February 23, 2022
Federal Data Integration and Individual Rights: The Computer
Matching and Privacy Protection Act
Executive branch agencies face an ever-evolving policy,
receive, and compare identifiable, individual-level data for
regulatory, and technological landscape when seeking to
matching. A matching of records for one of the CMPPA’s
share or combine individual-level data across organizational
two purposes establishes a matching program (5 U.S.C.
or programmatic boundaries. Congress has deliberated and
§§552a(8)(A), 552a(o)). The CMPPA further requires an
legislated the use of data integration for more than 50 years,
agency with a matching program to ensure an individual is
aiming to promote the efficient administration of
afforded with due process prior to taking any adverse action
government programs while protecting individual privacy
against that individual, including suspending, terminating,
and maintaining the country’s trust in how the federal
reducing, or making a final denial of payment or assistance.
government uses information on individuals.
Certain matching activities excluded from the CMPPA.
The Computer Matching and Privacy Protection Act (P.L.
The CMPPA specifically excludes several types of
100-503; CMPPA) is a significant part of the statutory and
matching from its procedural and oversight requirements.
policy landscape shaping how agencies can share and
These include matches to support research and statistical
combine data sources. First passed in 1988, the CMPPA has
projects, the specific data of which may not be used to
been amended 10 times, most recently in 2014.
make adverse decisions affecting the rights, benefits, or
privileges of a specific individual. Other matching activities
The CMPPA addresses how agencies may do specific types
that are excluded from the CMPPA’s coverage are specified
of computer matching. This term refers to using a computer
in Title 5, Section 552a(8)(B), of the U.S. Code and in other
for the comparison of information on individuals from two
laws.
or more systems of records for either of two purposes:
Major Procedural Requirements
1. To establish or verify eligibility for a
The CMPPA sets forth multiple procedural requirements an
federal benefit program and to recoup
agency must meet when matching for one of the act’s
debts and improper payments made to
covered purposes. In addition to specifying agency
individuals under these benefit programs;
responsibilities, the law requires the Office of Management
and
and Budget (OMB) to develop guidelines and regulations
2. To manage federal personnel.
for agencies and to continually assist and oversee agencies’
implementation (5 U.S.C. §552a(v)).
The CMPPA emerged from congressional concerns that the
oversight of agency computer matching was inadequate. In
Agency Responsibilities
particular, the extent of computer matching in the executive
Source and recipient agencies. The CMPPA authorizes
branch was unknown, and the due process rights of
the matching of data between a federal government agency
individuals were not adequately protected from adverse
and another federal, state, or local government entity (P.L.
actions by an agency using inaccurate information.
100-503, §9; 5 U.S.C. §552a note). The CMPPA identifies
two parties to a matching program: a source agency that
This In Focus describes the CMPPA’s scope, procedural
discloses records and a recipient agency that receives those
requirements, mechanisms to promote agency oversight,
records. A source agency is defined as either a federal
and due process protections. The CMPPA establishes some
executive branch agency or a state or local government
boundaries on the use of computer matching and procedures
agency (5 U.S.C. §552a(a)(11)). A recipient agency is
for protecting individuals. Federal efforts to share and
defined as a federal executive branch agency or a contractor
combine data for decisionmaking, and for benefit program
of one.
administration specifically, implicate the CMPPA in
important ways, which may create ongoing and new issues
The CMPPA does not include nonfederal agencies in the
for Congress.
definition of recipient agency. Certain federal benefit
Scope of the CMPPA
programs may, however, address circumstances when a
federal agency may disclose records to a nonfederal agency.
Matching programs. The CMPPA amended provisions
OMB’s Circular No. A-108, Federal Agency
originally enacted in the Privacy Act of 1974 (5 U.S.C.
Responsibilities for Review, Reporting, and Publication
§552a). The Privacy Act generally restricts how executive
under the Privacy Act, describes some processes executive
agencies may disclose or share records that identify
branch agencies should use when a nonfederal agency is a
individuals in the absence of written consent, with certain
recipient of records for a matching program. An executive
exceptions. The CMPPA identifies the specific, narrow
agency may establish a regulation to require a nonfederal
purposes under which an executive agency may share,
recipient agency to comply with provisions of the CMPPA.
https://crsreports.congress.gov
Federal Data Integration and Individual Rights: The Computer Matching and Privacy Protection Act
Written agreement. A source and recipient agency are
An agency must provide periodic notice of matching to
required to enter into a detailed computer matching
individuals when determining continued eligibility for a
agreement (CMA) before records can be disclosed and
federal benefit program or during the periods of time when
matched. CMAs must include, among other details, the
the match is authorized to take place. OMB’s Final
legal authority, justification, and anticipated results of the
Guidance advises that public notice through the Federal
matching program; a description of the records and data
Register may serve as “constructive” notice in the absence
elements that will be matched; the procedures for ensuring
of direct notice to an individual (e.g., direct notice to an
the administrative, technical, and physical security of the
individual at the time of his or her application for benefits).
matched records and results; and the procedures for
OMB’s Circular No. A-108 indicates the agency receiving
providing notice to individuals and verifying information
records bears the responsibility of publishing a notice in the
produced in a matching program (5 U.S.C. §552a(o)).
Federal Register of its intent to conduct a matching
CMAs are valid for 18 months as a default in the CMPPA.
program. If a nonfederal agency is the recipient, the federal
They may be extended for one year so long as compliance
agency providing the records is required to publish the
with the original agreement is certified by the agency
notice.
receiving the records and the agency sourcing the records
believes the receiving agency to be in compliance with the
Opportunity to contest information. The CMPPA
agreement.
requires an agency to provide the subject of a computer
match the chance to address and correct information that
Agency decisionmaking. The CMPPA requires an agency
will be used to deny, suspend, or terminate a federal benefit
that discloses or receives individual records for the
(5 U.S.C. §552a(p)). An agency has two options to satisfy
purposes of a matching program to establish a Data
this requirement. Both options seek to establish the
Integrity Board of senior officials and the agency’s
accuracy of the information on the individual. The first
inspector general, if the agency has one (5 U.S.C.
option is independent verification and confirmation of
§552a(u)). An agency’s Data Integrity Board acts as a
information through manual investigative processes (5
decisionmaking body for approving or declining a proposed
U.S.C. §552a(p)(2)). The second option allows an agency’s
matching program and executes CMAs. It also reviews on
Data Integrity Board to waive the independent verification
an annual basis any existing matching programs in which
requirement if the board is confident in the accuracy of
the agency participates and assesses the continued
records (5 U.S.C. §552a(p)(1)(A)(ii)). Regardless of which
justification for the agency’s participation.
option an agency chooses, it must notify the individual that
an adverse decision is pending based on the information it
Reports to OMB and Congress. The CMPPA requires an
has and explain the process and timeline for the individual
agency to report certain information on its matching
to challenge the decision.
activities to OMB and Congress. When an agency considers
a new or significantly modified matching program, it must
Issues for Congress
provide advance notice to OMB, the Senate Committee on
The CMPPA brings into focus several potential questions in
Homeland Security and Governmental Affairs, and the
data matching policy that Congress might consider,
House Committee on Oversight and Reform (5 U.S.C.
including the following:
§552a(r)). This allows for evaluation of the effects of the
matching program on individual privacy and other rights. In
Under the CMPPA’s framework for transparency and
addition, copies of CMAs that have been entered into by
oversight, do Congress and the public have a sufficiently
agencies are to be submitted to Congress (5 U.S.C.
accurate and current understanding of how individual
§552a(o)(2)(A)). An agency’s Data Integrity Board must
records are shared and matched by federal agencies?
also submit an annual report to the head of the agency and
OMB describing specific aspects of its matching activities.
Certain matching activities may not be subject to the
While the CMPPA included a requirement for OMB to
CMPPA, including matching activities for benefit
report to Congress on matching programs and on OMB’s
programs using commercial or nongovernmental data.
implementation of the Privacy Act more generally, the
Are there mechanisms in place to oversee and
requirement was effectively terminated in 2000 (P.L. 104-
understand the implementation of those matching
66, §3003; 31 U.S.C. §1113 note).
activities?
Due Process and Individual Rights
How does an agency determine and monitor the quality
Consent and notice. A source agency must obtain an
and accuracy of information used in matches that may
individual’s consent as a condition of disclosing that
affect the determination of a person’s benefits? How
individual’s records to a receiving agency in a matching
does an agency determine the quality and accuracy of
program (OMB’s Final Guidance Interpreting the
information received from state and local governments?
Provisions of P.L. 100-503). The agency disclosing records
can either (1) obtain written consent directly from the
Congress may also want to better understand (1) matching
individual or (2) use an exception to consent as permitted in
programs that depend on direct written consent and notice
Title 5, Section 552a(b).
to individuals and (2) when agencies use exceptions to
direct consent and make use of constructive notice.
OMB’s Final Guidance also directs an agency to provide
notice in advance to individuals that they are the subject of
Natalie R. Ortiz, Analyst in Government Organization and
a computer match before the matching of records begins.
Management
https://crsreports.congress.gov
Federal Data Integration and Individual Rights: The Computer Matching and Privacy Protection Act
IF12053
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF12053 · VERSION 1 · NEW