Download:
pdf |
pdfEXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON, D.C. 20503
Febmary 14, 2014
THE DIRECTOR
M-14-06
MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES
S~lvia Burw4~~~
FROM:
M.
Director
SUBJECT:
Guidance for Providing and Using Administrative Data for Statistical Purposes
This Administration continues to focus on improving how agencies leverage existing data
to facilitate agencies' programmatic work and enhance the value of those data to the American
public. These efforts are necessary, as information is a valuable national resource and a strategic
asset to the Federal Government, its partners, and the American public in promoting important
goals and targeting resources toward priorities ranging from expanding economic growth and
education to fostering scientific discovery and the very functioning of our democracy. As part of
the President's Management Agenda and Open Data efforts, the Administration continues to
seek ways to open up Federal data for private sector innovation and public use, while fully
respecting privacy and protecting confidentiality.
In addition, the Administration continues to focus on improving how agencies leverage
existing Federal data to facilitate their own programmatic work and better serve the American
public. In particular, high-quality and reliable statistics provide the foundation for the research,
evaluation, and analysis that help the Federal Government understand how public needs are
changing, how well Federal policy and programs are addressing those needs, and where greater
progress can be achieved.
In many cases, the Federal Government has the opportunity to create such statistical
information more efficiently through greater use of information that the Federal Government has
already collected for programmatic and regulatory purposes, often called "administrative data."
The goal of this Memorandum is to help both program and statistical agencies and components
(including evaluation and analysis units) use administrative data more fully in a manner that
respects privacy and protects confidentiality. Specifically, this guidance will help program
agencies manage their administrative data with statistical purposes in mind.
The increased use of administrative data for statistical purposes can generate a range of
benefits. Most notably, individuals, businesses, and institutions will benefit through agencies'
use of existing information that would otherwise need to be collected from them again through
costly and duplicative surveys. Fmihe1more, agencies will benefit from relying on more
consistent policies and tools to create a more routine, efficient, and integral role for
administrative data in their statistical programs. Finally, the increased use of administrative data
will enhance agencies' ability to build evidence on which to evaluate the effectiveness of their
programs and policies.
Some administrative data can be publicly released, whereas other administrative data
cannot be released. While it is the case that both types of administrative data (public and non
public) can be useful for Federal statistical purposes, this Memorandum focuses primarily on
those administrative data that cannot be made publicly available due to statutory, regulatory, or
policy protections. In working with agencies over the past several years, the Office of
Management and Budget (OMB) has noted that agencies sometimes do not make full,
appropriate use of non-public administrative data for statistical purposes, because they perceive
the requirements and protections that apply to non-public data as being complicated and
burdensome to navigate.
To encourage the greater use of administrative data for statistical purposes, this
Memorandum provides agencies with guidance for addressing the legal, policy, and operational
issues that exist with respect to using administrative data for statistical purposes. This guidance
builds on three previously issued OMB memoranda designed to increase the value of existing
data: Sharing Data While Protecting Privacy (M-11-02 ofNovember 3, 2010), Open Data
Policy-Managing Information as an Asset (M-13-13 of May 9, 2013), and Next Steps in the
Evidence and Innovation Agenda (M-13-17 of July 26, 2013). In particular, this Memorandum
builds on the :fi·amework that OMB established in the Open Data Policy "to help institutionalize
the principles of effective information management at each stage of the information's life cycle
to promote interoperability and openness."
This Memorandum (and its more detailed guidance in the Attachment) has four elements.
First, the Memorandum calls for departmental and agency leadership to: (i) foster greater
collaboration between program and statistical offices; (ii) develop strong data stewardship
policies and practices around the statistical use of administrative data; (iii) require the
documentation of quality control measures and key attributes of important administrative
datasets; and (iv) require the designation of responsibilities and practices through the use of
agreements amongst these offices.
Second, the Memorandum encourages Federal departments and agencies to promote the
use of administrative data for statistical purposes and provides guidance in addressing legal and
policy requirements for such uses, including the need to continue to fully protect the privacy and
confidentiality afforded to the individuals, businesses, and institutions providing the data.
Third, the Memorandum also provides some "best practice" tools, including detailed
guidance on the interaction of the Privacy Act requirements and the use of administrative data
for statistical purposes, as well as a model interagency agreement for departments and agencies
to follow when developing their policies and practices for sharing data for statistical purposes to
another department or agency.
Lastly, to monitor progress and identify any barriers to moving forward, the
Memorandum requires each department/agency to report to OMB, within 120 days of the date of
2
this Memorandum, on its progress in implementing this Memorandum. This reporting
requirement applies to the 15 departments and to those other agencies that had a staffing level, as
of the beginning ofFY14, of more than 50 FTEs.
Agencies with questions about this Memorandum or about ways to improve performance
through providing and using data for statistical purposes may contact OMB at
[email protected].
Attachment
3
Attachment
This attachment provides definitions and implementation guidance for M-14-06,
Guidance for Providing and Using Administrative Data for Statistical Purposes.
I.
Purpose
This Memorandum builds on the goals of three previously issued Office of Management
and Budget (OMB) memoranda designed to increase the value of existing data: Sharing Data
While Protecting Privacy (M-11-02), Open Data Policy—Managing Information as an Asset (M13-13), and Next Steps in the Evidence and Innovation Agenda (M-13-17). As stressed in M-1313, information is a valuable national resource and a strategic asset to the Federal Government,
its partners, and the American public in promoting important goals and targeting resources
toward priorities ranging from economic growth and education to scientific discovery and the
very functioning of our democracy. In particular, high-quality and reliable statistics provide the
foundation for the research, evaluation, and analysis that help the Federal Government
understand how public needs are changing, where greater progress is needed, and how well
Federal policy and programs are addressing those needs. In many cases, the Federal Government
has the opportunity to create such statistical information more efficiently through greater use of
Federal information already collected for programmatic and regulatory purposes, often called
administrative data.1
Notably, M-13-13 also “establishes a framework to help institutionalize the principles of
effective information management at each stage of the information’s life cycle to promote
interoperability and openness.” Furthermore, it creates “a presumption in favor of openness to
the extent permitted by law and subject to privacy, confidentiality, security, or other valid
restrictions.” Within this existing framework, this Memorandum establishes responsibilities of
Federal departments and agencies for promoting the use of administrative data for statistical
purposes2 and provides guidance in addressing legal and policy requirements for such uses,
including the need to continue to fully protect the privacy and confidentiality afforded to the
individuals, businesses, and institutions providing the data. Managing administrative data with
statistical purposes in mind will reduce burden on the public by making use of information about
individuals, businesses, and institutions that would otherwise need to be collected through
surveys or would simply be unobtainable from surveys within an acceptable level of burden or
accuracy.
“Administrative data,” for purposes of this Memorandum, refers to administrative, regulatory, law enforcement,
adjudicatory, financial, or other data held by agencies and offices of the government or their contractors or grantees
(including States or other units of government) and collected for other than statistical purposes. Administrative data
are typically collected to carry out the basic administration of a program, such as processing benefit applications or
tracking services received. These data relate to individuals, businesses, and other institutions.
2
“Statistical purpose,” for purposes of this Memorandum, refers to “the description, estimation, or analysis of the
characteristics of groups, without identifying the individuals or organizations that comprise such groups,” (PL-107347, Title V—Confidential Information Protection and Statistical Efficiency Act (CIPSEA), Section 502 (9)(A)).
Statistical purposes exclude “any administrative, regulatory, law enforcement, adjudicatory, or other purpose that
affects the rights, privileges, or benefits of a particular identifiable respondent” (PL-107-347, Title V—CIPSEA,
Section 502 (5)(A)).
1
4
II.
Summary of Requirements3
To help agencies find solutions that allow data sharing to move forward in a manner that
complies with applicable privacy laws, regulations, and policies, OMB is calling on agencies to
complete the following:
1. Heads of departments shall identify effective internal mechanisms to communicate the
importance of identifying those administrative datasets with potential for statistical use.
They shall establish an ongoing process for program and statistical agencies and
components to collaboratively identify such datasets.
2. Program and statistical agencies and components shall adhere to the data stewardship
principles outlined in this Memorandum to maintain public trust in their ability to
appropriately and responsibly handle information in identifiable form. They shall also
work closely with privacy officials and general counsel whenever data are shared to
ensure that privacy and confidentiality are fully protected.
3. As part of M-13-13’s requirement to manage information throughout its life cycle for
interoperability and openness, program agencies shall consider statistical agencies and
components as potential data stakeholders. In that subset of cases where datasets are
identified as likely useful for statistical purposes, program agencies should provide the
technical documentation or other assistance that statistical agencies or components
require to adequately assess the quality of a particular dataset. Statistical agencies and
components should use such information to make a preliminary assessment of the quality
of administrative data prior to obtaining or using it. For datasets that appear useful and
are obtained, statistical agencies and components will need to more thoroughly assess
quality after receipt.
4. Program and statistical agencies shall use interagency agreements (IAAs) or other similar
tools to document terms and conditions governing data access and use when program
agencies provide data that are not publicly available to statistical agencies or components.
5. Program and statistical agencies must continue to meet their legal responsibilities for
protecting privacy as described in this Memorandum.
6. Heads of departments shall report, as explained in the “Reporting Requirement” section
below, on progress and any identified barriers to providing and using administrative data
for statistical purposes to OMB within 120 days of the date of this Memorandum.
3
For a more complete discussion of requirements 1 to 4, please refer to Section V,. Policy on Managing and Using
Administrative Data for Statistical Purposes. Item 5 is elaborated in Section VII., Legal Responsibilities for
Protecting Privacy. Item 6 is elaborated in Section VIII., Reporting Requirement.
5
III.
Scope
The goal of this Memorandum is to help both program and statistical agencies and
components leverage administrative data more fully for statistical purposes, to the mutual benefit
of both, as well as the American public. While both public and non-public government
information might be useful for Federal statistical purposes, this Memorandum focuses primarily
on those administrative data that cannot be made publicly available due to statutory, regulatory,
or policy protections.4 The unique requirements and protections associated with non-public data
mean that Federal departments and agencies may particularly benefit from guidance on effective
and efficient administrative data management. Statistical activities, for purposes of this
Memorandum, include activities typically characterized as research, evaluation, and analysis, as
long as the focus of those activities is on reporting aggregate findings about a group.5 Such
activities are integral to evidence building in support of broad policy and specific program
research, evaluation, and analysis.
For purposes of this Memorandum and the specific responsibilities therein, all
organizational units of departments and agencies, such as bureaus, offices, and centers are
classified as belonging to one of three distinct groups: (i) statistical agencies;6 (ii) agency
components performing statistical activities, typically as part of policy- or program-related
research, analysis or evaluation (hereinafter referred to as “components”7); or (iii) program
agencies.8 This Memorandum applies to all three, with the goal of helping statistical agencies
4
Agencies should continue to follow standard Executive Branch procedures for handling requests from the public
for government information, such as those made under the Freedom of Information Act (FOIA), including
consultation with their General Counsel or Freedom of Information Act (FOIA) Offices.
5
“Statistical activities,” for purposes of this Memorandum,“(A) means the collection, compilation, processing, or
analysis of data for the purpose of describing or making estimates concerning the whole, or relevant groups or
components within, the economy, society, or the natural environment; and (B) includes the development of methods
or resources that support those activities, such as measurement methods, models, statistical classifications, or
sampling frames” (PL-107-347, Title V—CIPSEA, Section 502 (7)).
6
“Statistical agency” refers to “an agency or organizational unit of the executive branch whose activities are
predominantly the collection, compilation, processing, or analysis of information for statistical purposes” (PL-107347, Title V—CIPSEA, Section 502 (8). The statistical agencies within the executive branch of the Federal
Government are: the Bureau of Economic Analysis; the Bureau of Justice Statistics; the Bureau of Labor Statistics;
the Bureau of Transportation Statistics; the Census Bureau; the Economic Research Service; the Energy Information
Administration; the National Agricultural Statistics Service; the National Center for Education Statistics; the
National Center for Health Statistics; the National Center for Science and Engineering Statistics; the Office of
Research, Evaluation, and Statistics at SSA; and Statistics of Income at IRS. In addition, “OMB shall determine
whether an agency or unit can be considered a statistical agency . . . for purposes of CIPSEA. . . . Other agencies . . .
that wish to be recognized as statistical agencies . . . for purposes of CIPSEA must send a request to the Chief
Statistician at OMB.” (See CIPSEA Implementation Guidance.)
7
“Statistical component,” for purposes of this Memorandum, refers to units conducting statistical activities within a
program agency and is designed to include a broader set of organizations than statistical agencies. For example, the
Office of Planning, Research & Evaluation within the Administration for Children and Families (ACF) at the
Department of Health and Human Services performs statistical activities as part of evaluating ACF programs.
8
“Program agency,” for purposes of this Memorandum, refers to an agency or unit, typically within the
organizational structure of a Federal department, that administers, or helps to administer, a Federal program within
which a determination about the rights, benefits, or privileges of individuals, businesses, or institutions is made,
6
and components leverage administrative data more fully for statistical purposes—to the mutual
benefit of both statistical agencies and components and program agencies. Some support offices,
such as offices of general counsel and privacy offices, may not fit into any of the three categories
listed above and would likely not manage administrative data of potential utility for statistical
purposes. As a result, this Memorandum may not apply directly to their data management
activities but provides guidance in how they should support data provision by program agencies
that collect administrative data to statistical agencies and components. Independent agencies are
requested to adhere to this guidance.
Some agencies already have a strong history of managing administrative data in ways
that support statistical uses—facilitating improved stewardship of taxpayer dollars by increasing
the efficiency of statistical programs and reducing paperwork burdens on the American public.
In some cases, agencies even have well established procedures and tools. All agencies, however,
can do more to embrace or enhance these efficiencies. This Memorandum does not require
replacing effective existing practices and tools with new ones; rather, it is designed to promote
the adoption and spread of such effective practices and tools.
IV.
Background
Identifying and providing statistical agencies or components with access to administrative
data for statistical purposes can improve the effectiveness of program agency budget and
management decisions. Such data are useful not only as an input to official statistics, but also in
support of statistical activities that are part of program-specific research, evaluation, or analysis.
The ability to combine administrative datasets with each other or with survey data offers
significant potential to answer important questions that neither type of data can answer alone—
questions whose answers may be particularly applicable to program agencies seeking to increase
program efficiency and efficacy. Administrative data from program agencies can reduce survey
respondent burden and support statistical activities such as building sampling frames, imputing
missing information, and supplementing content of household or establishment questionnaires.
They can also form the basis for comparing participant and non-participant outcomes or for
comparing program implementation approaches. For example:
Linking veteran health and disability status data to labor market data could be used to
determine strategies for targeting and tailoring more effective interventions to improve
veteran employment outcomes and enhance self-sufficiency.
Combining crime reports with information about local crime prevention and policing
policies could shed light on program effectiveness. These reports could then be used to
improve crime prevention strategies.
Such uses typically involve matching or linking an administrative dataset, based on
identifiable information, to a survey or another administrative dataset. This matching makes it
including those agencies with regulatory or law enforcement responsibilities. These agencies may include, for
example, finance offices within agencies.
7
possible to associate characteristics or outcomes in one file to specific individuals in the other
file, allowing the calculation of statistics about groups and subgroups.
Such activity is consistent with one of the principal objectives of the Paperwork
Reduction Act (PRA), to minimize the burden associated with collection of information by or for
the Federal Government. The PRA authorizes the Director of OMB to “direct an agency to make
available to another agency, or an agency may make available to another agency, information
obtained by a collection of information if the disclosure is not inconsistent with applicable law”9
in order to avoid duplicative reporting of information by the public.
These specific benefits of using administrative data for statistical purposes have been
recognized for decades. Dating back to 1977, the Report to the President from the Privacy
Protection Study Commission recognizes the enormous societal benefits of providing
administrative data for statistical purposes. It sets forth an approach for doing so in accordance
with the Privacy Act of 1974,10 through “functional separation” of statistical and administrative
uses.11 The 1977 Report of the Commission on Federal Paperwork (also discussed in OMB’s
Implementation Guidance for Title V of the E-Government Act, Confidential Information
Protection and Statistical Efficiency Act of 2002 (CIPSEA)) likewise recognizes these benefits
and endorses the concept of functional separation between statistical and administrative uses of
administrative data when it states that data “collected for administrative or regulatory purposes
must be made available for statistical use, with appropriate confidentiality and security
safeguards, when assurances are given that the information will be used solely for statistical
purposes.”12
Despite this history, many agencies continue to face challenges in navigating legal,
policy, and operational requirements to provide access to administrative data for statistical
purposes. Determining and ensuring an acceptable level of data quality for statistical uses
presents additional barriers. Following the policies and practices described in this Memorandum
will help both program agencies and statistical agencies and components enjoy the benefits of
increased efficiency and effectiveness in their work.
9
44 U.S.C. §3510.
5 U.S.C. §552a.
11
“Functional separation” is defined as “separating the use of information about an individual for a research or
statistical purpose from its use in arriving at an administrative or other decision about that individual.” See Chapter
15, The Relationship Between Citizen and Government: The Citizen As Participant in Research and Statistical
Studies, Personal Privacy in an Information Society: The Report of the Privacy Protection Study Commission,
1977.
12
See Statistics—A Report of the Commission on Federal Paperwork, p. 128, October 1977.
10
8
V.
Policy on Managing and Using Administrative Data for Statistical Purposes
The policy set forth in this Memorandum is designed to help agencies overcome barriers
to statistical uses of administrative data. The policy includes: (1) fostering collaboration across
program agencies and statistical agencies and components, (2) implementing data stewardship
policies and practices that anticipate statistical uses of program data, (3) creating and making
available for statistical agencies and components well-documented information on quality
control measures and key attributes of the data, and (4) creating IAAs to designate
responsibilities and practices between the program agencies and agencies serving statistical
purposes. Following these four policy recommendations will facilitate agencies’ responses as
described in the “Reporting Requirement” section later in this Memorandum.
1.
Collaboration across Program Agencies and Statistical Agencies and Components
Heads of departments and agencies shall identify effective internal mechanisms to
communicate the importance of identifying those administrative datasets with great potential for
statistical use. They also should establish a process that encourages the discovery of
opportunities for, and subsequent implementation of, collaboration and communication between
program agencies and statistical agencies and components.
For example, a departmental policy Memorandum could be used to emphasize the
importance of identifying and using administrative datasets for statistical purposes and to
announce the department’s process. Departments are encouraged to rely on existing processes
when feasible but may find opportunities to improve them. Statistical agencies can serve as
strong partners to heads of departments and other agencies and components in these efforts, such
as by helping to identify and communicate specific benefits to departmental leadership and
program agencies.13 Statistical agencies have a strong motivation to help define or support any
new process. They will also be particularly well positioned to help identify and communicate
not only their own needs but those of statistical agencies within other departments, such as the
Census Bureau, given that the heads of those agencies are members of the Interagency Council
on Statistical Policy (ICSP). The ICSP, a committee established by statute, advises and assists
OMB in coordinating the Federal statistical system.14 In cases where there is no statistical
agency within a department or agency, the department head should identify an internal contact,
such as a statistical component, through which other departments’ statistical components and
statistical agencies can engage program agency contacts efficiently and effectively.
Program and statistical agencies and components engaged in this process should use the
enterprise dataset inventory building process required under M-13-1315 as an opportunity to work
together to identify existing and planned administrative datasets with potential statistical value.
While not exhaustive, some agencies have found already available listings of information
13
The statistical agencies are listed in footnote 6.
44 U.S.C. §3504 (e)(8).
15
M-13-13 requires agencies to create an enterprise inventory of all datasets, including data associated with
administrative, research, and statistical activities.
14
9
collection requests under the PRA and lists of Privacy Act system of records notices (SORNs)16
helpful in their enterprise data inventory building efforts. Both types of documents are important
sources of information about the content of these administrative data assets.
This process also should include identifying and addressing legal and policy barriers to
providing and using administrative data for statistical purposes, and should involve general
counsel and senior privacy officials. As explained in the “Reporting Requirement” section
below, department heads shall report to OMB on the status and results of these efforts to foster
collaboration and increase access to administrative data for statistical purposes.
2.
Data Stewardship Practices
Program and statistical agencies and components should adhere to the data stewardship
principles outlined in this Memorandum in order to maintain public trust in their ability to
appropriately handle identifiable information. They also should work closely with privacy
officials and offices of general counsel to ensure that privacy and confidentiality are fully
protected whenever data are shared.
Statistical uses of data differ fundamentally from administrative uses because, by
definition, statistical records are not used to make determinations regarding the rights, benefits,
and privileges of an individual.17 Nonetheless, since programmatic data often have statutory or
policy requirements for the protection of identifiable information, a critical aspect of managing
such data as a resource for statistical purposes is to formulate and implement data stewardship
policies and practices that anticipate statistical uses in addition to program uses. Such policies
and practices can enhance privacy and confidentiality protections.
The Fair Information Practice Principles (FIPPs)18 provide a framework for such policies
and practices. In brief, these principles are transparency, individual participation,19 purpose
16
See 5 U.S.C. §552a(e)(4); see also Federal Register, Vol. 40, No. 132 (Privacy Act Implementation Guidelines
and Responsibilities), page 28961.
17
“[T]he term ‘statistical record,’” for example, “means a record in a system of records maintained for statistical
research or reporting purposes only and not used in whole or in part in making any determination about an
identifiable individual, except as provided by section 8 of title 13” (5 U.S.C. §552a(a)(6)). “The term ‘identifiable
individual’ is used to distinguish determinations about specific individuals from determinations about aggregates of
individuals as, for example, census data are used to apportion funds on the basis of population.” (See OMB Privacy
Act Implementation: Guidelines and Responsibilities (July 9, 1975).
18
The White House National Strategy for Trusted Identities in Cyberspace (April 2011) describes the Fair
Information Practice Principles. “Rooted in the United States Department of Health, Education and Welfare’s
seminal 1973 report, ‘Records, Computers and the Rights of Citizens’ (1973), these principles are at the core of the
Privacy Act of 1974 and are mirrored in the laws of many U.S. states, as well as in those of many foreign nations
and international organizations. A number of private and not-for-profit organizations have also incorporated these
principles into their privacy policies” (45).
19
While the Privacy Act allows an individual to gain access to and amend his or her records, statistical records, as
defined in the Privacy Act, may be exempted if the records are required by statute to be maintained and used solely
as statistical records and the head of the agency promulgates a rule to exempt the system of records from the
relevant provisions of the law. See 5 U.S.C. §552a(k)(4).
10
specification, data minimization, use limitation, data quality and integrity, security, and
accountability and auditing.
In the context of providing administrative data for statistical purposes, both program
agencies and statistical components facilitate these principles by, among other things:
1. Respecting the public’s time and effort by minimizing the number of times they are asked
to provide the same or similar information.
2. Being transparent by providing adequate notice about the planned purpose and potential
statistical uses of administrative data (such as in SORNs and Privacy Act statements).
3. Collaborating to define which data are needed for specified statistical purposes and
providing access only to those data for those purposes, and only to those who have a need
for the data in the performance of their duties. Identifiable information should be
provided only if the need cannot be met by relying on non-identifiable information, and
even then, only relevant subsets should be provided.
4. Protecting data provided to the statistical agency or component against unauthorized
access and disclosure. And once the data are provided to the statistical agency or
component, providing the level of confidentiality protection in policy and practice
necessary to ensure that the data, particularly if linked to other data, are not provided
from the statistical agency or component back to the program agency for non-statistical
purposes.20
5. Implementing a set of policy and procedural safeguards, including the use of a written
agreement, to certify the procedural safeguards that are employed to implement
assurances of exclusively statistical uses and confidentiality. Such safeguards include
applying sufficient expertise in statistical disclosure avoidance in final products in order
to maintain confidentiality, taking into account risks posed by external influences such as
the mosaic effect.21
6. Eliminating the identifiable information when the data are no longer needed or timely.22
20
Under CIPSEA, maintenance of functional separation for confidentiality protection is imperative. When data,
whether collected through surveys, interviews, administrative records, or any other means, are provided to a
statistical agency as defined by CIPSEA under a pledge of confidentiality, the data will be protected under this
statute, just as individual data reported to the statistical agency are (see CIPSEA Implementation Guidance I.F.).Data
provided to all agencies may be protected by the Privacy Act of 1974 and other relevant statutes.
21
“The mosaic effect occurs when the information in an individual dataset, in isolation, may not pose a risk of
identifying an individual (or threatening some other important interest such as security), but when combined with
other available information, could pose such risk. Before disclosing potential PII or other potentially sensitive
information, agencies must consider other publicly available data—in any medium and from any source—to
determine whether some combination of existing data and the data intended to be publicly released could allow for
the identification of an individual or pose another security concern.” See M-13-13.
22
Agencies should eliminate data consistent with records schedules managed by their internal records offices. Any
Federal records elimination must be in accordance with procedures described in 44 U.S.C. Chapter 33.
11
Adhering to these principles is as important to statistical agencies and components as it is
to program agencies because the public must be able to trust agencies’ ability to handle and
protect identifiable information.
Program agencies will be chiefly responsible for ensuring that statistical purposes and
uses are described in initial or, as appropriate, revised SORNs or Privacy Act Statements (see
Appendix A for more detail), for ensuring safe transmission of data to statistical agencies or
components, and for helping statistical agencies or components to understand any unique
statutory or other requirements pertaining to specific datasets. In so doing, they should consult
with their general counsel and privacy officials.
Statistical agencies and components should have in place demonstrable policies and
procedures to support functional separation; ensure that administrative data received from the
program agency are used solely for statistical purposes; and ensure that data are accessed only by
those who have a need for the data in the performance of their duties. Statistical components
should also demonstrate that they have statutory, policy, regulatory, and/or policy protections at
least as stringent as those that the program agency uses to protect the data. For statistical
agencies as defined under the Confidential Information Protection and Statistical Efficiency Act
(CIPSEA), legal protections for administrative data acquired for exclusively statistical purposes
under a pledge of confidentiality are inherent in statute and specified in the CIPSEA
Implementation Guidance.
3.
Documentation on Data Quality
As part of M-13-13’s requirement to manage information throughout its life cycle for
interoperability and openness, program agencies should consider statistical agencies and
components as potential data stakeholders. Further, in those limited cases where datasets are
identified as of potentially high value for statistical purposes, program agencies should provide
the technical documentation or other assistance that statistical agencies or components require
to adequately assess the quality of a particular dataset. Statistical agencies and components
should initially assess the quality of an administrative dataset prior to obtaining or using it. For
datasets that appear useful and are obtained, statistical agencies and components will need to
more thoroughly assess quality after receipt.
The information life cycle of administrative datasets should be managed to benefit both
program and statistical activities, when feasible and appropriate. Consistent with the
requirements and practices described in M-13-13, program agencies should manage those
datasets identified as of high potential utility for statistical purposes to be accessible and of
sufficient quality. They can do so most efficiently and effectively by integrating these
considerations into data collection and management for programmatic purposes, rather than
treating them as separate or after-the-fact considerations. This includes, for example, collecting
and retaining data items that would facilitate evaluation and analysis of the data.
In addition, using program data for statistical purposes always requires an evaluation of
the match between the quality of the dataset and the specific statistical use to which it will be
12
put. Once potentially valuable administrative datasets are identified, the statistical agency or
component will need to assess data quality for the specific statistical use envisioned, and should
do so through a standardized approach, such as by using the tool developed by the Federal
Committee on Statistical Methodology or a similar tool that considers all aspects of quality from
a statistical perspective.23 For those identified datasets, program agencies will usually need to
provide technical documentation to complete such an assessment; such information may already
exist for agencies that are exceeding the minimum metadata requirements of OMB Memorandum
M-13-13.
Consistent with OMB’s Government-wide Information Quality Standards,24 statistical
agencies’ and components’ evaluations of quality should specifically consider the purpose of the
planned use, frequently referred to as assessing “fitness for use.” Considerations include
understanding the purpose, collection methods, timeliness, periodicity, completeness, and other
aspects of quality of the administrative data as well as the level of quality required for the
intended statistical purpose.25 Data of sufficient quality for program administration may or may
not be sufficient for statistical purposes; this distinction does not imply that the administrative
data are of poor quality, only that they may not be well-suited for the desired statistical purpose.
Sometimes program agencies will be able to make the data more useful, particularly over time,
by providing additional documentation or making minor changes to the program data they collect
and maintain. Other times, the agencies may conclude that the data will not be useful even with
such efforts.
4.
Interagency Agreements
Program and statistical agencies should use interagency agreements (IAAs) or other
similar tools to document terms and conditions when a program agency provides data that are
not publicly available to statistical agencies or components.
An IAA provides an effective vehicle to document both the legal authority for disclosing
or providing data and the applicable data stewardship policies and practices that will protect data
provided by the program agency for statistical purposes. It also provides an effective way to
describe such important topics as planned methods for file transfers and documentation routines.
To facilitate more timely development and execution of sound IAAs, Appendix B provides
guidance on the format and content that agencies can use. Individual agencies will need to seek
the advice of their counsel before signing IAAs to assure that they are legally sufficient from the
agency’s perspective.
23
See Data Quality Assessment Tool for Administrative Data, by a working group of the Federal Committee on
Statistical Methodology.
24
See Agency Information Quality Guidelines for further information.
25
Ibid.
13
VI.
Legal Authorization
The authority to provide data for statistical purposes can be explicit or implicit in the
authorizing statute. Provision of administrative data for statistical purposes can be authorized
through different types of legal authorities, including agency-specific authorities (such as U.S.
Code Title 13, the Census Code or U.S. Code Title 26, the Internal Revenue Code), which
provide authority to obtain, disclose, and protect data. For example, the Internal Revenue
Service is explicitly authorized to furnish certain information to specified agencies for statistical
purposes in its authorizing statute.26
Furthermore, statistical uses of data typically inform the context, policies, and operations
of the same programs authorized by a given statute. As such, the absence of specific express
authority to provide administrative data for statistical purposes does not necessarily prohibit the
agency from providing data to another agency or component. In those cases, the agencies’
general statutory authority can grant sufficient authorization to provide administrative data to
other Federal agencies for statistical purposes. For example, the Social Security Administration
provides data for statistical purposes consistent with its authorizing statute and implementing
regulations.27 To make this determination, agencies should consult with their general counsel
and senior privacy officials.
Furthermore, agencies should keep in mind that in these cases where agencies’ general
statutory authority provides such authorization, the procedural requirements of the Privacy Act
and other relevant statutes continue to apply.
VII.
Legal Responsibilities for Protecting Privacy
While most administrative datasets contain identifiable information, when those data are
about an individual, the Privacy Act is an essential consideration. The Privacy Act is designed to
protect individual privacy by, for example, ensuring appropriate limits on the collection, use,
maintenance, and dissemination of information about individuals maintained by an agency. The
Privacy Act prohibits agencies from disclosing information in a “system of records,”28 as defined
in the statute, without the prior written consent of the individual to whom the information
pertains. However, the statute provides a limited number of exceptions to this general rule. Four
of the exceptions may be relevant to efforts to provide data for statistical purposes, one
permitting intra-departmental29 disclosure and use, and three permitting certain interdepartmental disclosures of data:
See 26 U.S.C. §6103(j), “Statistical use.”
See 42 U.S.C. §1306(a); and 20 C.F.R. §401.165
28
A “record,” according to the Privacy Act, refers to “any item, collection, or grouping of information about an
individual that is maintained by an agency, including, but not limited to, his education, financial transactions,
medical history, and criminal or employment history and that contains his name, or the identifying number, symbol,
or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.” See 5
U.S.C. §552a(4).
29
"Agency" as defined in the Privacy Act and at 5 U.S.C. §552(f), "includes any executive department, military
department, Government corporation, Government controlled corporation, or other establishment in the executive
branch of the Government (including the Executive Office of the President), or any independent regulatory agency."
26
27
14
1. “[T]o those officers and employees of the agency which maintains the record who have a
need for the record in the performance of their duties.”30
In some cases, agencies may be able to engage in an intra-agency disclosure of data for
statistical purposes if there is a valid “need to know.”31
2. For a “routine use,”32 as defined in the Privacy Act.
This exception may apply when the information will be used for a purpose which is
compatible with and related to the purpose for which the information was collected.33
3. “[T]o the Bureau of the Census for purposes of planning or carrying out a census or
survey or related activity pursuant to the provisions of title 13.”34
4. “[T]o a recipient who has provided the agency with advance adequate written assurance
that the record will be used solely as a statistical research or reporting record, and the
record is to be transferred in a form that is not individually identifiable.”35
This is limited to use for statistical research, and applies only to non-identifiable
information. That exception, while valuable, may not permit the disclosure of
information that could be linked with other data for statistical uses.
Moreover, the Privacy Act also provides an exception from the matching requirements
specified in the Act for “matches performed to produce aggregate statistical data without any
personal identifiers” and those “performed to support any research or statistical project, the
specific data of which may not be used to make decisions concerning the rights, benefits, or
privileges of specific individuals.”36 OMB’s 1975 Privacy Act Implementation Guidelines and
Responsibilities further distinguishes statistical records, “which by definition are ‘not used in
whole or in part, in making a determination about an individual,’” from “virtually any other
record.” The guidance states that only non-statistical records need to be “obtained directly from
“Department,” for the purposes of this Memorandum, is used to more clearly differentiate between the parent
agency (typically a department) and those program and statistical agencies within it.
30
See 5 U.S.C. §552a(b)(1).
31
According to the 1975 Privacy Act Implementation Guidelines and Responsibilities, “Minimally, the recipient
officer or employee must have an official ‘need to know’ . . . [and] the use should be generally related to the purpose
for which the record is maintained.” See Federal Register, Vol. 40, No. 132 (Privacy Act Implementation Guidelines
and Responsibilities), page 28954.
32
"[T]he term ‘routine use’ means, with respect to the disclosure of a record, the use of such record for a purpose
which is compatible with the purpose for which it was collected.” See 5 U.S.C. §552a(a)(7).
33
Please refer to Appendix A for further detail on the routine use exception.
34
See 5 U.S.C. §552a(b)(4).
35
See 5 U.S.C. §552a(b)(5).
36
See 5 U.S.C. §552a(a)(8)(B)(i)-(ii).
15
the individual whenever practicable,”37 which implies that statistical records may be obtained
indirectly from already collected administrative data. (Further information about how the
Privacy Act applies to providing information for statistical purposes is provided in Appendix A.)
Beyond the Privacy Act, agencies must comply with agency-specific and other statutes,
regulations, interagency agreements, and other requirements that may limit or prohibit disclosure
of certain records in providing administrative data for statistical purposes.
VIII. Reporting Requirement
The goal of this Memorandum is to help both program and statistical agencies and
components leverage administrative data more fully for statistical purposes, to the mutual benefit
of both program agencies and statistical agencies and components. It will thereby promote
burden reduction through the efficient use of information previously collected by Federal
agencies while maintaining appropriate privacy and confidentiality protections.
Based on the definitions, policies, and guidance in this Memorandum, departments and
agencies are required to provide an initial report to the Chief Statistician, Office of Information
and Regulatory Affairs (OIRA) by June 30, 2014, using the electronic mail address provided
below. This reporting requirement applies to the 15 departments (the department shall submit a
single report to OMB on behalf of all of its agencies and offices) and to those other agencies that
had a staffing level, as of the beginning of FY14, of more than 50 FTEs. The status report shall
provide a description of both processes established or adapted in response to this Memorandum
and substantive findings to date, specifically:
Processes established or adapted:
1. A copy of the department head’s communication with staff on the importance of
promoting the use of administrative data for statistical purposes;
2. The process by which program and statistical agencies and components are convening to
review administrative datasets of potential statistical value; and
3. Identification of the offices or functional areas that are participating in that process.
Substantive findings to date:
4. Three datasets—whether within or outside of the department—identified through the
above process as of highest potential statistical value, as well as:
The statistical agency or component(s) that would like access to the datasets; and
A brief description of the analyses these datasets would allow statistical agencies
and components to complete and the value of these analyses to government and
the public.
37
See Federal Register, Vol. 40, No. 132 (Privacy Act Implementation Guidelines and Responsibilities), page
28961.
16
5. The status of requests related to the statistical use of these three datasets, which could
include:
Data identified; request in process but not yet submitted;
Data provision anticipated and estimated timeframe for provision;
Data not provided; access does not seem possible due to critical barriers to data
provision for statistical purposes
Please specify the reasons the request cannot be fulfilled (critical barriers
could include policy, statutory, or related impediments causing significant
delays to data provision); and
All high-value data identified already provided.
These reports will help OMB to better understand common barriers to administrative data
provision for statistical purposes. This understanding will, in turn, inform the need for future
guidance, technical assistance, or other support to enhance program and statistical agencies’ and
components’ use of administrative data for statistical purposes toward increased operational
efficiency and decreased information collection burden.
OMB may request supplemental reports from agencies after the initial reporting deadline.
Please submit these reports to OMB at [email protected]. Any
questions regarding this Memorandum can also be directed to OMB at this email address.
Appendices:
1. Appendix A: Further Guidance on Privacy Act Requirements Related to the Provision of
Administrative Data for Statistical Purposes
2. Appendix B: Model Agreement for the Provision of Administrative Records for
Statistical Purposes
17
Appendix A: Further Guidance on Privacy Act Requirements Related to the Provision of
Administrative Data for Statistical Purposes
When collecting identifiable information, agencies must adhere to all applicable
requirements in the Paperwork Reduction Act (PRA)38, the Privacy Act of 1974, and other
applicable laws. This appendix describes some of the requirements regarding the need for
Privacy Act statements and system of records notices (SORNs) when providing and using
administrative data about individual persons for statistical purposes. It also provides additional
guidance on the Privacy Act’s routine use exception, one of four that may be applicable when
providing data for statistical purposes mentioned in the Legal Responsibilities for Protecting
Privacy section of this Memorandum.
The Privacy Act requires agencies to provide certain information to individuals who are
asked to supply information that will become part of a system of records. Specifically, agencies
must describe the authority for the collection, whether the disclosure of the information is
mandatory or voluntary, the principal purpose or purposes for which the information is intended
to be used, and any routine uses to which the information may be subject.39 These details must
be provided in understandable language in a Privacy Act statement on the form used to collect
the information or a separate form that can be retained by the individual.
In addition to Privacy Act statements, the statute and OMB implementation guidance also
require agencies to publish a SORN in the Federal Register that informs the public of the
existence and character of any new or significantly modified system of records.40 As described
in the Privacy Act at 5 U.S.C. §552a(e)(4), a SORN provides greater detail about the nature of
the system of records and the rules to which it will be subject. For example, agencies must
describe each routine use of the records contained in the system, including the categories of users
and the purpose of such use.
When drafting Privacy Act statements and SORNs, agencies should provide a sufficient
level of detail regarding the collection or use of data for statistical purposes. In particular,
agencies should ensure that any routine uses that would allow for the disclosure of information
for statistical purposes are clearly and accurately explained. In a Privacy Act statement, the
description of routine uses should be a summary of the material published in the SORN, tailored
to the circumstances of the data collection.41 Program and statistical agencies should bear in
mind:
38
The PRA requires agencies to inform individuals (including businesses or other institutions) of several things,
including how the information will be used, though agencies have some discretion related to the amount of detail
provided.
39
See 5 U.S.C. §552a(e)(3).
40
See 5 U.S.C. §552a(e)(4).
41
See Federal Register, Vol. 40, No. 132 (Privacy Act Implementation Guidelines and Responsibilities), page
28962.
1. The most effective notices provide all of the required information about the statistical
uses of the administrative data in clear, salient language appropriate for a general
audience.
2. Consistent with law, regulation, and policy, program agencies should take time to
consider adopting a routine use for their administrative data that are likely to be requested
for statistical activities, in order to permit the provision under the Privacy Act’s routine
use exception.
3. Consistent with law, regulation, and policy, statistical agencies or components should
consider whether a particular Privacy Act statement or SORN should be modified to
allow for the combining or linking of administrative data that are received from a
program agency with survey data or other acquired administrative data, if applicable.
4. Agencies must always provide an appropriate level of specificity in their notices;
however, they may also elect to provide additional details on the agency’s website, such
as information on each specific data provision arrangement.
5. Program and statistical agencies should confer with general counsel and/or senior privacy
official for additional guidance.
While agencies retain the final responsibility for complying with the Privacy Act, as
noted in the Legal Responsibilities for Protecting Privacy section of this Memorandum, there are
four exceptions to the general prohibition on agencies from disclosing information in a “system
of records,” as defined in the statute, without the prior written consent of the individual to whom
the information pertains.
The following scenarios are intended to help clarify when an agency could disclose data
for statistical purposes under the Privacy Act’s routine use exception, the second of four
described in the Memorandum, and when it could not.
1. The routine use exception can be used and no additional notice is required if the program
agency determines that providing data to a statistical agency or component for statistical
purposes is authorized by law and covered by the data collection purpose in the SORN
and Privacy Act statement—and is either identified as a routine use or is otherwise
permissible under the Privacy Act. Before a statistical agency or component receives
data about individuals, it may need to create or revise a SORN.
2. If providing data to a statistical agency or component for statistical purposes is authorized
by law and is compatible with the purpose for which the data were collected, but was not
previously identified as a routine use of the data, the routine use exception can be used
after the program agency does two things. First, it must publish a revised SORN.
Second, it must modify the description of routine uses in its Privacy Act statement to
inform future program participants of potential data provision for statistical purposes.
The 1975 Privacy Act Implementation Guidelines and Responsibilities cites, as an
example, meeting the “compatible and related” criteria of a routine use, “[the]
2
development of a sampling frame for an evaluation study or other statistical purposes.”42
Such statistical purposes will often include combining the administrative data with other
datasets. Before a statistical agency or component receives data about individuals, it may
need to create or revise a SORN.
3. If providing data for statistical purposes is not compatible with the original purpose for
which the data were collected, then the routine use exception cannot be used. If none of
the other three exceptions described in the Legal Responsibilities for Protecting Privacy
section of this Memorandum apply, then three things must occur: (a) a new or revised
SORN must be published by the program agency, (b) individuals who previously
supplied data must provide written consent, and (c) a revised Privacy Act statement must
be provided in future rounds of data collection. This situation would occur when the
program agency identified only purposes and uses that could not be interpreted to include
statistical purposes in the original SORN and Privacy Act statement. The revised notices
would permit statistical uses only of data collected after the new or revised notices were
in effect. If already collected administrative data are deemed essential for a statistical
purpose, the program agency would need to re-contact individuals from whom data were
previously collected in order to obtain their written consent to use the data for statistical
purposes. Re-contacting individuals can be difficult and costly—and may cause
statistical bias by obtaining data only for the subset of the population successfully
contacted and having provided consent. Thus, agencies need to carefully evaluate the
need for data in this situation. Before a statistical agency or component receives data
about individuals, it may need to create or revise a SORN.
42
See Federal Register, Vol. 40, No. 132, page 28953.
3
Appendix B: Model Agreement for the Provision of Administrative Records for Statistical
Purposes
Table of Contents
Introduction..................................................................................................................................... 2
Model Agreements for Providing Data........................................................................................... 2
Standard Elements .......................................................................................................................... 3
1. Parties...................................................................................................................................... 3
2. Legal and Programmatic Authority ........................................................................................ 3
3. Duration or Period of Agreement ........................................................................................... 3
4. Purpose.................................................................................................................................... 4
5. Use of Data ............................................................................................................................. 4
6. Data Quality ............................................................................................................................ 6
7. Roles and Responsibilities for Data Protection ...................................................................... 7
7(a). Confidentiality and Privacy............................................................................................ 7
7(b). Data Security .................................................................................................................. 8
7(c). Data Transfer, Media and Methods for Transmission of Data ..................................... 10
7(d). Record Keeping, Retention, and Disposition of Records............................................. 10
8. Specific Penalties for Unauthorized Disclosure of Information ........................................... 11
9. Potential Work Constraints ................................................................................................... 11
10. Breach ................................................................................................................................. 12
11. Disclaimers ......................................................................................................................... 13
12. Reporting............................................................................................................................. 13
13. Administrative Points of Contact........................................................................................ 14
14. Funding Information ........................................................................................................... 14
15. Estimated Costs and Payment............................................................................................. 15
16. Resolution of Conflicts ....................................................................................................... 16
17. Modification/Amendment of Agreement............................................................................ 16
18. Cancellation of Agreement ................................................................................................. 17
19. Periodic Review of Agreement ........................................................................................... 17
20. Concurrence and Agency Signatory ................................................................................... 18
Introduction
Agreements are a tool that Federal agencies should use whenever there is an exchange of
data, funds, personnel, property, services, or any type of commitment or obligation because they
help to optimize the benefits from each party’s efforts in a well-defined, legally sound manner.
This appendix provides a model that Federal agencies can use when an agency wishes to provide
data for a statistical purpose to another agency. While agencies may find the document helpful
in other contexts, it was specifically crafted to facilitate the provision of administrative records
data from agencies or other organizations holding such data to Federal statistical agencies and
components. Consistent with OMB policy, including M-11-02 and M-13-13, statistical agencies
and components seek to acquire and use administrative data for statistical purposes to contain
costs and reduce burdens on respondents, while increasing the quality and quantity of statistical
information. Data provision agreements are the method for statistical agencies or components to
obtain administrative data from other governmental entities or other institutions.
Currently there are myriad different agreements that government entities apply to
exchange data and administrative records. Crucial components of agreements designed to permit
one agency to provide data to another agency for statistical purposes, such as data security
procedures, are addressed in varying approaches or may be inadvertently omitted from the
agreements. In addition, the lack of standardization means that agreements tend to require
extensive review and revision at multiple stages of review, creating substantial delays. This
model agreement provides guidance on the issues that agencies should consider when executing
agreements to provide administrative records for statistical purposes. While use of the model is
not required, the model agreement will promote uniform implementation of interagency data
provision agreements while considering specific factual circumstances and different individual
program requirements and procedures. The Model Agreement may also be used when necessary
to govern the relationship between program components and statistical components within the
same agency.
The model agreement includes basic elements, principles, and practice
recommendations. The elements in the model agreement should be included in agreements that
provide data for statistical purposes unless circumstances warrant their exclusion. Principles
address common challenges or issues facing agencies as they engage in the provision or
exchange of data. The concepts are broad enough that they should be considered prior to
entering into any agreement where data would be provided for statistical purposes. For example,
provisions such as legal and programmatic authority, confidentiality and privacy, data security
procedures, and records retention may be very similar across many such data use agreements.
The model agreement also offers recommendations for applying various provisions to
agreements. Practice recommendations are best practices that should be carefully reviewed and
incorporated into agency policies and procedures, as appropriate. The common issues in data use
agreements have been drawn from projects where agencies have successfully provided
administrative data to another agency for statistical purposes.
OMB encourages agencies to start from this model, rather than “home grown” agreement
templates when they identify new opportunities for providing data for statistical purposes. In so
doing, agencies will begin from a comprehensive, common base, which should increase the
2
sufficiency of agreements while reducing the time and resources invested in their creation and
implementation. Making such exchanges more efficient is essential to enabling the policy
direction set forth in this Memorandum. The standard elements of a model agreement follow.
1.
Parties
Identify the primary organizations or offices that are partnering to provide
administrative records to another for statistical purposes.
2.
Principle(s)
The parties agree to provide and receive
data in accordance with the terms and
conditions described in the data provision
agreement which outlines each party’s
obligations and responsibilities for
ensuring that the provided data are
appropriately used, secured, and
protected.
Practice Recommendation(s)
The data provision agreement should reflect
all promises to perform between the parties
to the agreement. There may be multiple
data provision or use agreements in any
given project.
The names and addresses of the primary
organizations/offices should be included in
this section.
Legal and Programmatic Authority
Identify the legal authority that authorizes the parties to enter into the data provision
agreement.
Principle(s)
A Federal agency may enter into an
agreement if authorized by law. An
agreement may require both legal and
programmatic authority.
3.
Practice Recommendation(s)
Cite the statutory and/or regulatory
provision that authorizes the provision of
data for statistical purposes, as well as any
transfer authority that may be applicable.
Duration or Period of Agreement
Indicate effective start and end dates of the agreement.
Principle(s)
The parties should carefully consider the
term of the agreement in order to mutually
accommodate their interests.
Practice Recommendation(s)
Establish the period of the agreement as
appropriate, whether the agreement is
mutually beneficial (i.e., up to 5 years) or
reimbursable (i.e., one-year, two-year to
coincide with availability of funds).
Agreements become effective when both
parties have signed.
3
4.
Purpose
Describe the specific purpose of the agreement, including the anticipated benefits and
goals of the parties.
5.
Principle(s)
A detailed purpose that clearly describes
the intended benefits of the parties and
key stakeholders promotes
communication and increases the
likelihood that the benefits and goals will
be achieved. This description includes
specific deliverables, actions, and
milestones each party agrees to complete
during the performance period.
If the agency providing the data intends to
issue a contract or order to provide the
requested data, state or attach a specific,
definite, and clear description of the
contracted work. The description should
be definitive enough to demonstrate a
bona fide need and support a binding
agreement that can be recorded as an
obligation in the fiscal year that funds or
other services are available for obligation.
Practice Recommendation(s)
Briefly describe the relationship
between/among the agencies and explain
how work described in this agreement will
benefit the relationship. This may include a
short history of the relationship.
Include general introductory information
about the functions of the parties involved.
Clearly define how the data will be used, the
organizations that are permitted to use the
data, the period of time the data may be
used, and what happens to the data after it is
used.
Include specific reference to the data or data
files that will be used and the authorized
studies that will be undertaken.
Use of Data
List any constraints on use of the data.
Principle(s)
Specify the approved projects and/or uses
for which the other agency can use the
data. Set limitations on the type of use and
specific applications, particularly if/when
access/usage requirements are expanded.
If the parties are publicly releasing any
documents or research related to the
exchange of administrative records data
specified in the agreement, specify the
subject matter, rights, and responsibilities
pertaining to public use of data. This may
include disclosure avoidance procedures.
4
Practice Recommendation(s)
Specify the individuals who are
authorized to access the data subject to the
agreement.
If the data are being linked to other data
files, specify the linkage procedure and
approved uses of the data.
If the data are being linked to other data
files, comply with the statutes relevant to
each of the files (e.g., Privacy Act, the
Paperwork Reduction Act, the
Confidential Information Protection and
Statistical Efficiency Act (CIPSEA), and
Principle(s)
If the parties are publicly releasing any
documents or research, note the
anticipated public disclosure and set forth
the publication review and approval
procedures.
Practice Recommendation(s)
the Family Educational Rights and
Privacy Act (FERPA).
For Federal agencies where there is a
practice of ongoing provision of data, the
agreement may specify that additional
projects and/or uses of data may be added
to the agreement with written permission.
Note that some agreements only require
notification rather than approval. The
parties to the agreement can discuss the
additional project in advance and review a
draft of the memorandum prior to formal
transmissions and approval.
Establish guidelines for publication,
including providing a draft report,
establishing the approval process,
designating a period of time for a response
to the draft report, and issuing the final
report. The guidelines apply to all public
releases and activities planned during the
term of agreement.
The agreement should specify the
individuals and/or entity, such as the
Disclosure Review Board (DRB) charged
with the responsibility of reviewing and
approving reports prior to public release.
If the data subject to the agreement will be
made available to researchers via a
restricted data use license, reference the
policies and procedures that apply to
licenses for restricted use data files.
5
6.
Data Quality
Describe the quality of the datasets to be provided.
Principle(s)
A statement about the quality of data is
important to ensure appropriate use of the
data by the receiving agency. The
statement should address the quality of the
provided data in terms of its timeliness,
accuracy, reliability, and completeness.
If data errors, inaccuracies, and/or
discrepancies are discovered subsequent
to information sharing for statistical
purposes, either party to the data sharing
agreement should have the opportunity to
clarify or address data issues in a timely
manner.
Practice Recommendation(s)
Include concepts, definitions, and codes
(e.g., NAICS, SOC) used to describe the
data collected, including copies of the data
collection instrument.
Also, include a description of the
universe, frame, target population, and
any sample design used to identify
respondents.
Add a description and findings from any
quality control procedures (e.g. edits,
imputation, reviews) including notice of
any changes that are made to identifiers,
coding flags, or other items that may
affect the interpretation of the data.
Include a provision specifying that, upon
discovery of data errors, inaccuracies,
and/or discrepancies in data provided for
statistical purposes, any party to the
agreement may address data issues,
including in some cases, correcting
inaccuracies, where feasible and
appropriate, within 30 days of discovery
of the data errors.
6
7.
Roles and Responsibilities for Data Protection
Delineate each entity’s agreed-upon roles and responsibilities for protecting provided
data. The division of responsibilities and commitments of each entity should be defined as
precisely as possible, with separate paragraphs for each of the key following roles and
responsibilities:
7(a). Confidentiality and Privacy
Describe the required processes that the receiver must use to ensure that data remain
confidential.
Principle(s)
Agencies providing data must ensure that
they comply with applicable governmentwide and agency-specific statutes and
regulations governing the collection and
dissemination of information.
Entities using provided data must
establish appropriate administrative,
technical, and physical safeguards to
protect the confidentiality of the data and
prevent unauthorized use or access to it.
Practice Recommendation(s)
Agencies providing data should indicate
whether the Privacy Act, the Title V of the
E-Government Act, Confidential
Information Protection and Statistical
Efficiency Act of 2002 (CIPSEA) (a), the
Family Educational Rights and Privacy
Act (FERPA), the Education Sciences
Reform Act of 2002, or other relevant
statutes are applicable given the facts and
circumstances. Describe the requirements
of each statute with respect to the
provided data.
For individuals who are approved to work
with the provided data, consider requiring
certification of training for safeguarding
and protecting confidential information.
Cite Privacy Act system of records notice
(SORN) if applicable so that all parties are
aware of what will be published in the
Federal Register regarding access to and
use of information.
Institutional Review Board (IRB)
approval may be required, particularly if
data acquisition involves personally
identifiable information. In certain
circumstances, agency or IRB rules
governing the use of data for research
projects may require notice and consent
procedures beyond those described in the
Privacy Act and the Paperwork Reduction
7
Principle(s)
7(b).
Practice Recommendation(s)
Act.
Data Security
Include the data security procedures in the agreement and reference relevant policies
and procedures that provide guidance in the protection of confidential data.
Principle(s)
Maintaining secure data is a shared
responsibility and requires all parties to
take appropriate measures to ensure that
data are protected from unauthorized
access.
Practice Recommendation(s)
Describe the specific methods that the
receiver must use to maintain data
security. The data security procedures
should be comprehensive and restrict
access to all protected information
obtained from the other to only those
authorized employees and officials who
perform their duties in accordance with
the uses of the information and
requirements as stipulated in applicable
data security agreements.
Specify procedures to be followed,
including when, how, and to whom
notifications will be sent, if an attempt is
made to gain inappropriate access to data
or personally identifiable information is
lost or stolen.
Chief information security officers should
have sufficient authority to conduct onsite
reviews and require other provisions are
instituted to ensure that adequate
safeguards are being maintained by the
other entity.
Provisions should specify that agencies
will store sensitive records in areas that
are physically safe (criteria for this may
vary across agencies) from access by
unauthorized person at all times. These
should describe or reference a description
of what is meant by “safe”.
The agreement should require a security
agreement that clearly delineates the
8
Principle(s)
Practice Recommendation(s)
requirements for information technology
(IT) security. The date that the Security
Plan received operational approval should
be set forth in the agreement.
Consider whether the Federal Information
Security Management Act of 2002
(FISMA) applies. FISMA provides in
pertinent part that “[e]ach agency shall
develop, document, and implement an
agency-wide information security
program . . . to provide information
security for the information and
information systems that support the
operations and assets of the agency.”43
The provision includes developing
“[p]olicies and procedures that . . . costeffectively reduce information security
risks to an acceptable level.”44
Reference the OMB procedures that
require agencies to report all incidents
involving personally identifiable
information to US-CERT within one hour
of discovering the incident. Specify the
individuals from each agency or entity
that is a party to the agreement who are
responsible to report all incidents
involving personally identifiable
information to a Federal incident response
center (US-CERT) within one hour of
discovering the incident.45
Examining the quality, quantity,
authenticity, and condition of the security
arrangements as well as inspecting
security arrangements may be necessary
for the agency providing the data to
confirm that the user is in compliance
43
44 U.S.C §3544 (b).
44 U.S.C. §3544 (b)(2).
45
OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable
Information (May 22, 2007).
44
9
Principle(s)
7(c).
Practice Recommendation(s)
with data security procedures and
requirements specified by the agreement.
Data Transfer, Media, and Methods for Transmission of Data
Identify the way in which data will be securely transferred from the provider to the
receiver.
Principle(s)
Establish comprehensive methods for the
transfer of data including the media
utilized for transfer and the specific
safeguards to be used.
7(d).
Practice Recommendation(s)
Specify the method by which files will be
received, encrypted and passwords used
along with what constitutes an acceptable
level of encryption, whether the transfer is
one or two way; inter-connection security
agreements; etc.
Analyze whether an Interconnection
Security Agreement is required per NIST
SP 800-47.
Record Keeping, Retention, and Disposition of Records
Develop procedures for record keeping, retention and disposition of records.
Principle(s)
Clearly set forth procedures for record
keeping, retention and disposition of
records and designate the specific parties
and/or personnel who are responsible for
maintaining, destroying, and certifying
destruction of the records.
10
Practice Recommendation(s)
Each agreement should contain a
provision for retention of records by
governmental and non-governmental
entities. Specify what records shall be
retained for the project contemplated by
the agreement and for a back-up system.
Specify the duration of time that records
should be retained (e.g., commencing
upon approval of the agreement and
ending xx years hence).
Identify the data custodian from each
party to the agreement who is responsible
for record keeping, retention and
disposition of records.
8.
Specific Penalties for Unauthorized Disclosure of Information
Set forth potential criminal and civil penalties for unauthorized disclosure of information.
Principle(s)
If criminal or civil penalties apply for
unauthorized disclosure of information,
set forth an acknowledgement of all
criminal and civil penalties in the
agreement.
9.
Practice Recommendation(s)
Cite the applicable statutes and penalties
governing the protection of the
information, such as the Privacy Act or
the Social Security Act.
Insert a provision that the data user and
any individual employed or affiliated
therewith may be subject to civil suit
under the Privacy Act for damages which
occur as a result of willful or intentional
actions which violate an individual’s
rights under the Privacy Act. (For Census
Bureau employees, wrongful disclosure of
confidential Census Bureau information
could result in a fine of up to $250,000,
imprisonment of up to 5 years, or both, in
accordance with 13 U.S.C. §214, as
amended by 18 U.S.C. §3559 and §3571.
For officers, employees, or agents of any
agency acquiring information for
exclusively statistical purposes under a
pledge of confidentiality, wrongful
disclosure of confidential information
could result in a fine of up to $250,000,
imprisonment up to 5 years, or both, in
accordance with section 513 of CIPSEA.)
Potential Work Constraints
Anticipate restrictions or prohibition that may interrupt performance.
Principle(s)
Procedures addressing potential work
constraints should be inserted into
agreements.
11
Practice Recommendation(s)
Potential work constraints such as changes
due to employment ceilings, reductions in
force, temporary furloughs, or other
controls imposed by OMB, Executive
Order, or congressional action can
interrupt performance.
10.
Breach
Draft provisions in the event of the breaking or violation of an obligation or a law.
Principle(s)
When a party who owes a present duty
under an agreement fails to perform that
duty, it will have the effect of suspending
or discharging the other party’s obligation
to perform under the agreement.
If the breach is partial (not material) it
does not relieve the aggrieved party from
continuing to perform under the
agreement.
A breach of confidentiality could
constitute a partial breach of the
agreement.
The Federal Information Security
Management Act of 2002 requires all
agencies to report security incidents to a
Federal incident response center (USCERT).
Practice Recommendation(s)
OMB requires agencies to develop and
implement a breach notification policy,
including the timing and form of
notification. If one party breaches the
agreement, set forth which party is
responsible to notify other parties to the
agreement of the breach. Specify which
party is responsible for the costs of
notification of the breach, as well as
which stakeholders should be informed of
the breach.
Specify the remedies and damages in the
event of breach of the agreement,
including liquidated damages if
applicable. Parties negotiating an
agreement often make an explicit
agreement as to what each party’s remedy
for breach of contract shall be.
If liquidated damages are specified for
breach of agreement, the amount fixed
must be reasonable relative to the
anticipated or actual loss from the breach.
In some cases, the harm caused by the
breach will be uncertain or very difficult
to calculate accurately and should be
noted as such.
Breaches subject to notification
requirements include electronic systems
and paper documents.
12
11.
Disclaimers
Consider including indemnification language to protect the parties from legal actions.
12.
Principle(s)
Divisions or operating units of Federal
agencies cannot indemnify outside parties.
Parties to the agreement may be requested
to assist and cooperate if legal actions are
brought.
Practice Recommendation(s)
Consider including language that provides
that if such suits are brought against one
entity, the other party to the agreement
will assist with or cooperate in the
agency’s defense.
Reporting
Specify the time periods and method of reporting (e.g. annual reports via e-mail) and
specific elements to include in the reports.
Principle(s)
Reporting may be required to meet
statutory or regulatory requirements
13
Practice Recommendation(s)
Draft a provision that specifies that each
party to the agreement agrees to report to
the other party inventories of approved
projects that use the data as authorized in
the agreement and inventories of training
certification for individuals approved to
work with the data received under this
agreement.
13.
Administrative Points of Contact
Identify administrative points of contact responsible for the day to day management of
the data provision agreement.
Principle(s)
To ensure sound management of data
provision agreements agencies must
assign responsible individuals to be
accountable for the day to day
management and administration of the
agreement.
Administrative points of contract should
be identified in the data provision
agreement and parties to the agreement
should be notified generally within 30
days of any changes to the contact
information.
14.
Practice Recommendation(s)
Administrative points of contact include
the:
- Project Officer who supervises
adherence to reporting/notification
requirements, updates to review of
agreement, data management, data
quality, retention and destruction of data
files, data security procedures, etc.
- Program Official(s), if work is
performed by contractors, who ensure
that the scope of work is properly
defined and can be fulfilled for the
order. The program official may or may
not be a Contracting Officer depending
on each agency’s interagency
acquisition business process.
Agreements may identify additional
points of contact as appropriate.
Funding Information
Identify funding obligations.
Principle(s)
If funds are to be obligated under the
agreement, the financial arrangements for
all parties to the agreement must be
clearly stipulated.
If no funds are to be obligated under the
agreement, a statement should be included
to make it clear that the agreement is not
an instrument that obligates funds of any
party to the agreement.
14
Practice Recommendation(s)
Set forth the funding amounts that are
certified by a certifying/approving official
and are available. Where practical, the
appropriations act that provided the
funding should be cited. At a minimum,
the following financial data are needed for
each party to the agreement: Agency
Locator Code (ALC), Business Event
Transaction Code (BETC), Treasury
Account Symbol (TAS), and Data
Universal Numbering System/Business
Partner Network (DUNS/BPN).
15.
Estimated Costs and Payment
Describe how estimated costs will be reimbursed.
Principle(s)
If the agreement results in the exchange of
money between/among entities, state the
estimated costs, budgeted amounts and
terms of payment.
Practice Recommendation(s)
If appropriate, set forth a budget listing
for each party to the agreement. If the
agreement does not contain a detailed
budget, the official agreement file may
contain a copy of the budget listing with
the total estimated costs for each party to
the agreement.
Enter the total agreed-upon direct cost for
providing the products and/or services.
Enter the total agreed-upon overhead fees
and charges for providing the products
and/or services.
Enter the total agreed-upon estimated
amount (direct cost plus overhead fees &
charges) for the agreement.
If additional costs are incurred, describe
how they are shared.
The agreement should set forth the
frequency of billing and how the funds
will be transferred between agencies (e.g.
IPAC, small purchase cards, etc.).
The agreement should contain financial
contact information for each party to the
agreement.
15
16.
Resolution of Conflicts
Describe how disputes will be resolved.
17.
Principle(s)
Set forth a method to resolve disputes
Practice Recommendation(s)
Specify various methods of conflict
resolution according to the level of
escalation of the dispute, including the
conditions that trigger the formal attempt
to resolve conflicts.
Specify the individuals who are
authorized to engage in conflict
resolution.
Consider inserting a provision that in the
event of a dispute regarding any part of
the agreement, the dispute may be
submitted to non-binding arbitration upon
consent of all parties to the agreement.
Modification/Amendment of Agreement
Indicate that amendments must be in writing signed by authorized individuals.
Principle(s)
Amendments should not change the
general purpose and effect of the
agreement.
Amendments should be made on consent
of all parties to the data use agreement
and in writing.
16
Practice Recommendation(s)
The agreement should specify who is
authorized to modify or amend the
agreement.
Amendments should include the
signature(s) of the point(s) of contact for
each agency or entity that is a party to the
agreement or authorized individual as
deemed by the participating entity.
18.
Cancellation of Agreement
Describe how and under what circumstances the agreement may be cancelled.
Principle(s)
The agreement should contain a provision
whereby each party may cancel the
agreement within a specified time and,
under what conditions - some situations
may permit immediate termination if prior
written notice is provided to all parties.
19.
Practice Recommendation(s)
Draft language indicating that failure to
maintain security adequate to avoid the
unauthorized disclosure of confidential
information shall be grounds for
immediate termination of the
authorization to access such data.
Consider inserting a provision specifying
that in the event of agreement termination,
each party shall be solely responsible for
the payment of any expenses it has
incurred.
Periodic Review of Agreement
Principle(s)
Each agency or entity should conduct
annual self-audits of all offices where
work on approved projects is conducted to
ascertain whether confidentiality, privacy
and security safeguards are adequate.
A complete report of each audit citing
strengths, deficiencies, and corrective
actions as necessary shall be made
available to the chief information security
officer and designated “point of contact”
of the agency requesting the audit.
If the agreement is extended for an
indefinite period of time, it should contain
a provision for review, at least every three
years, to determine the continuing need
and whether the agreement should be
revised, renewed, or canceled.
17
Practice Recommendation(s)
Consider inserting an “audit access
clause” in any agreement between
governmental agencies and nongovernmental entities that involves the
transfer of funds or department resources
such as considerable staff time.
20.
Concurrence and Agency Signatory
Principle(s)
In order to be a valid agreement, there
must be approval among all parties to the
agreement.
When there are factual circumstances
wherein a third party must assent to the
terms of the agreement, a third party
concurrence should be drafted. The third
party concurrence is made part of the
original data provision agreement.
Practice Recommendation(s)
Identify the agency signatory. Agency
signatories agree that they have the
authority to sign for the agency or
participating entity and denote their
acceptance of the agreement terms by
affixing their signature and the date.
The agreement period must begin on or
after the signature dates.
The agency official should be the highest
level accepting authority or official as
designated by the requesting agency and
servicing agency to sign this agreement.
18
File Type | application/pdf |
File Title | M-14-06, Guidance for Providing and Using Administrative Data for Statistical Purposes |
Subject | M-14-06, Guidance for Providing and Using Administrative Data for Statistical Purposes |
Author | OMB |
File Modified | 2015-05-11 |
File Created | 2014-02-14 |