to note that certain types of benefits have been considered and determined not to be applicable in the specific circumstances of a given computer matching program. Without a thorough assessment, the DIB may not have sufficient information to determine whether a thorough cost analysis has been conducted. Regarding our recommendation to ensure that the DIB reviews cost-benefit analyses to make certain cost savings information for CMAs are included before approval, ED did not concur and stated that the DIB has consistently reviewed cost-benefit analyses before approving CMAs and that no change in agency practices was needed. However, our review of ED's eight cost-benefit analyses showed that two did not address avoidance of future improper payments and five did not address recovery of improper payments and debts. Given that ED's cost-benefit analyses did not mention these costs, which are key elements of cost savings information, the DIB would not have been able to make a full review of costs and benefits to ensure that cost savings information was included in CMAs before approving them. 
We continue to believe it is important that agency DIBs perform comprehensive reviews of cost-benefit analyses to ensure that benefits outweigh costs. DHS stated that it will work to update its guidance concerning CMAs and the DIB and that it plans to update instructions on implementing policies and procedures for cost-benefit analyses to include the key elements we identified. In addition, the DHS Privacy Office plans to update its CMA process to clarify the DIB's responsibilities in assessing cost-benefit analyses and ensure the DIB reviews and reports annually on its computer matching program. In addition to DHS's written comments, a DHS privacy official provided technical comments in an e-mail, which we have incorporated as appropriate. Labor concurred with our recommendations and provided technical comments. We have taken Labor's comments into consideration and updated the report as appropriate. Labor also stated that it agreed that the computer matching process is both lengthy and resource-intensive, and we have noted this in the report. VA stated that it would revise its current policy to include the key elements of cost-benefit analyses within the next 12 months. Furthermore, VA also plans to ensure that the DIB reviews cost-benefit analyses to make certain that cost savings information is included in CMAs before approval. SSA stated that it is currently working on an initiative to improve its cost-benefit analysis process and will ensure that all CMAs comply with the act's requirements and OMB's guidance. In addition, SSA said it will ensure that the DIB receives cost-benefit analyses for proposed computer matching programs that include cost savings information prior to approval. Lastly, SSA stated that it agrees that its DIB should conduct an annual review but would defer to OMB with regard to complying with the requirement that the DIB report annually.
As agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies to interested congressional committees, the Director of OMB, the Secretary of Treasury and the heads of the seven agencies in our review. In addition, the report will be available at no charge on the GAO website at [hyperlink, http://www.gao.gov]. If you or your staff have any questions about this report, please contact me at (202) 512-6244 or wilshuseng@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix VIII. Signed by: Gregory C. Wilshusen: Director, Information Security Issues: [End of section] Appendix I: Objectives, Scope, and Methodology: The objectives of our review were to (1) determine agencies' responsibilities under the Computer Matching Act, (2) determine how selected agencies are implementing that act with regard to federal benefits programs, and (3) describe the views of officials at selected agencies on the process of developing and implementing computer matching agreements (CMA). To describe agencies' responsibilities under the Computer Matching Act, we reviewed the law, as well as other relevant laws, policies, and guidance that address computer matching for program integrity purposes. We also interviewed agency officials and examined agency documents on computer matching programs and processes. We focused on federal agencies with the highest expenditures in benefits and assistance programs, specifically the Departments of Agriculture (USDA), Education (ED), Health and Human Services (HHS), Homeland Security (DHS), and Veterans Affairs (VA), and the Social Security Administration (SSA). 
We added the Department of Labor (Labor) because it oversees significant employment benefit programs and there were some indications that the Labor Office of Inspector General (OIG) had faced challenges in using CMAs. Labor is also one of the 10 federal agencies with the highest expenditures in benefits and assistance programs. We also reviewed guidance developed by the Office of Management and Budget (OMB) on computer matching. In addition, we obtained information from the Department of the Treasury on the Do Not Pay Working System and the Do Not Pay Initiative, and their relationship to the computer matching provisions of the Privacy Act. We analyzed the requirements of the act and OMB guidance and confirmed with agency officials the typical process for conducting computer matching programs. In addition, while the provisions of the act established procedural safeguards for benefit programs and federal personnel management, we mainly focused on requirements for agencies to establish or verify eligibility for federal benefits. To determine selected agencies' implementation of the act with regard to federal benefits programs, we compared the requirements of the act with agencies' computer matching agreements, including accompanying cost-benefits analyses and documentation of agency processes for reviewing the draft agreements. Specifically, we examined computer matching agreements to determine if the agreements contained information required by the act. In addition, we reviewed the accompanying cost-benefit analyses to determine if they contained relevant information to conclude that the matching program was beneficial to the agency. Specifically we reviewed the 1986 GAO report[Footnote 35] for criteria on cost-benefit analyses since OMB guidance refers agencies to it and because agencies we reviewed used it. 
We selected four key elements of costs and benefits (cost: personnel and computer costs; benefits: avoidance of future improper payment and recovery of improper payments and debts) and determined whether the agencies' cost-benefit analyses included these key elements. We also reviewed the activities and documentation of the Data Integrity Boards (DIB) to determine if they followed the requirements of the law. Specifically, we examined the structure of the DIBs and determined whether they disapproved CMAs that included cost-benefit analyses that lacked key elements. Also, we reviewed the reporting requirements of the DIBs to determine if they issued computer matching reports as required. We also reviewed OMB's guidance and queried agency officials to determine whether they interpreted the guidance consistently. To describe the views of officials at selected agencies on the process of developing and implementing CMAs, we interviewed agency officials and inspectors general to determine how they implemented the act's computer matching provisions. Furthermore, we solicited these officials' views on the requirements of the act and whether they thought improvements could be made. We conducted this performance audit from January 2013 to January 2014 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

[End of section]

Appendix II: Comments from the Department of Agriculture:

USDA: United States Department of Agriculture: Office of the Secretary: Washington, D.C. 20250:

December 9, 2013:

Mr. Gregory C. Wilshusen: Director: Information Security Issues: U.S. Government Accountability Office: 441 G Street, NW: Washington, D.C.
20548:

Dear Mr. Wilshusen:

The U.S. Department of Agriculture (USDA) reviewed the draft report titled, "The Computer Matching Act: OMB and Selected Agencies Need to Ensure Consistent Implementation (GAO-14-44)". We have maintained the confidentiality of this report and accept with no contest, Government Accountability Office's (GAO) findings, audit number 311099. We intend to move forward with the recommendations with regard to cost-benefit analyses and annual reporting of computer matching activities. We further applaud GAO for recognizing and recommending the dire need for consistent, clear instructions, and assistance from the Office of Management and Budget to assist with the implementation of the computer matching programs as represented in the Computer Matching Act, as defined in the draft report. Safeguarding and protecting USDA's data and information is one of my highest priorities. USDA accepts GAO's report as written.

Sincerely,

Signed by:

Thomas J. Vilsack: Secretary:

[End of section]

Appendix III: Comments from the Department of Education:

United States Department of Education: Office of Management: 400 Maryland Ave. S.W. Washington, DC 20202-4500: [hyperlink, http://www.ed.gov]

November 25, 2013:

Mr. Gregory C. Wilshusen: Director: Information Security Issues: Government Accountability Office: 441 G Street, NW: Washington, DC 20548:

Dear Mr. Wilshusen:

I am writing in response to the draft recommendations made in the draft version of the Government Accountability Office (GAO) report, "Computer Matching Act: OMB and Selected Agencies Need to Ensure Consistent Implementation" (GAO-14-44). This report had three recommendations for the Secretary of Education, and I am responding with our comments to each of them below.
Recommendation 1: We recommend that the Secretary of Education develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

Response: While we agree that each of the elements of your draft recommendation are important, we do not concur in the recommendation. The Department developed policies and procedures for preparing cost-benefit analyses related to computer matching agreements long ago, and has been following them faithfully as we consider entering into each of our computer matching agreements (Departmental Directive OM:6-105, "Computer Matching Agreements," January 22, 2007). These policies and procedures were developed to take into account GAO's prior report on this issue (GAO, Computer Matching: Assessing Its Costs and Benefits, [hyperlink, http://www.gao.gov/products/GAO/PEMD-87-2], Washington, D.C.: Nov. 10, 1986). We believe that we already incorporate the appropriate key elements in our cost-benefit analysis, although we continue to reexamine them in the interests of continuous improvement. We also disagree with GAO's assumption in the draft report that all cost-benefit analyses must necessarily address as key elements both "avoidance of future improper payments" and "recovery of improper payments and debts." As noted on page 18 of the draft report, 5 of the Department's 8 computer matching programs are conducted as part of the "front-end" establishment of an applicant's eligibility for federal student aid. On page 20 of the draft report, GAO also indicates that 5 of the Department's cost-benefit analyses failed to include the key element of "recovery of improper payments and debts."
We do not agree that it is appropriate to have the Department address the recovery of improper payments and debts in the context of matching programs that are conducted in order to establish eligibility under a federal benefits program. The Department does not award federal student aid benefits if the matching programs cannot verify the applicant's eligibility for benefits; we conduct the matching to avoid making improper payments in the first place. The Department believes that the key elements it needs to consider before approving computer matching programs designed to establish or verify an applicant's eligibility prior to award of benefits are: personnel costs, computer costs, and the benefit derived from avoiding improper payments in the first place. Similarly, the Department engages in other computer matching programs solely to help locate debtors under Federal benefits programs to collect on these debts. These computer matching programs generally do not help the Department avoid future improper payments to these debtors, but instead only help the Department to recover on improper payments or debts. Thus, the Department believes that the draft report should be revised to reflect that the Department already includes appropriate key elements in its cost-benefit analysis. At most the draft report could be revised to reflect that the benefits from computer matching may include either the "avoidance of future improper payments" or the "recovery of improper payments and debts," or both.

Recommendation 2: We recommend that the Secretary of Education ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

Response: Once again, we do not concur in this draft recommendation, because it does not adequately reflect the Department's current practices.
The Department's Data Integrity Board (DIB) has consistently reviewed cost-benefit analyses before approving CMAs; therefore, there is no need for us to change our practices, as the draft recommendation would seem to require.

Recommendation 3: We recommend that the Secretary of Education ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

Response: We concur in this draft recommendation. The Department's DIB has been submitting biennial reports, in line with Office of Management and Budget requirements. To come more in line with the statutory requirement for yearly reports, we will commence yearly reporting following our next regularly scheduled report.

We appreciate the work that went into the draft report, and we appreciate the opportunity to comment on it. If you have any questions regarding this response, please contact Kathleen Styles, Chief Privacy Officer, in the Office of Management, at (202) 453-5587.

Sincerely,

Signed by:

Denise L. Carter: Principal Deputy Assistant Secretary: U.S. Department of Education:

[End of section]

Appendix IV: Comments from the Department of Homeland Security:

U.S. Department of Homeland Security: Washington, DC 20528:

December 2, 2013:

Gregory C. Wilshusen: Director, Information Security Issues: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548:

Re: Draft Report GAO-14-44, "Computer Matching Act: OMB and Selected Agencies Need to Ensure Consistent Implementation"

Dear Mr. Wilshusen,

Thank you for the opportunity to review and comment on this draft report. The U.S. Department of Homeland Security (DHS) appreciates the U.S. Government Accountability Office's (GAO's) work in planning and conducting its review and issuing this report. The Department is pleased to note the report recognizes that the lengthy administrative process related to Computer Matching Agreements (CMAs) discourages some agencies from implementing them.
DHS examines privacy protections as part of privacy impact assessments for data-sharing agreements, including those that fall outside the Computer Matching Act. DHS believes the processes it uses provide protections that are as good as those afforded by the act. DHS also posts its annual privacy report on its website, which includes information on new CMAs. The draft report contained three recommendations directed to DHS, with which the Department concurs. Specifically, GAO recommended that the Secretary of Homeland Security:

Recommendation 1: Develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

Response: Concur. The DHS Privacy Office has guidance concerning Computer Matching Agreements and the Data Integrity Board (DIB), and will work with the DHS Management Directorate, Office of General Counsel, and relevant components to update this guidance to incorporate instructions on implementing policies and procedures for cost-benefit analysis, including the key elements identified above, and distribute the guidance as appropriate. Estimated Completion Date (ECD): December 31, 2014.

Recommendation 2: Ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

Response: Concur. The DHS Privacy Office will clarify the DIB's responsibilities with regard to assessing the costs and benefits associated with computer matching programs. DHS, the source agency for a majority of the CMAs in which it currently participates, generally ensures the recipient agency demonstrate that a matching program would likely be cost-effective prior to approving CMAs.
This is because the recipient agency, being the agency that is generally administering the federal benefits, would yield any cost savings resulting from a computer matching program. Thus, the recipient agency should conduct the cost-benefit analysis using its own data. Clarifying the DIB's responsibilities under these scenarios will provide better consistency in terms of determining cost-savings and ongoing viability of computer matching programs. Specifically, DHS will:

* Update its CMA process and/or other appropriate documents to clarify the DIB's responsibilities in assessing cost-benefit analyses; and;
* Inform the DIB of GAO's review and recommendations, and subsequent computer matching program enhancements and expectations.

ECD: December 31, 2014.

Recommendation 3: Ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

Response: Concur. The DHS Privacy Office will leverage annual calendar year reviews by the DIB as a mechanism to ensure that its computer matching programs are being conducted pursuant to its CMAs, which is in addition to the DIB's current practice of undertaking reviews of CMAs during the initial, recertification, and renewal processes. DHS will also submit annual calendar year reports on its computer matching programs, which is in addition to DHS's current practice of including a summary of such programs in its annual Federal Information Security Management Act report to the Office of Management and Budget (OMB), and OMB's requirement to report computer matching activities biennially. The annual reviews and report submissions will provide better confidence in terms of program compliance and transparency.
Specifically, DHS will: * Update its CMA process and/or other appropriate documents to capture the DIB's obligations to review all matching programs in which DHS has participated during the year; * Compile and submit, through the Chief Privacy Officer, an annual report as required by the act; and; * Inform the DIB of GAO's review and recommendations, and subsequent computer matching program enhancements and expectations. ECD: December 31, 2014. Again, thank you for the opportunity to review and comment on this draft report. Technical comments were previously provided under separate cover. Please feel free to contact me if you have any questions. We look forward to working with you in the future. Sincerely, Signed by: Jim H. Crumpacker: Director: Departmental GAO-OIG Liaison Office: [End of section] Appendix V: Comments from the Department of Labor: U.S. Department of Labor: Office of the Assistant Secretary for Administration and Management: Washington, D.C. 20210: December 3, 2013: Mr. Gregory C. Wilshusen: Director: Information Security Issues: Government Accountability Office: 441 G St. NW: Washington, D.C. 20548: Dear Mr. Wilshusen: Thank you for the opportunity to review and comment on the Draft Government Accountability Office (GAO) Report #GAO-14-44, Computer Matching Act: OMB and Selected Agencies Need to Ensure Consistent Implementation. We appreciate the GAO's efforts and the insight provided by the report. While the Department of Labor (DOL) concurs with the report's recommendations, we would like to address three areas of concern: 1) On Page 26, we believe that the statement attributed to DOL, "in contrast, officials at USDA and Labor did not think the review process was overly lengthy or resource-intensive" is not accurate. In fact, the Department of Labor agrees that the review process is both lengthy and resource-intensive. 
2) In the paragraph on Page 28 (beginning with "not all agency officials ..."), it appears that two processes are incorrectly compared. The first sentence of the paragraph seems to reference the overall process, but the next sentence focuses on the "internal approval." DOL disagrees with the conclusion of the first sentence. 3) DOL would also note that the above mentioned items were not included in the Statement of Facts provided to and reviewed by the Department in August. We recommend that they be removed from the Draft Report. Should you have any questions regarding the Department's response, please contact Ms. Dawn M. Leaf, Deputy Chief Information Officer, at leaf.dawn.m@dol.gov or 202-693-4220. Sincerely, Signed by: T. Michael Kerr: Assistant Secretary for Administration and Management, Chief Information Officer: cc: Dawn Leaf, Deputy Chief Information Officer. [End of section] Appendix VI: Comments from the Department of Veterans Affairs: Department of Veterans Affairs: Washington, DC 20420: December 2, 2013: Mr. Gregory C. Wilshusen: Director, Information Security Issues: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Wilshusen: The Department of Veterans Affairs (VA) has reviewed the Government Accountability Office's (GAO) draft report, "Computer Matching Act: OMB and Selected Agencies Need to Ensure Consistent Implementation" (GAO-14-44). VA generally agrees with GAO's conclusions and concurs with GAO's recommendations to the Department. The enclosure specifically addresses GAO's recommendations and provides technical comments to the draft report. VA appreciates the opportunity to comment on your draft report. Sincerely, Signed by: Jose D. 
Riojas: Chief of Staff: Enclosure: Department of Veterans Affairs (VA) Response to Government Accountability Office (GAO) Draft Report "Computer Matching Act: OMB and Selected Agencies Need to Ensure Consistent Implementation" (GAO-14-44): GAO Recommendation: To improve the implementation of the Computer Matching Act, GAO recommends that the Secretary of Veterans Affairs: Recommendation 1: develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts; VA Comment: Concur. The current Department of Veterans Affairs (VA) policy, VA Handbook 6300.7, Procedures for Computer Matching Programs, does not include the key elements of a cost-benefit analysis. While neither the Privacy Act of 1974 nor the Office of Management and Budget (OMB) specifies the key elements, OMB's guidance, Privacy Act of 1974: Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1986, 54 25818 (June 19, 1989) referred agencies to a GAO report, Computer Matching: Assessing Its Costs and Benefits, [hyperlink, http://www.gao.gov/products/GAO/PEMD-87-2] (Washington, DC: November 10, 1986) which identified the following: * Costs: - Personnel costs, such as salaries and fringe benefits, for personnel involved in the matching process, including staff time dedicated to performing the match. - Computer costs related to the processing of computer matching programs, such as the maintenance and use of computers at facilities. * Benefits: - Avoidance of future improper payments: the prevention of future overpayments by identifying and correcting an error. - Recovery of improper payments and debts: the detection of an overpayment or debt already made and the collection of the money owed to an agency. 
VA Handbook 6300.7 will be revised within the next 12 months to include specific, required key elements to be included in the cost-benefit analysis. In addition, VA's Office of Privacy and Records Management, Privacy Service, will communicate the requirements to members of the Data Integrity Board (DIB) and to the program offices that develop and implement Computer Matching Agreements (CMA). Recommendation 2: ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs. VA Comment: Concur. Upon publication of the revised VA Handbook 6300.7, VA will ensure that the DIB reviews cost-benefit analyses to make certain cost savings information for computer matching activities is included before approving CMAs. [End of section] Appendix VII: Comments from the Social Security Administration: Social Security: Office of the Commissioner: Social Security Administration: Baltimore, MD 21235-0001: December 2, 2013: Mr. Gregory C. Wilshusen: Director, Information Security Issues: United States Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Wilshusen: Thank you for the opportunity to review the draft report, "Computer Matching Act: OMB and Selected Agencies Need to Ensure Consistent Implementation" (GAO-14-44). We have enclosed our response to the audit report contents. If you have any questions, please contact me at (410) 966-9014. Your staff may contact Gary S. Hatcher, Senior Advisor for Records Management and Audit Liaison Staff, at (410) 965-0680. 
Sincerely, Signed by: Katherine Thornton: Deputy Chief of Staff: Enclosure: Comments On The Government Accountability Office Draft Report, "Computer Matching Act: OMB and Selected Agencies Need to Ensure Consistent Implementation" GAO-14-44: Recommendation 1: Develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts. Response: We agree. We are currently working on an initiative to improve our cost benefit analysis (CBA) process and ensure all of our matching agreements comply with both the Computer Matching and Privacy Protection Act (CMPPA) requirements and the Office of Management and Budget's (OMB) guidance. Recommendation 2: Ensure the Data Integrity Board (DIB) reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving computer matching agreements (CMA). Response: We agree. We will share this recommendation with recipient agencies and advise them that our DIB must receive a CBA for the match prior to approving the matching process. We have prepared CBAs for all matching processes where we are the recipient agency, and our DIB reviews the CBAs to make certain cost savings information is included prior to approving the subject agreement. Recommendation 3: Ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act. Response: We agree with regard to the DIB annual review. 
In light of the limited duration of CMPPA matches, and the certification and renewal process for matching agreements, we believe the biennial schedule for reporting to OMB provides the necessary assurances that we conduct matches in accordance with the terms and conditions of the matching agreement, and the programs are justified and viable in terms of costs and benefits. Accordingly, we defer to OMB with regard to the recommended annual reporting requirement. [End of section] Appendix VIII: GAO Contact and Staff Acknowledgments: GAO Contact: Gregory C. Wilshusen, (202) 512-6244 or wilshuseng@gao.gov: Staff Acknowledgments: In addition to the individuals named above, key contributions to this report were made by John de Ferrari (Assistant Director), Wilfred B. Holloway, Tammi N. Kalugdan, Lee A. McCracken, Mimi Nguyen, David F. Plocher, and Tina M. Torabi. [End of section] Footnotes: [1] The Treasury Do Not Pay Working System was developed to enable federal agencies to reduce improper payments by checking various databases before making payments or awards in order to identify ineligible recipients and prevent fraud or errors from being made. This effort was first required by a Presidential Memorandum issued on June 18, 2010, and was established in law as the Do Not Pay Initiative, by the Improper Payments Elimination and Recovery Improvements Act of 2012 (IPERIA, Pub. L. No. 112-248, Jan. 10, 2013). [2] Hearing on the Use of Data Matching to Improve Customer Service, Program Integrity, and Taxpayer Savings. Committee on Ways and Means, Subcommittee on Human Resources, U.S. House of Representatives, Mar. 4, 2011. [3] Hearing Advisory for the Hearing on the Use of Data Matching to Improve Customer Service, Program Integrity, and Taxpayer Savings. Committee on Ways and Means, Subcommittee on Human Resources, House of Representatives, Mar. 4, 2011. 
[4] Testimony of Elizabeth Lower Basch, Senior Policy Analyst at the Center for Law and Social Policy (CLASP), Hearing on the Use of Data Matching to Improve Customer Service, Program Integrity, and Taxpayer Savings. Committee on Ways and Means, Subcommittee on Human Resources, House of Representatives, Mar. 4, 2011. [5] Pub. L. No. 93-579 (Dec. 31, 1974); 5 U.S.C. 552a. [6] Sec. 208, Pub. L. No. 107-347 (Dec. 17, 2002). [7] Under the Privacy Act of 1974, the term "routine use" means (with respect to the disclosure of a record) the use of such a record for a purpose that is compatible with the purpose for which it was collected. 5 U.S.C. § 552a(a)(7) 5 U.S.C. 552a. [8] Computer Matching and Privacy Protection Act of 1988. Pub. L. No. 100-503. (Oct 18, 1988). [9] Computer Matching and Privacy Protection Act Amendments of 1989, Pub. L. No. 101-56 (July 19, 1989), and Computer Matching and Privacy Protection Amendments of 1990, sec. 7201, Pub. L. No. 101-508 (Nov. 5, 1990). [10] Sec. 402(a), Ticket to Work and Work Incentives Improvement Act of 1999, Pub. L. No. 106-170 (Dec. 17, 1999); 5 U.S.C. § 552a(a)(8)(B)(viii). [11] Sec. 6402(b)(2), Pub. L. No. 111-148 (Mar. 23, 2010); 5 U.S.C. § 552a(8)(B)(ix). [12] Sec. 5(e), Pub. L. No. 112-248 (Jan. 10, 2013). Under sec. 2(2) of IPERIA, the term "improper payments" means, in part, "any payment that should not have been made or that was made in an incorrect amount." [13] OMB, Protecting Privacy while Reducing Improper Payments with the Do Not Pay Initiative, M-13-20 (Aug. 16, 2013). [14] OMB, Privacy Act of 1974: Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988, 54 FR 25818 (June 19, 1989). [15] OMB, Proposed guidance, The Computer Matching and Privacy Protection Amendments of 1990 and the Privacy Act of 1974, 56 FR 18599 (Apr. 23, 1991). 
While the proposed 1991 guidance was never issued as a final guidance document, OMB has included it on its website as applicable Privacy Act computer matching guidance. [16] OMB, Guidance on Inter-Agency Sharing of Personal Data-Protecting Personal Privacy, M-01-05 (Dec. 20, 2000). [17] OMB, M-13-20. [18] OMB Circular No. A-130, Management of Federal Information Resources, Transmittal No. 4. For current provisions most directly relating to computer matching, see OMB Circular No. A-130, Appendix I, "Federal Agency Responsibilities for Maintaining Records about Individuals," [hyperlink, http://www.whitehouse.gov/omb/circulars_a130_a130appendix_i]. [19] OMB, M-01-05. [20] OMB, M-13-20. [21] Participation in computer matching programs involves both recipient agencies and source agencies. A recipient agency is one that receives information contained in a system of records from a source agency for use in a matching program. A source agency is one that discloses information contained in a system of records to be used in a matching program. These entities may be federal, state, or local government agencies as well as contractors for such agencies. [22] The act provides for the waiver of cost-benefit analyses in certain circumstances. Further, IPERIA states that CMAs for computer matching programs by agencies and OIGs that assist in the detection and prevention of improper payments are not required to contain a specific estimate of any associated savings, although a justification for the program and the anticipated results is still required. [23] GAO, Computer Matching: Assessing Its Costs and Benefits, [hyperlink, http://www.gao.gov/products/GAO/PEMD-87-2] (Washington, D.C.: Nov. 10, 1986). [24] [hyperlink, http://www.gao.gov/products/GAO/PEMD-87-2]. [25] In certain circumstances, such as when specified in statute, the cost-benefit analysis may not be required. [26] To perform online queries to verify records related to specific individuals. 
[27] Under the act, cost-benefit analyses are waived when statutorily required matches are first negotiated but required when such matches are renegotiated at a later date. [28] [hyperlink, http://www.gao.gov/products/GAO/PEMD-87-2] identified key elements of cost (personnel and computer costs) and benefits (avoidance of future improper payment and recovery of improper payments and debts). [29] OMB, Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs, Circular No. A-94 Revised (Oct. 29, 1992). This guidance is general guidance on cost-benefit analysis and not specific to computer matching programs. [30] [hyperlink, http://www.gao.gov/products/GAO/PEMD-87-2]. [31] DHS prepares an annual privacy report, as required by 6 U.S.C. 142, and includes a high-level summary of computer matching activities. [32] Appendix I of OMB Circular No. 130 (as reflected in 1993, 1996, and 2000 revisions), states that the act requires DIB reporting on computer matching activity every 2 years; however, this is inconsistent with the Computer Matching Act (specifically, 5 U.S.C. § 552a(u) and (s)), as amended by sec. 1301 of Pub. L. No. 105-362 (Nov. 10, 1998), and sec. 3003 of Pub. L. No. 104-66 (Dec. 21, 1995). [33] Under OMB's IPERIA guidance, computer matching programs associated with the Do Not Pay Working System and OIG matching activities that assist in the detection and prevention of improper payments may be renewed for up to 3 years. [34] On the basis of this concern the council has supported legislation before Congress to amend the Privacy Act to provide more flexibility to OIGs with regard to computer matching. See GAO, Highlights of a Forum: Data Analytics for Oversight and Law Enforcement, [hyperlink, http://www.gao.gov/products/GAO-13-680SP] (Washington, D.C.: July 15, 2013). [35] [hyperlink, http://www.gao.gov/products/GAO/PEMD-87-2]. 
[End of section] [End of document]