32 CFR 310.53 - Computer matching agreements (CMAs).
(a) If a match is to be conducted internally within DoD, a memorandum of understanding (MOU) shall be prepared. It shall contain the same elements as a CMA, except as otherwise indicated in paragraph (b)(4)(ii) of this section.
(b) A CMA shall contain the following elements:
(1) Purpose. Why the match is being proposed and what will be achieved by conducting the match.
(2) Legal authority. What is the Federal or state statutory or regulatory basis for conducting the match. The Privacy Act does not constitute independent authority for matching. Other legal authority shall be identified.
(3) Justification and expected results. Explain why computer matching as opposed to some other administrative means is being proposed and what the expected results will be, including a specific estimate of any savings (see paragraph (b)(13) of this section).
(4) Records description. Identify:
(i) The system of records or non-Federal records. For DoD systems of records, provide the Federal Register citation for the system notice;
(ii) The specific routine use in the system notice if records are to be disclosed outside the Department of Defense (see § 310.22(c)). If records are disclosed within the Department of Defense for an internal match, disclosures are permitted pursuant to paragraph (a) of § 310.22.
(iii) The number of records involved;
(iv) The data elements to be included in the match;
(v) The projected start and completion dates of the match. CMAs remain in effect for 18 months but can be renewed for an additional 12 months provided:
(A) The match will be conducted without any change, and
(B) Each party to the match certifies in writing that the program has been conducted in compliance with the CMA or MOU.
(vi) How frequently will the records be matched.
(5) Records accuracy assessment. Provide an assessment by the source and recipient agencies as to the quality of the information that will be used for the match. The poorer the quality, the more likely that the program will not be cost-effective.
(6) Notice procedures. Identify what direct and indirect means will be used to inform individuals that matching will take place.
(i) Direct notice. Indicate whether the individual is advised that matching may be conducted when he or she applies for a Federal benefit program. Such an advisory should normally be part of the Privacy Act Statement that is contained in the application for benefits. Individual notice sometimes is provided by a separate notice that is furnished the individual upon receipt of the benefit.
(ii) Indirect notice. Indicate whether the individual is advised that matching may be conducted by constructive notice. Indirect or constructive notice is achieved by publication of a routine use in the Federal Register when the matching is between agencies or is achieved by publication of the match notice in the Federal Register.
(7) Verification procedures. Explain how information produced as a result of the match will be independently verified to ensure any adverse information obtained is that of the individual identified in the match.
(8) Due process procedures. Describe what procedures will be used to notify individuals of any adverse information uncovered as a result of the match and to give such individuals an opportunity to either explain the information or how to contest the information. No adverse action shall be taken against the individual until the due process procedures have been satisfied.
(i) Unless other statutory or regulatory authority provides for a longer period of time, the individual shall be given 30 calendar days from the date of the notice to respond to the notice.
(ii) If an individual contacts the agency within the notice period and indicates his or her acceptance of the validity of the adverse information, the agency may take final action. If the period expires without a response, the agency may take final action.
(iii) If the agency determines that there is a potentially significant effect on public health or safety, it may take appropriate action notwithstanding the due process provisions.
(9) Security procedures. Describe the administrative, technical, and physical safeguards that will be established to preserve and protect the privacy and confidentiality of the records involved in the match. The level of security must be commensurate with the level of the sensitivity of the records.
(10) Records usage, duplication, and redisclosure restrictions. Describe any restrictions imposed by the source agency or by statute or regulation on the collateral uses of the records. Recipient agencies may not use the records obtained for matching purposes for any other purpose absent a specific statutory requirement or where the disclosure is essential to the conduct of the matching program.
(11) Disposition procedures. Clearly state that the records used in the match will be retained only for the time required for conducting the match. Once the matching purpose has been achieved, the records will be destroyed unless the records must be retained as directed by other legal authority. Unless the source agency requests that the records be returned, identify the means by which destruction will occur, i.e., shredding, burning, electronic erasure, etc.
(13) Cost-benefit analysis.
(i) A cost-benefit analysis shall be conducted for the proposed computer matching program unless:
(A) The Data Integrity Board waives the requirement, or
(B) The matching program is required by a specific statute.
(ii) The analysis must demonstrate that the program is likely to be cost-effective. This analysis is to ensure agencies are following sound management practices. The analysis provides an opportunity to examine the programs and to reject those that will only produce marginal results.