13 CFR § 102.40 - Computer matching.

§ 102.40 Computer matching.

The OCIO will enforce the computer matching provisions of the Privacy Act. The FOI/PA Office will review and concur on all computer matching agreements prior to their activation and/or renewal.

(a) Matching agreements. SBA will comply with the Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. 552a(o), 552a notes). The Privacy Protection Act establishes procedures Federal agencies must use if they want to match their computer lists. SBA shall not disclose any record which is contained in a system of records to a recipient agency or non-Federal agency for use in a computer matching program except pursuant to a written agreement between SBA and the recipient agency or non-Federal agency specifying:

(1) The purpose and legal authority for conducting the program;

(2) The justification for the purpose and the anticipated results, including a specific estimate of any savings;

(3) A description of the records that will be matched, including each data element that will be used, the approximate number of records that will be matched, and the projected starting and completion dates of the matching program;

(4) Procedures for providing individualized notice at the time of application, and periodically thereafter as directed by the Data Integrity Board, that any information provided by any of the above may be subject to verification through matching programs to:

(i) Applicants for and recipients of financial assistance or payments under Federal benefit programs, and

(ii) Applicants for and holders of positions as Federal personnel.

(5) Procedures for verifying information produced in such matching program as required by paragraph (c) of this section.

(6) Procedures for the retention and timely destruction of identifiable records created by a recipient agency or non-Federal agency in such matching program;

(7) Procedures for ensuring the administrative, technical, and physical security of the records matched and the results of such programs;

(8) Prohibitions on duplication and redisclosure of records provided by SBA within or outside the recipient agency or non-Federal agency, except where required by law or essential to the conduct of the matching program;

(9) Procedures governing the use by a recipient agency or non-Federal agency of records provided in a matching program by SBA, including procedures governing return of the records to SBA or destruction of records used in such programs;

(10) Information on assessments that have been made on the accuracy of the records that will be used in such matching programs; and

(11) That the Comptroller General may have access to all records of a recipient agency or non-Federal agency that the Comptroller General deems necessary in order to monitor or verify compliance with the agreement.

(b) Agreement specifications. A copy of each agreement entered into pursuant to paragraph (a) of this section shall be transmitted to OMB, the Committee on Governmental Affairs of the Senate and the Committee on Governmental Operations of the House of Representatives and be available upon request to the public.

(1) No such agreement shall be effective until 30 days after the date on which a copy is transmitted.

(2) Such an agreement shall remain in effect only for such period, not to exceed 18 months, as the Data Integrity Board determines is appropriate in light of the purposes, and length of time necessary for the conduct, of the matching program.

(3) Within three (3) months prior to the expiration of such an agreement, the Data Integrity Board may without additional review, renew the matching agreement for a current, ongoing matching program for not more than one additional year if:

(i) Such program will be conducted without any change; and

(ii) Each party to the agreement certifies to the Board in writing that the program has been conducted in compliance with the agreement.

(c) Verification. In order to protect any individual whose records are used in matching programs, SBA and any recipient agency or non-Federal agency may not suspend, terminate, reduce, or make a final denial of any financial assistance or payment under the Federal benefit program to such individual, or take other adverse action against such individual as a result of information produced by such matching programs until such information has been independently verified.

(1) Independent verification requires independent investigation and confirmation of any information used as a basis for an adverse action against an individual including, where applicable:

(i) The amount of the asset or income involved,

(ii) Whether such individual actually has or had access to such asset or income or such individual's own use, and

(iii) The period or periods when the individual actually had such asset or income.

(2) SBA and any recipient agency or non-Federal agency may not suspend, terminate, reduce, or make a final denial of any financial assistance or payment under a Federal benefit program, or take other adverse action as a result of information produced by a matching program,

(i) Unless such individual has received notice from such agency containing a statement of its findings and information of the opportunity to contest such findings, and

(ii) Until the subsequent expiration of any notice period provided by the program's governing statute or regulations, or 30 days. Such opportunity to contest may be satisfied by notice, hearing, and appeal rights governing such Federal benefit program. The exercise of any such rights shall not affect rights available under the Privacy Act.

(3) SBA may take any appropriate action otherwise prohibited by the above if SBA determines that the public health or safety may be adversely affected or significantly threatened during the notice period required by paragraph (c)(2)(ii) of this section.

(d) Sanctions. Notwithstanding any other provision of law, SBA may not disclose any record which is contained in a system of records to a recipient agency or non-Federal agency for a matching program if SBA has reason to believe that the requirements of paragraph (c) of this section, or any matching agreement entered into pursuant to paragraph (b) of this section or both, are not being met by such recipient agency.

(1) SBA shall not renew a matching agreement unless,

(i) The recipient agency or non-Federal agency has certified that it has complied with the provisions of that agreement; and

(ii) SBA has no reason to believe that the certification is inaccurate.

(e) Review annually each ongoing matching program in which the Agency has participated during the year, either as a source or as a matching agency in order to assure that the requirements of the Privacy Act, OMB guidance, and any Agency regulations and standard operating procedures, operating instructions, or guidelines have been met.

(f) Data Integrity Board. SBA shall establish a Data Integrity Board (Board) to oversee and coordinate the implementation of the matching program. The Board shall consist of the senior officials designated by the Administrator, to include the Inspector General (who shall not serve as chairman), and the Senior Agency Official for Privacy. The Board shall:

(1) Review, approve and maintain all written agreements for receipt or disclosure of Agency records for matching programs to ensure compliance with paragraph (a) of this section and with all relevant statutes, regulations, and guidance;

(2) Review all matching programs in which SBA has participated during the year, determine compliance with applicable laws, regulations, guidelines, and Agency agreements, and assess the costs and benefits of such programs;

(3) Review all recurring matching programs in which SBA has participated during the year, for continued justification for such disclosures;

(4) At the instruction of OMB, compile a report to be submitted to the Administrator and OMB, and made available to the public on request, describing the matching activities of SBA, including,

(i) Matching programs in which SBA has participated;

(ii) Matching agreements proposed that were disapproved by the Board;

(iii) Any changes in membership or structure of the Board in the preceding year;

(iv) The reasons for any waiver of the requirement described below for completion and submission of a cost-benefit analysis prior to the approval of a matching program;

(v) Any violations of matching agreements that have been alleged or identified and any corrective action taken; and

(vi) Any other information required by OMB to be included in such report;

(5) Serve as clearinghouse for receiving and providing information on the accuracy, completeness, and reliability of records used in matching programs;

(6) Provide interpretation and guidance to SBA offices and personnel on the requirements for matching programs;

(7) Review Agency recordkeeping and disposal policies and practices for matching programs to assure compliance with the Privacy Act; and

(8) May review and report on any SBA matching activities that are not matching programs.

(g) Cost-benefit analysis. Except as provided in paragraphs (e)(2) and (3) of this section, the Data Integrity Board shall not approve any written agreement for a matching program unless SBA has completed and submitted to such Board a cost-benefit analysis of the proposed program and such analysis demonstrates that the program is likely to be cost effective. The Board may waive these requirements if it determines, in writing, and in accordance with OMB guidelines, that a cost-benefit analysis is not required. Such an analysis also shall not be required prior to the initial approval of a written agreement for a matching program that is specifically required by statute.

(h) Disapproval of matching agreements. If a matching agreement is disapproved by the Data Integrity Board, any party to such agreement may appeal to OMB. Timely notice of the filing of such an appeal shall be provided by OMB to the Committee on Governmental Affairs of the Senate and the Committee on Government Operations of the House of Representatives.

(1) OMB may approve a matching agreement despite the disapproval of the Data Integrity Board if OMB determines that:

(i) The matching program will be consistent with all applicable legal, regulatory, and policy requirements;

(ii) There is adequate evidence that the matching agreement will be cost-effective; and

(iii) The matching program is in the public interest.

(2) The decision of OMB to approve a matching agreement shall not take effect until 30 days after it is reported to the committees described in paragraph (h) of this section.

(3) If the Data Integrity Board and the OMB disapprove a matching program proposed by the Inspector General, the Inspector General may report the disapproval to the Administrator and to the Congress.