Hey everyone, it's Chris Stevens. I'm the privacy grumbling. I'm also the info second institute instructor for its information privacy essentials for cyber security professionals learning path. In this video, we're going to continue our discussion on important US laws, privacy related laws. In this session, we're going to talk about the computer matching and Privacy Protection Act of 1988, which amends the Privacy Act of 1974. Now, the Congress had realized that US federal government executive branch agencies were using computer matching to determine the eligibility of individuals for benefits and services or to reduce or eliminate those benefits and services. I wanted to make sure that it provided this guidance to those executive branch agency that was sharing information between data basis themselves matching information or sharing for US Federal Government agency sharing information with nine federal government agencies at the state level and local levels. What are we going to talk about? We're going to look at the purpose of the computer matching and Privacy Protection Act of 1988. We're going to talk about some definitions, there are always important. We'll talk about what it means when we define imagining agreement, what are some of those individual privacy protections provided by this Act. How do you have to give notice of matching programs, much like we talked about when we talked about our systems of record notifications, giving notification to the public posting their information in the Federal Register for 30 days, notifying own being and Congress also. We're talking about some of those topics covered in that process, and you'll end up with a discussion on the Data Integrity boards. Every agency must have one oversee their computer matching process and programs to make sure they're compliant with the law. What is the purpose? No, what does this active? It puts in place a framework by which federal government agencies can share information between databases when they're done computer matching and make a determination on the eligibility, my apologies of benefits and services for American citizens, legal permanent residents. It has enlists as exemptions. It puts in place and procedural safeguards to protect the privacy of individuals. We remember when we first talked about the Privacy Act of 1974, we weren't in an air where we were wildly using database and automated collection of information, using computers and information technologies to support those activities. In 1988, we saw the advent the ward iss of computers and databases. Again, what this act does is, it puts in place regulations by which federal government agencies that are matching person identifiable information contained in records. We talked about records doing our privacy Act discussion or that maintain the system to records. It allows any matches for statistical and other purposes, but it's statistical research, law enforcement tags and other purposes and are subject to this regulation. What it does, it allows you to be able to compare those computerized records are in system of records to determine whether URI is an American citizen. If you are a legal permanent resident, key area are eligible for benefits or services granted by the US government. Now, men's the privacy activation, if you have those safeguards in place when a company is conducting and computer matching activities. Now we're going to talk about matching program, recipient agency. We're going to define non-federal agencies, Source agency, federal benefit program, and federal personnel. Let's get to it. What is a matching program that's when you have two or more automated system of records. That it compare records with other federal government records or nine federal government records. Maybe at the state level. The reason we want to do that is agencies will use computer match to determine whether you are an American citizen or a legal permanent resident, is authorized on dialogue and be a recipient or benefits or services or receive payments from the federal government for certain programs. They use it also to be able to recoup payments or delinquent debts from federal government programs. Case in point. If you had defaulted on a student loan. Department of education will match records with. Again, the Department of Treasury, and then also state level rubbing to offices to determine whether you were going to receive a return on your taxes. Then by using this computer-matching process, they can determine if you're going to receive any tax return payments, and then they can keep that information and use it to pay off your student debt. That's just one example. Now, again, the computer-matching process doesn't cover when you're using data aggregation to match databases for tax purposes, for law enforcement purposes. What's a recipient agency? That's any agency that's receiving records contained in a record's assessment from the actual agency, the source agency that owns that data. If we're talking about a non-federal agency, we are talking about the state or local government agency that's going to receive those records contained in a system of records from that source agency that could be a federal government agency that they're going to use in this computer-matching process. The source agency is the agency that owns that information, those records contained in assessment records that they're using as part of that matching program. Then under the law, can that information be with any other federal government agency or it can be with the state or local government agency? What's a federal benefit program? That's any program that's administered by the federal government, or by a state or local government on the behalf of the federal government that looks at making payments for benefits, grants, loans to individuals. Federal personnel are those employees and officers that work for those federal government agencies. What is a matching agreement? So what this act says is, is that a source agency can't share record contained as a system of records unless there's a written agreement in place between its source agency and their recipient agency or that non-federal agency. It also specify the purpose and legal authority, why are you conducting this program? The justification and the benefits, any estimated savings, you've got to ascribe the records that you're going to be matching, each of the data elements, the approximate number of fields or records that you're going to be matching, when the matching program starts and when it ends. You also have to have procedures in place to give notice to the individuals. Also, as directed by the Data Integrity Board, they're said to oversee this process to make sure that again, ensuring the integrity of your matching program. You got to make sure that information is there to verify the accuracy of the information that's going to be used, that's contained in a record as part of a system of records. You got to make sure you have a data retention, data destruction plan in place that's created by that recipient of those records as part of those systems of records, or by the non-federal government agencies, state and local governments. Make sure you have the appropriate administrative, physical, and technical safeguards in place for those records that are being matched. You can't have the duplication or disclosure of these records that are provided by the source agency, by the recipient agency, and non-recipient agency unless it's allowed by law. Then also, you have to ensure that the use of the records by the recipient agency , the non-federal agency, as part of a matching program, have processes in place for returning those records when the source agency requires the destruction of those records as part of the program. So let's continue our discussion. Like I said, again, you have to have that written agreement in place between all parties. Before you can take an adverse action against an individual based on the results of a computer-matching program, again, you have to give them notice and allow them to be able to address that. You got to do independent verification of the adverse action. You got to make sure that the amount of income asset involved. You got to make sure whether the individual had access to that asset or income for his or her own use. You got to determine the period or periods when that individual actually had assets or income. Again, you also can't take adverse action without giving notice to that individual. Then they have within 30 days of being able to respond or dispute the findings of the computer-matching program before you can take action. You can suspend or terminate a benefit, or service, or payment for those benefits or services. Give notice. You've got to put if you're going to have a computer matching program, much like we talked about under the Privacy Act of 1974, you got to put that in the public register and it has to be there for a period of 30 days for comments by the public and others. You have to notify Congress and OMB. They have to give them 10 days to review the computer matching program. As much like what we talked about during the Privacy Act of 1974. It is a requirement that you post us in the Federal Register over a period of 30 days. If you make any changes or modifications to the computer matching program, then again, you have to give notice to Congress and to OMB. They have 10 days in which review that information. What are data integrity boards? They're there to oversee these computer matching programs and make sure they're compliant with the computer matching act and Consumer Protection Act itself. They are there to make sure that the rights and freedoms of American citizens legal permanent residents are respected at all time. There is going to be the head of that federal government agency that's going to establish this data integrity board. It's going to have be a senior member appointed by the head of that agency, the IG or inspector general of that agency. What does that data integrity board do? It's there to make sure that it reviews, approves, and maintains all written agreements for the receipt and disclosure of agency records of matching programs. It's there to review all of those computer matching agreements that have been put in place within a year. Either from the perspective of the source agency or the recipient agency and determine if they're compliant with all applicable laws. Then they go and do a cost benefit analysis of the costs and benefits associated with those computer matching programs. Just like we have to do with PIA, privacy impact assessments, system of records notifications, your computer matching programs have to be reported to the office of management budget annually and made available to the public upon request that give the details of those computer matching programs. They're there to serve as a clearing house and make sure that they enter the term the integrity, the accuracy, the reliability and timeliness of the data that's contained in the records as part of these system of records. They have to do good record keeping of both activities, then show that these computer matching programs are compliant with this law. Then if an agency is engaging in matching activities that aren't considered a matching program, the DIB is also supposed to review those. Let's talk about the computer magic and Privacy a Protection Act of 1988. It amends the Privacy Act of 1974, it's there to regulate the use of computer matching programs by source agencies, recipient agencies or receiving agencies. Also between federal government agencies and the executive branch, or non federal government agencies that might be at the state and local benefit. It doesn't extend to matching perform for statistical research, law enforcement taxes and other periods that fall outside the scope of the law. It allows government agencies to baby use computer matching to determine the eligibility for benefits of services for payments or also to suspend and terminate those and recoup payments that have been received in an unauthorized manner. Instead, to make sure that it goes protections and do process protections to individuals that are subject to these computer matching programs that might be subject to some type of adverse action because of the results of the computer matching program. It says that their rights are that they have within 30 days by notification to dispute the information that was used for the computer matching programs container records as part of systems of records. It requires for the government agency that's comply with the computer matching and Privacy Protection Act of 1988 to ensure that they have a data integrity board that's there to oversee the computer matching programs [inaudible] complying with this law. As always it's my pleasure to be your instructor. I hope that you, your family members and significant others are having a wonderful day. I look forward to seeing you in our next discussion. Take care.