Privacy Law and Policy Reporter
A report by the US General Accounting Office (GAO), Computer matching: quality of decisions and supporting analyses little affected by 1988 Act, has found serious deficiencies in implementation of the US Federal Computer Matching and Privacy Protection Act 1988, which regulates the use of computer matching by federal agencies. Computer matching, the identification of similarities or dissimilarities in data found in two or more computer files, is frequently used to identify delinquent debtors or ineligible program recipients. Among the problems identified by GAO were inadequate cost-benefit analyses and inadequate supervision by data integrity boards.
The Act requires that matching programs include an analysis of the costs and benefits of the matching. One of the purposes of the Act was to limit the use of matching to instances where the technique was cost effective. GAO found many problems with implementation of this requirement, including poor quality or non-existent analyses. In 41 per cent of cases, no attempt was made to estimate costs or benefits or both. In 59 per cent of cases when costs and benefits were estimated, GAO found that not all reasonable costs and benefits were considered; that inadequate analyses were provided to support savings claims; and that no effort was made after the match to validate estimates.
The Act requires agencies involved in matching activities to establish a Data Integrity Board to oversee the process. GAO found that the Boards were not providing full and earnest reviews of proposed matches. It did not find any instance in which a Board permanently cancelled an ongoing matching program or refused to approve a newly proposed one. GAO did not find evidence that the requirements of the Computer Matching Act were used by the Boards to determine if a match should be approved. It also found that the implementation of the new procedures does not appear to have had major effects on the most important review process, the decision to conduct the match.
GAO found that the Data Integrity Boards generally accepted agencies' and States' cost-benefit analyses despite their 'severe methodological flaws and lack of documentation'. The documentation often failed to show how costs and benefits were calculated or the time period for expected savings. Agencies rarely estimated the most significant costs. Overall, GAO found that the Data Integrity Boards provide less than a full and earnest review of matching agreements to determine whether to proceed with proposed matches, but rather a regularisation of the approval process.
The report can be obtained free of charge from GAO by calling 202-512-6000.
In releasing the report, Rep Gary A Condit (Democrat, California), chairman of the Subcommittee on Information, Justice, Transportation, and Agriculture (House of Representatives Committee on Government Operations), said:
Most federal agencies have done a lousy job of complying with the Computer Matching Act. Agencies ignore the law or interpret it to suit their own bureaucratic convenience, without regard for the privacy interests that the law was designed to protect.
As a result, we don't have any idea when computer matching is a cost-effective technique for preventing fraud, waste, and abuse. I support reasonable computer matching that saves money. But if we are losing money, wasting resources, and invading privacy, then it makes no sense.
A broader issue is whether agencies can be expected to police their own operations that affect the privacy of the average citizen. Certainly OMB [the Office of Management and the Budget] has done little to assist. We may need a different approach to overseeing federal privacy-related activities.
Graham Greenleaf (adapted from a press release by Rep Condit)