Cipsea

Public Law 107-347 Sec 503(a) - CIPSEA - Confidentiality of Data - 06-15-2007.pdf

Cost of Pollination Survey

CIPSEA

OMB: 0535-0258

Friday,
June 15, 2007

Part IV

Office of
Management and
Budget

sroberts on PROD1PC70 with NOTICES

Implementation Guidance for Title V of
the E-Government Act, Confidential
Information Protection and Statistical
Efficiency Act of 2002 (CIPSEA); Notice

VerDate Aug<31>2005

21:40 Jun 14, 2007

Jkt 211001

PO 00000

Frm 00001

Fmt 4717

Sfmt 4717

E:\FR\FM\15JNN3.SGM

15JNN3

33362

Federal Register / Vol. 72, No. 115 / Friday, June 15, 2007 / Notices

OFFICE OF MANAGEMENT AND
BUDGET
Implementation Guidance for Title V of
the E-Government Act, Confidential
Information Protection and Statistical
Efficiency Act of 2002 (CIPSEA)
AGENCY: Office of Management and
Budget, Executive Office of the
President.
ACTION: Notice of decision.

SUMMARY: The Confidential Information
Protection and Statistical Efficiency Act
of 2002 (CIPSEA) can provide strong
confidentiality protections for statistical
information collections, such as surveys
and censuses, as well as for other
statistical activities, such as data
analysis, modeling, and sample design,
that are sponsored or conducted by
Federal agencies. The Office of
Management and Budget (OMB) is
issuing Implementation Guidance for
Title V of the E-Government Act, the
Confidential Information Protection and
Statistical Efficiency Act of 2002 (Pub.
L. 107–347). The purpose of the CIPSEA
implementation guidance is to inform
agencies about the requirements for
using CIPSEA and to clarify the
circumstances under which CIPSEA can
be used.

Authority: 31 U.S.C. 1104(d); 44 U.S.C.
3504 (specifically (a)(1)(B)(iii) and (v), (e)(1),
(3) and (5), and (g)(1)); Pub. L. 107–347
section 503(a), 44 U.S.C. 3501 note.
FOR FURTHER INFORMATION CONTACT:

Brian Harris-Kojetin, Ph.D., Statistical
and Science Policy Office, Office of
Information and Regulatory Affairs,
Office of Management and Budget,
NEOB, Room 10201, 725 17th Street,
NW., Washington, DC 20503.
Telephone: 202–395–3093.
SUPPLEMENTARY INFORMATION:
A. Background
Statistics collected and published by
the Federal Government constitute a
significant portion of the available
information about the United States’
economy, population, natural resources,
environment, and public and private
institutions. There are more than 70
Federal agencies or organizational units
that carry out statistical activities as
their principal mission or in
conjunction with other program
missions, such as providing services or
enforcing regulations. In addition to
these 70 agencies, many other Federal
agencies or units may collect statistical
information to use for specific program
needs.
Prior to the enactment of CIPSEA, a
patchwork of legislative protections
governed the confidentiality of data
gathered for statistical purposes by the
different agencies and units. Some
agencies had strong statutory authority
to protect the confidentiality of the data
they gathered for statistical purposes,
while other agencies had weak or no
legislative authority to protect
confidentiality. In addition, the ability
of the designated statistical agencies to
share information to improve the
efficiency of the Federal statistical
system was limited by statutory
constraints affecting those agencies.
By establishing a uniform policy for
all Federal statistical collections, this
law will reduce public confusion,
uncertainty, and concern about the
treatment of confidential statistical
information by different Federal
agencies. By establishing consistent
rational principles and processes to
buttress confidentiality pledges, the
guidance that implements the law will
harmonize confidentiality claims and
set minimum standards for safeguarding
confidential statistical information.
Such consistent protection of
confidential statistical information will,
in turn, reduce the perceived risks of
more efficient working relationships
among statistical agencies, relationships
that can reduce both the cost and
reporting burden imposed by statistical
programs.
B. Development and Review
In 2003, OMB and the other members
of the Interagency Council on Statistical
Policy (ICSP) formed an interagency
group to discuss issues that OMB and
the agencies anticipated would arise in
the implementation of CIPSEA. OMB
was particularly interested in
understanding the questions and
concerns that these statistical agencies
had about the new law and how it
would affect their activities. OMB also
sought to incorporate the best practices
of these agencies for handling
confidential statistical information.
An initial draft of this implementation
guidance was reviewed by the ICSP
members, and OMB revised the draft
guidance in response to the comments
that we received. Based on the use of
the law by agencies over the past three
years, OMB has also addressed in the
guidance specific issues that have
arisen, such as nonstatistical agencies’
use of CIPSEA.
C. Summary of and Response to
Comments Received in Response to the
October 16, 2006 Federal Register
Notice
OMB issued proposed
Implementation Guidance for Title V of
the E-Government Act, Confidential
Information Protection and Statistical
Efficiency Act of 2002 (CIPSEA)(Pub. L.
107–347) in October 2006 (71 FR
60,772–60,773). Five public comments
were received in response to OMB’s
request. OMB reviewed the public
comments on the guidance and made
some modifications in response to the
comments. The complete text of the
public comments and this document are
available on the OMB Web site at
http://www.whitehouse.gov/omb/inforeg/statpolicy.html.
General Comments
One commenter expressed support for
the guidance and stated that ‘‘the
proposed guidelines establish principles
and policies that will protect the
confidentiality of the data provided by
respondents to federal statistical
surveys’’ and noted that the guidance
provides ‘‘reasonable approaches to
protecting confidentiality, and thereby
will reduce the costs and reporting
burdens imposed by statistical
programs.’’ The commenter also noted
that it was ‘‘especially useful to see
guidelines for statistical agency
interactions with outside analysts (e.g.,
contractors) authorized to see the
confidential data.’’
I. Introduction
Identifiability
One commenter believed the
discussion of the identifiability of
personal information in the proposed
guidance was insufficient. Although the
commenter noted the technical
references to Statistical Policy Working
Paper #22 1 and to the Federal
Committee on Statistical Methodology’s
Confidentiality and Data Access
Committee’s disclosure review
checklist,2 she asked for ‘‘more specific
guidance about the meaning of the terms
reasonably inferred and direct or
indirect means’’ [emphasis in original]
and ‘‘how the CIPSEA standard
specifically relates to the HIPAA
standards of no reasonable basis to
believe and risk is very small [emphasis
in original] * * * ‘‘whether a risk
assessment is required, how to conduct
that risk assessment, what data sources
(public and private) must be considered
in assessing identifiability’’ as well as
how much effort and cost are
reasonable.
In response to this comment, OMB
has included a definition of ‘‘personally
identifiable information’’ in footnote 21
and provided an example of indirect
identification in footnote 23, as follows:
1 Available at http://www.fcsm.gov/reports/.
2 Available at http://www.fcsm.gov/committees/cdac/cdac.html.

21 ‘‘personally identifiable information’’
refers to information which can be used to
distinguish or trace an individual’s identity,
such as his or her name, social security
number, biometric records, etc., alone, or
when combined with other personal or
identifying information that is linked or
linkable to a specific individual, such as date
and place of birth, mother’s maiden name,
etc.
23 Indirect identification refers to using
information in conjunction with other data
elements to reasonably infer the identity of
a respondent. For example, data elements
such as a combination of gender, race, date
of birth, geographic indicators, or other
descriptors may be used to identify an
individual respondent.

However, it is beyond the scope of
this implementation guidance to
provide lists of other data sources that
could be used to reidentify respondents
or specific risk assessment techniques
agencies must employ. As the
commenter noted, OMB does provide
references to more technical resources
that address these issues, such as
Statistical Policy Working Paper #22,
and a citation to the HIPAA privacy rule
has been added. Federal statistical
agencies are in the best position to know
about the sensitivity of their
confidential statistical information and
to take appropriate steps to assess and
mitigate the risks of reidentification.
Because this area is a ‘‘moving target,’’
as the commenter noted, OMB, through
its Federal Committee on Statistical
Methodology, sponsors the
Confidentiality and Data Access
Committee, which facilitates the sharing
and adoption of best practices and latest
techniques in disclosure avoidance
across Federal agencies.
Relation of CIPSEA to Other Laws
One commenter noted that
‘‘subsection (b) of the Privacy Act of
1974 authorizes numerous disclosures,
many of which are inappropriate for
CIPSEA records. For example,
disclosures for law enforcement
purposes’’ as well as many routine uses.
The commenter asked OMB to
‘‘elaborate on the intersection between
CIPSEA and the Privacy Act of 1974.’’
As OMB has noted in the guidance,
agencies are responsible for ensuring
that information protected under
CIPSEA is used exclusively for
statistical purposes. OMB recognizes
that the Privacy Act does permit routine
uses that are nonstatistical; these uses
are not permitted for CIPSEA-protected
information. OMB believes that the
minimum standards in the guidance for
safeguarding confidential information
make clear that agencies need to
develop appropriate policies and
procedures for CIPSEA-protected
information that go beyond those that
exist for Privacy Act systems of records;
however, we have added the following
language to make this explicit in Part
I.F. of the guidance:
On the other hand, if an agency pledges to
use the information only for statistical
purposes, then the agency shall not use any
other authorities it has available to use the
information for non-statistical purposes,
because those uses would be contrary to the
agency’s pledge. For example, if information
is protected by CIPSEA and the Privacy Act,
some of the routine uses permitted under the
Privacy Act would no longer be allowed
because they are not for statistical purposes.

Agencies Authorized To Designate
Agents
One commenter cited Footnote 31 on
page 11 of the proposed guidance 3 that
tells agencies that they should consult
with OMB regarding use of agents and
stated that the use of agents should be
subject to public notice and comment.
In this footnote, OMB was referring
specifically to the review and legal
interpretation of a nonstatistical
agency’s statute and whether that would
meet the requirements of CIPSEA and
permit the agency to designate agents
under CIPSEA. Generally, legal analysis
and interpretation are accomplished by
the agency. However, when agencies are
applying a new statute that OMB has
responsibility for, agencies should
consult with OMB to ensure a
government-wide perspective.
Commenters also had questions about
other specific matters that will be
addressed during implementation.
II. Requirements for Agencies Collecting
or Acquiring Information Protected
Under CIPSEA
Non-CIPSEA Pledges
One commenter objected to agencies
being restricted from using both the
terms ‘‘confidential’’ and ‘‘statistical
purposes’’ together if CIPSEA did not
cover the collection. The commenter
noted that these terms have meaning
independent of CIPSEA and agencies
should be able to use them as they see
fit. The commenter suggested that
‘‘Rather than prohibit the use of the
terms ‘confidential’ and ‘exclusively
statistical purposes,’ we suggest that
OMB advise agencies, as it has in prior
guidance, to ensure that they do not use
terms that are confusing. OMB could
also prohibit the mention of CIPSEA
when it is not applicable and require
that agencies invoke coverage by
CIPSEA only by the mention of that law
directly to survey respondents.’’
3 This footnote appears as footnote 40 in this final
document.

OMB agrees that the terms
‘‘confidential’’ and ‘‘statistical
purposes’’ have meaning independent of
CIPSEA; however, when used together
in a pledge to respondents, they clearly
meet the requirements of CIPSEA and
the protection of this law. Sec. 512 of
CIPSEA simply requires that the
information be ‘‘acquired by an agency
under a pledge of confidentiality and for
exclusively statistical purposes.’’ The
law does not require that CIPSEA be
mentioned explicitly, and OMB would
certainly prohibit an agency from
mentioning the law if it did not apply.
It would clearly be confusing to
respondents for different protections to
be implied by two different agencies
both pledging that the information
would be confidential and used for
exclusively statistical purposes. Thus, it
is necessary to ensure that CIPSEA
protections or greater protections apply
when an agency makes this pledge to
respondents.
CIPSEA Pledges
One commenter supported the shorter
version of the pledge, but expressed
concerns about its comprehensibility.
The commenter then suggested that
OMB consider developing a formal
statistical confidentiality seal that
would provide an identifiable marker
that would tell individuals what level of
protection the information they provide
will receive under the law. Specifically
the commenter suggested as an example
that OMB consider a green-yellow-red
color scheme: Green would mean
respond with confidence because
answers receive the highest level of
legal confidentiality protection; yellow
would mean respond with caution
because answers receive some
confidentiality protection but less than
the highest level of legal protection; and
red would mean no legal confidentiality
protections at all.
The CIPSEA pledge was based on a
pledge that was thoroughly tested;
however, OMB has encouraged further
cognitive testing of this pledge by
agencies. OMB agrees that it would also
be helpful to have more testing on a
shortened version. OMB also
appreciates the commenter’s suggestions
regarding potential ‘‘seals’’ that would
be easy for respondents to understand
and recognize, and agrees that this idea
is worthy of further investigation and
testing. We also agree that this will
require a considerable amount of
research not only to develop a
recognizable seal but also to figure out
appropriate ways to present it in
different modes. If this research proves
fruitful, OMB will consider revising this
implementation guidance and/or issuing
other guidance for use of a seal.
III. Minimum Standards for
Safeguarding Confidential Information
Acquired Under CIPSEA
Costs and Burden of Security
Requirements
One commenter noted that during a
time of reduced funding resources the
implementation requirements call for
annual recertification of employees,
increased physical and information
security, additional record keeping
requirements, and additional staff time
(to ensure that appropriate
confidentiality and security protocols
are followed). Providing appropriate
security for agency information and
information systems does require
resources. As with any ongoing
program, agencies need to incorporate
into their budgets the costs for
protecting confidential information
throughout the lifecycle of the statistical
activities.
Security of Confidential Information in
Laptop Computers
One commenter noted that ‘‘recent
events have highlighted the particular
vulnerability of laptop computers to loss
and theft,’’ and suggested that
additional information be included in
the guidance about the security of
laptops, PDAs, or other types of devices.
OMB agrees with the comment and has
modified language in the section on
physical and information systems
security in Part III. B, which also applies
to Part IV. D of the proposed guidance
referenced on page 22, so that it now
reads:
Agencies are required to establish
appropriate administrative and technical
safeguards to ensure that the security of all
media containing confidential information is
protected against unauthorized disclosures
and anticipated threats or hazards to their
security or integrity. For example, agencies
must ensure that security requirements are
followed for reports, documents, printouts,
information collection instruments, laptops,
PDA’s, zip drives, floppy disks, CD-ROMs, or
any other IT devices that contain confidential
information to prevent access by
unauthorized persons.

VII. Data Sharing Under Subtitle B of
CIPSEA
Data Linking and Data Sharing
One comment requested that OMB
include administrative data as well as
other agencies under the data sharing
provisions of Subtitle B of CIPSEA to
further improve efficiency. OMB notes
that Subtitle B is limited in statute to
the three designated statistical agencies
(BLS, BEA, and Census) and applies
only to business data. While OMB
appreciates the potential benefits
suggested in this comment, CIPSEA
does not authorize any other data
sharing or authorize additional agencies
to share data. However, CIPSEA did not
alter other existing authorities for data
sharing among Federal agencies.
VIII. Annual Reporting and Review
Requirements
Annual Reports to OMB
One commenter requested that the
annual reports that agencies provide to
OMB be made public and posted on
agency Web sites. In the interest of
transparency, agencies will now be
required to post their reports on their
Web sites.
Susan E. Dudley,
Administrator, Office of Information and
Regulatory Affairs.

Implementation Guidance for Title V of
the E-Government Act, Confidential
Information Protection and Statistical
Efficiency Act of 2002 (CIPSEA)
I. Introduction
A. Overview
Issues of privacy and confidentiality
are of increasing concern to respondents
to Federal government surveys.
Agencies often seek to assuage these
concerns by pledging to respondents
that the agency will protect the
information that respondents provide,
and by using whatever statutory
authority that the agency has to
substantiate this pledge. However, many
agencies do not have strong
confidentiality provisions in their
authorizing statutes. In this case,
agencies may be able to use government-wide
statutes such as the Privacy Act or
exemptions under the Freedom of
Information Act as the basis for a pledge
to respondents, but these statutes still
do not apply to many Federal surveys.
The Confidential Information
Protection and Statistical Efficiency Act
of 2002 (CIPSEA) is a new government-wide
law that can provide strong
confidentiality protections to many
Federal agencies conducting statistical
information collections, such as surveys
and censuses as well as other statistical
activities including data analysis and
modeling, sample design, etc. The
purpose of this guidance is to inform
agencies about the requirements for
using CIPSEA and clarify the
circumstances under which CIPSEA can
be used.
There are several key definitions and
distinctions in CIPSEA regarding
statistical and nonstatistical agencies,
and statistical and nonstatistical
purposes, that affect whether CIPSEA
can be used by an agency to acquire and
protect information. Below is a brief
description of these major definitions
and distinctions, as well as of issues
related to data sharing under CIPSEA,
and additional requirements for using
CIPSEA that are addressed in greater
detail in this guidance.
1. Is the agency a statistical or
nonstatistical agency? CIPSEA
distinguishes between statistical and
nonstatistical agencies or units and
imposes different requirements and
privileges on these different types of
agencies. Briefly, statistical agencies or
units are those whose activities are
predominantly the collection,
compilation, processing, or analysis of
information for statistical purposes.
More detail and a listing of statistical
agencies and units is provided in
section I., part G of this section of the
guidance.
2. Is the information used for
statistical or nonstatistical purposes?
CIPSEA provides protection for
information acquired for statistical
purposes under a pledge of
confidentiality. Under CIPSEA, a
statistical purpose includes the
description, estimation, or analysis of
the characteristics of groups, without
identifying the individuals or
organizations that comprise such
groups, while nonstatistical purposes
include any administrative, regulatory,
law enforcement, adjudicatory, or other
purpose that affects the rights,
privileges, or benefits of a particular
respondent. Information acquired and
protected under CIPSEA may only be
used for statistical purposes.
3. Is the information being acquired
by the Federal agency itself? Agencies
acquire information in different ways
from a wide variety of respondents.
Agencies often acquire information
directly from a respondent to a Federal
survey. In some cases, these
respondents are local or State
governments that have themselves
collected the information from a
respondent. Any agency that directly
acquires information from a respondent,
including a local or State government,
under a pledge of confidentiality for
exclusively statistical purposes, is
bound by CIPSEA. However, CIPSEA
does not restrict or diminish
confidentiality protections in law that
otherwise apply to a collection of
statistical data or information. Agencies
protecting information under CIPSEA
must follow the requirements specified
in section II of this guidance and
include an appropriate pledge to
respondents. All agencies that have
information protected under CIPSEA
must also follow the procedures in
section III for safeguarding the security
of this information.
4. Is the information being acquired
for the Federal agency by contractors or
others acting on behalf of the agency?
Many agencies acquiring information
from respondents do not directly collect
the information themselves from
respondents but do so through
intermediaries such as contractors or
researchers who are operating under
cooperative agreements or grants at the
direction of the agency. CIPSEA defines
contractors and their employees,
researchers, and employees of private
organizations or institutions of higher
learning who have a contract or
agreement with a Federal agency as
‘‘agents’’ and authorizes only some
agencies to use agents to acquire
information that will be protected under
CIPSEA or access CIPSEA-protected
information.
5. How can statistical agencies use
CIPSEA? Statistical agencies or units
that directly acquire information from
respondents, including State and local
governments, may protect the
confidentiality of that information
under CIPSEA. Statistical agencies or
units may also designate agents to
acquire information for the agency
under CIPSEA as well as perform other
exclusively statistical activities for the
agency on CIPSEA-protected
information. Statistical activities
include the collection, compilation,
processing, or analysis of data for the
purposes of describing or making
estimates concerning the whole, or
relevant groups or components within,
the economy, society, or the natural
environment. Statistical activities also
include the development of methods or
resources that support these activities,
such as measurement methods, models,
statistical classifications, or sampling
frames. More information is provided in
section IV about the requirements for
statistical agencies designating agents
under CIPSEA.
6. How can nonstatistical agencies use
CIPSEA? Nonstatistical agencies can use
CIPSEA to protect information they are
authorized to acquire directly
themselves from respondents, including
State and local governments. However,
nonstatistical agencies or units are not
permitted to designate agents under
CIPSEA. Therefore, nonstatistical
agencies or units may not protect
information under CIPSEA if they are
using a contractor or other persons who
fall under the CIPSEA definition of
agents to acquire that information
unless they have the authority to
designate agents to collect information
or perform other statistical activities
under some other statute. More
information on how nonstatistical
agencies can acquire and protect
information under CIPSEA is provided
in section VI of this guidance.
7. What if a statistical agency acquires
information for nonstatistical purposes?
OMB expects that the vast majority of
information collections conducted by
statistical agencies or units will be
subject to CIPSEA because these
agencies generally collect information
for exclusively statistical purposes and
pledge confidentiality. Statistical
agencies or units that are collecting
information that may be used for
nonstatistical purposes need to ensure
that respondents understand these
nonstatistical uses and that CIPSEA
does not apply to the specific collection.
Requirements for statistical agencies
collecting information that may be used
for nonstatistical purposes are covered
in section V.
8. What data sharing does CIPSEA
authorize? Subtitle B of CIPSEA
explicitly provides the ability for three
designated statistical agencies, the
Bureau of Economic Analysis, the
Bureau of Labor Statistics, and the
Bureau of the Census to share business
data. Requirements for data sharing
among these designated statistical
agencies are outlined in section VII.
9. What other requirements are there
for using CIPSEA? Agencies should
carefully review this guidance to
determine whether CIPSEA applies to
any of their information collections or
statistical activities. Agencies using
CIPSEA are responsible for following all
requirements in this guidance. In
addition, OMB is requiring agencies that
use CIPSEA to report annually to OMB
on their use of this law in order to
effectively monitor the implementation
of CIPSEA across Federal agencies. All
agencies that use CIPSEA for their
collections are asked to report to OMB
annually the information collections
CIPSEA applies to and affirm that all of
the requirements in this guidance are
being met. Statistical agencies
protecting information under CIPSEA
are further required to report on their
use of agents, and the three designated
statistical agencies in Subtitle B of
CIPSEA are required to report annually
on their data sharing activities under
CIPSEA. Further information on the
reporting requirements is in section VIII
of this guidance.
B. Purposes of CIPSEA
The Confidential Information
Protection and Statistical Efficiency Act
of 2002 (CIPSEA), Title V of the E-Government
Act of 2002 (Pub. L. 107–347), has two subtitles.

Subtitle A, Confidential Information
Protection, concerns confidentiality and
statistical uses of information. The
purposes of Subtitle A are:
1. To ensure that information
supplied by individuals or organizations
to an agency for statistical purposes
under a pledge of confidentiality is used
exclusively for statistical purposes;
2. To ensure that individuals or
organizations who supply information
under a pledge of confidentiality to
agencies for statistical purposes will
neither have that information disclosed
in identifiable form to anyone not
authorized by this title nor have that
information used for any purpose other
than a statistical purpose; and
3. To safeguard the confidentiality of
individually identifiable information
acquired under a pledge of
confidentiality for statistical purposes
by controlling access to, and uses made
of, such information.4
CIPSEA Subtitle A protects
information that is acquired for
exclusively statistical purposes under a
pledge of confidentiality. This subtitle
of the law applies to all Federal agencies
that acquire information under these
carefully prescribed conditions. The
protection of information collected
under this law is supported by a penalty
of a Class E Felony for a knowing and
willful disclosure of confidential
information. This includes
imprisonment for up to five years and
fines up to $250,000.5 Thus, for many
agencies this law strengthens the
protections afforded to confidential
statistical information.
CIPSEA Subtitle B promotes statistical
efficiency through limited sharing of
business data among three designated
statistical agencies, the Bureau of the
Census (Census), the Bureau of
Economic Analysis (BEA), and the
Bureau of Labor Statistics (BLS). The
purposes of Subtitle B are:
1. To authorize the sharing of
business data among Census, BEA, and
BLS for exclusively statistical purposes;
2. To reduce the paperwork burdens
imposed on businesses that provide
requested information to the Federal
Government;
3. To improve the comparability and
accuracy of Federal economic statistics
by allowing Census, BEA, and BLS to
update sample frames, develop
consistent classifications of
establishments and companies into
industries, improve coverage, and
reconcile significant differences in data
produced by the three agencies; and
4 Sec. 511(b).
5 Sec. 513.
4. To increase understanding of the
United States economy, especially for
key industry and regional statistics, to
develop more accurate measures of the
impact of technology on productivity
growth, and to enhance the reliability of
the Nation’s most important economic
indicators, such as the National Income
and Product Accounts.6
The remainder of this section of the
guidance provides background
information on CIPSEA and its
applicability to Federal agencies.
Sections II through VI provide
implementation guidance on CIPSEA
Subtitle A, and Section VII provides
implementation guidance on Subtitle B.
Section VIII covers agency reporting
requirements to OMB on the
implementation of CIPSEA.

C. Background
There are more than 70 Federal
agencies or organizational units that
carry out statistical activities as their
principal mission or in conjunction
with other program missions, such as
providing services or enforcing
regulations.7 In addition to these 70
agencies, many other Federal agencies
or units may collect statistical
information to use for specific program
needs. Prior to the enactment of
CIPSEA, a patchwork of legislative
protections governed the confidentiality
of data gathered for statistical purposes
by the different agencies and units.
Some agencies had strong statutory
authority to protect the confidentiality
of the data they gathered for statistical
purposes, while other agencies had
weak or no legislative authority to
protect confidentiality. In addition, the
ability of the designated statistical
agencies to share information to
improve the efficiency of the Federal
statistical system was limited by
statutory constraints affecting those
agencies.
Over the years, there have been
numerous attempts both to shore up
legal protection for the confidentiality of
statistical information, and to permit
some limited sharing of data for
statistical purposes. Strengthening and
standardizing statutory protections for
the confidentiality of individually
identifiable data that are collected for
statistical purposes as well as enhancing
the capability of Federal agencies to
share information for exclusively
statistical purposes have always been
goals.

6 Sec. 521(b).
7 Statistical Programs of the U.S. Government FY
2007, Office of Management and Budget,
Washington, DC.

In 1971, the President’s Commission
on Federal Statistics recommended that
the term confidential should always
mean that disclosure of data in a
manner that would allow public
identification of the respondent or
would in any way be harmful to him
should be prohibited. In addition, the
Commission recommended that a
promise to hold data in confidence
should not be made unless the agency
has legal authority to uphold such a
promise, and that legislation should be
enacted authorizing agencies collecting
data for statistical purposes to promise
confidentiality as the term was defined
by the Commission.8
In July 1977, the Privacy Protection
Study Commission stated that ‘‘no
record or information * * * collected or
maintained for a research or statistical
purpose under Federal authority * * *
may be used in individually identifiable
form to make any decision or take any
action directly affecting the individual
to whom the record pertains * * *’’ 9
In October 1977, the President’s
Commission on Federal Paperwork
endorsed the confidentiality and
‘‘functional separation’’ concepts, but
applied them directly and simply to
statistical programs, saying that:
• Information collected or maintained
for statistical purposes must never be
used for administrative or regulatory
purposes or disclosed in identifiable
form, except to another statistical
agency with assurances that it will be
used solely for statistical purposes; and
• Information collected for
administrative and regulatory purposes
must be made available for statistical
use, with appropriate confidentiality
and security safeguards, when
assurances are given that the
information will be used solely for
statistical purposes.10
The policy discussions generated by
the three Commissions came together in
a bipartisan outpouring of support for
the Paperwork Reduction Act of 1980,
which largely addressed the efficiency
recommendations of the Paperwork
Commission. The legislative history of
that Act recognized the unfinished work
of fitting the ‘‘functional separation’’ of
statistical information into the overall
scheme.

8 Federal Statistics—Report of the President’s
Commission, Volume 1, p. 222, September, 1971.
9 Personal Privacy in an Information Society—
Report of the Privacy Protection Study Commission,
p. 574, July, 1977.
10 Statistics—A Report of the Commission on
Federal Paperwork, p. 128, October, 1977.

In 1993, a National Academy of
Sciences panel on confidentiality and
data access recommended that
‘‘Statistical records across all federal
agencies should be governed by a
consistent set of statutes and regulations
meeting standards for the maintenance
of such records, including the following
features of fair statistical information
practices: (a) A definition of statistical
data that incorporates the principle of
functional separation as defined by the
Privacy Protection Study Commission,
(b) a guarantee of confidentiality for
data, * * * (g) legal sanctions for those
who violate confidentiality
requirements.’’ 11
To clarify and make consistent
government policy protecting the
privacy and confidentiality interests of
individuals and organizations who
furnish data for Federal statistical
programs, OMB issued an ‘‘Order
Providing for the Confidentiality of
Statistical Information’’ in June 1997.12
This order applied the principles of
functional separation and protection of
confidential information gathered for
statistical purposes to twelve principal
statistical agencies.
CIPSEA builds upon these and other
efforts of the Executive and Legislative
branches including H.R. 2885 (the
Statistical Efficiency Act of 1999,
originally offered by Representative
Stephen Horn, and unanimously passed
by the House of Representatives) and
H.R. 2136 (the Confidential Information
Protection Act, originally offered by
Representative Tom Sawyer in 2001).
Introducing CIPSEA, H.R. 5215, on July
25, 2002, Representative Horn
indicated,
‘‘The bill’s enhanced confidentiality
protections will improve the quality of
Federal statistics by encouraging greater
cooperation on the part of respondents. Even
more important, these protections ensure that
the Federal Government does not abuse the
trust of those who provide data to it under
a pledge of confidentiality. * * * the
Confidential Information Protection and
Statistical Efficiency Act of 2002 makes
important, common sense and long overdue
improvements in our Nation’s statistical
programs. It is a bipartisan, good Government
measure that has the Administration’s strong
support. I urge my colleagues to join with us
to achieve prompt enactment of the bill.’’ 13

11 Private Lives and Public Policies, 1993,
National Academy Press, Washington, DC.
12 62 FR 35,044–35,050.
13 Congressional Record, July 25, 2002, p. E1397.

In this guidance, OMB is establishing
a uniform policy for all Federal
statistical collections to reduce public
confusion, uncertainty, and concern
about the application of the newly-enacted
confidentiality requirements
associated with protected statistical
information acquired by different
Federal agencies. By establishing
consistent rational principles and
processes to buttress confidentiality
pledges, the law codifies confidentiality
claims and sets minimum standards for
safeguarding confidential statistical
information. Establishing consistent
protection of confidential statistical
information will, in turn, reduce the
perceived risks of more efficient
working relationships among statistical
agencies, relationships that can reduce
both the cost and reporting burden
imposed by statistical programs.
D. Authority

The Paperwork Reduction Act (PRA)
of 1980 (as amended in 1986 and 1995)
requires the Office of Information and
Regulatory Affairs (OIRA) within OMB
to develop policies, principles,
standards, and guidelines for privacy
and confidentiality generally; the
integrity of confidentiality pledges; and
the confidentiality of information
collected for statistical purposes.14 In
addition, the Act tasks OIRA to oversee
agency compliance with related
requirements of the Act and with the
policies referenced above.15 For
example, agencies are required to
‘‘inform respondents fully and
accurately about the sponsors, purposes,
and uses of statistical surveys and
studies.’’ 16
With respect to statistical policy and
coordination, the PRA directs OMB to:
• Coordinate the activities of the
Federal statistical system to ensure—
◦ The efficiency and effectiveness of
the system; and
◦ The integrity, objectivity,
impartiality, utility, and confidentiality
of information collected for statistical
purposes; * * *
• Develop and oversee the
implementation of Governmentwide
policies, principles, standards, and
guidelines * * *
• Promote the sharing of information
collected for statistical purposes
consistent with privacy rights and
confidentiality pledges; 17
In addition, Title V of the E-Government Act of 2002 authorizes the
Director of the Office of Management
and Budget to coordinate and oversee
the confidentiality and disclosure
policies established by CIPSEA. The
Director is authorized to promulgate
rules or provide other guidance to
ensure the consistent interpretation of
this title by the affected agencies.18

14 44 U.S.C. 3504(e)(1), 3504(e)(5), and 3504(g)(1).
15 44 U.S.C. 3506(b)(1)(C), 3506(e)(2)–(4), and
3506(g)(1).
16 44 U.S.C. 3506(e)(2).
17 44 U.S.C. 3504(e).
18 Sec. 503(a).

E. Affected Agencies
Executive agencies as defined in 31
U.S.C. 102 or 44 U.S.C. 3502 19 are
subject to the provisions and penalties
in CIPSEA Subtitle A if they (1) Acquire
information for exclusively statistical
purposes under a pledge of
confidentiality, or (2) they possess or
access information protected by
CIPSEA, unless even stronger
confidentiality protections apply.20
CIPSEA also imposes additional
requirements on statistical agencies or
units, which are defined to include ‘‘an
agency or organizational unit of the
executive branch whose activities are
predominantly the collection,
compilation, processing, or analysis of
information for statistical purposes.’’ 21
CIPSEA Subtitle B applies only to the
designated statistical agencies, i.e., the
Bureau of the Census of the Department
of Commerce, the Bureau of Economic
Analysis of the Department of
Commerce, and the Bureau of Labor
Statistics of the Department of Labor.22
F. Applicability of CIPSEA
Federal agencies collect and acquire
information for a wide variety of
purposes and uses, including benefit
determinations, program planning and
management, program evaluation,
measurement of compliance with laws
and regulations, and research, as well as
for general purpose statistics. When
acquiring information, an agency must
inform the person or organization being
asked to provide information whether or
not it will be treated as confidential and
the purpose(s) for which the
information will be used.23
CIPSEA protection applies to any
identifiable information acquired by the
agency under a pledge of confidentiality
for exclusively statistical purposes. For
purposes of CIPSEA, this information
includes personally identifiable
information 24 as well as information
that permits the identity of any
respondent, such as business
establishments, institutions, or State or
local governments,25 to be reasonably
inferred by either direct or indirect
means.26 In this guidance, the terms
confidential information and
confidential data refer to information
that is protected by CIPSEA.

19 Sec. 502(1).
20 Sec. 512(a) and 512(b). Agencies may also be
governed by other statutes that may have additional
restrictions on the use and disclosure of
confidential statistical information that apply
beyond CIPSEA (Sec. 504(h); Sec. 512(b)(3)).
21 Sec. 502(8).
22 Sec. 522.
23 5 CFR 1320.8(b)(3).
24 The term ‘‘personally identifiable information’’
refers to information that can be used to distinguish
or trace an individual’s identity, such as his or her
name, social security number, biometric records,
etc., alone, or when combined with other personal
or identifying information that is linked or linkable
to a specific individual, such as date and place of
birth, mother’s maiden name, etc.

CIPSEA can apply only when an
agency pledges both to protect the
confidentiality of the information it
acquires and to use the information only
for statistical purposes. CIPSEA defines
a statistical purpose to include the
description, estimation, or analysis of
the characteristics of groups, without
identifying the individuals or
organizations that comprise such groups
and includes the development,
implementation, or maintenance of
methods, technical or administrative
procedures, or information resources
that support the above purposes.27 If
information is collected or acquired for
any nonstatistical purpose, then CIPSEA
shall not be used to protect the
confidentiality of the information.28

25 Statistical agencies may collect information
from a State or local government that is in the
public domain, and, therefore, the statistical agency
would typically not pledge to keep that information
confidential under CIPSEA or other legal
authorities.
26 Sec. 502(4). Indirect identification refers to
using information in conjunction with other data
elements to reasonably infer the identity of a
respondent. For example, data elements such as a
combination of gender, race, date of birth,
geographic indicators, or other descriptors may be
used to identify an individual respondent.
27 Sec. 502(9).
28 There are some authorized, nonstatistical uses
of information collected for statistical purposes,
such as the use of Decennial Census information for
genealogical research, that are noted in Section 504
of CIPSEA. CIPSEA was intended to apply to these
collections that are intended for statistical purposes
and have only very narrow exceptions for specific
nonstatistical uses that do not result in any actions
directly affecting the respondent. Agencies
acquiring or protecting information under CIPSEA
with similar nonstatistical uses of the information
should consult with OMB on the applicability of
CIPSEA for the information collection. Unless there
is a specific exception noted in Section 504 of
CIPSEA, CIPSEA clearly prohibits disclosures for
administrative, regulatory, law enforcement, or
adjudicatory purposes that affect the rights,
privileges, or benefits of a particular identifiable
respondent absent informed consent. Since some
State or Federal laws may require notification of
authorities if, for example, child abuse is reported
by the respondent, agencies collecting such
information shall inform respondents at the time of
collection that revelations of this type of
information must be reported to legal authorities.
Agencies may conduct these collections under
CIPSEA if any such nonstatistical uses are clearly
described in advance to the respondent (with the
respondent providing informed consent), and these
procedures are clearly stated in the notices and
supporting materials described in Section II.
Agencies should also consult with their
institutional review boards to determine
circumstances when informed consent is
appropriate or necessary.

A nonstatistical purpose means the
use of information in identifiable form
for anything other than a statistical
purpose, including any administrative,
regulatory, law enforcement,
adjudicative, or other purpose that
affects the rights, privileges or benefits
of a particular identifiable respondent.
Providing confidential information in
response to a Freedom of Information
Act (FOIA) request is also considered a
nonstatistical purpose.29 Since the
CIPSEA statute is a (b)(3) statute under
FOIA, confidential information covered
under CIPSEA is exempt from release
pursuant to a FOIA request (5 U.S.C.
552(b)(3)).
Agencies acquire information in
different ways from a wide variety of
respondents. An agency may collect
information directly (e.g., surveys) from
individuals, households, businesses,
organizations, or institutions, or the
agency may acquire information through
secondary sources (e.g., from State
government agencies).30 This guidance,
in accordance with the law, will use as
the more general term, ‘‘acquire,’’ to
include both agency collections of
information directly from respondents,
and acquisitions of information from
secondary sources.
In many cases, agencies acquire
information directly from respondents
(including local or State governments)
to a Federal survey; in other cases,
agencies do not themselves directly
acquire information from respondents
but do so through intermediaries, such
as contractors or researchers who are
operating under cooperative agreements
or grants at the direction of the agency.
CIPSEA defines contractors and their
employees, researchers, and employees
of private organizations or institutions
of higher learning that have a contract
or agreement with a Federal agency as
‘‘agents.’’ 31
Any agency that directly acquires
information from a respondent,
including a local or State government,
under a pledge of confidentiality for
exclusively statistical purposes, can use
CIPSEA to protect the information.
However, if an agency is using an agent,
such as a contractor, to acquire
information for exclusively statistical
purposes, the agency may not be able to
protect the information under CIPSEA
unless it is a statistical agency (see part
G). In these situations, nonstatistical
agencies should use their existing
statutory authority to protect the
confidentiality of this information.
Generally, the applicable statute with
the strongest confidentiality protections
for the information governs the use and
disclosure of the information. CIPSEA
does not restrict or diminish any other
confidentiality protections or penalties
for unauthorized disclosure that an
agency may otherwise have for
information collected for statistical
purposes.32 Accordingly, if an agency
has any stronger protections in its
statutes, these protections would remain
in effect. For example, the more
restrictive use and disclosure provisions
of the Census Act and the International
Investment and Trade in Services
Survey Act would take precedence over
the broader statistical uses permitted
under CIPSEA. In another example, if an
agency’s authorizing statute prohibited
disclosure with informed consent, the
agency would not be able to disclose the
information with informed consent,
which could be permissible under
CIPSEA under certain circumstances.33
On the other hand, if an agency
pledges to use the information for only
statistical purposes, then the agency
shall not use any other authorities it has
available to use the information for nonstatistical purposes, because those uses
would be contrary to the agency’s
pledge. For example, if information is
protected by CIPSEA and the Privacy
Act, some of the routine uses permitted
under the Privacy Act would no longer
be allowed because they are not for
statistical purposes.
G. Use of CIPSEA by Statistical and
Nonstatistical Agencies or Units
Although any Federal agency can
acquire and protect information under
CIPSEA, CIPSEA provides additional
authority and imposes additional
requirements on statistical agencies or
units. These additional provisions have
implications for how and whether an
agency can use CIPSEA to acquire
information; these provisions are
discussed in later sections of this
guidance.
CIPSEA defines a statistical agency or
unit as ‘‘an agency or organizational
unit of the executive branch whose
activities are predominantly the
collection, compilation, processing, or
analysis of information for statistical
purposes.’’ 34
OMB shall determine whether an
agency or unit can be considered a
statistical agency or unit for purposes of
CIPSEA.
OMB recognized 12 statistical
agencies or units in its 1997
Confidentiality Order: 35
• Department of Agriculture
◦ Economic Research Service
◦ National Agricultural Statistics Service
• Department of Commerce
◦ Bureau of Economic Analysis
◦ Census Bureau
• Department of Education
◦ National Center for Education Statistics
• Department of Energy
◦ Energy Information Administration
• Department of Health and Human Services
◦ National Center for Health Statistics
• Department of Justice
◦ Bureau of Justice Statistics
• Department of Labor
◦ Bureau of Labor Statistics
• Department of Transportation
◦ Bureau of Transportation Statistics
• Department of the Treasury
◦ Statistics of Income Division of the Internal Revenue Service
• National Science Foundation
◦ Division of Science Resources Statistics

29 Sec. 502(5)(B).
30 Sec. 502(6).
31 Sec. 502(2).
32 Sec. 504(h); Sec. 512(b)(3).
33 Sec. 512(b).
34 Sec. 502(8).
35 62 FR 35,044–35,050.

Since this guidance was issued in
proposed form in October 2006, OMB
has recognized two statistical
organizational units: the Office of
Applied Studies within the Substance
Abuse and Mental Health Services
Administration in the Department of
Health and Human Services, and the
Microeconomic Surveys Unit of the
Board of Governors of the Federal
Reserve. Other agencies or units that
wish to be recognized as statistical
agencies or units for purposes of
CIPSEA must send a request to the Chief
Statistician at OMB. The request must
come from the head of the agency or
unit and have the concurrence of the
larger organization within which the
agency or unit resides. This request
should include a statement of the
organizational definition of the agency
or unit, its mission, statistical activities,
and any nonstatistical activities, and
demonstrate that its activities are
predominantly statistical. Statistical
activities include the collection,
compilation, processing, or analysis of
data for the purpose of describing the
characteristics of groups or making
estimates concerning the whole or
relevant groups, or components within,
the economy, society, or the natural
environment. Statistical activities also
include the development of methods or
resources that support these activities,
such as measurement methods, models,
statistical classifications, or sampling
frames. A listing of OMB recognized
statistical agencies and units will be
posted and maintained on OMB’s Web
site.
Both statistical and nonstatistical
agencies can use CIPSEA to protect
information they acquire directly from
respondents, including State and local
governments. However, only statistical
agencies or units are authorized under
CIPSEA to designate agents to perform
exclusively statistical activities, which
include data collection, subject to
CIPSEA limitations and penalties.36
Because data collection contractors are
agents under CIPSEA,37 only statistical
agencies may designate contractors to
acquire information that will be
protected under CIPSEA. In order for
the collections of nonstatistical agencies
to fall within the protections of CIPSEA,
nonstatistical agencies must acquire the
information themselves directly from
respondents. Nonstatistical agencies
cannot empower contractors or other
agents to acquire information or carry
out any other statistical activities for the
agency under CIPSEA.38
The following sections II and III of
this guidance describe in detail the
requirements for all agencies using
CIPSEA. Additional requirements for
statistical agencies or units designating
agents are covered in section IV.
Because it is generally expected that
statistical agencies or organizational
units will be collecting information for
exclusively statistical purposes under a
pledge of confidentiality, statistical
agencies or units that conduct or
sponsor a collection that will not be for
exclusively statistical purposes must
follow additional requirements as
described in section V. Additional
requirements for nonstatistical agencies
or units are provided in section VI.
II. Requirements for Agencies
Collecting or Acquiring Information
Protected Under CIPSEA
CIPSEA provides strong protection for
information obtained for exclusively
statistical purposes under a pledge of
confidentiality. For CIPSEA to have its
intended effect of reinforcing public
confidence in Federal confidentiality
pledges, all Federal agencies that make
the CIPSEA pledge must provide
CIPSEA protection to that information.
A Federal agency should not make a
CIPSEA pledge unless the agency is
fully committed to taking all the actions
that are necessary to provide CIPSEA
level protection; making the CIPSEA
pledge means giving CIPSEA level
protection to the collected information.

36 Sec. 512(d).
37 Sec. 502(2)(iii).
38 Some nonstatistical agencies may have specific
statutory authority to designate agents that meets
the requirements of CIPSEA, allowing the agency to
use agents to perform exclusively statistical
activities, including data collection, for the agency.
Agencies should consult with OMB on the
applicability of their statute for purposes of using
CIPSEA before making plans to designate agents.
Agencies should also clearly describe how their
authority meets the requirements for CIPSEA
designation of agents in their information collection
requests to OMB.

To faithfully maintain this
commitment requires that agencies meet
a number of minimum requirements
that are described in detail in the
remainder of this guidance. Specifically,
agencies must:
• Inform the respondents about the
confidentiality protection and use of the
information (section II.);
• Collect and handle confidential
information to minimize risk of
disclosure, including properly training
employees (section III.);
• Ensure the information is used only
for statistical purposes (section III. A.);
• Review information to be
disseminated to prevent identifiable
information from being reasonably
inferred by either direct or indirect
means (section III. F.); and
• Supervise and control agents who
have access to confidential information
(section IV.).
A. Requirements for Public Notice Prior
to Data Collection
Agencies are required under the PRA
to:
• Publish a notice in the Federal
Register allowing 60 days for the public
to comment on information collections
and otherwise consult with members of
the public and affected agencies
concerning each proposed collection of
information; 39
• Publish a notice in the Federal
Register at the time OMB approval is
being sought, and allow the public 30
days to comment; and
• ‘‘Describe any assurance of
confidentiality provided to respondents
and the basis for the assurance in
statute, regulation, or agency policy’’ in
their PRA supporting statements
submitted to OMB.40
When agencies are acquiring
information that will be protected under
CIPSEA, they shall: 41
• State that the information will be
protected under CIPSEA, and cite any
other authority they have to protect the
confidentiality of the data in their PRA
supporting statements; and
• State in their Federal Register
notices if there is a substantive change
in the confidentiality protection of the
information being collected, such as
using CIPSEA to protect the information
for an ongoing collection when similar
protection was not available previously.

39 5 CFR 1320.8(d)(1).
40 Instructions for Supporting Statement for
Paperwork Reduction Act submissions and 5 CFR
1320.8(b)(3).
41 Agencies conducting an OMB-approved
information collection prior to passage of CIPSEA
or issuance of this guidance, such as a periodic or
longitudinal survey, can also protect that collection
under CIPSEA if the collection is intended for
exclusively statistical purposes, the agency pledges
confidentiality, and the agency will follow this
guidance in implementing CIPSEA. In this case, the
agency should consult with OMB about the change
in confidentiality protection for the collection and
plan appropriate consultation with stakeholders
and respondents. OMB may require agencies to
provide Federal Register notices concerning the
change in policy and to contact respondents for
comments before the agency can make a CIPSEA
pledge.

B. Requirements for Informing
Respondents at the Time of Information
Collection
At the time of the information
collection, agencies are required under
the PRA to adequately inform potential
respondents about the uses of the
information they provide.42 This
description must include the following
information related to the
confidentiality of their responses:
• The reasons the information is
planned to be and/or has been collected;
• The way such information is
planned to be and/or has been used to
further the proper performance of the
functions of the agency; and
• The nature and extent of
confidentiality protection to be
provided, if any.43
When agencies are collecting
information that they want to be
protected under CIPSEA, they are
required by law at the time of collection
to do the following:44
• Pledge to keep the data or
information confidential, and
• Pledge that the information will be
used for exclusively statistical purposes.
Agencies that are not protecting
information under CIPSEA must ensure
that the public is able to distinguish
easily between pledges that reflect the
protections provided by CIPSEA and
those affording less protection than
CIPSEA. In particular, the pledge for
collections not protected to the extent
afforded by CIPSEA shall not contain all
the elements related to CIPSEA found in
the pledges below—specifically, the
pledge shall not state both that the data
are confidential and that they are for
exclusively statistical use (in such cases
CIPSEA would apply even if not
stated).45 The degree to which the
pledge differs from the CIPSEA pledge
needs to be based on the laws and
regulations governing the collection and
determined in collaboration with the
agency legal staff, agency confidentiality
officer, and PRA clearance officer. A
pledge of confidentiality for collections
not protected by CIPSEA must
specifically cite the statutory
authorization protecting the
confidentiality of the data being
collected and accurately describe the
extent of that protection. If an agency
elects to collect information under laws
affording less protection than CIPSEA,
OMB will not approve an agency’s
proposed non-CIPSEA pledge that is too
similar to the CIPSEA pledge (e.g., one
that includes the term ‘confidential’ and
states that the information will be used
for exclusively statistical purposes).
The following examples of
confidentiality pledges under CIPSEA
are sufficient to inform respondents of
the protections afforded. Agencies shall
use the following model and customize
the wording in accordance with their
needs. Parentheses indicate options and
italics are instructions. Comparable
pledge language may be substituted, but
that alternative wording shall be
included in the PRA supporting
statements to OMB and should be
cognitively tested. A complete
confidentiality pledge shall be
developed from the following:

The information (choose one—you, your
household, your establishment—as needed)
provide(s) will be used for statistical
purposes only. In accordance with the
Confidential Information Protection
provisions of Title V, Subtitle A, Public Law
107–347 (option to add or substitute laws
that are stronger or more restrictive than
CIPSEA) and other applicable Federal laws
(option to list them, but it is not necessary
to be exhaustive), your responses will be kept
confidential and will not be disclosed in
identifiable form to anyone other than
employees (option to add ‘‘or agents’’ if
applicable, or another term the agency uses)
(option to add—without your consent).46 By
law, every (your agency here) employee
(optional—including the Director), (if
applicable, option to add ‘‘as well as every
agent such as then list as appropriate—
contractors, field representatives,
telephone interviewers, authorized
researchers,47 etc’’.48), (optional—has taken
an oath and) is subject to a jail term
(optional—of up to 5 years), a fine
(optional—of up to $250,000), or both if he
or she willfully discloses ANY identifiable
information about (choose one—you, your
household, your establishment).

42 5 CFR 1320.8(b)(3); Additional requirements
are imposed if the collection involves a Privacy Act
system of records (5 U.S.C. 552a(e)(3) as amended).
43 5 CFR 1320.8(b)(3).
44 Sec. 512(a).
45 As noted at the end of this subsection (and in
footnote 17), CIPSEA does not restrict or diminish
any other confidentiality protections or penalties
for unauthorized disclosure that an agency may
otherwise have for information collected for
statistical purposes, and any stronger protections
would remain in effect (Sec. 504(h); Sec. 512(b)(3)).
46 Use the phrase ‘‘without your consent’’ only in
cases where an agency can reasonably anticipate
such consent will be requested.

The above pledge may be placed on
the survey instrument (e.g., form), in the
instructions, or on the back side of the
cover letter. A shorter, more user-friendly version may be used in
introductory statements, on the cover of
the instrument, or in the body of the
cover letter as long as there is a
reference to the full pledge. In addition,
the agency may place the full pledge on
the agency’s web site and point
respondents to that site.
To illustrate the actual pledge
wording, an agency could implement
this pledge as follows:
The information you provide will be used
for statistical purposes only. In accordance
with the Confidential Information Protection
provisions of Title V, Subtitle A, Public Law
107–347 and other applicable Federal laws,
your responses will be kept confidential and
will not be disclosed in identifiable form to
anyone other than employees or agents. By
law, every ABC employee as well as every
agent has taken an oath and is subject to a
jail term of up to 5 years, a fine of up to
$250,000, or both if he or she willfully
discloses ANY identifiable information about
you.

Agencies may choose to employ a
shortened version of the pledge, such as
the following, when conducting
telephone surveys or in other similar
circumstances as long as respondents
are given access to the longer version in
some other manner such as posting on
the agency’s Web site:
The information you provide about (choose
one—yourself, household, establishment)
will be used for statistical purposes only. In
accordance with the Confidential Information
Protection provisions in Public Law 107–347
(option to add and other applicable Federal
laws), your responses will be kept
confidential and will not be disclosed in
identifiable form (optional—without your
consent).49 By law, everyone working on this
(your agency here) survey is subject to a jail
term, a fine, or both if he or she willfully
discloses ANY information that could
identify you.
47 Agencies that plan to provide access to
confidential information for statistical purposes
should include mention of this in their pledge.
48 Designated statistical agencies (as defined
under CIPSEA Subtitle B) may include ‘‘employees
of partner statistical agencies’’ for collections of
confidential business information that may be used
in data sharing agreements as authorized under that
Subtitle.
49 Use ‘‘without your consent’’ only if consent is
asked or may be in the future—omitting this phrase
could create difficulties if the agency later wants to
ask for consent.

Agencies whose statutory authority
provides confidentiality protections
more restrictive than CIPSEA for
information acquired for exclusively
statistical purposes under a pledge of
confidentiality may use the CIPSEA
pledge or their existing pledges that are
similar as long as they make clear what
confidentiality protections cover the
information and the statutory authority
for those protections. In such cases, the
resemblance of an agency’s pledge to the
CIPSEA pledge does not imply that any
provisions in CIPSEA would overrule
the agency’s stronger confidentiality
statute. CIPSEA does not restrict or
diminish any other confidentiality
protections or penalties for
unauthorized disclosure that an agency
may otherwise have for information
collected for statistical purposes, and
any stronger protections would remain
in effect.50
III. Minimum Standards for
Safeguarding Confidential Information
Acquired Under CIPSEA
These standards for safeguarding
confidential information apply to
information protected under CIPSEA.
Federal agencies shall follow the
minimum standards in this section. In
addition, some best practices are
provided that agencies are encouraged
to adopt but are not required to
implement. 51
The central objective of these
standards is to ensure that a Federal
agency that pledges confidentiality for
statistical information honors that
pledge. Each Federal agency remains
ultimately responsible and accountable
for the confidential information that the
agency acquires under a CIPSEA pledge.
Any inappropriate use or disclosure of
CIPSEA-protected information violates
the law and can undermine public trust.
Therefore, there is no ‘‘acceptable’’ level
of non-compliance with the CIPSEA
pledge.
These minimum standards have been
developed according to the principle of
disclosure risk, which considers both
the probability of an unauthorized
disclosure and the expected harm from
such a disclosure. These minimum
standards apply to data for which the
disclosure risk has been deemed
relatively low by the Federal agency
responsible for the information. Federal
agencies shall set higher standards as
the disclosure risk increases.
50 Sec. 504(h); Sec. 512(b)(3).
51 Best practices that agencies are encouraged but
not required to implement are designated as items
that agencies ‘‘may’’ do, while requirements are
noted as items that agencies ‘‘shall’’ do.
At a minimum, such standards shall
make clear that each person having
access to confidential information
understands his/her responsibility
related to maintaining the
confidentiality of that information. In
addition, these standards shall make
clear who is accountable for each part
of the information protection, including:
• Determining and monitoring
procedures for collection and release;
• Evaluating the reason for accessing
the information and controlling access
to the information; and
• Maintaining physical and
information systems security.
A. Principles and Procedures for
Protecting Confidential Information
Agencies or organizational units
protecting information under CIPSEA
shall incorporate the costs for protecting
confidential information throughout the
lifecycle of the statistical activity. This
will ensure that sufficient resources are
available to develop and implement
procedures to ensure that:
• The confidentiality of the
information is protected;
• Confidential information is used
exclusively for statistical purposes;
• Access to confidential information
is controlled, and only authorized
persons have access to the information;
• All persons having access to
confidential information understand
  ◦ The obligations of confidentiality
  protection,
  ◦ That unauthorized access to
  confidential information is prohibited,
  and
  ◦ The penalties for unauthorized
  access to and unauthorized use of
  confidential information; and
• A person or persons are designated
to oversee all procedures for handling
confidential information, and that such
persons are responsible for all agency
confidentiality procedures, reviews, and
compliance with confidentiality laws.

B. Physical and Information Systems
Security
Each agency shall ensure the physical
security and information systems
security where data protected under
CIPSEA are accessed and stored.
Agencies are required to establish
appropriate administrative and
technical safeguards to ensure that the
security of all media containing
confidential information is protected
against unauthorized disclosures and
anticipated threats or hazards to their
security or integrity. For example,
agencies must ensure that security
requirements are followed for reports,
documents, printouts, information
collection instruments, laptops, PDA’s,
zip drives, floppy disks, CD–ROMs, or
any other IT devices that contain
confidential information to prevent
access by unauthorized persons.
Agencies must also ensure that only
persons authorized by the head of the
statistical agency or unit are permitted
access to confidential information
stored in information systems.
Agencies are required to assess and
secure their information and
information systems in accord with the
Federal Information Security
Management Act (FISMA) which
appears as Title III of the E-Government
Act of 2002. OMB has issued guidance
on implementing FISMA, and the
National Institute of Standards and
Technology (NIST) has issued
compulsory and binding standards used
to identify the level of impact and
controls for maintaining the
confidentiality, integrity, and
availability of all information collected
or maintained on behalf of an agency.52
One of three security objectives for
information and information systems
that FISMA defines is confidentiality.
The security category of an information
type is determined by its potential
impact on agencies should there be a
breach of security, i.e., a loss of
confidentiality.53 Because agencies
handle many different types of
information, an agency should
determine what the potential impact of
a security breach on the agency is
(including mission, function, image, and
reputation), and take into account
CIPSEA requirements that the
information be used for exclusively
statistical purposes as well as the
penalties that CIPSEA imposes for
disclosure.
Privacy Impact Assessments (PIAs)
are also required of agencies developing
or procuring information systems or
projects that maintain or handle
confidential information in identifiable
form about members of the public, and
agencies initiating new electronic
collections of information in identifiable
form.54
52 For more information about existing security
and privacy requirements, see
http://www.whitehouse.gov/omb/inforeg/infopoltech.html,
FIPS PUB 199, Standards for Security
Categorization of Federal Information and
Information Systems, Gaithersburg, MD: U.S.
Department of Commerce, and related publications.
53 See FIPS PUB 199, Standards for Security
Categorization of Federal Information and
Information Systems, Gaithersburg, MD: U.S.
Department of Commerce; and related publications
such as NIST Special Publication 800–60.
54 See OMB Memorandum M–03–22, September
26, 2003, OMB Guidance for Implementing the
Privacy Provisions of the E-Government Act of 2002.
C. Confidentiality Training
Each agency with information
protected under CIPSEA shall ensure
that all individuals having access to
such confidential information have a
current understanding of confidentiality
rules and procedures. Confidentiality
training shall include at a minimum:
• An overview of information
protection procedures,
• The importance of ‘‘need to know’’
for an authorized purpose in accessing
confidential information,
• Physical and information systems
security procedures, and
• The penalties for unauthorized
access, use and disclosures.
Employees who have access to
confidential information shall be
recertified annually to ensure their
understanding of confidentiality
requirements.
D. Record Keeping
Agencies shall establish and maintain
a system of records 55 that identifies
individuals accessing confidential
information. Agencies shall also be
prepared to document their compliance
with the safeguard principles to OMB.56
E. Information Collection, Processing, or
Analysis Contracts
Prior to award, agencies shall review
any contracts that involve CIPSEA
protected information to ensure
language is included that informs the
contractor of the requirements of
CIPSEA and of the contractor’s
obligations under the law and penalties
for noncompliance (see Section IV).
F. Guidelines for Review of Information
Prior to Dissemination
For CIPSEA protected information,
the agency as well as any agent
accessing the information shall ensure
that any dissemination of information
based on confidential information is
done in a manner that preserves the
confidentiality of the information. To
accomplish this, agencies shall:
• Review their information products
prior to public release for disclosures of
confidential information, and
• Apply appropriate statistical
disclosure limitation (SDL) techniques
to preserve the confidentiality of the
information.
55 Agencies should assess for themselves the
nature of these records and requirements for record
keeping, including whether what an agency does for
this purpose qualifies as a system of records under
the Privacy Act. OMB is not implying in this
guidance what form these record keeping systems
should take and is leaving that determination to the
agency.
56 OMB recognizes that in some cases agencies
have very detailed documentation on access to
confidential information that itself is treated as
confidential by the agency. In this case, it is
sufficient for the agency simply to demonstrate that
the basic safeguard principles are being followed;
agencies should not reveal specific individuals or
specific procedures that would compromise the
protection of the information.
For further guidance on SDL
techniques, agencies can refer to
practices described in Statistical Policy
Working Paper #22, Report on
Statistical Disclosure Limitation
Methodology 57 and utilize other
resources such as the disclosure review
checklist provided by the Federal
Committee on Statistical Methodology’s
Confidentiality and Data Access
Committee.58
Additional guidelines are provided
below for handling confidential
information protected under CIPSEA in
conjunction with information not
protected by CIPSEA.
Tabular Information
When a table includes both data
protected under CIPSEA and other data
not protected under CIPSEA, all data
shall be treated as confidential, and
identifiable respondent information
shall not be present in the table.
When a table includes both data
protected under CIPSEA and
nonconfidential data, the agency:
• Shall apply SDL techniques to
ensure protection of any table cells
based on information protected under
CIPSEA;
• May have a table cell that reveals
nonconfidential identifiable respondent
information. However, the agency shall
take special care to ensure that the
presentation of the nonconfidential
information in no way jeopardizes
confidential information.
  ◦ If the table includes any
  identifiable nonconfidential respondent
  information, the agency shall
  distinguish what information is
  protected under CIPSEA in the
  accompanying text or notes to the table.
  ◦ If the table does not include any
  identifiable nonconfidential respondent
  information, there is no need to
  distinguish these data from those
  protected under CIPSEA.
• A special case exists when a table
cell value reflects a combination of
CIPSEA protected data and
nonconfidential data (e.g., a ratio or
weighted average). In this case, these
data elements are considered
confidential and shall not be
disseminated in a manner where any
respondent could be identified.
The agency shall determine how the
disclosure limitation methods used on
the data affect the users and thus what
information about confidentiality
protection shall be included with
tabular presentation.
57 Available at http://www.fcsm.gov/reports/.
58 See http://www.fcsm.gov/committees/cdac/cdac.html.
Agencies may also wish to consult
HIPAA standards for deidentification of protected
health information at 45 CFR 164.514.
Microdata 59
The confidentiality provisions and
limits on uses of microdata shall be
completely discussed in the
documentation or mentioned with a
reference for details. For microdata
protected under CIPSEA, SDL
techniques shall be applied prior to
public release.
There are two possible scenarios to
consider for the dissemination of
microdata in which some elements are
protected under CIPSEA and other
elements are not (e.g., not confidential
or confidential under other
laws/authorities).
• If variables protected under CIPSEA
are linked to other variables that are not,
the most restrictive law (in terms of
promising confidentiality and limiting
the use of the information) shall apply.
For example:
  ◦ If an agency links data protected
  under CIPSEA with nonconfidential
  administrative data from another source
  and releases a linked public use
  microdata file, the restrictions of
  CIPSEA apply.
  ◦ If an agency links data protected
  under CIPSEA with confidential
  administrative data from another source
  (e.g., IRS data) and releases a linked
  public use microdata file, the most
  restrictive law (in terms of promising
  confidentiality and limiting the use of
  the information) shall prevail.
• If data from some respondents are
protected under CIPSEA and data from
other respondents are not, an agency
may keep the data in separate files or
combine the data sets and include a
variable that tells the source for each
record. Keeping the data in separate
files may be the best choice because it
would help highlight the difference in
confidentiality provisions and limits on
uses.
59 Microdata are data about individual
respondents (e.g., persons, households,
organizations, companies, farms, etc.)
IV. Requirements and Guidelines for
Statistical Agencies or Organizational
Units When Designating Agents to
Acquire or Access Confidential
Information Protected Under CIPSEA
Statistical agencies or organizational
units may under CIPSEA designate
agents by contract or by entering into a
special agreement to perform
exclusively statistical activities that are
subject to CIPSEA limitations and
penalties.60 To ensure that the
protections of CIPSEA apply to the
information that a statistical agency or
unit acquires, the agency shall follow
the requirements in this section when
designating agents to acquire
information for the agency for
exclusively statistical purposes under a
pledge of confidentiality.
60 Sec. 512(d).
Because CIPSEA has a broad
definition of agents, statistical agencies
and organizational units may use
CIPSEA to designate a variety of
individuals as agents to allow them to
access confidential information for
exclusively statistical purposes.61 A
statistical agency may designate agents
to perform exclusively statistical
activities, at its discretion, subject to the
agency’s needs, resources, and other
requirements. The agency that possesses
the confidential information shall
ensure that all agents comply with the
agency’s confidentiality procedures and
shall follow the requirements in this
section when designating agents to
access confidential information for
exclusively statistical purposes.
Information protected under CIPSEA
must be used only for statistical
purposes. When entering into contracts
or special agreements with agents to
acquire or access confidential
information, an agency shall consider:
• The sensitivity of the confidential
information,
• The risk of disclosure, and
• The resources required to maintain
supervision and control of agents.
Agencies are responsible for
protecting the confidentiality of their
data and may establish standards
beyond those in this guidance. This
section thus provides the minimum
requirements as well as additional
guidelines for statistical agencies or
units to designate agents to perform
exclusively statistical activities,
including data collection.
It is important to note that neither
CIPSEA nor this guidance requires any
statistical agency or unit to designate
agents; the decision to enter into these
agreements is at the discretion of the
statistical agency or unit. Therefore, an
agency may decline to designate agents
in accordance with its authorities or
practices.62 If a statistical agency or unit
chooses to designate agents, the agency
remains responsible for all confidential
information protected under CIPSEA,
and statistical agencies or units should
not designate agents unless the agencies
or units are able to ensure that all
CIPSEA requirements in this guidance
will be met and faithfully carried out by
their agents. Carrying out these
responsibilities will take agency
resources, and thus, will limit the extent
to which a statistical agency or unit
should consider designating agents.
61 Sec. 512(a).
62 An example is the authority granted the Census
Bureau under Title 13, Section 23(c) that permits
the use of temporary staff to assist in the
performance of work authorized by Title 13.
Whereas CIPSEA puts no limits on the statistical
uses made by agents, Title 13 limits the statistical
uses to those that support the work of the agency.
A. Designating Agents
Under CIPSEA, a statistical agency or
unit may designate as an agent 63 any of
the following:
• An employee of a private
organization or a researcher affiliated
with an institution of higher learning;
• Someone who is working under the
authority of a government entity;
• Someone who is a self-employed
researcher, a consultant, a contractor, or
an employee of a contractor; or
• Someone who is a contractor or an
employee of a contractor, and who is
engaged by the agency to design or
maintain the systems for handling or
storage of data received under this
title.64
Statistical agencies or units
designating agents must do so through
contracts or other agreements that
require the agent to agree in writing to
comply with all provisions of law that
affect information acquired by that
agency.65 Any statistical agencies or
units that designate agents shall exercise
supervision and/or control of the agents
to ensure the confidentiality and
appropriate use of the information.
B. Requirements for Agents To Request
Access to Confidential Information
Protected Under CIPSEA
Some statistical agencies and units
receive requests from outside
researchers and others who wish to
obtain access to confidential data for
statistical purposes as agents of the
statistical agency. Most agencies that
receive these kinds of requests have
found it useful to first obtain a written
proposal from the prospective agent.
Agencies may require prospective
agents to submit a proposal that
includes some or all of the following in
order to properly evaluate the proposed
access and use of their confidential data:
• A clear and detailed description of
the purpose of the access,
• The specific confidential
information needed,
• How the information will be used,
• Plans for disseminating information
as well as the products planned for
public distribution,
• A list of persons involved in the
project who will have access to the
information,
• A security plan (information
systems and physical security) for
protecting the information [applicable
only for off-site access arrangements],
and
• A timeframe for access.
63 Sec. 502(2)(A); Sec. 512(d).
64 CIPSEA includes as agents contractors
maintaining systems for handling or storage of data.
Such information technology personnel provide
support and have direct contact with confidential
information not because they would necessarily use
the information for statistical purposes, but because
they would be responsible for the protection of the
information from use for nonstatistical purposes
and for ensuring appropriate security. As agents,
these contractors and their employees are bound by
CIPSEA to protect the confidentiality of the
information.
65 Sec. 502(2)(B).
After an agency receives the proposal
and reviews it, the agency may provide
comments and may request changes or
may request the prospective agent to
complete a written agreement (see
section IV.C).66 Agencies shall deny any
proposal that does not meet the
requirements described in this
guidance.
Whether or not a prospective agent
has submitted a proposal to an agency,
access to confidential information shall
not be granted until the agency has
entered into a written agreement with
the agent, and the agent has met the
requirements contained in this guidance
and in agency standards for accessing
the data.
Prior to the enactment of CIPSEA,
some statistical agencies and units had
statutory authority to authorize agents to
access confidential information.
Agencies have developed a variety of
mechanisms that balance permitting
access to confidential data, while
controlling that access. This area is
evolving rapidly, and the following
examples are included only as
illustrations:
• Onsite at Agency: An external
analyst works at an agency as an agent
to participate in statistical activities
involving confidential data. This work
shall be done either in collaboration
with or otherwise under the direct
control and supervision of agency staff,
per the terms of a written agreement.
The agent’s work is subject to review by
the supervising staff.
• Data Center: An agent visits a
controlled access secure facility
maintained by the agency or unit to
conduct analyses on confidential data
held by the agency. The facility must be
equipped with secure computers and
staffed by agency personnel who review
all outputs for the purposes of
confidentiality. There may be additional
constraints on what the agent may bring
to or remove from the center.
• Off-site License Agreement: An
agent is granted access to confidential
information from an agency or unit for
use at the agent’s facility. The
organization the agent is affiliated with
shall enter into a legally binding written
agreement as described in section IV.C
with the agency that possesses the
confidential information.
66 If the agency chooses, the agent may submit the
proposal in conjunction with a completed written
agreement.
C. Written Agreements for Agent Access
to Confidential Information Protected
Under CIPSEA
Some statistical agencies or units use
contractors to acquire information and/
or perform other statistical activities.
Under CIPSEA, the contractor and the
contractor’s employees are considered
agents. For any data that will be
acquired by the contractor under
CIPSEA, or if the contractor will have
access to any confidential information
protected by CIPSEA, the legally
binding contract shall include the
provisions shown in the Appendix.
If a statistical agency or unit provides
designated agents access to confidential
information protected under CIPSEA for
exclusively statistical purposes, then all
such access shall require a written,
legally binding contract or other
agreement between the agency and the
responsible management level official
from the institution with which the
agent(s) is(are) affiliated.67 The
information required as part of that
written agreement is shown in the
Appendix.
D. Physical and Information Systems
Security for Confidential Information
Protected Under CIPSEA: On-Site and
Off-Site
Agencies have the responsibility to
ensure the security of physical and
information systems for on-site as well
as off-site access (if applicable) to
confidential information and must
follow applicable OMB Guidance and
NIST standards and publications.68 In
addition to the security requirements
described in section III.B, agencies
allowing agents access to confidential
information protected under CIPSEA
outside of the collecting agency or a
facility under the agency’s control shall
require that the written access
agreement, described in section IV.C,
stipulate the agency’s right to conduct
inspections of the off-site facility.
67 For situations in which agents are not affiliated
with an institution, the agreement will be signed as
legally binding by the agent(s). The latter
arrangements would include those with a single
agent operating independently as a sole proprietor
as well as those with multiple agents operating
independently.
68 For more information about existing security
and privacy requirements, see
http://www.whitehouse.gov/omb/inforeg/infopoltech.html,
FIPS PUB 199, Standards for Security
Categorization of Federal Information and
Information Systems, Gaithersburg, MD: U.S.
Department of Commerce, and related publications.
In order to ensure the physical and
information systems security of the
confidential information, agencies shall
conduct inspections of any off-site
facility that harbors confidential
information protected under CIPSEA. (If
the off-site facility is another Federal
statistical agency or unit, agencies may
at their option conduct inspections but
are not required to inspect these
facilities.) These inspections shall be
conducted according to the following
principles:
• The inspections shall assess and
document whether the protection
procedures outlined in the written
agreement and in the agent’s security
plan are being implemented.
• While an inspection of the off-site
facility is encouraged prior to release of
the information to the agent, it is not
required. (The inspection may occur any
time during the access agreement
period, preferably as soon as possible.)
• Inspections shall be conducted at
all off-site facilities at some time during
the timeframe of access. Agencies may
prioritize their selection of sites for
inspections based on risk, but must still
inspect all off-site facilities; however,
agencies may coordinate and collaborate
on inspections of off-site facilities that
harbor confidential data from multiple
agencies. Agencies may choose not to
inform the agent of the timing of such
inspections.
E. Confidentiality Training
All persons with access to
confidential information protected
under CIPSEA shall participate in
agency-provided confidentiality training
(see section III.C) prior to accessing the
confidential information as stipulated in
the written agreement (section IV.C)
between the agency and the agent’s
organization or institution.69
The agency possessing the
confidential data shall certify or receive
notification that each project staff
member has undergone the training.
Agents shall also be required to be
recertified annually.

F. Record Keeping
Agencies shall establish and maintain
a system of records 70 that identifies
69 For

situations in which agents are not affiliated
with an institution, the agreement will be signed as
legally binding by the agent(s).
70 Agencies should assess for themselves the
nature of these records and requirements for record
keeping, including whether what an agency does for

VerDate Aug<31>2005

21:40 Jun 14, 2007

Jkt 211001

designated agents accessing confidential
information protected under CIPSEA
and the project for which the
information was authorized.
V. Requirements for Statistical
Agencies or Organizational Units
Acquiring Information That May Be
Used for Nonstatistical Purposes
CIPSEA defines a statistical agency or
unit to be ‘‘an agency or organizational
unit of the executive branch whose
activities are predominantly the
collection, compilation, processing, or
analysis of information for statistical
purposes.’’ 71
Because the public should expect that
a statistical agency or unit will be
collecting information for exclusively
statistical purposes, CIPSEA requires a
statistical agency to ‘‘clearly distinguish
any data or information it collects for
nonstatistical purposes (as authorized
by law) and provide notice to the
public, before the data or information is
collected, that the data or information
could be used for nonstatistical
purposes.’’ 72
A. Requirements for Public Notice
If a statistical agency or unit will
collect information that may be subject
to use for nonstatistical purposes, the
statistical agency or unit shall use the
notices in the Federal Register that are
required under the PRA to inform the
public about the nonstatistical uses of
the information during the process of
requesting OMB approval of the
information collection.
As noted in section II.A, OMB’s
regulations for Controlling Paperwork
Burdens on the Public 73 set forth public
notification requirements for agencies
conducting or sponsoring an
information collection. Agencies are
required under the PRA to:
• Publish a notice in the Federal
Register allowing 60 days for the public
to comment on information collections
and otherwise consult with members of
the public and affected agencies
concerning each proposed collection of
information; 74
• Publish a notice in the Federal
Register at the time OMB approval is
being sought, and allow the public 30
days to comment; and
• “Describe any assurance of
confidentiality provided to respondents
and the basis for the assurance in
statute, regulation, or agency policy” in
their PRA supporting statements
submitted to OMB.75

this purpose qualifies as a system of records under
the Privacy Act. OMB is not implying in this
guidance what form these record keeping systems
should take, and is leaving that determination to the
agency.
71 Sec. 502(8).
72 Sec. 512(c).
73 5 CFR 1320.
74 5 CFR 1320.8(d)(1).

Both Federal Register notices (i.e., the
initial one seeking public comments for
consideration by the agency and the
later one seeking public comments for
consideration by OMB) must explicitly
address what information the statistical
agency or unit plans to collect that may
be used for nonstatistical purposes.
B. Requirements for Informing and
Making Pledges to Respondents
As noted in section II.B, at the time
of the information collection, agencies
are required under the PRA to
adequately inform potential respondents
about the uses of the information they
provide.76
This description must include the
following information related to the
confidentiality of their responses:
• The reasons the information is
planned to be and/or has been collected;
• The way such information is
planned to be and/or has been used; and
• The nature and extent of
confidentiality to be provided, if any.77
The statistical agency or unit must
clearly explain the confidentiality
provisions, if any, for all information
not protected under CIPSEA. As
appropriate, the explanation shall
include:
• What information will be treated as
confidential and the basis (e.g., laws) for
any confidentiality pledge;
• What information will be treated as
nonconfidential;
• What information, if any, is limited
to use for exclusively statistical
purposes and the agency’s basis (e.g.,
laws) for such assurances;
• What information, if any, is not
limited to use for exclusively statistical
purposes and may be used for
nonstatistical purposes; and
• Any limitations on the
confidentiality provisions (e.g., the
information will be kept confidential
only to the extent that it satisfies a
criterion for exemption in the Freedom
of Information Act (FOIA), the
information may be shared with other
Federal government agencies for official
uses, etc.).
75 Instructions for Supporting Statement for
Paperwork Reduction Act submissions and 5 CFR
1320.8(b)(3).
76 5 CFR 1320.8(b)(3); Additional requirements
are imposed if the collection involves a Privacy Act
system of records (5 U.S.C. 552a(e)(3) as amended).
77 5 CFR 1320.8(b)(3).

Agencies must ensure that the public
is able to distinguish easily between
their CIPSEA pledge and any non-CIPSEA
pledge covering information
that will be used for nonstatistical
purposes. The degree to which the
pledge differs from the CIPSEA pledge
needs to be based on the laws and
regulations governing the collection and
determined in collaboration with the
agency legal staff, agency confidentiality
officer, and PRA clearance officer. The
pledge shall be in compliance with
section 512(c) of CIPSEA—requiring
notice that any data could be used for
nonstatistical purposes. The approach a
statistical agency or unit uses in crafting
wording for confidentiality pledges for
information not protected under
CIPSEA must be done with care and
take into account the laws governing the
particular agency, and the agency is
strongly encouraged to test changes
from currently used wording. In
particular, the pledge for collections not
protected under CIPSEA (because, for
example, the information would be used
for nonstatistical purposes) shall not
contain all the elements related to
CIPSEA found in the pledges given in
section II—for example, the pledge shall
not state both that the data are
confidential and that they are for
exclusively statistical use (in such cases
CIPSEA would apply even if not stated).
For example, a pledge for data that are
legally permitted to be accessed for
nonstatistical purposes may state:
The information you provide will be
protected to the fullest extent allowable
under (name the law). This law allows for the
(name specific nonstatistical uses).
Information will be protected from public
disclosure by (your agency). Results from this
survey will be reported publicly only in
statistical summaries, so that individuals
cannot be identified.

To illustrate the actual pledge
wording, an agency could implement
this pledge as follows:
The information you provide will be
protected and will not be disclosed to the
public to the extent that it satisfies the
criteria for exemption under the Freedom of
Information Act (FOIA), 5 U.S.C. Sec. 552,
and the Trade Secrets Act, 18 U.S.C. Sec.
1905.

To ensure public understanding and
avoid confusion (about whether the
agency will provide CIPSEA protection
to the data), the above pledges do not
use the word “confidential” because use
of this term could give rise to confusion.
VI. Requirements and Guidelines for
Nonstatistical Agencies or Units
Acquiring and Handling Information
Protected Under CIPSEA
Nonstatistical agencies seeking to
acquire information that will be
protected under CIPSEA can take two
general approaches: (1) They can
directly acquire the information
themselves from respondents, or (2)
they can enter into an agreement with
a statistical agency to acquire the
information.
As noted in Section I. G., Subtitle A
of CIPSEA may be used by any Federal
agency that directly acquires
information from respondents for
exclusively statistical purposes under a
pledge of confidentiality. Nonstatistical
agencies that acquire information in this
manner must follow all of the
requirements in sections II and III of this
guidance for confidential information
protected by CIPSEA.
Nonstatistical agencies or units that
will not collect the information
themselves directly from respondents
will need to carefully consider their
plans for acquiring and using
information if they want to use CIPSEA
to protect the information. Although
nonstatistical agencies and units do
acquire information directly from
respondents, they frequently use
contractors or other agencies to acquire
information for them that is used for
statistical purposes. CIPSEA did not
authorize nonstatistical agencies or
units to designate agents, such as
contractors, university researchers, or
others included within the definition of
agents,78 to perform exclusively
statistical activities, including data
collection. Because nonstatistical
agencies or units are not empowered
under CIPSEA to designate agents, who
are subject to CIPSEA limitations and
penalties, they will not be able to
protect the information under CIPSEA if
they employ contractors or other agents
to acquire the information or if they
plan to allow access to the information
by anyone outside of authorized agency
employees, even if they intend to use
the information for exclusively
statistical purposes and want to keep it
confidential.79
78 See Sec. 502(2)(A).
79 Some nonstatistical agencies may have specific
statutory authority to designate agents that meets
the requirements of CIPSEA, allowing the agency to
use agents to perform exclusively statistical
activities, including data collection, for the agency.
Agencies should consult with OMB on the
applicability of their statute for purposes of using
CIPSEA before making plans to designate agents.
Agencies should also clearly describe how their
authority meets the requirements for CIPSEA
designation of agents in their information collection
requests to OMB.

As an alternative to collecting the data
directly themselves, nonstatistical
agencies or units that wish to acquire
information with CIPSEA protection
may want to consider entering into an
agreement with a Federal statistical
agency or unit. Because the statistical
agency or unit would be responsible for
protecting all confidential information
acquired under the CIPSEA pledge,
carrying out these responsibilities will
take resources that non-statistical
agencies should be prepared to provide
to the statistical agency. Statistical
agencies or units may designate agents
under CIPSEA, but must follow the
requirements in Section IV of this
guidance to do so. Employees within a
nonstatistical agency or unit may serve
as agents for a statistical agency or unit
to perform exclusively statistical
activities on confidential information
and be bound by CIPSEA provided that
the statistical agency or unit and the
agents have followed all of the
requirements given in section IV.
An agreement between the statistical
agency and the nonstatistical agency
could be used to make the statistical
agency or unit responsible for the
control of the confidential information.
The statistical agency could then
designate a contractor to acquire the
information and perform other
exclusively statistical activities. The
statistical agency could also designate as
agents select employees of the
nonstatistical agency or unit to have
access to the information for exclusively
statistical purposes. As noted earlier, all
requirements in sections II, III, and IV
would have to be met; and, therefore, all
agents would be subject to penalties
under CIPSEA for any disclosure.
VII. Data Sharing Under Subtitle B of
CIPSEA
Subtitle B, Statistical Efficiency,
provides only for the sharing of business
data for exclusively statistical purposes
and provides for that sharing only
among three statistical agencies
designated in Subtitle B. Subtitle B of
CIPSEA does not authorize the sharing
of confidential business data among any
Federal agencies other than the three
designated statistical agencies, nor does
it authorize any sharing of demographic
or other types of data among any
Federal agencies.80
The following brief guidance in this
section applies to the three designated
statistical agencies sharing business
data. These three agencies are currently
working to implement the data sharing
provisions of CIPSEA. OMB is working
closely with them and may issue
additional guidance to these three
agencies as needed to implement the
data sharing provisions of CIPSEA.
80 Although CIPSEA Subtitle B only authorizes
the sharing of confidential business information
among BEA, BLS, and the Census Bureau, CIPSEA
did not alter other existing authorities for data
sharing among Federal agencies (see Sec. 504(a)).

A. Designated Statistical Agencies
The three designated statistical
agencies permitted by Subtitle B to
share business data for exclusively
statistical purposes are the Bureau of the
Census, the Bureau of Economic
Analysis, and the Bureau of Labor
Statistics.81
B. Requirements When the Designated
Statistical Agencies Share Data
Prior to sharing any business data
under CIPSEA, the designated statistical
agencies shall inform respondents about
their intentions to share the business
data. If, prior to collection, the
designated agencies anticipate that they
will share business data, the agencies
shall:
• Include in their Federal Register
notices required under the PRA
notification that the business data may
be shared with designated statistical
agencies, and
• Also include in their CIPSEA
confidentiality pledges notification that
the data may be shared with designated
statistical agencies.
When a designated statistical agency
plans to share data that was collected
under a legal requirement to supply the
information without notice of the intent
to share that information with one or
more designated statistical agencies, the
agency shall publish a notice of the
proposed data sharing activity in the
Federal Register and specify the
business data to be shared and the
statistical purposes for which the
business data are to be used. This notice
shall allow a minimum of 60 days for
public comment,82 and a copy of this
notice shall be sent to OMB when it is
published.

C. Requirements for Written Agreements
for Data Sharing Among Designated
Statistical Agencies
Designated statistical agencies shall
enter into a written agreement before
sharing any business data. The written
agreement shall specify:
• The business data to be shared;
• The statistical purposes for which
the business data are to be used;
• The officers, employees, and agents
authorized to examine the business data
to be shared; and
• Appropriate security procedures to
safeguard the confidentiality of the
business data.
A copy of the written agreement shall
be provided to OMB ten days prior to
execution.
81 Sec. 522.
82 Sec. 524(d).

VIII. Annual Reporting and Review
Requirements
A. Reporting Requirements
To coordinate and oversee the
confidentiality and disclosure policies
established under CIPSEA, the Office of
Management and Budget is authorized
under CIPSEA to require reports and
other information regarding the
implementation of this legislation by
Federal agencies.83 In order to
effectively monitor Federal agencies’
use of the different provisions in
CIPSEA, all agencies shall report to
OMB on (1) the use of the CIPSEA
pledge, (2) the use of the CIPSEA agents
provision, and (3) data sharing activities
under Subtitle B.
Use of the CIPSEA pledge. Any
Federal agency acquiring data under
CIPSEA Subtitle A shall report to OMB
on an annual basis on those collections
it has conducted under CIPSEA and
affirm that the agency has followed the
procedures in this guidance to ensure
the confidentiality of the information is
protected.
Use of the agents provision in
CIPSEA. Statistical agencies and units
are authorized under Subtitle A of
CIPSEA to designate agents, who may
perform exclusively statistical activities,
including data collection, and are bound
to the same legal requirements as agency
employees for maintaining the
confidentiality of the information.
Statistical agencies or units that choose
to designate agents shall report to OMB
on an annual basis on the number of
agents designated; the kinds of
statistical activities performed by
agents, e.g., data collection, analysis,
etc.; the different types of arrangements
for access to confidential information (if
applicable), e.g., on-site at the statistical
agency, through an agency-controlled
research data center, or off-site licensing
agreement; and the kind of written
agreement that is required for each type
of access.
Use of data sharing provisions under
Subtitle B of CIPSEA. CIPSEA directs
that the three designated agencies shall
report annually to the Director of the
Office of Management and Budget, the
Committee on Government Reform of
the House of Representatives, and the
Committee on Governmental Affairs of
the Senate on the actions taken to
implement the sections of the law on
sharing of business data. Designated
agency reports shall be prepared on a
calendar year basis, and shall include a
summary of activities carried out under
this law including the statistical
purposes for sharing, any anticipated
improvements to quality, and any
anticipated or achieved reductions in
cost or respondent burden due to the
sharing of business data. The report
shall include copies of each written
agreement for the sharing of business
data for the applicable year.
The initial report to OMB shall cover
any collections since the enactment of
the legislation in December 2002
through December 2006, and subsequent
reports shall cover a calendar year.
Agencies shall submit their initial
reports to OMB by May 30, 2007.
Subsequent reports shall be submitted
annually to OMB by April 30th of each
year. Agencies shall also post copies of
this report on their Web sites.
B. OMB Review of Agency Rules
Agencies are authorized to
promulgate rules to implement
CIPSEA.84 Agencies proposing rules to
implement CIPSEA shall submit these
proposed rules to OMB for review and
approval.85
83 Sec. 503.
84 Sec. 503(b).
85 Sec. 503(c).

Appendix Requirements for Contracts
and Written Agreements for Agents
Acquiring or Accessing Confidential
Information Under CIPSEA
The following information shall be
included in the contract or written
agreement:
• The identity and affiliation of both
the legally responsible agent (e.g.,
contractor or requestor seeking access to
confidential data) and agency official
signing the agreement;
• Whether the agent will be acquiring
confidential information on behalf of
the agency or only accessing
confidential information the agency
possesses;
• A clear and detailed description of
the purpose of the access;
• The specific confidential
information needed;
• How the information will be used;
• Any plans for disseminating
information as well as the products
planned for public distribution;
• Legally binding signature lines for
the agency, and the responsible
management level official from the
institution with which the agent(s) is
(are) affiliated. When the agent is
operating independently for these
purposes and is unaffiliated with an
institution, the agent will sign;
• The legal authority under which the
information was collected or acquired;
• The legal authority from CIPSEA
and other laws for providing the agent
the ability to acquire or to access the
information;
• Penalties for violating
confidentiality or unauthorized use of
the information;
• The timeframe for access;
• A requirement that the agent
provide and update as necessary a list
of persons involved in the project who
will have access to the information;
• The agent’s responsibility to notify
agency when
◦ The agent no longer needs the
information,
◦ The agent plans a change in site
access, and/or
◦ The project purpose changes
(agency approval must be obtained
first);
• Confidentiality training
requirement for all persons who have
access to confidential information;
• The requirement that each person
with access to confidential information
sign a non-disclosure form that signifies
an understanding of and agreement to
the terms of access and agreement to
comply with CIPSEA and any other
applicable laws (see below for options
on where to include this information);
• The requirement that the agent
submit any project information products
to the agency for disclosure review
(agencies may also include or reference
reporting requirements or standards);
• For off-site access arrangements
◦ A security plan (information
systems and physical security) for
protecting the information,
◦ Procedures regarding the return or
destruction of information when access
is no longer necessary (may precede
project’s end), and
◦ The requirement that the agent
allows the agency to carry out a physical
and IT security inspection of the agent’s
workplace;
• Conditions requiring modification
of the agreement;
• Termination clause for the
agreement;
• Listing of contact persons for the
agency and the responsible management
level official from the institution with
which the agent is affiliated. (When the
agent is operating independently and is
unaffiliated with an institution, the
agent will designate a contact person.);
and
• As applicable, information on
funding of project work, including any
between the agency, agent(s), and/or
agents’ institution.
The following information may be
included in the body of the agreement,
added to the agreement as appendices,
or made part of the agency’s official files
for the actual agreement:
• Copy of the agency-approved
proposal (if required);
• Copies of all laws cited in the
agreement;
• The list of persons with access to
confidential information;
• Certification that all persons who
have access to confidential information
have completed confidentiality training;
• Signed non-disclosure forms for all
persons with access to confidential
information; and
• For each person with data access, a
copy of the background certification
supporting such access—details to be
determined by agency (options could
include fingerprinting, a sworn affidavit
of nondisclosure, work history checks,
etc.).
Agencies may also include additional
requirements in their written
agreements. Examples of written
agreements used by some agencies that
conform to the above requirements will
be available on the OMB Web site.86
[FR Doc. E7–11542 Filed 6–14–07; 8:45 am]
BILLING CODE 3110–01–P
86 http://www.whitehouse.gov/omb go to
“Statistical Programs and Standards.”


File Type: application/pdf
File Title: Document
Subject: Extracted Pages
Author: U.S. Government Printing Office
File Modified: 2010-06-02
File Created: 2010-06-02
