Implementation Guidance for Title V of the E-Government Act, Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA), 33362-33377 [E7-11542]

Federal Register / Vol. 72, No. 115 / Friday, June 15, 2007 / Notices

OFFICE OF MANAGEMENT AND BUDGET

Implementation Guidance for Title V of the E-Government Act, Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA)

AGENCY: Office of Management and Budget, Executive Office of the President.

ACTION: Notice of decision.

SUMMARY: The Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA) can provide strong confidentiality protections for statistical information collections, such as surveys and censuses, as well as for other statistical activities, such as data analysis, modeling, and sample design, that are sponsored or conducted by Federal agencies. The Office of Management and Budget (OMB) is issuing Implementation Guidance for Title V of the E-Government Act, the Confidential Information Protection and Statistical Efficiency Act of 2002 (Pub. L. 107–347). The purpose of the CIPSEA implementation guidance is to inform agencies about the requirements for using CIPSEA and to clarify the circumstances under which CIPSEA can be used.

Authority: 31 U.S.C. 1104(d); 44 U.S.C. 3504 (specifically (a)(1)(B)(iii) and (v), (e)(1), (3) and (5), and (g)(1)); Pub. L. 107–347 section 503(a), 44 U.S.C. 3501 note.

FOR FURTHER INFORMATION CONTACT: Brian Harris-Kojetin, Ph.D., Statistical and Science Policy Office, Office of Information and Regulatory Affairs, Office of Management and Budget, NEOB, Room 10201, 725 17th Street, NW., Washington, DC 20503. Telephone: 202–395–3093.

SUPPLEMENTARY INFORMATION:

A. Background

Statistics collected and published by the Federal Government constitute a significant portion of the available information about the United States’ economy, population, natural resources, environment, and public and private institutions.
There are more than 70 Federal agencies or organizational units that carry out statistical activities as their principal mission or in conjunction with other program missions, such as providing services or enforcing regulations. In addition to these 70 agencies, many other Federal agencies or units may collect statistical information to use for specific program needs. Prior to the enactment of CIPSEA, a patchwork of legislative protections governed the confidentiality of data gathered for statistical purposes by the different agencies and units. Some agencies had strong statutory authority to protect the confidentiality of the data they gathered for statistical purposes, while other agencies had weak or no legislative authority to protect confidentiality. In addition, the ability of the designated statistical agencies to share information to improve the efficiency of the Federal statistical system was limited by statutory constraints affecting those agencies.

By establishing a uniform policy for all Federal statistical collections, this law will reduce public confusion, uncertainty, and concern about the treatment of confidential statistical information by different Federal agencies. By establishing consistent rational principles and processes to buttress confidentiality pledges, the guidance that implements the law will harmonize confidentiality claims and set minimum standards for safeguarding confidential statistical information. Such consistent protection of confidential statistical information will, in turn, reduce the perceived risks of more efficient working relationships among statistical agencies, relationships that can reduce both the cost and reporting burden imposed by statistical programs.

B. Development and Review

In 2003, OMB and the other members of the Interagency Council on Statistical Policy (ICSP) formed an interagency group to discuss issues that OMB and the agencies anticipated would arise in the implementation of CIPSEA. OMB was particularly interested in understanding the questions and concerns that these statistical agencies had about the new law and how it would affect their activities. OMB also sought to incorporate the best practices of these agencies for handling confidential statistical information. An initial draft of this implementation guidance was reviewed by the ICSP members, and OMB revised the draft guidance in response to the comments that we received. Based on the use of the law by agencies over the past three years, OMB has also addressed in the guidance specific issues that have arisen, such as nonstatistical agencies’ use of CIPSEA.

C. Summary of and Response to Comments Received in Response to the October 16, 2006 Federal Register Notice

OMB issued proposed Implementation Guidance for Title V of the E-Government Act, Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA) (Pub. L. 107–347) in October 2006 (71 FR 60,772–60,773). Five public comments were received in response to OMB’s request. OMB reviewed the public comments on the guidance and made some modifications in response to the comments. The complete text of the public comments and this document are available on the OMB Web site at http://www.whitehouse.gov/omb/inforeg/statpolicy.html.

General Comments

One commenter expressed support for the guidance and stated that “the proposed guidelines establish principles and policies that will protect the confidentiality of the data provided by respondents to federal statistical surveys” and noted that the guidance provides “reasonable approaches to protecting confidentiality, and thereby will reduce the costs and reporting burdens imposed by statistical programs.” The commenter also noted that it was “especially useful to see guidelines for statistical agency interactions with outside analysts (e.g., contractors) authorized to see the confidential data.”

I. Introduction

Identifiability

One commenter believed the discussion of the identifiability of personal information in the proposed guidance was insufficient. Although the commenter noted the technical references to Statistical Policy Working Paper #22 1 and to the Federal Committee on Statistical Methodology’s Confidentiality and Data Access Committee’s disclosure review checklist,2 she asked for “more specific guidance about the meaning of the terms reasonably inferred and direct or indirect means” [emphasis in original] and “how the CIPSEA standard specifically relates to the HIPAA standards of no reasonable basis to believe and risk is very small [emphasis in original] * * * “whether a risk assessment is required, how to conduct that risk assessment, what data sources (public and private) must be considered in assessing identifiability” as well as how much effort and cost are reasonable.

In response to this comment, OMB has included a definition of “personally identifiable information” in footnote 21 and provided an example of indirect identification in footnote 23, as follows:

    21 “personally identifiable information” refers to information which can be used to distinguish or trace an individual’s identity, such as his or her name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

    23 Indirect identification refers to using information in conjunction with other data elements to reasonably infer the identity of a respondent. For example, data elements such as a combination of gender, race, date of birth, geographic indicators, or other descriptors may be used to identify an individual respondent.

1 Available at http://www.fcsm.gov/reports/.
2 Available at http://www.fcsm.gov/committees/cdac/cdac.html.

However, it is beyond the scope of this implementation guidance to provide lists of other data sources that could be used to reidentify respondents or specific risk assessment techniques agencies must employ. As the commenter noted, OMB does provide references to more technical resources that address these issues, such as Statistical Policy Working Paper #22, and a citation to the HIPAA privacy rule has been added. Federal statistical agencies are in the best position to know about the sensitivity of their confidential statistical information and to take appropriate steps to assess and mitigate the risks of reidentification. Because this area is a “moving target,” as the commenter noted, OMB, through its Federal Committee on Statistical Methodology, sponsors the Confidentiality and Data Access Committee, which facilitates the sharing and adoption of best practices and latest techniques in disclosure avoidance across Federal agencies.

Relation of CIPSEA to Other Laws

One commenter noted that “subsection (b) of the Privacy Act of 1974 authorizes numerous disclosures, many of which are inappropriate for CIPSEA records.
For example, disclosures for law enforcement purposes” as well as many routine uses. The commenter asked OMB to “elaborate on the intersection between CIPSEA and the Privacy Act of 1974.”

As OMB has noted in the guidance, agencies are responsible for ensuring that information protected under CIPSEA is used exclusively for statistical purposes. OMB recognizes that the Privacy Act does permit routine uses that are nonstatistical; these uses are not permitted for CIPSEA-protected information. OMB believes that the minimum standards in the guidance for safeguarding confidential information make clear that agencies need to develop appropriate policies and procedures for CIPSEA-protected information that go beyond those that exist for Privacy Act systems of records; however, we have added the following language to make this explicit in Part I.F. of the guidance:

    On the other hand, if an agency pledges to use the information only for statistical purposes, then the agency shall not use any other authorities it has available to use the information for non-statistical purposes, because those uses would be contrary to the agency’s pledge. For example, if information is protected by CIPSEA and the Privacy Act, some of the routine uses permitted under the Privacy Act would no longer be allowed because they are not for statistical purposes.

Agencies Authorized To Designate Agents

One commenter cited Footnote 31 on page 11 of the proposed guidance 3 that tells agencies that they should consult with OMB regarding use of agents and stated that the use of agents should be subject to public notice and comment. In this footnote, OMB was referring specifically to the review and legal interpretation of a nonstatistical agency’s statute and whether that would meet the requirements of CIPSEA and permit the agency to designate agents under CIPSEA. Generally, legal analysis and interpretation are accomplished by the agency.
However, when agencies are applying a new statute that OMB has responsibility for, agencies should consult with OMB to ensure a government-wide perspective. Commenters also had questions about other specific matters that will be addressed during implementation.

II. Requirements for Agencies Collecting or Acquiring Information Protected Under CIPSEA

Non-CIPSEA Pledges

One commenter objected to agencies being restricted from using both the terms “confidential” and “statistical purposes” together if CIPSEA did not cover the collection. The commenter noted that these terms have meaning independent of CIPSEA and agencies should be able to use them as they see fit. The commenter suggested that “Rather than prohibit the use of the terms ‘confidential’ and ‘exclusively statistical purposes,’ we suggest that OMB advise agencies, as it has in prior guidance, to ensure that they do not use terms that are confusing. OMB could also prohibit the mention of CIPSEA when it is not applicable and require that agencies invoke coverage by CIPSEA only by the mention of that law directly to survey respondents.”

3 This footnote appears as footnote 40 in this final document.

OMB agrees that the terms “confidential” and “statistical purposes” have meaning independent of CIPSEA; however, when used together in a pledge to respondents, they clearly meet the requirements of CIPSEA and the protection of this law. Sec. 512 of CIPSEA simply requires that the information be “acquired by an agency under a pledge of confidentiality and for exclusively statistical purposes.” The law does not require that CIPSEA be mentioned explicitly, and OMB would certainly prohibit an agency from mentioning the law if it did not apply. It would clearly be confusing to respondents for different protections to be implied by two different agencies both pledging that the information would be confidential and used for exclusively statistical purposes.
Thus, it is necessary to ensure that CIPSEA protections or greater protections apply when an agency makes this pledge to respondents.

CIPSEA Pledges

One commenter supported the shorter version of the pledge, but expressed concerns about its comprehensibility. The commenter then suggested that OMB consider developing a formal statistical confidentiality seal that would provide an identifiable marker that would tell individuals what level of protection the information they provide will receive under the law. Specifically the commenter suggested as an example that OMB consider a green-yellow-red color scheme: Green would mean respond with confidence because answers receive the highest level of legal confidentiality protection; yellow would mean respond with caution because answers receive some confidentiality protection but less than the highest level of legal protection; and red would mean no legal confidentiality protections at all.

The CIPSEA pledge was based on a pledge that was thoroughly tested; however, OMB has encouraged further cognitive testing of this pledge by agencies. OMB agrees that it would also be helpful to have more testing on a shortened version. OMB also appreciates the commenter’s suggestions regarding potential “seals” that would be easy for respondents to understand and recognize, and agrees that this idea is worthy of further investigation and testing. We also agree that this will require a considerable amount of research not only to develop a recognizable seal but also to figure out appropriate ways to present it in different modes. If this research proves fruitful, OMB will consider revising this implementation guidance and/or issuing other guidance for use of a seal.

III. Minimum Standards for Safeguarding Confidential Information Acquired Under CIPSEA

Costs and Burden of Security Requirements

One commenter noted that during a time of reduced funding resources the implementation requirements call for annual recertification of employees, increased physical and information security, additional record keeping requirements, and additional staff time (to ensure that appropriate confidentiality and security protocols are followed).

Providing appropriate security for agency information and information systems does require resources. As with any ongoing program, agencies need to incorporate into their budgets the costs for protecting confidential information throughout the lifecycle of the statistical activities.

Security of Confidential Information in Laptop Computers

One commenter noted that “recent events have highlighted the particular vulnerability of laptop computers to loss and theft,” and suggested that additional information be included in the guidance about the security of laptops, PDAs, or other types of devices.

OMB agrees with the comment and has modified language in the section on physical and information systems security in Part III.B, which also applies to Part IV.D of the proposed guidance referenced on page 22, so that it now reads:

    Agencies are required to establish appropriate administrative and technical safeguards to ensure that the security of all media containing confidential information is protected against unauthorized disclosures and anticipated threats or hazards to their security or integrity. For example, agencies must ensure that security requirements are followed for reports, documents, printouts, information collection instruments, laptops, PDA’s, zip drives, floppy disks, CD-ROMs, or any other IT devices that contain confidential information to prevent access by unauthorized persons.

VII. Data Sharing Under Subtitle B of CIPSEA

Data Linking and Data Sharing

One comment requested that OMB include administrative data as well as other agencies under the data sharing provisions of Subtitle B of CIPSEA to further improve efficiency.

OMB notes that Subtitle B is limited in statute to the three designated statistical agencies (BLS, BEA, and Census) and applies only to business data. While OMB appreciates the potential benefits suggested in this comment, CIPSEA does not authorize any other data sharing or authorize additional agencies to share data. However, CIPSEA did not alter other existing authorities for data sharing among Federal agencies.

VIII. Annual Reporting and Review Requirements

Annual Reports to OMB

One commenter requested that the annual reports that agencies provide to OMB be made public and posted on agency Web sites. In the interest of transparency, agencies will now be required to post their reports on their Web sites.

Susan E. Dudley,
Administrator, Office of Information and Regulatory Affairs.

Implementation Guidance for Title V of the E-Government Act, Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA)

I. Introduction

A. Overview

Issues of privacy and confidentiality are of increasing concern to respondents to Federal government surveys. Agencies often seek to assuage these concerns by pledging to respondents that the agency will protect the information that respondents provide, and by using whatever statutory authority that the agency has to substantiate this pledge. However, many agencies do not have strong confidentiality provisions in their authorizing statutes. In this case, agencies may be able to use governmentwide statutes such as the Privacy Act or exemptions under the Freedom of Information Act as the basis for a pledge to respondents, but these statutes still do not apply to many Federal surveys.
The Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA) is a new governmentwide law that can provide strong confidentiality protections to many Federal agencies conducting statistical information collections, such as surveys and censuses as well as other statistical activities including data analysis and modeling, sample design, etc. The purpose of this guidance is to inform agencies about the requirements for using CIPSEA and clarify the circumstances under which CIPSEA can be used.

There are several key definitions and distinctions in CIPSEA regarding statistical and nonstatistical agencies, and statistical and nonstatistical purposes, that affect whether CIPSEA can be used by an agency to acquire and protect information. Below is a brief description of these major definitions and distinctions, as well as of issues related to data sharing under CIPSEA, and additional requirements for using CIPSEA that are addressed in greater detail in this guidance.

1. Is the agency a statistical or nonstatistical agency?

CIPSEA distinguishes between statistical and nonstatistical agencies or units and imposes different requirements and privileges on these different types of agencies. Briefly, statistical agencies or units are those whose activities are predominantly the collection, compilation, processing, or analysis of information for statistical purposes. More detail and a listing of statistical agencies and units is provided in section I., part G of this section of the guidance.

2. Is the information used for statistical or nonstatistical purposes?

CIPSEA provides protection for information acquired for statistical purposes under a pledge of confidentiality.
Under CIPSEA, a statistical purpose includes the description, estimation, or analysis of the characteristics of groups, without identifying the individuals or organizations that comprise such groups, while nonstatistical purposes include any administrative, regulatory, law enforcement, adjudicatory, or other purpose that affects the rights, privileges, or benefits of a particular respondent. Information acquired and protected under CIPSEA may only be used for statistical purposes.

3. Is the information being acquired by the Federal agency itself?

Agencies acquire information in different ways from a wide variety of respondents. Agencies often acquire information directly from a respondent to a Federal survey. In some cases, these respondents are local or State governments that have themselves collected the information from a respondent. Any agency that directly acquires information from a respondent, including a local or State government, under a pledge of confidentiality for exclusively statistical purposes, is bound by CIPSEA. However, CIPSEA does not restrict or diminish confidentiality protections in law that otherwise apply to a collection of statistical data or information. Agencies protecting information under CIPSEA must follow the requirements specified in section II of this guidance and include an appropriate pledge to respondents. All agencies that have information protected under CIPSEA must also follow the procedures in section III for safeguarding the security of this information.

4. Is the information being acquired for the Federal agency by contractors or others acting on behalf of the agency?

Many agencies acquiring information from respondents do not directly collect the information themselves from respondents but do so through intermediaries such as contractors or researchers who are operating under cooperative agreements or grants at the direction of the agency. CIPSEA defines contractors and their employees, researchers, and employees of private organizations or institutions of higher learning who have a contract or agreement with a Federal agency as “agents” and authorizes only some agencies to use agents to acquire information that will be protected under CIPSEA or access CIPSEA-protected information.

5. How can statistical agencies use CIPSEA?

Statistical agencies or units that directly acquire information from respondents, including State and local governments, may protect the confidentiality of that information under CIPSEA. Statistical agencies or units may also designate agents to acquire information for the agency under CIPSEA as well as perform other exclusively statistical activities for the agency on CIPSEA-protected information. Statistical activities include the collection, compilation, processing, or analysis of data for the purposes of describing or making estimates concerning the whole, or relevant groups or components within, the economy, society, or the natural environment. Statistical activities also include the development of methods or resources that support these activities, such as measurement methods, models, statistical classifications, or sampling frames. More information is provided in section IV about the requirements for statistical agencies designating agents under CIPSEA.

6. How can nonstatistical agencies use CIPSEA?

Nonstatistical agencies can use CIPSEA to protect information they are authorized to acquire directly themselves from respondents, including State and local governments. However, nonstatistical agencies or units are not permitted to designate agents under CIPSEA.
Therefore, nonstatistical agencies or units may not protect information under CIPSEA if they are using a contractor or other persons who fall under the CIPSEA definition of agents to acquire that information unless they have the authority to designate agents to collect information or perform other statistical activities under some other statute. More information on how nonstatistical agencies can acquire and protect information under CIPSEA is provided in section VI of this guidance.

7. What if a statistical agency acquires information for nonstatistical purposes?

OMB expects that the vast majority of information collections conducted by statistical agencies or units will be subject to CIPSEA because these agencies generally collect information for exclusively statistical purposes and pledge confidentiality. Statistical agencies or units that are collecting information that may be used for nonstatistical purposes need to ensure that respondents understand these nonstatistical uses and that CIPSEA does not apply to the specific collection. Requirements for statistical agencies collecting information that may be used for nonstatistical purposes are covered in section V.

8. What data sharing does CIPSEA authorize?

Subtitle B of CIPSEA explicitly provides the ability for three designated statistical agencies, the Bureau of Economic Analysis, the Bureau of Labor Statistics, and the Bureau of the Census to share business data. Requirements for data sharing among these designated statistical agencies are outlined in section VII.

9. What other requirements are there for using CIPSEA?

Agencies should carefully review this guidance to determine whether CIPSEA applies to any of their information collections or statistical activities. Agencies using CIPSEA are responsible for following all requirements in this guidance.
In addition, OMB is requiring agencies that use CIPSEA to report annually to OMB on their use of this law in order to effectively monitor the implementation of CIPSEA across Federal agencies. All agencies that use CIPSEA for their collections are asked to report to OMB annually the information collections CIPSEA applies to and affirm that all of the requirements in this guidance are being met. Statistical agencies protecting information under CIPSEA are further required to report on their use of agents, and the three designated statistical agencies in Subtitle B of CIPSEA are required to report annually on their data sharing activities under CIPSEA. Further information on the reporting requirements is in section VIII of this guidance.

B. Purposes of CIPSEA

The Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA), Title V of the E-Government Act of 2002 (Pub. L. 107–347), has two subtitles.

Subtitle A, Confidential Information Protection, concerns confidentiality and statistical uses of information. The purposes of Subtitle A are:

1. To ensure that information supplied by individuals or organizations to an agency for statistical purposes under a pledge of confidentiality is used exclusively for statistical purposes;
2. To ensure that individuals or organizations who supply information under a pledge of confidentiality to agencies for statistical purposes will neither have that information disclosed in identifiable form to anyone not authorized by this title nor have that information used for any purpose other than a statistical purpose; and
3. To safeguard the confidentiality of individually identifiable information acquired under a pledge of confidentiality for statistical purposes by controlling access to, and uses made of, such information.4

CIPSEA Subtitle A protects information that is acquired for exclusively statistical purposes under a pledge of confidentiality.
This subtitle of the law applies to all Federal agencies that acquire information under these carefully prescribed conditions. The protection of information collected under this law is supported by a penalty of a Class E Felony for a knowing and willful disclosure of confidential information. This includes imprisonment for up to five years and fines up to $250,000.5 Thus, for many agencies this law strengthens the protections afforded to confidential statistical information.

CIPSEA Subtitle B promotes statistical efficiency through limited sharing of business data among three designated statistical agencies, the Bureau of the Census (Census), the Bureau of Economic Analysis (BEA), and the Bureau of Labor Statistics (BLS). The purposes of Subtitle B are:

1. To authorize the sharing of business data among Census, BEA, and BLS for exclusively statistical purposes;
2. To reduce the paperwork burdens imposed on businesses that provide requested information to the Federal Government;
3. To improve the comparability and accuracy of Federal economic statistics by allowing Census, BEA, and BLS to update sample frames, develop consistent classifications of establishments and companies into industries, improve coverage, and reconcile significant differences in data produced by the three agencies; and
4. To increase understanding of the United States economy, especially for key industry and regional statistics, to develop more accurate measures of the impact of technology on productivity growth, and to enhance the reliability of the Nation’s most important economic indicators, such as the National Income and Product Accounts.6

4 Sec. 511(b).
5 Sec. 513.

The remainder of this section of the guidance provides background information on CIPSEA and its applicability to Federal agencies.
Sections II through VI provide implementation guidance on CIPSEA Subtitle A, and Section VII provides implementation guidance on Subtitle B. Section VIII covers agency reporting requirements to OMB on the implementation of CIPSEA.

6 Sec. 521(b).

C. Background

There are more than 70 Federal agencies or organizational units that carry out statistical activities as their principal mission or in conjunction with other program missions, such as providing services or enforcing regulations.7 In addition to these 70 agencies, many other Federal agencies or units may collect statistical information to use for specific program needs. Prior to the enactment of CIPSEA, a patchwork of legislative protections governed the confidentiality of data gathered for statistical purposes by the different agencies and units. Some agencies had strong statutory authority to protect the confidentiality of the data they gathered for statistical purposes, while other agencies had weak or no legislative authority to protect confidentiality. In addition, the ability of the designated statistical agencies to share information to improve the efficiency of the Federal statistical system was limited by statutory constraints affecting those agencies.

7 Statistical Programs of the U.S. Government FY 2007, Office of Management and Budget, Washington, DC.

Over the years, there have been numerous attempts both to shore up legal protection for the confidentiality of statistical information, and to permit some limited sharing of data for statistical purposes. Strengthening and standardizing statutory protections for the confidentiality of individually identifiable data that are collected for statistical purposes as well as enhancing the capability of Federal agencies to share information for exclusively statistical purposes have always been goals.

In 1971, the President’s Commission on Federal Statistics recommended that the term confidential should always mean that disclosure of data in a manner that would allow public identification of the respondent or would in any way be harmful to him should be prohibited. In addition, the Commission recommended that a promise to hold data in confidence should not be made unless the agency has legal authority to uphold such a promise, and that legislation should be enacted authorizing agencies collecting data for statistical purposes to promise confidentiality as the term was defined by the Commission.8

In July 1977, the Privacy Protection Study Commission stated that “no record or information * * * collected or maintained for a research or statistical purpose under Federal authority * * * may be used in individually identifiable form to make any decision or take any action directly affecting the individual to whom the record pertains * * *” 9

In October 1977, the President’s Commission on Federal Paperwork endorsed the confidentiality and “functional separation” concepts, but applied them directly and simply to statistical programs, saying that:

• Information collected or maintained for statistical purposes must never be used for administrative or regulatory purposes or disclosed in identifiable form, except to another statistical agency with assurances that it will be used solely for statistical purposes; and
• Information collected for administrative and regulatory purposes must be made available for statistical use, with appropriate confidentiality and security safeguards, when assurances are given that the information will be used solely for statistical purposes.10

The policy discussions generated by the three Commissions came together in a bipartisan outpouring of support for the Paperwork Reduction Act of 1980, which largely addressed the efficiency recommendations of the Paperwork Commission.
The legislative history of that Act recognized the unfinished work of fitting the “functional separation” of statistical information into the overall scheme.

In 1993, a National Academy of Sciences panel on confidentiality and data access recommended that “Statistical records across all federal agencies should be governed by a consistent set of statutes and regulations meeting standards for the maintenance of such records, including the following features of fair statistical information practices: (a) A definition of statistical data that incorporates the principle of functional separation as defined by the Privacy Protection Study Commission, (b) a guarantee of confidentiality for data, * * * (g) legal sanctions for those who violate confidentiality requirements.” [11]

[8] Federal Statistics—Report of the President’s Commission, Volume 1, p. 222, September, 1971.
[9] Personal Privacy in an Information Society—Report of the Privacy Protection Study Commission, p. 574, July, 1977.
[10] Statistics—A Report of the Commission on Federal Paperwork, p. 128, October, 1977.

To clarify and make consistent government policy protecting the privacy and confidentiality interests of individuals and organizations who furnish data for Federal statistical programs, OMB issued an “Order Providing for the Confidentiality of Statistical Information” in June 1997.[12] This order applied the principles of functional separation and protection of confidential information gathered for statistical purposes to twelve principal statistical agencies.

CIPSEA builds upon these and other efforts of the Executive and Legislative branches including H.R. 2885 (the Statistical Efficiency Act of 1999, originally offered by Representative Stephen Horn, and unanimously passed by the House of Representatives) and H.R. 2136 (the Confidential Information Protection Act, originally offered by Representative Tom Sawyer in 2001). Introducing CIPSEA, H.R.
5215, on July 25, 2002, Representative Horn indicated, “The bill’s enhanced confidentiality protections will improve the quality of Federal statistics by encouraging greater cooperation on the part of respondents. Even more important, these protections ensure that the Federal Government does not abuse the trust of those who provide data to it under a pledge of confidentiality. * * * the Confidential Information Protection and Statistical Efficiency Act of 2002 makes important, common sense and long overdue improvements in our Nation’s statistical programs. It is a bipartisan, good Government measure that has the Administration’s strong support. I urge my colleagues to join with us to achieve prompt enactment of the bill.” [13]

In this guidance, OMB is establishing a uniform policy for all Federal statistical collections to reduce public confusion, uncertainty, and concern about the application of the newly enacted confidentiality requirements associated with protected statistical information acquired by different Federal agencies. By establishing consistent rational principles and processes to buttress confidentiality pledges, the law codifies confidentiality claims and sets minimum standards for safeguarding confidential statistical information. Establishing consistent protection of confidential statistical information will, in turn, reduce the perceived risks of more efficient working relationships among statistical agencies, relationships that can reduce both the cost and reporting burden imposed by statistical programs.

[11] Private Lives and Public Policies, 1993, National Academy Press, Washington, DC.
[12] 62 FR 35,044–35,050.
[13] Congressional Record, July 25, 2002, p. E1397.

D. Authority

The Paperwork Reduction Act (PRA) of 1980 (as amended in 1986 and 1995) requires the Office of Information and Regulatory Affairs (OIRA) within OMB to develop policies, principles, standards, and guidelines for privacy and confidentiality generally; the integrity of confidentiality pledges; and the confidentiality of information collected for statistical purposes.[14] In addition, the Act tasks OIRA to oversee agency compliance with related requirements of the Act and with the policies referenced above.[15] For example, agencies are required to “inform respondents fully and accurately about the sponsors, purposes, and uses of statistical surveys and studies.” [16]

With respect to statistical policy and coordination, the PRA directs OMB to:

• Coordinate the activities of the Federal statistical system to ensure—
  ◦ The efficiency and effectiveness of the system; and
  ◦ The integrity, objectivity, impartiality, utility, and confidentiality of information collected for statistical purposes; * * *
• Develop and oversee the implementation of Governmentwide policies, principles, standards, and guidelines * * *
• Promote the sharing of information collected for statistical purposes consistent with privacy rights and confidentiality pledges; [17]

In addition, Title V of the E-Government Act of 2002 authorizes the Director of the Office of Management and Budget to coordinate and oversee the confidentiality and disclosure policies established by CIPSEA. The Director is authorized to promulgate rules or provide other guidance to ensure the consistent interpretation of this title by the affected agencies.[18]

[14] 44 U.S.C. 3504(e)(1), 3504(e)(5), and 3504(g)(1).
[15] 44 U.S.C. 3506(b)(1)(C), 3506(e)(2)–(4), and 3506(g)(1).
[16] 44 U.S.C. 3506(e)(2).
[17] 44 U.S.C. 3504(e).
[18] Sec. 503(a).

E. Affected Agencies

Executive agencies as defined in 31 U.S.C. 102 or 44 U.S.C.
3502 [19] are subject to the provisions and penalties in CIPSEA Subtitle A if they (1) acquire information for exclusively statistical purposes under a pledge of confidentiality, or (2) they possess or access information protected by CIPSEA, unless even stronger confidentiality protections apply.[20] CIPSEA also imposes additional requirements on statistical agencies or units, which are defined to include “an agency or organizational unit of the executive branch whose activities are predominantly the collection, compilation, processing, or analysis of information for statistical purposes.” [21] CIPSEA Subtitle B applies only to the designated statistical agencies, i.e., the Bureau of the Census of the Department of Commerce, the Bureau of Economic Analysis of the Department of Commerce, and the Bureau of Labor Statistics of the Department of Labor.[22]

F. Applicability of CIPSEA

Federal agencies collect and acquire information for a wide variety of purposes and uses, including benefit determinations, program planning and management, program evaluation, measurement of compliance with laws and regulations, and research, as well as for general purpose statistics. When acquiring information, an agency must inform the person or organization being asked to provide information whether or not it will be treated as confidential and the purpose(s) for which the information will be used.[23]

CIPSEA protection applies to any identifiable information acquired by the agency under a pledge of confidentiality for exclusively statistical purposes. For purposes of CIPSEA, this information includes personally identifiable information [24] as well as information that permits the identity of any respondent, such as business establishments, institutions, or State or local governments,[25] to be reasonably inferred by either direct or indirect means.[26] In this guidance, the terms confidential information and confidential data refer to information that is protected by CIPSEA.

[19] Sec. 502(1).
[20] Sec. 512(a) and 512(b). Agencies may also be governed by other statutes that may have additional restrictions on the use and disclosure of confidential statistical information that apply beyond CIPSEA (Sec. 504(h); Sec. 512(b)(3)).
[21] Sec. 502(8).
[22] Sec. 522.
[23] 5 CFR 1320.8(b)(3).
[24] The term “personally identifiable information” refers to information that can be used to distinguish or trace an individual’s identity, such as his or her name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

CIPSEA can apply only when an agency pledges both to protect the confidentiality of the information it acquires and to use the information only for statistical purposes. CIPSEA defines a statistical purpose to include the description, estimation, or analysis of the characteristics of groups, without identifying the individuals or organizations that comprise such groups and includes the development, implementation, or maintenance of methods, technical or administrative procedures, or information resources that support the above purposes.[27] If information is collected or acquired for any nonstatistical purpose, then CIPSEA shall not be used to protect the confidentiality of the information.[28] A nonstatistical purpose means the use of information in identifiable form for anything other than a statistical purpose, including any administrative, regulatory, law enforcement, adjudicative, or other purpose that affects the rights, privileges or benefits of a particular identifiable respondent. Providing confidential information in response to a Freedom of Information Act (FOIA) request is also considered a nonstatistical purpose.[29] Since the CIPSEA statute is a (b)(3) statute under FOIA, confidential information covered under CIPSEA is exempt from release pursuant to a FOIA request (5 U.S.C. 552(b)(3)).

[25] Statistical agencies may collect information from a State or local government that is in the public domain, and, therefore, the statistical agency would typically not pledge to keep that information confidential under CIPSEA or other legal authorities.
[26] Sec. 502(4). Indirect identification refers to using information in conjunction with other data elements to reasonably infer the identity of a respondent. For example, data elements such as a combination of gender, race, date of birth, geographic indicators, or other descriptors may be used to identify an individual respondent.
[27] Sec. 502(9).
[28] There are some authorized, nonstatistical uses of information collected for statistical purposes, such as the use of Decennial Census information for genealogical research, that are noted in Section 504 of CIPSEA. CIPSEA was intended to apply to these collections that are intended for statistical purposes and have only very narrow exceptions for specific nonstatistical uses that do not result in any actions directly affecting the respondent. Agencies acquiring or protecting information under CIPSEA with similar nonstatistical uses of the information should consult with OMB on the applicability of CIPSEA for the information collection. Unless there is a specific exception noted in Section 504 of CIPSEA, CIPSEA clearly prohibits disclosures for administrative, regulatory, law enforcement, or adjudicatory purposes that affect the rights, privileges, or benefits of a particular identifiable respondent absent informed consent. Since some State or Federal laws may require notification of authorities if, for example, child abuse is reported by the respondent, agencies collecting such information shall inform respondents at the time of collection that revelations of this type of information must be reported to legal authorities. Agencies may conduct these collections under CIPSEA if any such nonstatistical uses are clearly described in advance to the respondent (with the respondent providing informed consent), and these procedures are clearly stated in the notices and supporting materials described in Section II. Agencies should also consult with their institutional review boards to determine circumstances when informed consent is appropriate or necessary.

Agencies acquire information in different ways from a wide variety of respondents. An agency may collect information directly (e.g., surveys) from individuals, households, businesses, organizations, or institutions, or the agency may acquire information through secondary sources (e.g., from State government agencies).[30] This guidance, in accordance with the law, will use as the more general term, “acquire,” to include both agency collections of information directly from respondents, and acquisitions of information from secondary sources. In many cases, agencies acquire information directly from respondents (including local or State governments) to a Federal survey; in other cases, agencies do not themselves directly acquire information from respondents but do so through intermediaries, such as contractors or researchers who are operating under cooperative agreements or grants at the direction of the agency. CIPSEA defines contractors and their employees, researchers, and employees of private organizations or institutions of higher learning that have a contract or agreement with a Federal agency as “agents.” [31] Any agency that directly acquires information from a respondent, including a local or State government, under a pledge of confidentiality for exclusively statistical purposes, can use CIPSEA to protect the information.
However, if an agency is using an agent, such as a contractor, to acquire information for exclusively statistical purposes, the agency may not be able to protect the information under CIPSEA unless it is a statistical agency (see part G). In these situations, nonstatistical agencies should use their existing statutory authority to protect the confidentiality of this information.

Generally, the applicable statute with the strongest confidentiality protections for the information governs the use and disclosure of the information. CIPSEA does not restrict or diminish any other confidentiality protections or penalties for unauthorized disclosure that an agency may otherwise have for information collected for statistical purposes.[32] Accordingly, if an agency has any stronger protections in its statutes, these protections would remain in effect. For example, the more restrictive use and disclosure provisions of the Census Act and the International Investment and Trade in Services Survey Act would take precedence over the broader statistical uses permitted under CIPSEA. In another example, if an agency’s authorizing statute prohibited disclosure with informed consent, the agency would not be able to disclose the information with informed consent, which could be permissible under CIPSEA under certain circumstances.[33]

On the other hand, if an agency pledges to use the information for only statistical purposes, then the agency shall not use any other authorities it has available to use the information for nonstatistical purposes, because those uses would be contrary to the agency’s pledge. For example, if information is protected by CIPSEA and the Privacy Act, some of the routine uses permitted under the Privacy Act would no longer be allowed because they are not for statistical purposes.

[29] Sec. 502(5)(B).
[30] Sec. 502(6).
[31] Sec. 502(2).
[32] Sec. 504(h); Sec. 512(b)(3).
[33] Sec. 512(b).

G. Use of CIPSEA by Statistical and Nonstatistical Agencies or Units

Although any Federal agency can acquire and protect information under CIPSEA, CIPSEA provides additional authority and imposes additional requirements on statistical agencies or units. These additional provisions have implications for how and whether an agency can use CIPSEA to acquire information; these provisions are discussed in later sections of this guidance.

CIPSEA defines a statistical agency or unit as “an agency or organizational unit of the executive branch whose activities are predominantly the collection, compilation, processing, or analysis of information for statistical purposes.” [34] OMB shall determine whether an agency or unit can be considered a statistical agency or unit for purposes of CIPSEA. OMB recognized 12 statistical agencies or units in its 1997 Confidentiality Order: [35]

• Department of Agriculture
  ◦ Economic Research Service
  ◦ National Agricultural Statistics Service
• Department of Commerce
  ◦ Bureau of Economic Analysis
  ◦ Census Bureau
• Department of Education
  ◦ National Center for Education Statistics
• Department of Energy
  ◦ Energy Information Administration
• Department of Health and Human Services
  ◦ National Center for Health Statistics
• Department of Justice
  ◦ Bureau of Justice Statistics
• Department of Labor
  ◦ Bureau of Labor Statistics
• Department of Transportation
  ◦ Bureau of Transportation Statistics
• Department of the Treasury
  ◦ Statistics of Income Division of the Internal Revenue Service
• National Science Foundation
  ◦ Division of Science Resources Statistics

[34] Sec. 502(8).
[35] 62 FR 35,044–35,050.

Since this guidance was issued in proposed form in October 2006, OMB has recognized two statistical organizational units: the Office of Applied Studies within the Substance Abuse and Mental Health Services Administration in the Department of Health and Human Services, and the Microeconomic Surveys Unit of the Board of Governors of the Federal Reserve.

Other agencies or units that wish to be recognized as statistical agencies or units for purposes of CIPSEA must send a request to the Chief Statistician at OMB. The request must come from the head of the agency or unit and have the concurrence of the larger organization within which the agency or unit resides. This request should include a statement of the organizational definition of the agency or unit, its mission, statistical activities, and any nonstatistical activities, and demonstrate that its activities are predominantly statistical. Statistical activities include the collection, compilation, processing, or analysis of data for the purpose of describing the characteristics of groups or making estimates concerning the whole or relevant groups, or components within, the economy, society, or the natural environment.
Statistical activities also include the development of methods or resources that support these activities, such as measurement methods, models, statistical classifications, or sampling frames. A listing of OMB recognized statistical agencies and units will be posted and maintained on OMB’s Web site.

Both statistical and nonstatistical agencies can use CIPSEA to protect information they acquire directly from respondents, including State and local governments. However, only statistical agencies or units are authorized under CIPSEA to designate agents to perform exclusively statistical activities, which include data collection, subject to CIPSEA limitations and penalties.[36] Because data collection contractors are agents under CIPSEA,[37] only statistical agencies may designate contractors to acquire information that will be protected under CIPSEA. In order for the collections of nonstatistical agencies to fall within the protections of CIPSEA, nonstatistical agencies must acquire the information themselves directly from respondents. Nonstatistical agencies cannot empower contractors or other agents to acquire information or carry out any other statistical activities for the agency under CIPSEA.[38]

The following sections II and III of this guidance describe in detail the requirements for all agencies using CIPSEA. Additional requirements for statistical agencies or units designating agents are covered in section IV. Because it is generally expected that statistical agencies or organizational units will be collecting information for exclusively statistical purposes under a pledge of confidentiality, statistical agencies or units that conduct or sponsor a collection that will not be for exclusively statistical purposes must follow additional requirements as described in section V. Additional requirements for nonstatistical agencies or units are provided in section VI.

[36] Sec. 512(d).
[37] Sec. 502(2)(iii).
[38] Some nonstatistical agencies may have specific statutory authority to designate agents that meets the requirements of CIPSEA, allowing the agency to use agents to perform exclusively statistical activities, including data collection, for the agency. Agencies should consult with OMB on the applicability of their statute for purposes of using CIPSEA before making plans to designate agents. Agencies should also clearly describe how their authority meets the requirements for CIPSEA designation of agents in their information collection requests to OMB.

II. Requirements for Agencies Collecting or Acquiring Information Protected Under CIPSEA

CIPSEA provides strong protection for information obtained for exclusively statistical purposes under a pledge of confidentiality. For CIPSEA to have its intended effect of reinforcing public confidence in Federal confidentiality pledges, all Federal agencies that make the CIPSEA pledge must provide CIPSEA protection to that information. A Federal agency should not make a CIPSEA pledge unless the agency is fully committed to taking all the actions that are necessary to provide CIPSEA level protection; making the CIPSEA pledge means giving CIPSEA level protection to the collected information. To faithfully maintain this commitment requires that agencies meet a number of minimum requirements that are described in detail in the remainder of this guidance. Specifically, agencies must:

• Inform the respondents about the confidentiality protection and use of the information (section II.);
• Collect and handle confidential information to minimize risk of disclosure, including properly training employees (section III.);
• Ensure the information is used only for statistical purposes (section III. A.);
• Review information to be disseminated to prevent identifiable information from being reasonably inferred by either direct or indirect means (section III. F.); and
• Supervise and control agents who have access to confidential information (section IV.).

A. Requirements for Public Notice Prior to Data Collection

Agencies are required under the PRA to:

• Publish a notice in the Federal Register allowing 60 days for the public to comment on information collections and otherwise consult with members of the public and affected agencies concerning each proposed collection of information; [39]
• Publish a notice in the Federal Register at the time OMB approval is being sought, and allow the public 30 days to comment; and
• “Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy” in their PRA supporting statements submitted to OMB.[40]

When agencies are acquiring information that will be protected under CIPSEA, they shall: [41]

• State that the information will be protected under CIPSEA, and cite any other authority they have to protect the confidentiality of the data in their PRA supporting statements; and
• State in their Federal Register notices if there is a substantive change in the confidentiality protection of the information being collected, such as using CIPSEA to protect the information for an ongoing collection when similar protection was not available previously.

[39] 5 CFR 1320.8(d)(1).
[40] Instructions for Supporting Statement for Paperwork Reduction Act submissions and 5 CFR 1320.8(b)(3).
[41] Agencies conducting an OMB-approved information collection prior to passage of CIPSEA or issuance of this guidance, such as a periodic or longitudinal survey, can also protect that collection under CIPSEA if the collection is intended for exclusively statistical purposes, the agency pledges confidentiality, and the agency will follow this guidance in implementing CIPSEA. In this case, the agency should consult with OMB about the change in confidentiality protection for the collection and plan appropriate consultation with stakeholders and respondents. OMB may require agencies to provide Federal Register notices concerning the change in policy and to contact respondents for comments before the agency can make a CIPSEA pledge.

B. Requirements for Informing Respondents at the Time of Information Collection

At the time of the information collection, agencies are required under the PRA to adequately inform potential respondents about the uses of the information they provide.[42] This description must include the following information related to the confidentiality of their responses:

• The reasons the information is planned to be and/or has been collected;
• The way such information is planned to be and/or has been used to further the proper performance of the functions of the agency; and
• The nature and extent of confidentiality protection to be provided, if any.[43]

When agencies are collecting information that they want to be protected under CIPSEA, they are required by law at the time of collection to do the following: [44]

• Pledge to keep the data or information confidential, and
• Pledge that the information will be used for exclusively statistical purposes.

Agencies that are not protecting information under CIPSEA must ensure that the public is able to distinguish easily between pledges that reflect the protections provided by CIPSEA and those affording less protection than CIPSEA.
In particular, the pledge for collections not protected to the extent afforded by CIPSEA shall not contain all the elements related to CIPSEA found in the pledges below—specifically, the pledge shall not state both that the data are confidential and that they are for exclusively statistical use (in such cases CIPSEA would apply even if not stated).[45] The degree to which the pledge differs from the CIPSEA pledge needs to be based on the laws and regulations governing the collection and determined in collaboration with the agency legal staff, agency confidentiality officer, and PRA clearance officer. A pledge of confidentiality for collections not protected by CIPSEA must specifically cite the statutory authorization protecting the confidentiality of the data being collected and accurately describe the extent of that protection. If an agency elects to collect information under laws affording less protection than CIPSEA, OMB will not approve an agency’s proposed non-CIPSEA pledge that is too similar to the CIPSEA pledge (e.g., one that includes the term ‘confidential’ and states that the information will be used for exclusively statistical purposes).

[42] 5 CFR 1320.8(b)(3); Additional requirements are imposed if the collection involves a Privacy Act system of records (5 U.S.C. 552a(e)(3) as amended).
[43] 5 CFR 1320.8(b)(3).
[44] Sec. 512(a).
[45] As noted at the end of this subsection (and in footnote 17), CIPSEA does not restrict or diminish any other confidentiality protections or penalties for unauthorized disclosure that an agency may otherwise have for information collected for statistical purposes, and any stronger protections would remain in effect (Sec. 504(h); Sec. 512(b)(3)).

The following examples of confidentiality pledges under CIPSEA are sufficient to inform respondents of the protections afforded. Agencies shall use the following model and customize the wording in accordance with their needs. Parentheses indicate options and italics are instructions. Comparable pledge language may be substituted, but that alternative wording shall be included in the PRA supporting statements to OMB and should be cognitively tested. A complete confidentiality pledge shall be developed from the following:

The information (choose one—you, your household, your establishment—as needed) provide(s) will be used for statistical purposes only. In accordance with the Confidential Information Protection provisions of Title V, Subtitle A, Public Law 107–347 (option to add or substitute laws that are stronger or more restrictive than CIPSEA) and other applicable Federal laws (option to list them, but it is not necessary to be exhaustive), your responses will be kept confidential and will not be disclosed in identifiable form to anyone other than employees (option to add “or agents” if applicable, or another term the agency uses) (option to add—without your consent).[46] By law, every (your agency here) employee (optional—including the Director), (if applicable, option to add “as well as every agent such as then list as appropriate—contractors, field representatives, telephone interviewers, authorized researchers,[47] etc”.[48]), (optional—has taken an oath and) is subject to a jail term (optional—of up to 5 years), a fine (optional—of up to $250,000), or both if he or she willfully discloses ANY identifiable information about (choose one—you, your household, your establishment).

[46] Use the phrase “without your consent” only in cases where an agency can reasonably anticipate such consent will be requested.

The above pledge may be placed on the survey instrument (e.g., form), in the instructions, or on the back side of the cover letter.
A shorter, more user-friendly version may be used in introductory statements, on the cover of the instrument, or in the body of the cover letter as long as there is a reference to the full pledge. In addition, the agency may place the full pledge on the agency’s web site and point respondents to that site.

To illustrate the actual pledge wording, an agency could implement this pledge as follows:

The information you provide will be used for statistical purposes only. In accordance with the Confidential Information Protection provisions of Title V, Subtitle A, Public Law 107–347 and other applicable Federal laws, your responses will be kept confidential and will not be disclosed in identifiable form to anyone other than employees or agents. By law, every ABC employee as well as every agent has taken an oath and is subject to a jail term of up to 5 years, a fine of up to $250,000, or both if he or she willfully discloses ANY identifiable information about you.

Agencies may choose to employ a shortened version of the pledge, such as the following, when conducting telephone surveys or in other similar circumstances as long as respondents are given access to the longer version in some other manner such as posting on the agency’s Web site:

The information you provide about (choose one—yourself, household, establishment) will be used for statistical purposes only. In accordance with the Confidential Information Protection provisions in Public Law 107–347 (option to add and other applicable Federal laws), your responses will be kept confidential and will not be disclosed in identifiable form (optional—without your consent).[49] By law, everyone working on this (your agency here) survey is subject to a jail term, a fine, or both if he or she willfully discloses ANY information that could identify you.

[47] Agencies that plan to provide access to confidential information for statistical purposes should include mention of this in their pledge.
48 Designated statistical agencies (as defined under CIPSEA Subtitle B) may include “employees of partner statistical agencies” for collections of confidential business information that may be used in data sharing agreements as authorized under that Subtitle.

49 Use “without your consent” only if consent is asked or may be in the future—omitting this phrase could create difficulties if the agency later wants to ask for consent.

Agencies whose statutory authority provides confidentiality protections more restrictive than CIPSEA for information acquired for exclusively statistical purposes under a pledge of confidentiality may use the CIPSEA pledge or their existing pledges that are similar as long as they make clear what confidentiality protections cover the information and the statutory authority for those protections. In such cases, the resemblance of an agency’s pledge to the CIPSEA pledge does not imply that any provisions in CIPSEA would overrule the agency’s stronger confidentiality statute. CIPSEA does not restrict or diminish any other confidentiality protections or penalties for unauthorized disclosure that an agency may otherwise have for information collected for statistical purposes, and any stronger protections would remain in effect.50

III. Minimum Standards for Safeguarding Confidential Information Acquired Under CIPSEA

These standards for safeguarding confidential information apply to information protected under CIPSEA. Federal agencies shall follow the minimum standards in this section. In addition, some best practices are provided that agencies are encouraged to adopt but are not required to implement.51

The central objective of these standards is to ensure that a Federal agency that pledges confidentiality for statistical information honors that pledge. Each Federal agency remains ultimately responsible and accountable for the confidential information that the agency acquires under a CIPSEA pledge.
Any inappropriate use or disclosure of CIPSEA-protected information violates the law and can undermine public trust. Therefore, there is no “acceptable” level of non-compliance with the CIPSEA pledge.

These minimum standards have been developed according to the principle of disclosure risk, which considers both the probability of an unauthorized disclosure and the expected harm from such a disclosure. These minimum standards apply to data for which the disclosure risk has been deemed relatively low by the Federal agency responsible for the information. Federal agencies shall set higher standards as the disclosure risk increases.

At a minimum, such standards shall make clear that each person having access to confidential information understands his/her responsibility related to maintaining the confidentiality of that information. In addition, these standards shall make clear who is accountable for each part of the information protection, including:

• Determining and monitoring procedures for collection and release;
• Evaluating the reason for accessing the information and controlling access to the information; and
• Maintaining physical and information systems security.

50 Sec. 504(h); Sec. 512(b)(3).

51 Best practices that agencies are encouraged but not required to implement are designated as items that agencies “may” do, while requirements are noted as items that agencies “shall” do.

A. Principles and Procedures for Protecting Confidential Information

Agencies or organizational units protecting information under CIPSEA shall incorporate the costs for protecting confidential information throughout the lifecycle of the statistical activity.
This will ensure that sufficient resources are available to develop and implement procedures to ensure that:

• The confidentiality of the information is protected;
• Confidential information is used exclusively for statistical purposes;
• Access to confidential information is controlled, and only authorized persons have access to the information;
• All persons having access to confidential information understand
  ◦ The obligations of confidentiality protection,
  ◦ That unauthorized access to confidential information is prohibited, and
  ◦ The penalties for unauthorized access to and unauthorized use of confidential information; and
• A person or persons are designated to oversee all procedures for handling confidential information, and that such persons are responsible for all agency confidentiality procedures, reviews, and compliance with confidentiality laws.

B. Physical and Information Systems Security

Each agency shall ensure the physical security and information systems security where data protected under CIPSEA are accessed and stored. Agencies are required to establish appropriate administrative and technical safeguards to ensure the security of all media containing confidential information is protected against unauthorized disclosures and anticipated threats or hazards to their security or integrity. For example, agencies must ensure that security requirements are followed for reports, documents, printouts, information collection instruments, laptops, PDA’s, zip drives, floppy disks, CD–ROMs, or any other IT devices that contain confidential information to prevent access by unauthorized persons. Agencies must also ensure that only persons authorized by the head of the statistical agency or unit are permitted access to confidential information stored in information systems.
Agencies are required to assess and secure their information and information systems in accord with the Federal Information Security Management Act (FISMA) which appears as Title III of the E-Government Act of 2002. OMB has issued guidance on implementing FISMA, and the National Institute of Standards and Technology (NIST) has issued compulsory and binding standards used to identify the level of impact and controls for maintaining the confidentiality, integrity, and availability of all information collected or maintained on behalf of an agency.52

One of three security objectives for information and information systems that FISMA defines is confidentiality. The security category of an information type is determined by its potential impact on agencies should there be a breach of security, i.e., a loss of confidentiality.53 Because agencies handle many different types of information, an agency should determine what the potential impact of a security breach on the agency is (including mission, function, image, and reputation), and take into account CIPSEA requirements that the information be used for exclusively statistical purposes as well as the penalties that CIPSEA imposes for disclosure.

Privacy Impact Assessments (PIAs) are also required of agencies developing or procuring information systems or projects that maintain or handle confidential information in identifiable form about members of the public, and agencies initiating new electronic collections of information in identifiable form.54

52 For more information about existing security and privacy requirements, see http://www.whitehouse.gov/omb/inforeg/infopoltech.html, FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems, Gaithersburg, MD: U.S. Department of Commerce, and related publications.

C. Confidentiality Training

Each agency with information protected under CIPSEA shall ensure
that all individuals having access to such confidential information have a current understanding of confidentiality rules and procedures. Confidentiality training shall include at a minimum:

• An overview of information protection procedures,
• The importance of “need to know” for an authorized purpose in accessing confidential information,
• Physical and information systems security procedures, and
• The penalties for unauthorized access, use and disclosures.

Employees who have access to confidential information shall be recertified annually to ensure their understanding of confidentiality requirements.

53 See FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems, Gaithersburg, MD: U.S. Department of Commerce; and related publications such as NIST Special Publication 800–60.

54 See OMB Memorandum M–03–22, September 26, 2003, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.

D. Record Keeping

Agencies shall establish and maintain a system of records 55 that identifies individuals accessing confidential information. Agencies shall also be prepared to document their compliance with the safeguard principles to OMB.56

E. Information Collection, Processing, or Analysis Contracts

Prior to award, agencies shall review any contracts that involve CIPSEA protected information to ensure language is included that informs the contractor of the requirements of CIPSEA and of the contractor’s obligations under the law and penalties for noncompliance (see Section IV).

F. Guidelines for Review of Information Prior to Dissemination

For CIPSEA protected information, the agency as well as any agent accessing the information shall ensure that any dissemination of information based on confidential information is done in a manner that preserves the confidentiality of the information.
To accomplish this, agencies shall:

• Review their information products prior to public release for disclosures of confidential information, and
• Apply appropriate statistical disclosure limitation (SDL) techniques to preserve the confidentiality of the information.

For further guidance on SDL techniques, agencies can refer to practices described in Statistical Policy Working Paper #22, Report on Statistical Disclosure Limitation Methodology 57 and utilize other resources such as the disclosure review checklist provided by the Federal Committee on Statistical Methodology’s Confidentiality and Data Access Committee.58 Additional guidelines are provided below for handling confidential information protected under CIPSEA in conjunction with information not protected by CIPSEA.

55 Agencies should assess for themselves the nature of these records and requirements for record keeping, including whether what an agency does for this purpose qualifies as a system of records under the Privacy Act. OMB is not implying in this guidance what form these record keeping systems should take and is leaving that determination to the agency.

56 OMB recognizes that in some cases agencies have very detailed documentation on access to confidential information that itself is treated as confidential by the agency. In this case, it is sufficient for the agency simply to demonstrate that the basic safeguard principles are being followed; agencies should not reveal specific individuals or specific procedures that would compromise the protection of the information.

Tabular Information

When a table includes both data protected under CIPSEA and other data not protected under CIPSEA, all data shall be treated as confidential, and identifiable respondent information shall not be present in the table.
When a table includes both data protected under CIPSEA and nonconfidential data, the agency:

• Shall apply SDL techniques to ensure protection of any table cells based on information protected under CIPSEA;
• May have a table cell that reveals nonconfidential identifiable respondent information. However, the agency shall take special care to ensure that the presentation of the nonconfidential information in no way jeopardizes confidential information.
  ◦ If the table includes any identifiable nonconfidential respondent information, the agency shall distinguish what information is protected under CIPSEA in the accompanying text or notes to the table.
  ◦ If the table does not include any identifiable nonconfidential respondent information, there is no need to distinguish these data from those protected under CIPSEA.
• A special case exists when a table cell value reflects a combination of CIPSEA protected data and nonconfidential data (e.g., a ratio or weighted average). In this case, these data elements are considered confidential and shall not be disseminated in a manner where any respondent could be identified.

The agency shall determine how the disclosure limitation methods used on the data affect the users and thus what information about confidentiality protection shall be included with tabular presentation.

Microdata 59

The confidentiality provisions and limits on uses of microdata shall be completely discussed in the documentation or mentioned with a reference for details. For microdata protected under CIPSEA, SDL techniques shall be applied prior to public release. There are two possible scenarios to consider for the dissemination of microdata in which some elements are protected under CIPSEA and other elements are not (e.g., not confidential or confidential under other laws/authorities).

• If variables protected under CIPSEA are linked to other variables that are not, the most restrictive law (in terms of promising confidentiality and limiting the use of the information) shall apply. For example:
  ◦ If an agency links data protected under CIPSEA with nonconfidential administrative data from another source and releases a linked public use microdata file, the restrictions of CIPSEA apply.
  ◦ If an agency links data protected under CIPSEA with confidential administrative data from another source (e.g., IRS data) and releases a linked public use microdata file, the most restrictive law (in terms of promising confidentiality and limiting the use of the information) shall prevail.
• If data from some respondents are protected under CIPSEA and data from other respondents are not, an agency may keep the data in separate files or combine the data sets and include a variable that tells the source for each record. Keeping the data in separate files may be the best choice because it would help highlight the difference in confidentiality provisions and limits on uses.

57 Available at http://www.fcsm.gov/reports/.

58 See http://www.fcsm.gov/committees/cdac/cdac.html. Agencies may also wish to consult HIPAA standards for deidentification of protected health information at 45 CFR 164.514.

59 Microdata are data about individual respondents (e.g., persons, households, organizations, companies, farms, etc.)

60 Sec. 512(d).

IV. Requirements and Guidelines for Statistical Agencies or Organizational Units When Designating Agents to Acquire or Access Confidential Information Protected Under CIPSEA

Statistical agencies or organizational units may under CIPSEA designate agents by contract or by entering into a special agreement to perform exclusively statistical activities that are subject to CIPSEA limitations and penalties.60 To ensure that the protections of CIPSEA apply to the
information that a statistical agency or unit acquires, the agency shall follow the requirements in this section when designating agents to acquire information for the agency for exclusively statistical purposes under a pledge of confidentiality. Because CIPSEA has a broad definition of agents, statistical agencies and organizational units may use CIPSEA to designate a variety of individuals as agents to allow them to access confidential information for exclusively statistical purposes.61 A statistical agency may designate agents to perform exclusively statistical activities, at its discretion, subject to the agency’s needs, resources, and other requirements. The agency that possesses the confidential information shall ensure that all agents comply with the agency’s confidentiality procedures and shall follow the requirements in this section when designating agents to access confidential information for exclusively statistical purposes. Information protected under CIPSEA must be used only for statistical purposes.

When entering into contracts or special agreements with agents to acquire or access confidential information, an agency shall consider:

• The sensitivity of the confidential information,
• The risk of disclosure, and
• The resources required to maintain supervision and control of agents.

Agencies are responsible for protecting the confidentiality of their data and may establish standards beyond those in this guidance. This section thus provides the minimum requirements as well as additional guidelines for statistical agencies or units to designate agents to perform exclusively statistical activities, including data collection. It is important to note that neither CIPSEA nor this guidance requires any statistical agency or unit to designate agents; the decision to enter into these agreements is at the discretion of the statistical agency or unit.
Therefore, an agency may decline to designate agents in accordance with its authorities or practices.62 If a statistical agency or unit chooses to designate agents, the agency remains responsible for all confidential information protected under CIPSEA, and statistical agencies or units should not designate agents unless the agencies or units are able to ensure that all CIPSEA requirements in this guidance will be met and faithfully carried out by their agents. Carrying out these responsibilities will take agency resources, and thus, will limit the extent to which a statistical agency or unit should consider designating agents.

61 Sec. 512(a).

62 An example is the authority granted the Census Bureau under Title 13, Section 23(c) that permits the use of temporary staff to assist in the performance of work authorized by Title 13. Whereas CIPSEA puts no limits on the statistical uses made by agents, Title 13 limits the statistical uses to those that support the work of the agency.

A. Designating Agents

Under CIPSEA, a statistical agency or unit may designate as an agent 63 any of the following:

• An employee of a private organization or a researcher affiliated with an institution of higher learning;
• Someone who is working under the authority of a government entity;
• Someone who is a self-employed researcher, a consultant, a contractor, or an employee of a contractor; or
• Someone who is a contractor or an employee of a contractor, and who is engaged by the agency to design or maintain the systems for handling or storage of data received under this title.64

Statistical agencies or units designating agents must do so through contracts or other agreements that require the agent to agree in writing to comply with all provisions of law that affect information acquired by that agency.65 Any statistical agencies or units that designate agents shall exercise supervision and/or control of the agents to ensure the confidentiality and appropriate use of the information.

63 Sec. 502(2)(A); Sec. 512(d).

64 CIPSEA includes as agents contractors maintaining systems for handling or storage of data. Such information technology personnel provide support and have direct contact with confidential information not because they would necessarily use the information for statistical purposes, but because they would be responsible for the protection of the information from use for nonstatistical purposes and for ensuring appropriate security. As agents, these contractors and their employees are bound by CIPSEA to protect the confidentiality of the information.

65 Sec. 502(2)(B).

B. Requirements for Agents To Request Access to Confidential Information Protected Under CIPSEA

Some statistical agencies and units receive requests from outside researchers and others who wish to obtain access to confidential data for statistical purposes as agents of the statistical agency. Most agencies that receive these kinds of requests have found it useful to first obtain a written proposal from the prospective agent. Agencies may require prospective agents to submit a proposal that includes some or all of the following in order to properly evaluate the proposed access and use of their confidential data:

• A clear and detailed description of the purpose of the access,
• The specific confidential information needed,
• How the information will be used,
• Plans for disseminating information as well as the products planned for public distribution,
• A list of persons involved in the project who will have access to the information,
• A security plan (information systems and physical security) for protecting the information [applicable only for off-site access arrangements], and
• A timeframe for access.

After an agency receives the proposal and reviews it, the agency may provide comments and may request changes or may request the prospective agent to complete a written agreement (see section IV.C).66 Agencies shall deny any proposal that does not meet the requirements described in this guidance. Whether or not a prospective agent has submitted a proposal to an agency, access to confidential information shall not be granted until the agency has entered into a written agreement with the agent, and the agent has met the requirements contained in this guidance and in agency standards for accessing the data.

Prior to the enactment of CIPSEA, some statistical agencies and units had statutory authority to authorize agents to access confidential information. Agencies have developed a variety of mechanisms that balance permitting access to confidential data, while controlling that access.
This area is evolving rapidly, and the following examples are included only as illustrations:

• Onsite at Agency: An external analyst works at an agency as an agent to participate in statistical activities involving confidential data. This work shall be done either in collaboration with or otherwise under the direct control and supervision of agency staff, per the terms of a written agreement. The agent’s work is subject to review by the supervising staff.
• Data Center: An agent visits a controlled access secure facility maintained by the agency or unit to conduct analyses on confidential data held by the agency. The facility must be equipped with secure computers and staffed by agency personnel who review all outputs for the purposes of confidentiality. There may be additional constraints on what the agent may bring to or remove from the center.
• Off-site License Agreement: An agent is granted access to confidential information from an agency or unit for use at the agent’s facility. The organization the agent is affiliated with shall enter into a legally binding written agreement as described in section IV.C with the agency that possesses the confidential information.

66 If the agency chooses, the agent may submit the proposal in conjunction with a completed written agreement.

C. Written Agreements for Agent Access to Confidential Information Protected Under CIPSEA

Some statistical agencies or units use contractors to acquire information and/or perform other statistical activities. Under CIPSEA, the contractor and the contractor’s employees are considered agents. For any data that will be acquired by the contractor under CIPSEA, or if the contractor will have access to any confidential information protected by CIPSEA, the legally binding contract shall include the provisions shown in the Appendix.
If a statistical agency or unit provides designated agents access to confidential information protected under CIPSEA for exclusively statistical purposes, then all such access shall require a written, legally binding contract or other agreement between the agency and the responsible management level official from the institution with which the agent(s) is(are) affiliated.67 The information required as part of that written agreement is shown in the Appendix.

67 For situations in which agents are not affiliated with an institution, the agreement will be signed as legally binding by the agent(s). The latter arrangements would include those with a single agent operating independently as a sole proprietor as well as those with multiple agents operating independently.

D. Physical and Information Systems Security for Confidential Information Protected Under CIPSEA: On-Site and Off-Site

Agencies have the responsibility to ensure the security of physical and information systems for on-site as well as off-site access (if applicable) to confidential information and must follow applicable OMB Guidance and NIST standards and publications.68 In addition to the security requirements described in section III.B, agencies allowing agents access to confidential information protected under CIPSEA outside of the collecting agency or a facility under the agency’s control shall require that the written access agreement, described in section IV.C, stipulate the agency’s right to conduct inspections of the off-site facility.

68 For more information about existing security and privacy requirements, see http://www.whitehouse.gov/omb/inforeg/infopoltech.html, FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems, Gaithersburg, MD: U.S. Department of Commerce, and related publications.
In order to ensure the physical and information systems security of the confidential information, agencies shall conduct inspections of any off-site facility that harbors confidential information protected under CIPSEA. (If the off-site facility is another Federal statistical agency or unit, agencies may at their option conduct inspections but are not required to inspect these facilities.) These inspections shall be conducted according to the following principles:

• The inspections shall assess and document whether the protection procedures outlined in the written agreement and in the agent’s security plan are being implemented.
• While an inspection of the off-site facility is encouraged prior to release of the information to the agent, it is not required. (The inspection may occur any time during the access agreement period, preferably as soon as possible.)
• Inspections shall be conducted at all off-site facilities at some time during the timeframe of access. Agencies may prioritize their selection of sites for inspections based on risk, but must still inspect all off-site facilities; however, agencies may coordinate and collaborate on inspections of off-site facilities that harbor confidential data from multiple agencies. Agencies may choose not to inform the agent of the timing of such inspections.

E. Confidentiality Training

All persons with access to confidential information protected under CIPSEA shall participate in agency-provided confidentiality training (see section III.C) prior to accessing the confidential information as stipulated in the written agreement (section IV.C) between the agency and the agent’s organization or institution.69 The agency possessing the confidential data shall certify or receive notification that each project staff member has undergone the training. Agents shall also be required to be recertified annually.

F. Record Keeping

Agencies shall establish and maintain a system of records 70 that identifies designated agents accessing confidential information protected under CIPSEA and the project for which the information was authorized.

69 For situations in which agents are not affiliated with an institution, the agreement will be signed as legally binding by the agent(s).

70 Agencies should assess for themselves the nature of these records and requirements for record keeping, including whether what an agency does for this purpose qualifies as a system of records under the Privacy Act. OMB is not implying in this guidance what form these record keeping systems should take, and is leaving that determination to the agency.

V. Requirements for Statistical Agencies or Organizational Units Acquiring Information That May Be Used for Nonstatistical Purposes

CIPSEA defines a statistical agency or unit to be “an agency or organizational unit of the executive branch whose activities are predominantly the collection, compilation, processing, or analysis of information for statistical purposes.” 71 Because the public should expect that a statistical agency or unit will be collecting information for exclusively statistical purposes, CIPSEA requires a statistical agency to “clearly distinguish any data or information it collects for nonstatistical purposes (as authorized by law) and provide notice to the public, before the data or information is collected, that the data or information could be used for nonstatistical purposes.” 72

A. Requirements for Public Notice

If a statistical agency or unit will collect information that may be subject to use for nonstatistical purposes, the statistical agency or unit shall use the notices in the Federal Register that are required under the PRA to inform the public about the nonstatistical uses of the information during the process of requesting OMB approval of the information collection. As noted in section II.A, OMB’s regulations for Controlling Paperwork Burdens on the Public 73 set forth public notification requirements for agencies conducting or sponsoring an information collection. Agencies are required under the PRA to:

• Publish a notice in the Federal Register allowing 60 days for the public to comment on information collections and otherwise consult with members of the public and affected agencies concerning each proposed collection of information; 74
• Publish a notice in the Federal Register at the time OMB approval is being sought, and allow the public 30 days to comment; and
• “Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy” in their PRA supporting statements submitted to OMB.75

Both Federal Register notices (i.e., the initial one seeking public comments for consideration by the agency and the later one seeking public comments for consideration by OMB) must explicitly address what information the statistical agency or unit plans to collect that may be used for nonstatistical purposes.

71 Sec. 502(8).

72 Sec. 512(c).

73 5 CFR 1320.

74 5 CFR 1320.8(d)(1).

B. Requirements for Informing and Making Pledges to Respondents

As noted in section II.B, at the time of the information collection, agencies are required under the PRA to adequately inform potential respondents about the uses of the information they provide.76 This description must include the following information related to the confidentiality of their responses:

• The reasons the information is planned to be and/or has been collected;
• The way such information is planned to be and/or has been used; and
• The nature and extent of confidentiality to be provided, if any.77

The statistical agency or unit must clearly explain the confidentiality provisions, if any, for all information not protected under CIPSEA.
As appropriate, the explanation shall include:

• What information will be treated as confidential and the basis (e.g., laws) for any confidentiality pledge;
• What information will be treated as nonconfidential;
• What information, if any, is limited to use for exclusively statistical purposes and the agency’s basis (e.g., laws) for such assurances;
• What information, if any, is not limited to use for exclusively statistical purposes and may be used for nonstatistical purposes; and
• Any limitations on the confidentiality provisions (e.g., the information will be kept confidential only to the extent that it satisfies a criterion for exemption in the Freedom of Information Act (FOIA), the information may be shared with other Federal government agencies for official uses, etc.).

75 Instructions for Supporting Statement for Paperwork Reduction Act submissions and 5 CFR 1320.8(b)(3).

76 5 CFR 1320.8(b)(3); Additional requirements are imposed if the collection involves a Privacy Act system of records (5 U.S.C. 552a(e)(3) as amended).

77 5 CFR 1320.8(b)(3).

Agencies must ensure that the public is able to distinguish easily between their CIPSEA pledge and any non-CIPSEA pledge covering information that will be used for nonstatistical purposes. The degree to which the pledge differs from the CIPSEA pledge needs to be based on the laws and regulations governing the collection and determined in collaboration with the agency legal staff, agency confidentiality officer, and PRA clearance officer. The pledge shall be in compliance with section 512(c) of CIPSEA—requiring notice that any data could be used for nonstatistical purposes.
The approach a statistical agency or unit uses in crafting wording for confidentiality pledges for information not protected under CIPSEA must be done with care and take into account the laws governing the particular agency, and the agency is strongly encouraged to test changes from currently used wording. In particular, the pledge for collections not protected under CIPSEA (because, for example, the information would be used for nonstatistical purposes) shall not contain all the elements related to CIPSEA found in the pledges given in section II—for example, the pledge shall not state both that the data are confidential and that they are for exclusively statistical use (in such cases CIPSEA would apply even if not stated). For example, a pledge for data that are legally permitted to be accessed for nonstatistical purposes may state:

    The information you provide will be protected to the fullest extent allowable under (name the law). This law allows for the (name specific nonstatistical uses). Information will be protected from public disclosure by (your agency). Results from this survey will be reported publicly only in statistical summaries, so that individuals cannot be identified.

To illustrate the actual pledge wording, an agency could implement this pledge as follows:

    The information you provide will be protected and will not be disclosed to the public to the extent that it satisfies the criteria for exemption under the Freedom of Information Act (FOIA), 5 U.S.C. Sec. 552, and the Trade Secrets Act, 18 U.S.C. Sec. 1905.

To ensure public understanding and avoid confusion (about whether the agency will provide CIPSEA protection to the data), the above pledges do not use the word “confidential” because use of this term could give rise to confusion.

VI. Requirements and Guidelines for Nonstatistical Agencies or Units Acquiring and Handling Information Protected Under CIPSEA

Nonstatistical agencies seeking to acquire information that will be protected under CIPSEA can take two general approaches: (1) They can directly acquire the information themselves from respondents, or (2) they can enter into an agreement with a statistical agency to acquire the information.

As noted in Section I.G., Subtitle A of CIPSEA may be used by any Federal agency that directly acquires information from respondents for exclusively statistical purposes under a pledge of confidentiality. Nonstatistical agencies that acquire information in this manner must follow all of the requirements in sections II and III of this guidance for confidential information protected by CIPSEA.

Nonstatistical agencies or units that will not collect the information themselves directly from respondents will need to carefully consider their plans for acquiring and using information if they want to use CIPSEA to protect the information. Although nonstatistical agencies and units do acquire information directly from respondents, they frequently use contractors or other agencies to acquire information for them that is used for statistical purposes. CIPSEA did not authorize nonstatistical agencies or units to designate agents, such as contractors, university researchers, or others included within the definition of agents,\78\ to perform exclusively statistical activities, including data collection.
Because nonstatistical agencies or units are not empowered under CIPSEA to designate agents, who are subject to CIPSEA limitations and penalties, they will not be able to protect the information under CIPSEA if they employ contractors or other agents to acquire the information or if they plan to allow access to the information by anyone outside of authorized agency employees, even if they intend to use the information for exclusively statistical purposes and want to keep it confidential.\79\

As an alternative to collecting the data directly themselves, nonstatistical agencies or units that wish to acquire information with CIPSEA protection may want to consider entering into an agreement with a Federal statistical agency or unit. Because the statistical agency or unit would be responsible for protecting all confidential information acquired under the CIPSEA pledge, carrying out these responsibilities will take resources that non-statistical agencies should be prepared to provide to the statistical agency. Statistical agencies or units may designate agents under CIPSEA, but must follow the requirements in Section IV of this guidance to do so.

---------------------------------------------------------------------------

    \78\ See Sec. 502(2)(A).
    \79\ Some nonstatistical agencies may have specific statutory authority to designate agents that meets the requirements of CIPSEA, allowing the agency to use agents to perform exclusively statistical activities, including data collection, for the agency. Agencies should consult with OMB on the applicability of their statute for purposes of using CIPSEA before making plans to designate agents. Agencies should also clearly describe how their authority meets the requirements for CIPSEA designation of agents in their information collection requests to OMB.
---------------------------------------------------------------------------
Employees within a nonstatistical agency or unit may serve as agents for a statistical agency or unit to perform exclusively statistical activities on confidential information and be bound by CIPSEA provided that the statistical agency or unit and the agents have followed all of the requirements given in section IV. An agreement between the statistical agency and the nonstatistical agency could be used to make the statistical agency or unit responsible for the control of the confidential information. The statistical agency could then designate a contractor to acquire the information and perform other exclusively statistical activities. The statistical agency could also designate as agents select employees of the nonstatistical agency or unit to have access to the information for exclusively statistical purposes. As noted earlier, all requirements in sections II, III, and IV would have to be met; and, therefore, all agents would be subject to penalties under CIPSEA for any disclosure.

VII. Data Sharing Under Subtitle B of CIPSEA

Subtitle B, Statistical Efficiency, provides only for the sharing of business data for exclusively statistical purposes and provides for that sharing only among three statistical agencies designated in Subtitle B. Subtitle B of CIPSEA does not authorize the sharing of confidential business data among any Federal agencies other than the three designated statistical agencies, nor does it authorize any sharing of demographic or other types of data among any Federal agencies.\80\

The following brief guidance in this section applies to the three designated statistical agencies sharing business data. These three agencies are currently working to implement the data sharing provisions of CIPSEA. OMB is working closely with them and may issue additional guidance to these three agencies as needed to implement the data sharing provisions of CIPSEA.
---------------------------------------------------------------------------

    \80\ Although CIPSEA Subtitle B only authorizes the sharing of confidential business information among BEA, BLS, and the Census Bureau, CIPSEA did not alter other existing authorities for data sharing among Federal agencies (see Sec. 504(a)).
---------------------------------------------------------------------------

A. Designated Statistical Agencies

The three designated statistical agencies permitted by Subtitle B to share business data for exclusively statistical purposes are the Bureau of the Census, the Bureau of Economic Analysis, and the Bureau of Labor Statistics.\81\

B. Requirements When the Designated Statistical Agencies Share Data

Prior to sharing any business data under CIPSEA, the designated statistical agencies shall inform respondents about their intentions to share the business data. If, prior to collection, the designated agencies anticipate that they will share business data, the agencies shall:

• Include in their Federal Register notices required under the PRA notification that the business data may be shared with designated statistical agencies, and
• Also include in their CIPSEA confidentiality pledges notification that the data may be shared with designated statistical agencies.

When a designated statistical agency plans to share data that was collected under a legal requirement to supply the information without notice of the intent to share that information with one or more designated statistical agencies, the agency shall publish a notice of the proposed data sharing activity in the Federal Register and specify the business data to be shared and the statistical purposes for which the business data are to be used. This notice shall allow a minimum of 60 days for public comment,\82\ and a copy of this notice shall be sent to OMB when it is published.

C. Requirements for Written Agreements for Data Sharing Among Designated Statistical Agencies

Designated statistical agencies shall enter into a written agreement before sharing any business data. The written agreement shall specify:

• The business data to be shared;
• The statistical purposes for which the business data are to be used;
• The officers, employees, and agents authorized to examine the business data to be shared; and
• Appropriate security procedures to safeguard the confidentiality of the business data.

A copy of the written agreement shall be provided to OMB ten days prior to execution.

---------------------------------------------------------------------------

    \81\ Sec. 522.
    \82\ Sec. 524(d).
---------------------------------------------------------------------------

VIII. Annual Reporting and Review Requirements

A. Reporting Requirements

To coordinate and oversee the confidentiality and disclosure policies established under CIPSEA, the Office of Management and Budget is authorized under CIPSEA to require reports and other information regarding the implementation of this legislation by Federal agencies.\83\ In order to effectively monitor Federal agencies’ use of the different provisions in CIPSEA, all agencies shall report to OMB on (1) The use of the CIPSEA pledge, (2) the use of the CIPSEA agents provision, and (3) data sharing activities under Subtitle B.

Use of the CIPSEA pledge. Any Federal agency acquiring data under CIPSEA Subtitle A shall report to OMB on an annual basis on those collections it has conducted under CIPSEA and affirm that the agency has followed the procedures in this guidance to ensure the confidentiality of the information is protected.

Use of the agents provision in CIPSEA. Statistical agencies and units are authorized under Subtitle A of CIPSEA to designate agents, who may perform exclusively statistical activities, including data collection, and are bound to the same legal requirements as agency employees for maintaining the confidentiality of the information.
Statistical agencies or units that choose to designate agents shall report to OMB on an annual basis on the number of agents designated; the kinds of statistical activities performed by agents, e.g., data collection, analysis, etc.; the different types of arrangements for access to confidential information (if applicable), e.g., on-site at the statistical agency, through an agency-controlled research data center, or off-site licensing agreement; and the kind of written agreement that is required for each type of access.

Use of data sharing provisions under Subtitle B of CIPSEA. CIPSEA directs that the three designated agencies shall report annually to the Director of the Office of Management and Budget, the Committee on Government Reform of the House of Representatives, and the Committee on Governmental Affairs of the Senate on the actions taken to implement the sections of the law on sharing of business data. Designated agency reports shall be prepared on a calendar year basis, and shall include a summary of activities carried out under this law including the statistical purposes for sharing, any anticipated improvements to quality, and any anticipated or achieved reductions in cost or respondent burden due to the sharing of business data. The report shall include copies of each written agreement for the sharing of business data for the applicable year.

The initial report to OMB shall cover any collections since the enactment of the legislation in December 2002 through December 2006, and subsequent reports shall cover a calendar year. Agencies shall submit their initial reports to OMB by May 30, 2007. Subsequent reports shall be submitted annually to OMB by April 30th of each year. Agencies shall also post copies of this report on their Web sites.

B. OMB Review of Agency Rules

Agencies are authorized to promulgate rules to implement CIPSEA.\84\ Agencies proposing rules to implement CIPSEA shall submit these proposed rules to OMB for review and approval.\85\

---------------------------------------------------------------------------

    \83\ Sec. 503.
    \84\ Sec. 503(b).
    \85\ Sec. 503(c).
---------------------------------------------------------------------------

Appendix

Requirements for Contracts and Written Agreements for Agents Acquiring or Accessing Confidential Information Under CIPSEA

The following information shall be included in the contract or written agreement:

• The identity and affiliation of both the legally responsible agent (e.g., contractor or requestor seeking access to confidential data) and agency official signing the agreement;
• Whether the agent will be acquiring confidential information on behalf of the agency or only accessing confidential information the agency possesses;
• A clear and detailed description of the purpose of the access;
• The specific confidential information needed;
• How the information will be used;
• Any plans for disseminating information as well as the products planned for public distribution;
• Legally binding signature lines for the agency, and the responsible management level official from the institution with which the agent(s) is (are) affiliated. When the agent is operating independently for these purposes and is unaffiliated with an institution, the agent will sign;
• The legal authority under which the information was collected or acquired;
• The legal authority from CIPSEA and other laws for providing the agent the ability to acquire or to access the information;
• Penalties for violating confidentiality or unauthorized use of the information;
• The timeframe for access;
• A requirement that the agent provide and update as necessary a list of persons involved in the project who will have access to the information;
• The agent’s responsibility to notify agency when
  ○ The agent no longer needs the information,
  ○ The agent plans a change in site access, and/or
  ○ The project purpose changes (agency approval must be obtained first);
• Confidentiality training requirement for all persons who have access to confidential information;
• The requirement that each person with access to confidential information sign a non-disclosure form that signifies an understanding of and agreement to the terms of access and agreement to comply with CIPSEA and any other applicable laws (see below for options on where to include this information);
• The requirement that the agent submit any project information products to the agency for disclosure review (agencies may also include or reference reporting requirements or standards);
• For off-site access arrangements
  ○ A security plan (information systems and physical security) for protecting the information,
  ○ Procedures regarding the return or destruction of information when access is no longer necessary (may precede project’s end), and
  ○ The requirement that the agent allows the agency to carry out a physical and IT security inspection of the agent’s workplace;
• Conditions requiring modification of the agreement;
• Termination clause for the agreement;
• Listing of contact persons for the agency and the responsible management level official from the institution with which the agent is affiliated. (When the agent is operating independently and is unaffiliated with an institution, the agent will designate a contact person.); and
• As applicable, information on funding of project work, including any between the agency, agent(s), and/or agents’ institution.

The following information may be included in the body of the agreement, added to the agreement as appendices, or made part of the agency’s official files for the actual agreement:

• Copy of the agency-approved proposal (if required);
• Copies of all laws cited in the agreement;
• The list of persons with access to confidential information;
• Certification that all persons who have access to confidential information have completed confidentiality training;
• Signed non-disclosure forms for all persons with access to confidential information; and
• For each person with data access, a copy of the background certification supporting such access—details to be determined by agency (options could include fingerprinting, a sworn affidavit of nondisclosure, work history checks, etc.).

Agencies may also include additional requirements in their written agreements. Examples of written agreements used by some agencies that conform to the above requirements will be available on the OMB Web site.\86\

---------------------------------------------------------------------------

    \86\ http://www.whitehouse.gov/omb go to “Statistical Programs and Standards.”
---------------------------------------------------------------------------

[FR Doc. E7–11542 Filed 6–14–07; 8:45 am]
BILLING CODE 3110–01–P


[Federal Register Volume 72, Number 115 (Friday, June 15, 2007)]
[Notices]
[Pages 33362-33377]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E7-11542]



[[Page 33361]]

-----------------------------------------------------------------------

Part IV





Office of Management and Budget





-----------------------------------------------------------------------



Implementation Guidance for Title V of the E-Government Act, 
Confidential Information Protection and Statistical Efficiency Act of 
2002 (CIPSEA); Notice


[[Page 33362]]


-----------------------------------------------------------------------

OFFICE OF MANAGEMENT AND BUDGET


Implementation Guidance for Title V of the E-Government Act, 
Confidential Information Protection and Statistical Efficiency Act of 
2002 (CIPSEA)

AGENCY: Office of Management and Budget, Executive Office of the 
President.

ACTION: Notice of decision.

-----------------------------------------------------------------------

SUMMARY: The Confidential Information Protection and Statistical 
Efficiency Act of 2002 (CIPSEA) can provide strong confidentiality 
protections for statistical information collections, such as surveys 
and censuses, as well as for other statistical activities, such as data 
analysis, modeling, and sample design, that are sponsored or conducted 
by Federal agencies. The Office of Management and Budget (OMB) is 
issuing Implementation Guidance for Title V of the E-Government Act, 
the Confidential Information Protection and Statistical Efficiency Act 
of 2002 (Pub. L. 107-347). The purpose of the CIPSEA implementation 
guidance is to inform agencies about the requirements for using CIPSEA 
and to clarify the circumstances under which CIPSEA can be used.

    Authority: 31 U.S.C. 1104(d); 44 U.S.C. 3504 (specifically 
(a)(1)(B)(iii) and (v), (e)(1), (3) and (5), and (g)(1)); Pub. L. 
107-347 section 503(a), 44 U.S.C. 3501 note.

FOR FURTHER INFORMATION CONTACT: Brian Harris-Kojetin, Ph.D., 
Statistical and Science Policy Office, Office of Information and 
Regulatory Affairs, Office of Management and Budget, NEOB, Room 10201, 
725 17th Street, NW., Washington, DC 20503. Telephone: 202-395-3093.

SUPPLEMENTARY INFORMATION:

A. Background

    Statistics collected and published by the Federal Government 
constitute a significant portion of the available information about the 
United States' economy, population, natural resources, environment, and 
public and private institutions. There are more than 70 Federal 
agencies or organizational units that carry out statistical activities 
as their principal mission or in conjunction with other program 
missions, such as providing services or enforcing regulations. In 
addition to these 70 agencies, many other Federal agencies or units may 
collect statistical information to use for specific program needs.
    Prior to the enactment of CIPSEA, a patchwork of legislative 
protections governed the confidentiality of data gathered for 
statistical purposes by the different agencies and units. Some agencies 
had strong statutory authority to protect the confidentiality of the 
data they gathered for statistical purposes, while other agencies had 
weak or no legislative authority to protect confidentiality. In 
addition, the ability of the designated statistical agencies to share 
information to improve the efficiency of the Federal statistical system 
was limited by statutory constraints affecting those agencies.
    By establishing a uniform policy for all Federal statistical 
collections, this law will reduce public confusion, uncertainty, and 
concern about the treatment of confidential statistical information by 
different Federal agencies. By establishing consistent rational 
principles and processes to buttress confidentiality pledges, the 
guidance that implements the law will harmonize confidentiality claims 
and set minimum standards for safeguarding confidential statistical 
information. Such consistent protection of confidential statistical 
information will, in turn, reduce the perceived risks of more efficient 
working relationships among statistical agencies, relationships that 
can reduce both the cost and reporting burden imposed by statistical 
programs.

B. Development and Review

    In 2003, OMB and the other members of the Interagency Council on 
Statistical Policy (ICSP) formed an interagency group to discuss issues 
that OMB and the agencies anticipated would arise in the implementation 
of CIPSEA. OMB was particularly interested in understanding the 
questions and concerns that these statistical agencies had about the 
new law and how it would affect their activities. OMB also sought to 
incorporate the best practices of these agencies for handling 
confidential statistical information.
    An initial draft of this implementation guidance was reviewed by 
the ICSP members, and OMB revised the draft guidance in response to the 
comments that we received. Based on the use of the law by agencies over 
the past three years, OMB has also addressed in the guidance specific 
issues that have arisen, such as nonstatistical agencies' use of 
CIPSEA.

C. Summary of and Response to Comments Received in Response to the 
October 16, 2006 Federal Register Notice

    OMB issued proposed Implementation Guidance for Title V of the E-
Government Act, Confidential Information Protection and Statistical 
Efficiency Act of 2002 (CIPSEA) (Pub. L. 107-347) in October 2006 (71 FR 
60,772-60,773). Five public comments were received in response to OMB's 
request. OMB reviewed the public comments on the guidance and made some 
modifications in response to the comments. The complete text of the 
public comments and this document are available on the OMB Web site at 
http://www.whitehouse.gov/omb/inforeg/statpolicy.html.

General Comments

    One commenter expressed support for the guidance and stated that 
``the proposed guidelines establish principles and policies that will 
protect the confidentiality of the data provided by respondents to 
federal statistical surveys'' and noted that the guidance provides 
``reasonable approaches to protecting confidentiality, and thereby will 
reduce the costs and reporting burdens imposed by statistical 
programs.'' The commenter also noted that it was ``especially useful to 
see guidelines for statistical agency interactions with outside 
analysts (e.g., contractors) authorized to see the confidential data.''

I. Introduction

Identifiability

    One commenter believed the discussion of the identifiability of 
personal information in the proposed guidance was insufficient. 
Although the commenter noted the technical references to Statistical 
Policy Working Paper 22 \1\ and to the Federal Committee on 
Statistical Methodology's Confidentiality and Data Access Committee's 
disclosure review checklist,\2\ she asked for ``more specific guidance 
about the meaning of the terms reasonably inferred and direct or 
indirect means'' [emphasis in original] and ``how the CIPSEA standard 
specifically relates to the HIPAA standards of no reasonable basis to 
believe and risk is very small [emphasis in original] * * * ``whether a 
risk assessment is required, how to conduct that risk assessment, what 
data sources (public and private) must be considered in assessing 
identifiability'' as well as how much effort and cost are reasonable.
---------------------------------------------------------------------------

    \1\ Available at http://www.fcsm.gov/reports/.
    \2\ Available at http://www.fcsm.gov/committees/cdac/cdac.html.
---------------------------------------------------------------------------

    In response to this comment, OMB has included a definition of 
``personally identifiable information'' in footnote 21 and provided an 
example of indirect identification in footnote 23, as follows:


[[Page 33363]]


    \21\ ``personally identifiable information'' refers to 
information which can be used to distinguish or trace an 
individual's identity, such as his or her name, social security 
number, biometric records, etc., alone, or when combined with other 
personal or identifying information that is linked or linkable to a 
specific individual, such as date and place of birth, mother's 
maiden name, etc.
    \23\ Indirect identification refers to using information in 
conjunction with other data elements to reasonably infer the 
identity of a respondent. For example, data elements such as a 
combination of gender, race, date of birth, geographic indicators, 
or other descriptors may be used to identify an individual 
respondent.

    However, it is beyond the scope of this implementation guidance to 
provide lists of other data sources that could be used to reidentify 
respondents or specific risk assessment techniques agencies must 
employ. As the commenter noted, OMB does provide references to more 
technical resources that address these issues, such as Statistical 
Policy Working Paper 22, and a citation to the HIPAA privacy 
rule has been added. Federal statistical agencies are in the best 
position to know about the sensitivity of their confidential 
statistical information and to take appropriate steps to assess and 
mitigate the risks of reidentification. Because this area is a ``moving 
target,'' as the commenter noted, OMB, through its Federal Committee on 
Statistical Methodology, sponsors the Confidentiality and Data Access 
Committee, which facilitates the sharing and adoption of best practices 
and latest techniques in disclosure avoidance across Federal agencies.

Relation of CIPSEA to Other Laws

    One commenter noted that ``subsection (b) of the Privacy Act of 
1974 authorizes numerous disclosures, many of which are inappropriate 
for CIPSEA records. For example, disclosures for law enforcement 
purposes'' as well as many routine uses. The commenter asked OMB to 
``elaborate on the intersection between CIPSEA and the Privacy Act of 
1974.''
    As OMB has noted in the guidance, agencies are responsible for 
ensuring that information protected under CIPSEA is used exclusively 
for statistical purposes. OMB recognizes that the Privacy Act does 
permit routine uses that are nonstatistical; these uses are not 
permitted for CIPSEA-protected information. OMB believes that the 
minimum standards in the guidance for safeguarding confidential 
information make clear that agencies need to develop appropriate 
policies and procedures for CIPSEA-protected information that go beyond 
those that exist for Privacy Act systems of records; however, we have 
added the following language to make this explicit in Part I.F. of the 
guidance:

    On the other hand, if an agency pledges to use the information 
only for statistical purposes, then the agency shall not use any 
other authorities it has available to use the information for non-
statistical purposes, because those uses would be contrary to the 
agency's pledge. For example, if information is protected by CIPSEA 
and the Privacy Act, some of the routine uses permitted under the 
Privacy Act would no longer be allowed because they are not for 
statistical purposes.

Agencies Authorized To Designate Agents

    One commenter cited Footnote 31 on page 11 of the proposed guidance 
\3\ that tells agencies that they should consult with OMB regarding use 
of agents and stated that the use of agents should be subject to public 
notice and comment. In this footnote, OMB was referring specifically to 
the review and legal interpretation of a nonstatistical agency's 
statute and whether that would meet the requirements of CIPSEA and 
permit the agency to designate agents under CIPSEA. Generally, legal 
analysis and interpretation are accomplished by the agency. However, 
when agencies are applying a new statute that OMB has responsibility 
for, agencies should consult with OMB to ensure a government-wide 
perspective.
---------------------------------------------------------------------------

    \3\ This footnote appears as footnote 40 in this final document.
---------------------------------------------------------------------------

    Commenters also had questions about other specific matters that 
will be addressed during implementation.

II. Requirements for Agencies Collecting or Acquiring Information 
Protected Under CIPSEA

Non-CIPSEA Pledges

    One commenter objected to agencies being restricted from using both 
the terms ``confidential'' and ``statistical purposes'' together if 
CIPSEA did not cover the collection. The commenter noted that these 
terms have meaning independent of CIPSEA and agencies should be able to 
use them as they see fit. The commenter suggested that ``Rather than 
prohibit the use of the terms `confidential' and `exclusively 
statistical purposes,' we suggest that OMB advise agencies, as it has 
in prior guidance, to ensure that they do not use terms that are 
confusing. OMB could also prohibit the mention of CIPSEA when it is not 
applicable and require that agencies invoke coverage by CIPSEA only by 
the mention of that law directly to survey respondents.''
    OMB agrees that the terms ``confidential'' and ``statistical 
purposes'' have meaning independent of CIPSEA; however, when used 
together in a pledge to respondents, they clearly meet the requirements 
of CIPSEA and the protection of this law. Sec. 512 of CIPSEA simply 
requires that the information be ``acquired by an agency under a pledge 
of confidentiality and for exclusively statistical purposes.'' The law 
does not require that CIPSEA be mentioned explicitly, and OMB would 
certainly prohibit an agency from mentioning the law if it did not 
apply. It would clearly be confusing to respondents for different 
protections to be implied by two different agencies both pledging that 
the information would be confidential and used for exclusively 
statistical purposes. Thus, it is necessary to ensure that CIPSEA 
protections or greater protections apply when an agency makes this 
pledge to respondents.

CIPSEA Pledges

    One commenter supported the shorter version of the pledge, but 
expressed concerns about its comprehensibility. The commenter then 
suggested that OMB consider developing a formal statistical 
confidentiality seal that would provide an identifiable marker that 
would tell individuals what level of protection the information they 
provide will receive under the law. Specifically the commenter 
suggested as an example that OMB consider a green-yellow-red color 
scheme: Green would mean respond with confidence because answers 
receive the highest level of legal confidentiality protection; yellow 
would mean respond with caution because answers receive some 
confidentiality protection but less than the highest level of legal 
protection; and red would mean no legal confidentiality protections at 
all.
    The CIPSEA pledge was based on a pledge that was thoroughly tested; 
however, OMB has encouraged further cognitive testing of this pledge by 
agencies. OMB agrees that it would also be helpful to have more testing 
on a shortened version. OMB also appreciates the commenter's 
suggestions regarding potential ``seals'' that would be easy for 
respondents to understand and recognize, and agrees that this idea is 
worthy of further investigation and testing. We also agree that this 
will require a considerable amount of research not only to develop a 
recognizable seal but also to figure out appropriate ways to present it 
in different modes. If this research proves fruitful, OMB will consider 
revising this implementation guidance and/or issuing other guidance for 
use of a seal.

III. Minimum Standards for Safeguarding Confidential Information 
Acquired Under CIPSEA

Costs and Burden of Security Requirements

    One commenter noted that during a time of reduced funding resources 
the implementation requirements call for annual recertification of 
employees, increased physical and information security, additional 
record keeping requirements, and additional staff time (to ensure that 
appropriate confidentiality and security protocols are followed). 
Providing appropriate security for agency information and information 
systems does require resources. As with any ongoing program, agencies 
need to incorporate into their budgets the costs for protecting 
confidential information throughout the lifecycle of the statistical 
activities.

Security of Confidential Information in Laptop Computers

    One commenter noted that ``recent events have highlighted the 
particular vulnerability of laptop computers to loss and theft,'' and 
suggested that additional information be included in the guidance about 
the security of laptops, PDAs, or other types of devices. OMB agrees 
with the comment and has modified language in the section on physical 
and information systems security in Part III. B, which also applies to 
Part IV. D of the proposed guidance referenced on page 22, so that it 
now reads:

    Agencies are required to establish appropriate administrative 
and technical safeguards to ensure that the security of all media 
containing confidential information is protected against 
unauthorized disclosures and anticipated threats or hazards to their 
security or integrity. For example, agencies must ensure that 
security requirements are followed for reports, documents, 
printouts, information collection instruments, laptops, PDA's, zip 
drives, floppy disks, CD-ROMs, or any other IT devices that contain 
confidential information to prevent access by unauthorized persons.

VII. Data Sharing Under Subtitle B of CIPSEA

Data Linking and Data Sharing

    One comment requested that OMB include administrative data as well 
as other agencies under the data sharing provisions of Subtitle B of 
CIPSEA to further improve efficiency. OMB notes that Subtitle B is 
limited in statute to the three designated statistical agencies (BLS, 
BEA, and Census) and applies only to business data. While OMB 
appreciates the potential benefits suggested in this comment, CIPSEA 
does not authorize any other data sharing or authorize additional 
agencies to share data. However, CIPSEA did not alter other existing 
authorities for data sharing among Federal agencies.

VIII. Annual Reporting and Review Requirements

Annual Reports to OMB

    One commenter requested that the annual reports that agencies 
provide to OMB be made public and posted on agency Web sites. In the 
interest of transparency, agencies will now be required to post their 
reports on their Web sites.

Susan E. Dudley,
Administrator, Office of Information and Regulatory Affairs.

Implementation Guidance for Title V of the E-Government Act, 
Confidential Information Protection and Statistical Efficiency Act of 
2002 (CIPSEA)

I. Introduction

A. Overview

    Issues of privacy and confidentiality are of increasing concern to 
respondents to Federal government surveys. Agencies often seek to 
assuage these concerns by pledging to respondents that the agency will 
protect the information that respondents provide, and by using whatever 
statutory authority that the agency has to substantiate this pledge. 
However, many agencies do not have strong confidentiality provisions in 
their authorizing statutes. In this case, agencies may be able to use 
government-wide statutes such as the Privacy Act or exemptions under 
the Freedom of Information Act as the basis for a pledge to 
respondents, but these statutes still do not apply to many Federal 
surveys.
    The Confidential Information Protection and Statistical Efficiency 
Act of 2002 (CIPSEA) is a new government-wide law that can provide 
strong confidentiality protections to many Federal agencies conducting 
statistical information collections, such as surveys and censuses as 
well as other statistical activities including data analysis and 
modeling, sample design, etc. The purpose of this guidance is to inform 
agencies about the requirements for using CIPSEA and clarify the 
circumstances under which CIPSEA can be used.
    There are several key definitions and distinctions in CIPSEA 
regarding statistical and nonstatistical agencies, and statistical and 
nonstatistical purposes, that affect whether CIPSEA can be used by an 
agency to acquire and protect information. Below is a brief description 
of these major definitions and distinctions, as well as of issues 
related to data sharing under CIPSEA, and additional requirements for 
using CIPSEA that are addressed in greater detail in this guidance.
    1. Is the agency a statistical or nonstatistical agency? CIPSEA 
distinguishes between statistical and nonstatistical agencies or units 
and imposes different requirements and privileges on these different 
types of agencies. Briefly, statistical agencies or units are those 
whose activities are predominantly the collection, compilation, 
processing, or analysis of information for statistical purposes. More 
detail and a listing of statistical agencies and units is provided in 
section I., part G of this section of the guidance.
    2. Is the information used for statistical or nonstatistical 
purposes? CIPSEA provides protection for information acquired for 
statistical purposes under a pledge of confidentiality. Under CIPSEA, a 
statistical purpose includes the description, estimation, or analysis 
of the characteristics of groups, without identifying the individuals 
or organizations that comprise such groups, while nonstatistical 
purposes include any administrative, regulatory, law enforcement, 
adjudicatory, or other purpose that affects the rights, privileges, or 
benefits of a particular respondent. Information acquired and protected 
under CIPSEA may only be used for statistical purposes.
    3. Is the information being acquired by the Federal agency itself? 
Agencies acquire information in different ways from a wide variety of 
respondents. Agencies often acquire information directly from a 
respondent to a Federal survey. In some cases, these respondents are 
local or State governments that have themselves collected the 
information from a respondent. Any agency that directly acquires 
information from a respondent, including a local or State government, 
under a pledge of confidentiality for exclusively statistical purposes, 
is bound by CIPSEA. However, CIPSEA does not restrict or diminish 
confidentiality protections in law that otherwise apply to a collection 
of statistical data or information. Agencies protecting information 
under CIPSEA must follow the requirements specified in section II of 
this guidance and include an appropriate pledge to respondents. All 
agencies that have information protected under CIPSEA must also follow 
the procedures in section III for safeguarding the security of this 
information.
    4. Is the information being acquired for the Federal agency by 
contractors or others acting on behalf of the agency? Many agencies 
acquiring information from respondents do not directly collect the 
information themselves from respondents but do so through 
intermediaries such as contractors or researchers who are operating 
under cooperative agreements or grants at the direction of the agency. 
CIPSEA defines contractors and their employees, researchers, and 
employees of private organizations or institutions of higher learning 
who have a contract or agreement with a Federal agency as ``agents'' 
and authorizes only some agencies to use agents to acquire information 
that will be protected under CIPSEA or access CIPSEA-protected 
information.
    5. How can statistical agencies use CIPSEA? Statistical agencies or 
units that directly acquire information from respondents, including 
State and local governments, may protect the confidentiality of that 
information under CIPSEA. Statistical agencies or units may also 
designate agents to acquire information for the agency under CIPSEA as 
well as perform other exclusively statistical activities for the agency 
on CIPSEA-protected information. Statistical activities include the 
collection, compilation, processing, or analysis of data for the 
purposes of describing or making estimates concerning the whole, or 
relevant groups or components within, the economy, society, or the 
natural environment. Statistical activities also include the 
development of methods or resources that support these activities, such 
as measurement methods, models, statistical classifications, or 
sampling frames. More information is provided in section IV about the 
requirements for statistical agencies designating agents under CIPSEA.
    6. How can nonstatistical agencies use CIPSEA? Nonstatistical 
agencies can use CIPSEA to protect information they are authorized to 
acquire directly themselves from respondents, including State and local 
governments. However, nonstatistical agencies or units are not 
permitted to designate agents under CIPSEA. Therefore, nonstatistical 
agencies or units may not protect information under CIPSEA if they are 
using a contractor or other persons who fall under the CIPSEA 
definition of agents to acquire that information unless they have the 
authority to designate agents to collect information or perform other 
statistical activities under some other statute. More information on 
how nonstatistical agencies can acquire and protect information under 
CIPSEA is provided in section VI of this guidance.
    7. What if a statistical agency acquires information for 
nonstatistical purposes? OMB expects that the vast majority of 
information collections conducted by statistical agencies or units will 
be subject to CIPSEA because these agencies generally collect 
information for exclusively statistical purposes and pledge 
confidentiality. Statistical agencies or units that are collecting 
information that may be used for nonstatistical purposes need to ensure 
that respondents understand these nonstatistical uses and that CIPSEA 
does not apply to the specific collection. Requirements for statistical 
agencies collecting information that may be used for nonstatistical 
purposes are covered in section V.
    8. What data sharing does CIPSEA authorize? Subtitle B of CIPSEA 
explicitly provides the ability for three designated statistical 
agencies, the Bureau of Economic Analysis, the Bureau of Labor 
Statistics, and the Bureau of the Census to share business data. 
Requirements for data sharing among these designated statistical 
agencies are outlined in section VII.
    9. What other requirements are there for using CIPSEA? Agencies 
should carefully review this guidance to determine whether CIPSEA 
applies to any of their information collections or statistical 
activities. Agencies using CIPSEA are responsible for following all 
requirements in this guidance. In addition, OMB is requiring agencies 
that use CIPSEA to report annually to OMB on their use of this law in 
order to effectively monitor the implementation of CIPSEA across 
Federal agencies. All agencies that use CIPSEA for their collections 
are asked to report to OMB annually the information collections CIPSEA 
applies to and affirm that all of the requirements in this guidance are 
being met. Statistical agencies protecting information under CIPSEA are 
further required to report on their use of agents, and the three 
designated statistical agencies in Subtitle B of CIPSEA are required to 
report annually on their data sharing activities under CIPSEA. Further 
information on the reporting requirements is in section VIII of this 
guidance.

B. Purposes of CIPSEA

    The Confidential Information Protection and Statistical Efficiency 
Act of 2002 (CIPSEA), Title V of the E-Government Act of 2002 (Pub. L. 
107-347), has two subtitles.
    Subtitle A, Confidential Information Protection, concerns 
confidentiality and statistical uses of information. The purposes of 
Subtitle A are:
    1. To ensure that information supplied by individuals or 
organizations to an agency for statistical purposes under a pledge of 
confidentiality is used exclusively for statistical purposes;
    2. To ensure that individuals or organizations who supply 
information under a pledge of confidentiality to agencies for 
statistical purposes will neither have that information disclosed in 
identifiable form to anyone not authorized by this title nor have that 
information used for any purpose other than a statistical purpose; and
    3. To safeguard the confidentiality of individually identifiable 
information acquired under a pledge of confidentiality for statistical 
purposes by controlling access to, and uses made of, such 
information.\4\
---------------------------------------------------------------------------

    \4\ Sec. 511(b).
---------------------------------------------------------------------------

    CIPSEA Subtitle A protects information that is acquired for 
exclusively statistical purposes under a pledge of confidentiality. 
This subtitle of the law applies to all Federal agencies that acquire 
information under these carefully prescribed conditions. The protection 
of information collected under this law is supported by a penalty of a 
Class E Felony for a knowing and willful disclosure of confidential 
information. This includes imprisonment for up to five years and fines 
up to $250,000.\5\ Thus, for many agencies this law strengthens the 
protections afforded to confidential statistical information.
---------------------------------------------------------------------------

    \5\ Sec. 513.
---------------------------------------------------------------------------

    CIPSEA Subtitle B promotes statistical efficiency through limited 
sharing of business data among three designated statistical agencies, 
the Bureau of the Census (Census), the Bureau of Economic Analysis 
(BEA), and the Bureau of Labor Statistics (BLS). The purposes of 
Subtitle B are:
    1. To authorize the sharing of business data among Census, BEA, and 
BLS for exclusively statistical purposes;
    2. To reduce the paperwork burdens imposed on businesses that 
provide requested information to the Federal Government;
    3. To improve the comparability and accuracy of Federal economic 
statistics by allowing Census, BEA, and BLS to update sample frames, 
develop consistent classifications of establishments and companies into 
industries, improve coverage, and reconcile significant differences in 
data produced by the three agencies; and
    4. To increase understanding of the United States economy, 
especially for key industry and regional statistics, to develop more 
accurate measures of the impact of technology on productivity growth, 
and to enhance the reliability of the Nation's most important economic 
indicators, such as the National Income and Product Accounts.\6\
---------------------------------------------------------------------------

    \6\ Sec. 521(b).
---------------------------------------------------------------------------

    The remainder of this section of the guidance provides background 
information on CIPSEA and its applicability to Federal agencies. 
Sections II through VI provide implementation guidance on CIPSEA 
Subtitle A, and Section VII provides implementation guidance on 
Subtitle B. Section VIII covers agency reporting requirements to OMB on 
the implementation of CIPSEA.

C. Background

    There are more than 70 Federal agencies or organizational units 
that carry out statistical activities as their principal mission or in 
conjunction with other program missions, such as providing services or 
enforcing regulations.\7\ In addition to these 70 agencies, many other 
Federal agencies or units may collect statistical information to use 
for specific program needs. Prior to the enactment of CIPSEA, a 
patchwork of legislative protections governed the confidentiality of 
data gathered for statistical purposes by the different agencies and 
units. Some agencies had strong statutory authority to protect the 
confidentiality of the data they gathered for statistical purposes, 
while other agencies had weak or no legislative authority to protect 
confidentiality. In addition, the ability of the designated statistical 
agencies to share information to improve the efficiency of the Federal 
statistical system was limited by statutory constraints affecting those 
agencies.
---------------------------------------------------------------------------

    \7\ Statistical Programs of the U.S. Government FY 2007, Office 
of Management and Budget, Washington, DC.
---------------------------------------------------------------------------

    Over the years, there have been numerous attempts both to shore up 
legal protection for the confidentiality of statistical information, 
and to permit some limited sharing of data for statistical purposes. 
Strengthening and standardizing statutory protections for the 
confidentiality of individually identifiable data that are collected 
for statistical purposes as well as enhancing the capability of Federal 
agencies to share information for exclusively statistical purposes have 
always been goals.
    In 1971, the President's Commission on Federal Statistics 
recommended that the term confidential should always mean that 
disclosure of data in a manner that would allow public identification 
of the respondent or would in any way be harmful to him should be 
prohibited. In addition, the Commission recommended that a promise to 
hold data in confidence should not be made unless the agency has legal 
authority to uphold such a promise, and that legislation should be 
enacted authorizing agencies collecting data for statistical purposes 
to promise confidentiality as the term was defined by the 
Commission.\8\
---------------------------------------------------------------------------

    \8\ Federal Statistics--Report of the President's Commission, 
Volume 1, p. 222, September, 1971.
---------------------------------------------------------------------------

    In July 1977, the Privacy Protection Study Commission stated that 
``no record or information * * * collected or maintained for a research 
or statistical purpose under Federal authority * * * may be used in 
individually identifiable form to make any decision or take any action 
directly affecting the individual to whom the record pertains * * *'' 
\9\
---------------------------------------------------------------------------

    \9\ Personal Privacy in an Information Society--Report of the 
Privacy Protection Study Commission, p. 574, July, 1977.
---------------------------------------------------------------------------

    In October 1977, the President's Commission on Federal Paperwork 
endorsed the confidentiality and ``functional separation'' concepts, 
but applied them directly and simply to statistical programs, saying 
that:
    - Information collected or maintained for statistical purposes must 
      never be used for administrative or regulatory purposes or 
      disclosed in identifiable form, except to another statistical 
      agency with assurances that it will be used solely for statistical 
      purposes; and
    - Information collected for administrative and regulatory purposes 
      must be made available for statistical use, with appropriate 
      confidentiality and security safeguards, when assurances are given 
      that the information will be used solely for statistical 
      purposes.\10\
---------------------------------------------------------------------------

    \10\ Statistics--A Report of the Commission on Federal 
Paperwork, p. 128, October, 1977.
---------------------------------------------------------------------------

    The policy discussions generated by the three Commissions came 
together in a bipartisan outpouring of support for the Paperwork 
Reduction Act of 1980, which largely addressed the efficiency 
recommendations of the Paperwork Commission. The legislative history of 
that Act recognized the unfinished work of fitting the ``functional 
separation'' of statistical information into the overall scheme.
    In 1993, a National Academy of Sciences panel on confidentiality 
and data access recommended that ``Statistical records across all 
federal agencies should be governed by a consistent set of statutes and 
regulations meeting standards for the maintenance of such records, 
including the following features of fair statistical information 
practices: (a) A definition of statistical data that incorporates the 
principle of functional separation as defined by the Privacy Protection 
Study Commission, (b) a guarantee of confidentiality for data, * * * 
(g) legal sanctions for those who violate confidentiality 
requirements.'' \11\
---------------------------------------------------------------------------

    \11\ Private Lives and Public Policies, 1993, National Academy 
Press, Washington, DC.
---------------------------------------------------------------------------

    To clarify and make consistent government policy protecting the 
privacy and confidentiality interests of individuals and organizations 
who furnish data for Federal statistical programs, OMB issued an 
``Order Providing for the Confidentiality of Statistical Information'' 
in June 1997.\12\ This order applied the principles of functional 
separation and protection of confidential information gathered for 
statistical purposes to twelve principal statistical agencies.
---------------------------------------------------------------------------

    \12\ 62 FR 35,044-35,050.
---------------------------------------------------------------------------

    CIPSEA builds upon these and other efforts of the Executive and 
Legislative branches including H.R. 2885 (the Statistical Efficiency 
Act of 1999, originally offered by Representative Stephen Horn, and 
unanimously passed by the House of Representatives) and H.R. 2136 (the 
Confidential Information Protection Act, originally offered by 
Representative Tom Sawyer in 2001). Introducing CIPSEA, H.R. 5215, on 
July 25, 2002, Representative Horn indicated,

``The bill's enhanced confidentiality protections will improve the 
quality of Federal statistics by encouraging greater cooperation on 
the part of respondents. Even more important, these protections 
ensure that the Federal Government does not abuse the trust of those 
who provide data to it under a pledge of confidentiality. * * * the 
Confidential Information Protection and Statistical Efficiency Act 
of 2002 makes important, common sense and long overdue improvements 
in our Nation's statistical programs. It is a bipartisan, good 
Government measure that has the Administration's strong support. I 
urge my colleagues to join with us to achieve prompt enactment of 
the bill.'' \13\
---------------------------------------------------------------------------

    \13\ Congressional Record, July 25, 2002, p. E1397.
---------------------------------------------------------------------------

    In this guidance, OMB is establishing a uniform policy for all 
Federal statistical collections to reduce public confusion, 
uncertainty, and concern about the application of the newly-enacted 
confidentiality requirements associated with protected statistical 
information acquired by different Federal agencies. By establishing 
consistent rational principles and processes to buttress 
confidentiality pledges, the law codifies 
confidentiality claims and sets minimum standards for safeguarding 
confidential statistical information. Establishing consistent 
protection of confidential statistical information will, in turn, 
reduce the perceived risks of more efficient working relationships 
among statistical agencies, relationships that can reduce both the cost 
and reporting burden imposed by statistical programs.

D. Authority

    The Paperwork Reduction Act (PRA) of 1980 (as amended in 1986 and 
1995) requires the Office of Information and Regulatory Affairs (OIRA) 
within OMB to develop policies, principles, standards, and guidelines 
for privacy and confidentiality generally; the integrity of 
confidentiality pledges; and the confidentiality of information 
collected for statistical purposes.\14\ In addition, the Act tasks OIRA 
to oversee agency compliance with related requirements of the Act and 
with the policies referenced above.\15\ For example, agencies are 
required to ``inform respondents fully and accurately about the 
sponsors, purposes, and uses of statistical surveys and studies.'' \16\
---------------------------------------------------------------------------

    \14\ 44 U.S.C. 3504(e)(1), 3504(e)(5), and 3504(g)(1).
    \15\ 44 U.S.C. 3506(b)(1)(C), 3506(e)(2)-(4), and 3506(g)(1).
    \16\ 44 U.S.C. 3506(e)(2).
---------------------------------------------------------------------------

    With respect to statistical policy and coordination, the PRA 
directs OMB to:
    - Coordinate the activities of the Federal statistical system to 
      ensure--
        - The efficiency and effectiveness of the system; and
        - The integrity, objectivity, impartiality, utility, and 
          confidentiality of information collected for statistical 
          purposes; * * *
    - Develop and oversee the implementation of Governmentwide 
      policies, principles, standards, and guidelines * * *
    - Promote the sharing of information collected for statistical 
      purposes consistent with privacy rights and confidentiality 
      pledges; \17\
---------------------------------------------------------------------------

    \17\ 44 U.S.C. 3504(e).
---------------------------------------------------------------------------

    In addition, Title V of the E-Government Act of 2002 authorizes the 
Director of the Office of Management and Budget to coordinate and 
oversee the confidentiality and disclosure policies established by 
CIPSEA. The Director is authorized to promulgate rules or provide other 
guidance to ensure the consistent interpretation of this title by the 
affected agencies.\18\
---------------------------------------------------------------------------

    \18\ Sec. 503(a).
---------------------------------------------------------------------------

E. Affected Agencies

    Executive agencies as defined in 31 U.S.C. 102 or 44 U.S.C. 3502 
\19\ are subject to the provisions and penalties in CIPSEA Subtitle A 
if they (1) acquire information for exclusively statistical purposes 
under a pledge of confidentiality, or (2) possess or access 
information protected by CIPSEA, unless even stronger confidentiality 
protections apply.\20\ CIPSEA also imposes additional requirements on 
statistical agencies or units, which are defined to include ``an agency 
or organizational unit of the executive branch whose activities are 
predominantly the collection, compilation, processing, or analysis of 
information for statistical purposes.'' \21\ CIPSEA Subtitle B applies 
only to the designated statistical agencies, i.e., the Bureau of the 
Census of the Department of Commerce, the Bureau of Economic Analysis 
of the Department of Commerce, and the Bureau of Labor Statistics of 
the Department of Labor.\22\
---------------------------------------------------------------------------

    \19\ Sec. 502(1).
    \20\ Sec. 512(a) and 512(b). Agencies may also be governed by 
other statutes that may have additional restrictions on the use and 
disclosure of confidential statistical information that apply beyond 
CIPSEA (Sec. 504(h); Sec. 512(b)(3)).
    \21\ Sec. 502(8).
    \22\ Sec. 522.
---------------------------------------------------------------------------

F. Applicability of CIPSEA

    Federal agencies collect and acquire information for a wide variety 
of purposes and uses, including benefit determinations, program 
planning and management, program evaluation, measurement of compliance 
with laws and regulations, and research, as well as for general purpose 
statistics. When acquiring information, an agency must inform the 
person or organization being asked to provide information whether or 
not it will be treated as confidential and the purpose(s) for which the 
information will be used.\23\
---------------------------------------------------------------------------

    \23\ 5 CFR 1320.8(b)(3).
---------------------------------------------------------------------------

    CIPSEA protection applies to any identifiable information acquired 
by the agency under a pledge of confidentiality for exclusively 
statistical purposes. For purposes of CIPSEA, this information includes 
personally identifiable information \24\ as well as information that 
permits the identity of any respondent, such as business 
establishments, institutions, or State or local governments,\25\ to be 
reasonably inferred by either direct or indirect means.\26\ In this 
guidance, the terms confidential information and confidential data 
refer to information that is protected by CIPSEA.
---------------------------------------------------------------------------

    \24\ The term ``personally identifiable information'' refers to 
information that can be used to distinguish or trace an individual's 
identity, such as his or her name, social security number, biometric 
records, etc., alone, or when combined with other personal or 
identifying information that is linked or linkable to a specific 
individual, such as date and place of birth, mother's maiden name, 
etc.
    \25\ Statistical agencies may collect information from a State 
or local government that is in the public domain, and, therefore, 
the statistical agency would typically not pledge to keep that 
information confidential under CIPSEA or other legal authorities.
    \26\ Sec. 502(4). Indirect identification refers to using 
information in conjunction with other data elements to reasonably 
infer the identity of a respondent. For example, data elements such 
as a combination of gender, race, date of birth, geographic 
indicators, or other descriptors may be used to identify an 
individual respondent.
---------------------------------------------------------------------------

    CIPSEA can apply only when an agency pledges both to protect the 
confidentiality of the information it acquires and to use the 
information only for statistical purposes. CIPSEA defines a statistical 
purpose to include the description, estimation, or analysis of the 
characteristics of groups, without identifying the individuals or 
organizations that comprise such groups and includes the development, 
implementation, or maintenance of methods, technical or administrative 
procedures, or information resources that support the above 
purposes.\27\ If information is collected or acquired for any 
nonstatistical purpose, then CIPSEA shall not be used to protect the 
confidentiality of the information.\28\
---------------------------------------------------------------------------

    \27\ Sec. 502(9).
    \28\ There are some authorized, nonstatistical uses of 
information collected for statistical purposes, such as the use of 
Decennial Census information for genealogical research, that are 
noted in Section 504 of CIPSEA. CIPSEA was intended to apply to 
these collections that are intended for statistical purposes and 
have only very narrow exceptions for specific nonstatistical uses 
that do not result in any actions directly affecting the respondent. 
Agencies acquiring or protecting information under CIPSEA with 
similar nonstatistical uses of the information should consult with 
OMB on the applicability of CIPSEA for the information collection. 
Unless there is a specific exception noted in Section 504 of CIPSEA, 
CIPSEA clearly prohibits disclosures for administrative, regulatory, 
law enforcement, or adjudicatory purposes that affect the rights, 
privileges, or benefits of a particular identifiable respondent 
absent informed consent. Since some State or Federal laws may 
require notification of authorities if, for example, child abuse is 
reported by the respondent, agencies collecting such information 
shall inform respondents at the time of collection that revelations 
of this type of information must be reported to legal authorities. 
Agencies may conduct these collections under CIPSEA if any such 
nonstatistical uses are clearly described in advance to the 
respondent (with the respondent providing informed consent), and 
these procedures are clearly stated in the notices and supporting 
materials described in Section II. Agencies should also consult with 
their institutional review boards to determine circumstances when 
informed consent is appropriate or necessary.
---------------------------------------------------------------------------

    A nonstatistical purpose means the use of information in 
identifiable form for anything other than a statistical

[[Page 33368]]

purpose, including any administrative, regulatory, law enforcement, 
adjudicative, or other purpose that affects the rights, privileges or 
benefits of a particular identifiable respondent. Providing 
confidential information in response to a Freedom of Information Act 
(FOIA) request is also considered a nonstatistical purpose.\29\ Since 
the CIPSEA statute is a (b)(3) statute under FOIA, confidential 
information covered under CIPSEA is exempt from release pursuant to a 
FOIA request (5 U.S.C. 552(b)(3)).
---------------------------------------------------------------------------

    \29\ Sec. 502(5)(B).
---------------------------------------------------------------------------

    Agencies acquire information in different ways from a wide variety 
of respondents. An agency may collect information directly (e.g., 
surveys) from individuals, households, businesses, organizations, or 
institutions, or the agency may acquire information through secondary 
sources (e.g., from State government agencies).\30\ This guidance, in 
accordance with the law, will use as the more general term, 
``acquire,'' to include both agency collections of information directly 
from respondents, and acquisitions of information from secondary 
sources.
---------------------------------------------------------------------------

    \30\ Sec. 502(6).
---------------------------------------------------------------------------

    In many cases, agencies acquire information directly from 
respondents (including local or State governments) to a Federal survey; 
in other cases, agencies do not themselves directly acquire information 
from respondents but do so through intermediaries, such as contractors 
or researchers who are operating under cooperative agreements or grants 
at the direction of the agency. CIPSEA defines contractors and their 
employees, researchers, and employees of private organizations or 
institutions of higher learning that have a contract or agreement with 
a Federal agency as ``agents.'' \31\
---------------------------------------------------------------------------

    \31\ Sec. 502(2).
---------------------------------------------------------------------------

    Any agency that directly acquires information from a respondent, 
including a local or State government, under a pledge of 
confidentiality for exclusively statistical purposes, can use CIPSEA to 
protect the information. However, if an agency is using an agent, such 
as a contractor, to acquire information for exclusively statistical 
purposes, the agency may not be able to protect the information under 
CIPSEA unless it is a statistical agency (see part G). In these 
situations, nonstatistical agencies should use their existing statutory 
authority to protect the confidentiality of this information.
    Generally, the applicable statute with the strongest 
confidentiality protections for the information governs the use and 
disclosure of the information. CIPSEA does not restrict or diminish any 
other confidentiality protections or penalties for unauthorized 
disclosure that an agency may otherwise have for information collected 
for statistical purposes.\32\ Accordingly, if an agency has any 
stronger protections in its statutes, these protections would remain in 
effect. For example, the more restrictive use and disclosure provisions 
of the Census Act and the International Investment and Trade in 
Services Survey Act would take precedence over the broader statistical 
uses permitted under CIPSEA. In another example, if an agency's 
authorizing statute prohibited disclosure with informed consent, the 
agency would not be able to disclose the information with informed 
consent, which could be permissible under CIPSEA under certain 
circumstances.\33\
---------------------------------------------------------------------------

    \32\ Sec. 504(h); Sec. 512(b)(3).
    \33\ Sec. 512(b).
---------------------------------------------------------------------------

    On the other hand, if an agency pledges to use the information for 
only statistical purposes, then the agency shall not use any other 
authorities it has available to use the information for non-statistical 
purposes, because those uses would be contrary to the agency's pledge. 
For example, if information is protected by CIPSEA and the Privacy Act, 
some of the routine uses permitted under the Privacy Act would no 
longer be allowed because they are not for statistical purposes.

G. Use of CIPSEA by Statistical and Nonstatistical Agencies or Units

    Although any Federal agency can acquire and protect information 
under CIPSEA, CIPSEA provides additional authority and imposes 
additional requirements on statistical agencies or units. These 
additional provisions have implications for how and whether an agency 
can use CIPSEA to acquire information; these provisions are discussed 
in later sections of this guidance.
    CIPSEA defines a statistical agency or unit as ``an agency or 
organizational unit of the executive branch whose activities are 
predominantly the collection, compilation, processing, or analysis of 
information for statistical purposes.'' \34\
    OMB shall determine whether an agency or unit can be considered a 
statistical agency or unit for purposes of CIPSEA.
---------------------------------------------------------------------------

    \34\ Sec. 502(8).
---------------------------------------------------------------------------

    OMB recognized 12 statistical agencies or units in its 1997 
Confidentiality Order: \35\
---------------------------------------------------------------------------

    \35\ 62 FR 35,044-35,050.
---------------------------------------------------------------------------

     Department of Agriculture
         Economic Research Service
         National Agricultural Statistics Service
     Department of Commerce
         Bureau of Economic Analysis
         Census Bureau
     Department of Education
         National Center for Education Statistics
     Department of Energy
         Energy Information Administration
     Department of Health and Human Services
         National Center for Health Statistics
     Department of Justice
         Bureau of Justice Statistics
     Department of Labor
         Bureau of Labor Statistics
     Department of Transportation
         Bureau of Transportation Statistics
     Department of the Treasury
         Statistics of Income Division of the Internal Revenue Service
     National Science Foundation
         Division of Science Resources Statistics
    Since this guidance was issued in proposed form in October 2006, 
OMB has recognized two statistical organizational units: the Office of 
Applied Studies within the Substance Abuse and Mental Health Services 
Administration in the Department of Health and Human Services, and the 
Microeconomic Surveys Unit of the Board of Governors of the Federal 
Reserve. Other agencies or units that wish to be recognized as 
statistical agencies or units for purposes of CIPSEA must send a 
request to the Chief Statistician at OMB. The request must come from 
the head of the agency or unit and have the concurrence of the larger 
organization within which the agency or unit resides. This request 
should include a statement of the organizational definition of the 
agency or unit, its mission, statistical activities, and any 
nonstatistical activities, and demonstrate that its activities are 
predominantly statistical. Statistical activities include the 
collection, compilation, processing, or analysis of data for the 
purpose of describing the characteristics of groups or making estimates 
concerning the whole or relevant groups, or components within, the 
economy, society, or the natural environment. Statistical activities 
also include the development of methods or resources that support these 
activities, such as measurement methods, models, statistical 
classifications, or sampling frames. A listing of OMB recognized 
statistical agencies and units will be posted and maintained on OMB's 
Web site.
    Both statistical and nonstatistical agencies can use CIPSEA to 
protect information they acquire directly from

[[Page 33369]]

respondents, including State and local governments. However, only 
statistical agencies or units are authorized under CIPSEA to designate 
agents to perform exclusively statistical activities, which include 
data collection, subject to CIPSEA limitations and penalties.\36\ 
Because data collection contractors are agents under CIPSEA,\37\ only 
statistical agencies may designate contractors to acquire information 
that will be protected under CIPSEA. In order for the collections of 
nonstatistical agencies to fall within the protections of CIPSEA, 
nonstatistical agencies must acquire the information themselves 
directly from respondents. Nonstatistical agencies cannot empower 
contractors or other agents to acquire information or carry out any 
other statistical activities for the agency under CIPSEA.\38\
---------------------------------------------------------------------------

    \36\ Sec. 512(d).
    \37\ Sec. 502(2)(iii).
    \38\ Some nonstatistical agencies may have specific statutory 
authority to designate agents that meets the requirements of CIPSEA, 
allowing the agency to use agents to perform exclusively statistical 
activities, including data collection, for the agency. Agencies 
should consult with OMB on the applicability of their statute for 
purposes of using CIPSEA before making plans to designate agents. 
Agencies should also clearly describe how their authority meets the 
requirements for CIPSEA designation of agents in their information 
collection requests to OMB.
---------------------------------------------------------------------------

    The following sections II and III of this guidance describe in 
detail the requirements for all agencies using CIPSEA. Additional 
requirements for statistical agencies or units designating agents are 
covered in section IV. Because it is generally expected that 
statistical agencies or organizational units will be collecting 
information for exclusively statistical purposes under a pledge of 
confidentiality, statistical agencies or units that conduct or sponsor 
a collection that will not be for exclusively statistical purposes must 
follow additional requirements as described in section V. Additional 
requirements for nonstatistical agencies or units are provided in 
section VI.

II. Requirements for Agencies Collecting or Acquiring Information 
Protected Under CIPSEA

    CIPSEA provides strong protection for information obtained for 
exclusively statistical purposes under a pledge of confidentiality. For 
CIPSEA to have its intended effect of reinforcing public confidence in 
Federal confidentiality pledges, all Federal agencies that make the 
CIPSEA pledge must provide CIPSEA protection to that information. A 
Federal agency should not make a CIPSEA pledge unless the agency is 
fully committed to taking all the actions that are necessary to provide 
CIPSEA level protection; making the CIPSEA pledge means giving CIPSEA 
level protection to the collected information.
    To faithfully maintain this commitment requires that agencies meet 
a number of minimum requirements that are described in detail in the 
remainder of this guidance. Specifically, agencies must:
     Inform the respondents about the confidentiality 
protection and use of the information (section II.);
     Collect and handle confidential information to minimize 
risk of disclosure, including properly training employees (section 
III.);
     Ensure the information is used only for statistical 
purposes (section III. A.);
     Review information to be disseminated to prevent 
identifiable information from being reasonably inferred by either 
direct or indirect means (section III. F.); and
     Supervise and control agents who have access to 
confidential information (section IV.).

A. Requirements for Public Notice Prior to Data Collection

    Agencies are required under the PRA to:
     Publish a notice in the Federal Register allowing 60 days 
for the public to comment on information collections and otherwise 
consult with members of the public and affected agencies concerning 
each proposed collection of information; \39\
---------------------------------------------------------------------------

    \39\ 5 CFR 1320.8(d)(1).
---------------------------------------------------------------------------

     Publish a notice in the Federal Register at the time OMB 
approval is being sought, and allow the public 30 days to comment; and
     ``Describe any assurance of confidentiality provided to 
respondents and the basis for the assurance in statute, regulation, or 
agency policy'' in their PRA supporting statements submitted to 
OMB.\40\
---------------------------------------------------------------------------

    \40\ Instructions for Supporting Statement for Paperwork 
Reduction Act submissions and 5 CFR 1320.8(b)(3).
---------------------------------------------------------------------------

    When agencies are acquiring information that will be protected 
under CIPSEA, they shall: \41\
---------------------------------------------------------------------------

    \41\ Agencies conducting an OMB-approved information collection 
prior to passage of CIPSEA or issuance of this guidance, such as a 
periodic or longitudinal survey, can also protect that collection 
under CIPSEA if the collection is intended for exclusively 
statistical purposes, the agency pledges confidentiality, and the 
agency will follow this guidance in implementing CIPSEA. In this 
case, the agency should consult with OMB about the change in 
confidentiality protection for the collection and plan appropriate 
consultation with stakeholders and respondents. OMB may require 
agencies to provide Federal Register notices concerning the change 
in policy and to contact respondents for comments before the agency 
can make a CIPSEA pledge.
---------------------------------------------------------------------------

     State that the information will be protected under CIPSEA, 
and cite any other authority they have to protect the confidentiality 
of the data in their PRA supporting statements; and
     State in their Federal Register notices if there is a 
substantive change in the confidentiality protection of the information 
being collected, such as using CIPSEA to protect the information for an 
ongoing collection when similar protection was not available 
previously.

B. Requirements for Informing Respondents at the Time of Information 
Collection

    At the time of the information collection, agencies are required 
under the PRA to adequately inform potential respondents about the uses 
of the information they provide.\42\ This description must include the 
following information related to the confidentiality of their 
responses:
---------------------------------------------------------------------------

    \42\ 5 CFR 1320.8(b)(3); Additional requirements are imposed if 
the collection involves a Privacy Act system of records (5 U.S.C. 
552a(e)(3) as amended).
---------------------------------------------------------------------------

     The reasons the information is planned to be and/or has 
been collected;
     The way such information is planned to be and/or has been 
used to further the proper performance of the functions of the agency; 
and
     The nature and extent of confidentiality protection to be 
provided, if any.\43\
---------------------------------------------------------------------------

    \43\ 5 CFR 1320.8(b)(3).
---------------------------------------------------------------------------

    When agencies are collecting information that they want to be 
protected under CIPSEA, they are required by law at the time of 
collection to do the fol