Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

December 6, 2022 R47325

Computer Matching and Privacy Protection
December 6, 2022
Act: Data Integration and Individual Rights
Natalie R. Ortiz
Computers and information technologies have increased the amount of data that can be collected,
Analyst in Government
stored, and processed. Computers make it easier to exchange, share, and match data on
Organization and
individuals across programmatic and agency boundaries, enabling the use of that data for various
Management
executive branch operations.

The Computer Matching and Privacy Protection Act of 1988 (CMPPA) provides the

requirements and processes by which agencies may, for certain purposes, conduct a matching
program using individuals’ data. Congress passed the CMPPA to increase the administrative controls and oversight of
matching programs. The CMPPA amended provisions enacted by the Privacy Act of 1974 and operates within the Privacy
Act’s statutory framework.
The CMPPA covers how agencies may conduct a computerized comparison of automated records to administer federal
benefit programs or to use federal personnel and payroll records. A matching program may involve two or more federal
agencies or a federal agency and a state or local government agency.
Matching programs are used throughout the executive branch at agencies such as the Department of Health and Human
Services, the Department of Homeland Security, the Federal Communications Commission, the Small Business
Administration, the Social Security Administration, and the Treasury Department. A matching program may exchange and
compare any number of records, and some match millions of records.
The CMPPA establishes a number of requirements for agencies conducting matching programs. These requirements include
the execution of written matching agreements that contain a number of specifics on the conduct of matching programs, cost-
benefit analyses of matching programs and documentation of specific savings, and the establishment of a Data Integrity
Board (DIB) within each federal agency that conducts or participates in a matching program to approve matching agreements
and oversee matching programs. Matching agreements are to be available to the public and may be published on an agency’s
website. An agency’s DIB is required to submit to the agency head and the Office of Management and Budget (OMB) an
annual report that describes the agency’s matching activities.
The CMPPA requires agencies to notify individuals of the use of their information in a matching program and verify the
accuracy of information produced in a matching program before suspending, reducing, terminating, or denying assistance or
payment under a federal benefit program or taking another adverse action against an individual. The law requires that
individuals be given the opportunity to contest the accuracy of information used in a matching program.
OMB is required to issue guidance to agencies on implementing the law, provide ongoing assistance to agencies, and provide
oversight of implementation. The Government Accountability Office found varying agency interpretations of the scope of the
CMPPA and partially attributed the variation to unclear guidance from OMB.
Several uses of computer matching are excepted by statute from the CMPPA’s requirements. In addition, the CMPPA does
not authorize disclosures of information for matching except to a federal, state, or local government agency, and the act does
not apply to federal agency matches involving nongovernment parties and data.
Matching program oversight by Congress may support implementation of the CMPPA. There are a number of areas Congress
may want to consider and some possible directions for future oversight or legislation. These areas include (1) clarifying the
scope of the CMPPA, (2) developing an accurate accounting of matching programs, (3) ensuring sufficient and
contemporaneous OMB guidance, and (4) assessing regulation and oversight of data matching.
Congressional Research Service

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

Introduction
Federal agencies collect a significant amount of data about individuals’ current and past
circumstances. This information includes tax filings, mailing address, domestic and international
travel, military enlistment, Medicare history, permits applied for, and federal financial assistance
received, among other data. The executive branch has collected data on nearly every American in
support of its various operations and services.
Congress has long recognized that privacy is directly affected and placed at risk when agencies
collect and use data on individuals.1 Computers and information technologies greatly increase the
amount of data that can be collected, stored, and processed while also enabling innovative uses of
that data. Computers make it easier to exchange, share, and match data on individuals across
programmatic and agency boundaries. Congress acknowledged the threat computers pose to
individual privacy when it passed the Privacy Act of 1974 (Privacy Act).2
Since at least in the 1970s, federal agencies have been sharing and matching data on individuals.
One of the first well-known uses of a federal agency matching data was in 1977 for “Project
Match.”3 The then-Department of Health, Education, and Welfare compared federal payroll
records with records on recipients of the then-Aid to Families with Dependent Children program
to find federal personnel who were receiving improper payments.4
In 1988, the House Committee on Government Operations5 observed that the Office of
Management and Budget’s (OMB’s) interpretations of the Privacy Act’s disclosure restrictions
had permitted disclosures to support computer matching.6 The committee stated that it was “not
aware of any computer match that could not be conducted because of Privacy Act disclosure
rules.”
Over many Congresses, various statutes have required agencies to exchange and match data on
individuals for a specific purpose, such as determining eligibility for a federal benefit program.7

1 See Section 2(a)(1) of the Privacy Act of 1974 (P.L. 93-579; 88 Stat. 1896): “The privacy of an individual is directly
affected by the collection, maintenance, use, and dissemination of personal information by federal agencies.”
2 See Section 2(a)(2) of the Privacy Act of 1974 (P.L. 93-579; 88 Stat. 1896): “The increasing use of computers and
sophisticated information technology, while essential to the efficient operations of the government, has greatly
magnified the harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of
personal information.” The Privacy Act is codified at Title 5, Section 552a, of the U.S. Code.
3 U.S. Congress, House Committee on Government Operations, Computer Matching and Privacy Protection Act of
1988, report to accompany H.R. 4699, 100th Cong., 2nd sess., July 27, 1988, H.Rept. 100-802, pp. 2-3; U.S. Congress,
Senate Committee on Governmental Affairs, The Computer Matching and Privacy Protection Act of 1987, report to
accompany S. 496, 100th Cong., 2nd sess., September 15, 1988, S.Rept. 100-516, p. 2.
4 U.S. Congress, House Committee on Government Operations, Computer Matching and Privacy Protection Act of
1988, report to accompany H.R. 4699, 100th Cong., 2nd sess., July 27, 1988, H.Rept. 100-802, pp. 2-3. The Department
of Health, Education, and Welfare was renamed the Department of Health and Human Services upon the establishment
of the Department of Education (P.L. 96-88).
5 The House Committee on Government Operations was renamed the House Committee on Government Reform and
Oversight by P.L. 104-14, Section 1(a)(6). In the 106th Congress, the committee’s name was changed to Committee on
Government Reform by H.Res. 5. The name was changed again in the 110th Congress to Committee on Oversight and
Government Reform by H.Res. 6. The 116th Congress changed the name to Committee on Oversight and Reform by
H.Res. 6.
6 U.S. Congress, House Committee on Government Operations, Computer Matching and Privacy Protection Act of
1988, report to accompany H.R. 4699, 100th Cong., 2nd sess., July 27, 1988, H.Rept. 100-802, p. 5.
7 For example, the Deficit Reduction Act of 1984 (P.L. 98-369), established that every state that administers certain
Congressional Research Service

1

link to page 41 Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

The Computer Matching and Privacy Protection Act of 19888 (CMPPA) establishes procedures
for agencies when they disclose and match data on individuals for certain purposes. These
purposes are for determining eligibility for federal benefit programs, recouping payments and
debts under those programs, and comparing records of federal personnel.9 Computer matching
conducted for these purposes is called a matching program.
Matching programs are used throughout the executive branch of the federal government. For
example, in 2022, the Department of Justice (DOJ) and Internal Revenue Service (IRS)
established a matching program so that DOJ could locate people who owe debts to the United
States. Specifically, DOJ sends to the IRS the names and Social Security numbers (SSNs) of
people who owe debts. The IRS then provides the mailing addresses of those people to DOJ so
that DOJ can locate those debtors, initiate litigation, and enforce debt collection.10
This report provides an overview of the CMPPA and discusses its key statutory requirements for
matching programs and how matching program has been interpreted and implemented by OMB
and various executive agencies. This overview of the CMPPA leads to a discussion of issues for
Congress and explores where it might consider modifying the CMPPA specifically and the use of
data matching in the executive branch more generally.
What Is the Computer Matching and Privacy
Protection Act (CMPPA)?
The CMPPA provides the requirements and processes by which agencies may, for certain
purposes, conduct computer matching involving individuals’ data. The act emerged from several
congressional concerns at the time that the administrative controls and oversight of agency
matching were inadequate and that the due process rights of individuals were not adequately
protected from adverse actions stemming from inaccurate information.11 Additionally, the extent
of computer matching in the executive branch was unknown, partly because the practice itself
was not clearly defined.12
The CMPPA amended provisions originally enacted by the Privacy Act. Thus, implementation of
the CMPPA operates within the Privacy Act’s statutory framework. The CMPPA, like the Privacy

Social Security programs must have an income and eligibility verification system that uses wage, income, and other
information from the Social Security Administration and Internal Revenue Service and verifies immigration status with
the then-Immigration and Naturalization Service if the applicant for a program is not a citizen or U.S. national (42
U.S.C. §1320b-7).
8 P.L. 100-503.
9 5 U.S.C. §552a(8)(A)(i-ii).
10 For more information on this specific matching program, see DOJ, “Privacy Act of 1974; Matching Program,” 87
Federal Register 36344-36345, June 16, 2022. See also IRS, DOJ, “Computer Matching Agreement between
Department of the Treasury Internal Revenue Service and Department of Justice for the Taxpayer Address Request
Program,” July 30, 2022, https://www.justice.gov/doj_irs_tar_cma_2022/download.
11 U.S. Congress, House Committee on Government Operations, Computer Matching and Privacy Protection Act of
1988, report to accompany H.R. 4699, 100th Cong., 2nd sess., July 27, 1988, H.Rept. 100-802, p. 6; U.S. Congress,
Senate Committee on Governmental Affairs, The Computer Matching and Privacy Protection Act of 1987, report to
accompany S. 496, 100th Cong., 2nd sess., September 15, 1988, S.Rept. 100-516, pp. 6-9. For more on the history
surrounding the development of CMPPA, including computer matching prior to the CMPPA, see Appendix A.
12 U.S. Congress, House Committee on Government Operations, Computer Matching and Privacy Protection Act of
1988, report to accompany H.R. 4699, 100th Cong., 2nd sess., July 27, 1988, H.Rept. 100-802, p. 7.
Congressional Research Service

2

link to page 10 Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

Act, concerns records of U.S. citizens or permanent legal residents.13 A record generally includes
personal identifiers as well as other characteristics that can be ascribed to individuals. Records are
contained within a system of records, which is generally understood as a group of records under
an agency’s control.14
According to a report by the Office of Technology Assessment (OTA) in 1986, computers and
data communication technology increased the exchange of records in ways that could not be
envisioned when the Privacy Act was passed in 1974,15 including, for example, locating student
loan defaulters who were federal government employees and using federal tax information to
evaluate a Medicaid claim to be paid to a physician.16 OTA argued in its 1986 report that “agency
use of new electronic technologies in processing [individual] information has eroded the
protections of the Privacy Act of 1974.”17
The CMPPA does not define computer matching or matching per se and instead defines matching
program (see text box, “Defining Matching Program”).18 In the simplest terms, a matching
program involves the computerized comparison of records from two or more automated systems
for determining eligibility for federal benefits or using the information of federal personnel,
including payroll information. The act, as its name implies, is specifically concerned with
computers comparing data and does not apply to matches that are done manually.19
Notably, the CMPPA does not independently authorize matching or create a new authority for
agencies to match records. Instead, the CMPPA establishes requirements, processes, and
institutional roles for matching authorized by other laws.

13 Record is defined at Title 5, Section 552a(a)(4), of the U.S. Code as “any item, collection, or grouping of information
about an individual that is maintained by an agency, including, but not limited to, their education, financial
transactions, medical history, and criminal or employment history and that contains their name, or the identifying
number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a
photograph.” Neither the Privacy Act nor Section 552a uses or defines the term personally identifiable information, or
PII.
14 System of records is defined at Title 5, Section 552a(a)(5), of the U.S. Code as “a group of any records under the
control of any agency from which information is retrieved by the name of the individual or by some identifying
number, symbol, or other identifying particular assigned to the individual.” For more discussion about the Privacy Act,
see DOJ, Overview of the Privacy Act of 1974, 2020, https://www.justice.gov/opcl/overview-privacy-act-1974-2020-
edition. See also CRS Report R47058, Access to Government Information: An Overview, by Meghan M. Stuessy.
15 OTA, Federal Government Information Technology: Electronic Record Systems and Individual Privacy, June 1986,
p. 3. The OTA was established within the legislative branch by the Technology Assessment Act of 1972 (P.L. 92-484).
The basic function of OTA was to “provide early indications of the probable beneficial and adverse impacts of the
applications of technology and to develop other coordinate information which may assist the Congress” (86 Stat. 797).
Congress eliminated funding for OTA in 1995. For more information, see CRS Report R46327, The Office of
Technology Assessment: History, Authorities, Issues, and Options, by John F. Sargent Jr.
16 OTA, Federal Government Information Technology, p. 4.
17 OTA, Federal Government Information Technology, p. 99.
18 5 U.S.C. §552a(a)(8). For elaboration and discussion of the concept of computer matching as it relates to the
CMPPA’s definition of matching program, see in this report “Defining Matching for the Purposes of the CMPPA.”
19 OMB, “Privacy Act of 1974; Final Guidance Interpreting the Provisions of P.L. 100-503, the Computer Matching
and Privacy Protection Act of 1988,” 54 Federal Register 25822, June 19, 1989. Emphasizing the specific use of a
computer might have had more significance in the late 1980s because computers were not as ubiquitous then as they
are now. However, the salience of the computer in the decades since the CMPPA was enacted also emphasizes the act’s
ongoing importance.
Congressional Research Service

3

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

Defining Matching Program
A matching program is a computerized comparison of
1. “two or more automated systems of records or a system of records with nonfederal records” for the purposes
of

establishing or verifying eligibility for or compliance with statutory and regulatory requirements for a
federal benefit program or

to recoup delinquent debts and improper payments made to recipients, beneficiaries, participants, or
providers of services under these benefit programs;20 or
2. “two or more automated federal personnel or payroll systems of records or a system of federal personnel or
payroll records with nonfederal records.”21
The CMPPA establishes a number of requirements for agencies conducting matching programs.
These requirements include the execution of written matching agreements between the agencies
involved in a specific matching program.22 Agencies must also conduct cost-benefit analyses of
matching programs23 and document specific estimates of savings in matching agreements.24
Additionally, the CMPPA requires that each federal agency that conducts or participates in a
matching program must establish a Data Integrity Board, which is to approve and oversee such
programs.25 The act also requires individuals to be notified of the use of their information in a
matching program26 and given the opportunity to contest the accuracy of the information.27
The act prescribes certain roles and responsibilities to federal agencies involved in matching
programs based on whether they receive records or are the source of such records. For the
purposes of the CMPPA and this report, a federal agency includes any executive department or
establishment in the executive branch.28 The CMPPA also identifies and establishes some
requirements for nonfederal agencies—defined as a state or local government, or an agency
thereof, that receives records contained in a system of records from a federal source agency.29
Congressional Interest in Data Matching
Congress has focused on the CMPPA because of the role it plays for people seeking assistance
from federal government programs and in relation to the integrity of federal programs.

20 5 U.S.C. §552a(a)(8)(A)(i).
21 5 U.S.C. §552a(a)(8)(A)(ii).
22 5 U.S.C. §552a(o).
23 5 U.S.C. §552a(u)(4)(A).
24 5 U.S.C. §552a(o)(1)(B).
25 5 U.S.C. §552a(u).
26 5 U.S.C. §552a(o)(1)(D).
27 5 U.S.C. §552a(p)(1)(B).
28 5 U.S.C. §552a(a)(1). While Section 552a(a)(1) is for the definition of agency provided at Section 552(e), the
subsection was redesignated as 552(f) by P.L. 99-570, the Anti-Drug Abuse Act of 1986 (100 Stat. 3207-49). The
statutory definition of agency also includes military departments, federal government corporations, corporations
controlled by the federal government, and any independent regulatory agency. The CMPPA and the Privacy Act use the
same definition of agency as the Freedom of Information Act (5 U.S.C. §552(f)), which is based on the definition of
agency enacted by the Administrative Procedure Act (5 U.S.C. §551(1)).
29 5 U.S.C. §552a(a)(10).
Congressional Research Service

4

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

For example, the House Committee on Ways and Means held a hearing in the 112th Congress on
the use of data matching to improve customer service, program integrity, and taxpayer savings,
including the ways the CMPPA complicates the ability of agencies to share and match data.30 The
chair of committee said:
As often happens in the government, Washington, D.C. is the lagging indicator with
legislation versus where technology in the rest of the country is. The Computer Matching
and Privacy Protection Act of 1988 went into action at a time that we lived in a different
technology world, with different methods of sharing information…. And realistically,
when we look at this, and trying to tie this information together … that matching done
right, in an integrated fashion, will free capacity to manage by exception, instead of having
to spend an inordinate amount of time…. We have disconnected processes, and that can’t
be fixed in the current data environment. And we have many of our citizens, many
frustrated agency workers that are trying to be good stewards of the taxpayers’ money that
lose this in process.31
Congress has grappled with the CMPPA’s provisions in drafting new legislation. For example, in
the 117th Congress, H.R. 7275 would require data exchanges and the sharing of claims and
payment data to detect and prevent duplicate medical payments. While the bill would require the
Secretary of Veterans Affairs, the Secretary of Defense, and the administrator of the Centers for
Medicare & Medicaid Services to enter into a data matching agreement, the bill specifically does
not require such an agreement to comply with the CMPPA’s requirement for matching
agreements. Also introduced in the 117th Congress, H.R. 8416 would exempt from the CMPPA an
information sharing system that would “facilitate the administration of the universal application
for federal disaster assistance” and “detect, prevent, and investigate waste, fraud, abuse, or
discrimination in the administration of disaster assistance programs.”
The CMPPA arguably helps facilitate other laws and their implementation, such as benefits
administration. In other cases, however, it may be seen as complicating implementation of
legislation. For example, the Fraud Reduction and Data Analytics Act of 2015 (P.L. 114-186)
required OMB to develop guidelines for agencies to (1) establish financial and administrative
controls to identify and assess fraud risk and (2) design and implement control activities that
would prevent, detect, and respond to fraud.32 The act further required OMB to base these
guidelines on the Government Accountability Office’s (GAO’s) “Framework for Managing Fraud
Risks in Federal Programs.”33 GAO’s framework includes data matching and combining data
across programs and from separate databases, if legally permissible, to facilitate reporting and
analytics.34 However, GAO noted in its framework that agencies cited the CMPPA as a hindrance
to detecting fraud.35
The Payment Integrity Information Act of 2019 (P.L. 116-117) superseded the Fraud Reduction
and Data Analytics Act. The Payment Integrity Information Act permits the head of each
executive agency to enter into matching agreements with other agencies to allow for ongoing

30 U.S. Congress, House Committee on Ways and Means, Subcommittee on Human Resources, On the Use of Data
Matching to Improve Customer Service, Program Integrity, and Taxpayer Savings, committee print, 112th Cong., 1st
sess., March 11, 2011, Serial 112-HR2.
31 Ibid., p. 60.
32 130 Stat. 546.
33 See GAO, A Framework for Managing Fraud Risks in Federal Programs, GAO-15-593SP, July 2015,
https://www.gao.gov/assets/gao-15-593sp.pdf.
34 GAO, A Framework for Managing Fraud Risks in Federal Programs, p. 23.
35 GAO, A Framework for Managing Fraud Risks in Federal Programs, p. 7.
Congressional Research Service

5

link to page 19 link to page 16 Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

automated data matching to detect and prevent improper payments.36 The law also allows
matching agreements to terminate in three years (or less) and to be extended for up to three
years.37 For a discussion of matching agreements, see “Matching Agreements” within this report.
Defining Matching for the Purposes of the CMPPA
The concept of computer matching and the statutory definition of matching program are separate
and distinct. The CMPPA does not define computer matching as the activity to be regulated.
Rather, the CMPPA defines what constitutes a matching program and is thus subject to the act’s
requirements. While computer matching may invoke various methods and have various
applications, the scope of the CMPPA is limited to what the statute has defined as a matching
program.
The separation between computer matching and a matching program, however, creates ambiguity
as to whether certain methods of computer matching are consistent with the statutory definition of
matching program, including how OMB has interpreted the definition of matching program.
According to a 2014 GAO report, ambiguity in the definition affects consistent implementation of
the act across agencies and creates confusion among agencies as to what types of computer
matching activities are covered by the CMPPA:38
Varying agency interpretations of the scope of the act are partially due to unclear guidance
from OMB on this subject. OMB’s 1989 matching guidance includes examples of front-
end verification programs that are covered by the act, but none of OMB’s guidance
documents indicate specifically whether queries are subject to the act.39

36 31 U.S.C. §3354(d)(1)(A).
37 31 U.S.C. §3354(d)(1)(A)(C).
38 For further discussion, see in this report “GAO’s 2014 Report on Agency Interpretations of Matching Programs.”
39 GAO, Computer Matching Act: OMB and Selected Agencies Need to Ensure Consistent Implementation, GAO-14-
44, January 2014, p. 17.
Congressional Research Service

6

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

Key Terms and Related Concepts in the CMPPA
Classic computer matching is a way to compare at once many records from different sources (e.g., different
agencies).
Computer matching agreement is the written agreement between a source agency and recipient agency that
specifies the details of the matching program (5 U.S.C. §552a(o)).
Data integrity board is a body within a federal agency that participates in a matching program. It makes
decisions about computer matching agreements (5 U.S.C. §552a(u)).
Front-end verification compares a single record with information from another source (e.g., a different agency).
An example of front-end verification is querying a database for a single record.
Matching program is a computerized comparison of automated federal records or of federal records with state
or local government records to determine eligibility for a federal benefit program, to recover debts and improper
payments made under federal benefit programs, or to compare federal personnel or payroll records (5 U.S.C.
§552a(a)(8)).
Recipient agency is the agency in a matching program that receives records disclosed by a source agency (5
U.S.C. §552a(a)(9)).
Source agency is the agency in a matching program that discloses records (5 U.S.C. §552a(a)(11)).
Scoping Computer Matching and Methods for How Records Are
Compared
When considering the CMPPA bill introduced in the House (H.R. 4699), the Committee on
Government Operations characterized computer matching as “the computerized comparison of
records” for specific purposes.40 The committee then discussed two methods for computer
matching—“classic computer matching” and “front end verification.”
Classic computer matching “involves all the records in one record system with all the records in a
second system.”41 All records are reviewed without selection or specific targeting.42 Front-end
verification is more narrowly focused on “comparing a single record with the contents of separate
record system.”43 The committee noted the lack of federal guidelines and statutory and
administrative controls for front-end verification.44
The Committee on Governmental Affairs45 did not describe methods for computer matching in its
report on the Senate’s CMPPA bill (S. 496) but described computer matching as the “computer-
assisted comparison of two or more automated lists or files to identify inconsistencies or
irregularities among the lists or files.”46 The committee included “so-called front-end eligibility
verification matches” as one of the categories of computer matches that would meet the definition
of matching program.47 The committee reported:

40 U.S. Congress, House Committee on Government Operations, Computer Matching and Privacy Protection Act of
1988, report to accompany H.R. 4699, 100th Cong., 2nd sess., July 27, 1988, H.Rept. 100-802, p. 1.
41 Ibid., p. 4.
42 Ibid.
43 Ibid.
44 Ibid., p. 10.
45 The Committee on Governmental Affairs was subsequently renamed the Committee on Homeland Security and
Governmental Affairs by S.Res. 445 in the 108th Congress.
46 U.S. Congress, Senate Committee on Governmental Affairs, The Computer Matching and Privacy Protection Act of
1987, report to accompany S. 496, 100th Cong., 2nd sess., September 15, 1988, S.Rept. 100-516, p. 2.
47 Ibid., p. 10.
Congressional Research Service

7

link to page 41 link to page 41 Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

Unlike current OMB guidelines which do not apply to front-end eligibility verification or
to matching programs that do not compare a substantial number of records, checks on
specific individuals to verify data … are subject to the bill.48
As part of its role in implementing the Privacy Act, OMB issued guidance in 1979 on matching
programs and revised guidance in 1982.49 The 1979 guidance stated that matching programs do
not include checks on specific individuals to verify information.50 The 1982 guidance maintained
that matching programs do not include checks on specific individuals when done within a certain
time frame.51
A CMPPA bill (S. 2756) introduced in the 99th Congress, identified “front-end eligibility
verification programs” as a specific method of matching subject to the requirements for matching
programs. S. 2756 defined front-end verification programs as “the certification of accuracy of
information supplied by an applicant for federal financial assistance by matching such
information against a computerized data base.” However, the CMPPA bills introduced in the 100th
Congress did not use nor define front-end eligibility verification programs. For more discussion
on the legislative history of the CMPPA, see Appendix A of this report.
While the provisions of law enacted by the CMPPA do not reference either classic computer
matching or front-end verification, the terms have been used in committee reports, the guidance
issued by OMB, and review by GAO of OMB guidance and agency implementation. This
suggests these terms are relevant to how agencies conduct matching programs.
Methods of Computer Matching: Classic Computer Matching and
Front-End Verification
Classic Computer Matching
The House Committee on Government Operations described “classic computer matching” as
comparing many individual or organizational records from two or more separate databases.52
These records may be matched on name, SSN, address, government contract number, or other
identifiers.53 When the identification criterion for one record matches the same identification
criterion in another record, this is called “a match.”54

48 Ibid., p. 11.
49 See Appendix A for a perspective from the House Committee on Government Operations on OMB’s guidance on
matching programs.
50 OMB, “Privacy Act of 1974; Supplemental Guidance for Matching Programs,” 44 Federal Register 23139, April 18,
1979.
51 OMB, “Privacy Act of 1974; Revised Supplemental Guidance for Conducting Matching Programs,” 47 Federal
Register 21657, May 19, 1982.
52 U.S. Congress, House Committee on Government Operations, Computer Matching and Privacy Protection Act of
1988, report to accompany H.R. 4699, 100th Cong., 2nd sess., July 27, 1988, H.Rept. 100-802, p. 4.
53 U.S. Congress, Senate Committee on Governmental Affairs, The Computer Matching and Privacy Protection Act of
1987, report to accompany S. 496, 100th Cong., 2nd sess., September 15, 1988, S.Rept. 100-516, p. 2.
54 A match might also be called a “hit” or “raw hit” (see U.S. Congress, House Committee on Government Operations,
Computer Matching and Privacy Protection Act of 1988, report to accompany H.R. 4699, 100th Cong., 2nd sess., July
27, 1988, H.Rept. 100-802, p. 4; U.S. Congress, Senate Committee on Governmental Affairs, The Computer Matching
and Privacy Protection Act of 1987, report to accompany S. 496, 100th Cong., 2nd sess., September 15, 1988, S.Rept.
100-516, p. 16).
Congressional Research Service

8

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

Classic computer matching may be used to identify people enrolled in two programs, such as all
federal employees who receive a particular benefit under a federal benefit program.55 It may also
be used to identify and compare records that have a particular characteristic, such as to compare
federal program beneficiaries’ records with financial records to identify financial assets in excess
of a certain, specified amount.56
Front-End Verification
In “front-end verification,” matching is the technique of comparing information provided by a
single program applicant with data in other federal government files or with data in a separate
record system.57 This method of computer matching usually occurs at a very early stage—or the
front-end—of a longer application process for benefits, assistance, or employment. Front-end
verification acts as an initial filter for determining eligibility by verifying information provided
by an applicant.58 It may affect whether an individual can proceed to the next stage of the
application process and have the application further considered.
Matching Programs: Computer Matching for
Specific Purposes
The CMPPA defines matching program as any computerized comparison of two or more
automated systems of records or a system of records with nonfederal records for one of the
purposes defined in the CMPPA.59 Specifically, the CMPPA covers how agencies conduct
matching programs related to (1) federal benefit program administration and (2) the use of federal
personnel and payroll records.60
Administration of Federal Benefit Programs
The CMPPA covers computerized comparisons that are used for verifying or establishing the
eligibility of applicants for federal benefit programs, including those that provide cash, in-kind
assistance, and payments.61 These matching programs include those that determine the ongoing
eligibility of a current benefit program participant, such as confirming compliance with program-
specific statutory or regulatory requirements.
Computerized comparisons that are for the purpose of recouping of payments and debts made
under benefit programs are also covered by the CMPPA as matching programs.62

55 U.S. Congress, House Committee on Government Operations, Computer Matching and Privacy Protection Act of
1988, report to accompany H.R. 4699, 100th Cong., 2nd sess., July 27, 1988, H.Rept. 100-802, p. 4.
56 Ibid.
57 Ibid.
58 Ibid.
59 5 U.S.C. §552a(a)(8)(A)(i).
60 5 U.S.C. §552a(a)(8).
61 5 U.S.C. §552a(a)(8)(A)(i)(I).
62 5 U.S.C. §552a(a)(8)(A)(i)(II).
Congressional Research Service

9

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

Using Federal Personnel and Payroll Records
The CMPPA also covers computerized comparisons of automated federal personnel or payroll
records.63 Whereas the CMPPA states the particular purposes under which a matching program
can be used in benefit program administration, there is no direct reference to a particular purpose
with respect to federal personnel or payroll records.
In its report on the CMPPA, the Senate Committee on Governmental Affairs noted the risk
involved in matches of federal personnel or payroll records:
[H]istorically, many matching programs have involved the records of federal employees or
federal retirees…. Because the files on these individuals are most readily available to
agencies for use in matching programs, concerns have been raised that these individuals
are “captives” of matching programs and could, unless protected, be most vulnerable to
breaches of privacy in matching programs.64
OMB Guidance on Matching Programs Covered by
the CMPPA
The CMPPA requires OMB to issue guidance to agencies on implementing the law.65 OMB’s
Final Guidance Interpreting the Provisions of P.L. 100-503, the Computer Matching and Privacy
Protection Act of 1988 discusses the definition of matching program to include federal personnel
or payroll matches and federal benefit matches.66
Of federal personnel or payroll matches, OMB states that matches must be done for reasons other
than routine administrative purposes for the CMPPA to cover it as a matching program.67
Furthermore, OMB characterizes these matching programs to include “matches whose purpose is
to take any adverse financial, personnel, disciplinary, or other adverse action against federal
personnel.”68
Four Elements of Matching Programs Involving Federal Benefit
Programs
OMB’s guidance includes four elements within its characterization of a “federal benefits
matching program:” (1) the computerized comparison of data, (2) categories of subjects covered,
(3) types of programs covered, and (4) matching purpose. According to OMB, all four elements
must be present to be a matching program covered by the CMPPA.69

63 5 U.S.C. §552a(a)(8)(A)(ii).
64 U.S. Congress, Senate Committee on Governmental Affairs, The Computer Matching and Privacy Protection Act of
1987, report to accompany S. 496, 100th Cong., 2nd sess., September 15, 1988, S.Rept. 100-516, p. 11.
65 5 U.S.C. §552a(v)(1).
66 OMB, “Privacy Act of 1974; Final Guidance Interpreting the Provisions of P.L. 100-503, the Computer Matching
and Privacy Protection Act of 1988,” 54 Federal Register 25822-25823, June 19, 1989 (cited hereinafter as OMB,
“Final Guidance Interpreting the CMPPA”).
67 OMB, “Final Guidance Interpreting the CMPPA,” p. 25823.
68 OMB, “Final Guidance Interpreting the CMPPA,” p. 25824.
69 OMB, “Final Guidance Interpreting the CMPPA,” pp. 25822-25823.
Congressional Research Service

10

link to page 28 Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

Computerized Comparison of Data
In its guidance, OMB states that to be considered a matching program, the activity must involve a
computerized comparison and records from two or more automated systems of records or from an
agency’s automated system of records and automated records maintained by a nonfederal agency
(i.e., an agency or agent of state or local government).70 OMB provides three examples of
computerized comparisons of data.71
1. A state government employee accesses an automated federal system of records
and enters data received from an applicant that is maintained in an automated
form by the state government. The state employee matches this data with the
federal information, makes an eligibility determination, and updates the state’s
database.
2. A state government employee enters data about applicants for a federal benefit
program into an automated database. At the end of the week, the state
government sends current applicant “tapes” to a federal agency, which matches
the data with information in its automated system of records.72 The federal
agency reports results from the match to the state.
3. A federal agency operating a benefits program sends a tape with the information
of defaulters to the Office of Personnel Management (OPM) to match against an
OPM automated system of records that contains information about federal
retirees in order to locate defaulters.
OMB also addresses whether information received orally from an applicant by a state employee
and entered into a federal system of records constitutes a matching program.73 OMB believed that
the state government would likely create and maintain a record using information it had received
orally and entered into a federal system of records and, therefore, would be covered by the
CMPPA.74
OMB’s guidance does not directly mention or include front-end verification in its discussion of
the computerized comparison of data or its definition of matching program. However, front-end
eligibility verification programs is a term used by OMB in the context of one of the law’s
requirements for providing notice to individuals that their records may be used in a matching
program.75
Categories of Subjects
OMB’s guidance also describes three categories of subjects that are part of the definition of
matching program and thus covered by the CMPPA: (1) applicants for federal benefit programs

70 OMB, “Final Guidance Interpreting the CMPPA,” p. 25822.
71 OMB, “Final Guidance Interpreting the CMPPA.”
72 Data storage includes many technologies, which are constantly evolving. Despite the age of OMB’s guidance using
the term tape, the National Institute of Standards and Technology references tapes among other storage types in its
Security Guidelines for Storage Infrastructure, which was published in 2020. See Ramaswamy Chandramouli and
Doron Pinhas, Security Guidelines for Storage Infrastructure, U.S. Department of Commerce, National Institute of
Standards and Technology, October 2020, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-209.pdf.
73 OMB, “Final Guidance Interpreting the CMPPA,” p. 25819.
74 OMB, “Final Guidance Interpreting the CMPPA.”
75 OMB, “Final Guidance Interpreting the CMPPA,” p. 25825. The requirement to provide notice is discussed in
“Notifying Individuals of the Use of Their Information in a Matching Program.”
Congressional Research Service

11

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

(i.e., applicants initially applying for a benefits program); (2) program beneficiaries (i.e., program
participants who currently receive or formerly received benefits); and (3) providers of services
that support federal benefit programs (i.e., those that derive income from a program but are not its
primary beneficiaries).76
Types of Federal Benefit Programs
OMB defines matching program to cover federal benefit programs that provide cash or in-kind
assistance to individuals.77 For the purposes of the CMPPA, in-kind assistance includes payments,
grants, loans, or loan guarantees.78 Any program that does not involve cash or in-kind assistance
does not meet the definition of matching program and is not covered by the CMPPA.79
OMB also clarifies in its guidance that the benefit program has to be using records of citizens or
of aliens lawfully admitted for permanent residence for the matching to be subject to the
CMPPA.80
Matching Purpose
OMB’s guidance includes the purpose of matches as an element of matching programs involving
federal benefits. The CMPPA defines these purposes: to establish or verify eligibility for a federal
benefits program, verify compliance with a program’s statutory or regulatory requirements, and
recoup payments and debts under such benefit programs.81
OMB goes further, however, and states that should any element be missing—for example, a
matching purpose—then such matching would not be a matching program and would therefore
not be covered by the CMPPA.82
OMB provides an example of two agencies—the Department of Education and the Department of
Veterans Affairs—matching information of student loan recipients and education benefit
recipients. The purpose of the match is to maintain current addresses for these program
beneficiaries. Because the match is not for a purpose defined by the CMPPA, it is not a matching
program.83
GAO’s 2014 Report on Agency Interpretations of
Matching Programs
There is a lack of consistency across agencies in their interpretation of what constitutes a
matching program,84 which ultimately affects compliance. OMB, as part of its guidance

76 OMB, “Final Guidance Interpreting the CMPPA,” pp. 25822-25823.
77 OMB, “Final Guidance Interpreting the CMPPA,” p. 25823.
78 5 U.S.C. §552a(a)(12).
79 OMB, “Final Guidance Interpreting the CMPPA,” p. 25823.
80 OMB, “Final Guidance Interpreting the CMPPA,” The Privacy Act’s definition of individual—provided at 5 U.S.C.
§552a(a)(2)—applies to the CMPPA. Individual means “a citizen of the United States or an alien lawfully admitted for
permanent residence.”
81 OMB, “Final Guidance Interpreting the CMPPA;” 5 U.S.C. §552a(a)(8)(A)(I-II).
82 OMB, “Final Guidance Interpreting the CMPPA,” p. 25823.
83 OMB, “Final Guidance Interpreting the CMPPA,” p. 25823.
84 GAO, Computer Matching Act, p. 28.
Congressional Research Service

12

link to page 45 Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

interpreting the CMPPA, warned agencies against “engaging in activities intended to frustrate the
normal application of the act.”85 OMB also states that it is “extremely concerned that agencies not
adopt data exchange practices that deliberately avoid the reach of the act where compliance
would otherwise be required.”86
According to a 2014 report, GAO found that three of the seven agencies it reviewed had narrow
understandings of the scope of matching program.87 Officials at these three agencies had
interpreted that compliance with the CMPPA was required only when matching programs
involved an entire system of records against another database,88 similar to the “classic computer
matching” method. For example, some agencies believed that the act did not apply to matching of
a single record, single-record queries of systems of records, or front-end verification even if such
matching was for one of the purposes defined by the CMPPA.89 Conversely, GAO found that
another three of the seven agencies it reviewed considered front-end verification or front-end
queries to require compliance with the CMPPA.90 GAO stated that
varying agency interpretations of the scope of the act are partially due to unclear guidance
from OMB on this subject. OMB’s 1989 matching guidance includes examples of front-
end verification programs that are covered by the act, but none of OMB’s guidance
documents indicate specifically whether queries are subject to the act…. Without clear
guidance on the scope of the act, agencies are likely to continue to interpret what the act
covers in varying ways, and its privacy protections are likely to continue to be
inconsistently applied.91
Defining Parties to a Matching Program
A matching program involves two or more federal agencies or a federal agency and a state or
local government or an agency thereof.92 The CMPPA accounts for the different roles an agency
plays by defining recipient agency and source agency.93
A recipient agency receives information contained in a system of records from a source agency.94
A source agency discloses information to a recipient agency.95 A recipient agency may disclose
information that it matches back to the source agency.96

85 OMB, “Final Guidance Interpreting the CMPPA,” p. 25818.
86 OMB, “Final Guidance Interpreting the CMPPA,” p. 25818.
87 GAO, Computer Matching Act, pp. 14-17.
88 GAO, Computer Matching Act, p. 15.
89 GAO, Computer Matching Act, p. 15.
90 GAO, Computer Matching Act, p. 16.
91 GAO, Computer Matching Act, p. 17.
92 Two or more federal agencies are usually involved in a matching program because matches that use only records
from one agency’s system of records are excepted from the definition of matching program. See OMB, “Final
Guidance Interpreting the CMPPA,” p. 25824; 5 U.S.C. §552a(a)(8)(B)(v)(II).
93 Recipient agency is defined at Title 5, Section 552a(a)(9), of the U.S. Code. Source agency is defined at Title 5,
Section 552a(a)(11).
94 5 U.S.C. §552a(a)(9).
95 5 U.S.C. §552a(a)(11).
96 For example, the IRS sends back to DOJ the addresses it has found for the individuals from whom DOJ is seeking to
collect debts (see IRS, DOJ, “Computer Matching Agreement Between Department of the Treasury Internal Revenue
Service and Department of Justice for the Taxpayer Address Request Program”). In 0 there are examples of matching
programs where the recipient agency does not send records back to the source agency.
Congressional Research Service

13

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

A source agency is either a (1) federal executive branch agency or (2) a state or local government,
including an agency thereof.97 A recipient agency is a federal agency or one of its contractors. The
CMPPA does not specifically name nonfederal agencies (i.e., state or local governments) in the
definition of recipient agency. Certain federal benefit programs, however, may address
circumstances when a nonfederal agency receives records disclosed to it by a federal agency.
State and Local Governments as Recipients of Federal Data
Existing statutes may imply that a state or local government can be the recipient of records from a
federal agency, even if nonfederal governments are not specifically included in the definition of
recipient agency enacted by the CMPPA.
The definition of nonfederal agency in the CMPPA references state and local governments
receiving records from a federal agency for a matching program. As defined by the CMPPA,
nonfederal agency means any state or local government, or agency thereof, that receives records
contained in a system of records from a federal source agency for use in a matching program.98
For example, the Food and Nutrition Service (FNS) within the U.S. Department of Agriculture
published a notice in the Federal Register of a matching program between FNS and the state
agencies that administer the Supplemental Nutrition Assistance Program (SNAP).99 The matching
notice indicates that state agencies are able to access a national database—the Electronic
Disqualified Recipient System (eDRS)—maintained by FNS to determine whether an applicant
for SNAP has been disqualified from receiving SNAP benefits in any state because of an
intentional program violation (IPV).100 FNS previously published a rule requiring each state
agency to (1) report to eDRS information on individuals disqualified from SNAP because of an
IPV and (2) access eDRS to check for disqualifications.101
According to a set of matching notices published in the Federal Register, the Federal
Communications Commission, via the Universal Service Administrative Company, sends
information on Emergency Broadband Benefit Program (EBBP) applicants to certain state
agencies, including, at a minimum, names, birth dates, and the last four digits of SSNs.102 These
state government agencies then match that information to their SNAP and Medicaid recipient
records to confirm eligibility for the EBBP.

97 5 U.S.C. §552a(a)(11).
98 5 U.S.C. §552a(a)(10).
99 FNS, “Privacy Act of 1974; Computer Matching Program,” 86 Federal Register 54-55, January 4, 2021. The
CMPPA requires published notice in the Federal Register of a new or revised matching program (5 U.S.C.
§552a(e)(12)).
100 FNS, “Privacy Act of 1974; Computer Matching Program,” 86 Federal Register 55, January 4, 2021.
101 7 C.F.R. §273.16(i)(2); 7 C.F.R. §273.16(i)(4).
102 Federal Communications Commission, “Privacy Act of 1974; Matching Program,” 86 Federal Register 56266,
October 8, 2021 (notice of a matching program with the Connecticut Department of Social Services); Federal
Communications Commission, “Privacy Act of 1974; Matching Program,” 87 Federal Register 12167-12168, March 3,
2022 (notice of a matching program with the Virginia Department of Social Services); Federal Communications
Commission, “Privacy Act of 1974; Matching Program,” 87 Federal Register 12454, March 4, 2022 (notice of a
matching program with the Washington State Department of Social and Health Services, Economic Services
Administration).
Congressional Research Service

14

link to page 32 link to page 45 Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

Key Statutory Requirements for Matching Programs
Matching Agreements
Generally, the CMPPA requires a written matching agreement between a source agency and a
recipient agency prior to the disclosure and matching of records.103 The law also prescribes the
information that must be included in a matching agreement.104 Among other details, matching
agreements are to include:
 the justification for the program and the anticipated results, including a specific
estimate of any savings;
 a description of the records that will be matched, including each data element to
be used, the approximate number of records that will be matched, and the
anticipated start and completion dates of the matching program (see Table B-1
for examples);
 procedures for providing notice to an individual that information provided may
be subject to verification through a matching program; and
 procedures for verifying information produced in a matching program.105
A matching agreement is not effective until 30 days after a copy has been sent to the Senate
Committee on Homeland Security and Governmental Affairs and the House Committee on
Oversight and Reform.106 For more information on the roles committees play in receiving
information on matching programs, see “Reporting from Agencies to OMB and Congress” within
this report.
Matching agreements are valid for an initial 18-month period.107 Within three months of the
expiration of the initial agreement, the agreement may be renewed for one additional year if the
matching program will be conducted without any change.108
Matching agreements are also to be made available to the public.109 In OMB’s Circular No. A-
108, “Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy
Act,” each agency with one or more matching programs is to list and provide links to up-to-date
matching agreements for all active matching programs on the agency’s Privacy Act website.110

103 5 U.S.C. §552a(o)(1).
104 5 U.S.C. §552a(o)(1)(A-K).
105 For a complete enumeration of what matching agreements are to include, see 5 U.S.C. §552a(o)(1)(A-K). These
requirements are also summarized in 0.
106 5 U.S.C. §552a(o)(2)(B). The statute provides the names of committees that have since been renamed. The
committee names used here are the most current.
107 5 U.S.C. §552a(o)(2)(C).
108 5 U.S.C. §552a(o)(2)(D).
109 5 U.S.C. §552a(o)(2)(A)(ii).
110 In Circular No. A-108, OMB directs agencies to create a webpage that includes, at a minimum, various materials
related to the agency’s implementation of the Privacy Act, including the CMPPA. See OMB, Circular No. A-108,
“Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act,” December 23, 2016,
p. 30, https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A108/omb_circular_a-
108.pdf.
Congressional Research Service

15

link to page 21 Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

Data Integrity Boards
An agency that conducts a matching program—either as a source or recipient agency—must
establish a Data Integrity Board (DIB).111 Nonfederal agencies are not required to establish
DIBs.112
An agency’s DIB approves or declines a proposed matching program and executes matching
agreements. Among other responsibilities under the CMPPA, the board is to assess cost-benefit
analyses of matching programs and review on an annual basis any existing matching programs in
which the agency participates to assess the continued justification for the agency’s
participation.113 The board is to compile an annual report describing the agency’s matching
activities and submit the report to OMB and the head of the agency.114
The CMPPA directs the head of the agency participating in a matching program to appoint certain
senior officials within the agency to the DIB. Each DIB must include any senior official within
the agency responsible for implementation of the Privacy Act and the inspector general (IG) if the
agency has an IG.115 The IG, however, cannot chair the board.116 OMB recommends that the
agency Privacy Act officer be secretary of the board.117 OMB also suggests that much of the
board’s work, except for the approval of matching agreements, can be delegated to less senior
members.118 Agencies must report changes to the board’s membership in the annual report
compiled by the DIB.119
Table 1 shows examples of the variation in DIB membership composition across three agencies,
including variation in the number of board members and in titles and roles represented on the
board. One of the examples is of an agency where a member of the board—the chief privacy
officer—has designated members to the board.120

111 5 U.S.C. §552a(u)(1).
112 OMB, “Final Guidance Interpreting the CMPPA,” p. 25825.
113 5 U.S.C. §552a(u)(3).
114 5 U.S.C. §552a(u)(3)(D).
115 5 U.S.C. §552a(u)(2). For more information on IGs within agencies, see CRS Report R45450, Statutory Inspectors
General in the Federal Government: A Primer, by Ben Wilhelm.
116 5 U.S.C. §552a(u)(2).
117 OMB, “Final Guidance Interpreting the CMPPA,” p. 25827.
118 OMB, “Final Guidance Interpreting the CMPPA,” pp. 25827-25828.
119 5 U.S.C. §552a(u)(3)(D)(iii).
120 U.S. Department of Homeland Security, Privacy Office, Computer Matching Agreements Annual Report Covering
the Period January 1, 2020-December 31, 2020, October 21, 2021, pp. 4-5, https://www.dhs.gov/sites/default/files/
publications/2020_cma_annual_report.pdf.
Congressional Research Service

16

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

Table 1. Data Integrity Board Membership Composition for Selected Agencies
In Calendar Year 2020
Department of Homeland
Department of Health and
Social Security Administration
Security
Human Services
Chief Privacy Officer (Chairperson)
Assistant Secretary for
Executive Director, Office of
Inspector General
Administration (Chairperson)
Privacy and Disclosure
(Chairperson)
Senior Director of Policy and
Deputy Agency Chief Freedom of
Oversight, Privacy Office
Information Act Officer and Privacy
Deputy Commissioner for
Act Senior Agency Official for
Retirement and Disability Policy
Attorney, Office of General
Privacy
Counsel
Deputy Commissioner for Systems
Principal Deputy Inspector General
and Chief Information Officer
Members designated by the Chief
Privacy Officer:
Assistant Deputy Associate General Deputy Commissioner for
Counsel
Operations
Chief Information Officer
Inspector General for Social
Deputy Officer for Programs and
Security
Compliance
Deputy Commissioner for Budget,
Deputy Director of Operations,
Finance, and Management
U.S. Citizenship and Immigration
Services
Deputy Commissioner for
Legislation and Congressional
Associate Administrator, Office of
Affairs
Policy and Program Analysis,
Federal Emergency Management
Agency
Chief Data Officer/Assistant
Director, Immigration and Customs
Enforcement
Sources: U.S. Department of Homeland Security, Privacy Office, Computer Matching Agreements Annual Report
Covering the Period January 1, 2020-December 31, 2020, October 21, 2021, https://www.dhs.gov/sites/default/files/
publications/2020_cma_annual_report.pdf; U.S. Department of Health and Human Services, “2020 HHS Annual
Computer Matching Report,” December 13, 2021, https://www.hhs.gov/foia/privacy/cmas/2020-hhs-annual-
computer-matching-report.html; Social Security Administration, “2020 Annual Matching Activity Report,”
https://www.ssa.gov/privacy/cma/2020%20Annual%20Matching%20Activity%20Report.pdf.
Notes: Agencies selected based on the availability of the DIBs’ annual report for 2020. The agencies included in
the table were among those also selected by GAO for its 2014 report, “Computer Matching Act: OMB and
Selected Agencies Need to Ensure Consistent Implementation,” because of their benefits and assistance program
expenditures (p. 2).
Cost-Benefit Analyses
The House Committee on Government Operations in 1988 noted in its report accompanying H.R.
4699 that proponents of computer matching believed it yielded savings to the federal government
through reductions in fraud, waste, and abuse in benefit programs.121
The committee thought that computer matching should be permitted only if a benefit to the
government could be demonstrated.122 It stated that “the cost effectiveness of computer matching
has yet to be clearly demonstrated. This is the conclusion that can be drawn from recent studies

121 U.S. Congress, House Committee on Government Operations, Computer Matching and Privacy Protection Act of
1988, report to accompany H.R. 4699, 100th Cong., 2nd sess., July 27, 1988, H.Rept. 100-802, p. 11.
122 Ibid.
Congressional Research Service

17

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

by GAO and OTA.”123 The committee, however, citing a GAO report, saw value in cost-benefit
analyses for determining the cost effectiveness of matching programs.124
The CMPPA generally requires an agency to assess the costs and benefits of a proposed matching
program before approving a matching agreement.125 These cost-benefit analyses are to
demonstrate that the computer matching is likely to be cost effective in order for the matching
agreement to receive approval.126 Matching agreements are to include the specific estimate of
savings.127
In its guidance, OMB advises that a recipient agency conduct the cost-benefit analysis for a
proposed matching program and share the results with the source agency to aid in the source
agency’s decisionmaking to participate in the matching program.128
While a matching agreement is to include specific estimates of any savings, OMB’s guidance
cautions against literal interpretations of the cost-effectiveness requirement. In an example, OMB
says that the first year of a matching program may yield a highly favorable benefit-to-cost ratio,
but the ratio may be less favorable in subsequent years because its deterrent effect on fraud, for
example, is no longer as dramatic.129 OMB also advises agencies to consider the costs of not
conducting a matching program when estimating costs and benefits.130
Waiving the Cost-Benefit Analysis Requirement
The CMPPA’s requirement to assess costs and benefits can be waived under one of two
circumstances:
1. The DIB determines that, in accordance with guidance issued by OMB, a cost-
benefit analysis is not required; or
2. An existing statute requires a matching program.131
In the latter scenario, a cost-benefit analysis is to be performed upon the expiration of the initial
18-month matching agreement and before the DIB approves a renewal of the agreement.132
Furthermore, according to OMB’s guidance, cost-benefit analyses of matching programs required
by statute do not need to demonstrate a financial savings or suggest cost-effectiveness, but the
analysis must be done nevertheless to extend the matching program for one year.133

123 Ibid., p. 13.
124 Ibid., p. 12.
125 5 U.S.C. §552a(u)(4).
126 5 U.S.C. §552a(u)(4)(A).
127 5 U.S.C. §552a(o)(1)(B).
128 OMB, “Final Guidance Interpreting the CMPPA,” p. 25825.
129 OMB, “Final Guidance Interpreting the CMPPA,” p. 25828.
130 OMB, “Final Guidance Interpreting the CMPPA,” p. 25828.
131 5 U.S.C. §552a(u)(4)(B); 5 U.S.C. §552a(u)(4)(C).
132 5 U.S.C. §552a(o)(2)(C-D).
133 OMB, “Final Guidance Interpreting the CMPPA,” p. 25828.
Congressional Research Service

18

link to page 24 Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

Cost-Benefit Analysis Methods
The CMPPA does not specify the elements to be considered in a cost-benefit analysis of a
matching program but rather directs OMB to develop guidance to agencies on implementation.134
OMB’s guidance suggests agencies consult the 1986 GAO report “Computer Matching:
Assessing its Costs and Benefits” to inform their cost-benefit analyses.135 GAO’s cost-benefit
methodology includes estimating two key costs (personnel and computer costs) and two key
benefits: (1) avoidance of future improper payments and (2) recovery of improper payments and
debts.136
In its 2014 report, GAO found that most matching agreements for the agencies GAO examined
did not assess the key elements included in GAO’s 1986 methodology report.137 In its guidance,
OMB stated that it would develop “a checklist providing a step-by-step methodology for
accomplishing benefit-cost analysis,”138 but it appears to GAO that no such checklist has been
made available to agencies.139
Table 2 provides an illustration of the reported savings, costs, and cost-benefit ratios reported in
the matching agreements of some matching programs. In these examples, some agreements report
only costs or only savings. Without both costs and savings, it is difficult to ascertain the financials
of matching programs. Even where matching is required by law, missing information in matching
agreements on costs and savings is consequential for understanding the economics of matching
that Congress required in statute.

134 5 U.S.C. §552a(v)(1); GAO, Computer Matching Act, p. 11.
135 OMB, “Final Guidance Interpreting the CMPPA,” p. 25828; GAO, Computer Matching: Assessing Its Costs and
Benefits, PEMD-87-2, November 10, 1986.
136 GAO, in its 2014 report, characterizes its 1986 report as identifying these four key elements (GAO, Computer
Matching Act, p. 18). In its 1986 report, GAO is less specific about there being only two components within the cost
category, instead identifying five major cost categories of computer matching to include “all resources spent on its
activities,” such as (1) personnel, (2) time, (3) facilities, (4) materials, and (5) travel costs. However, GAO’s 1986
report describes only two categories of benefits: “In terms of dollars, the two major benefits are (1) the avoidance of
overpayments and (2) the recovery of overpayments and debts” (GAO, Computer Matching, pp. 53, 71).
137 GAO, Computer Matching Act, p. 19.
138 OMB, “Final Guidance Interpreting the CMPPA,” p. 25821.
139 GAO, Computer Matching Act, p. 19.
Congressional Research Service

19

link to page 26 link to page 26 link to page 26 link to page 26
Table 2. Reported Savings of Selected Matching Programs
Conducted in Calendar Year 2022
Benefit-
Purpose of Matching
Statutory
Matching
Estimated
Estimated
Cost
Program
Requirement
Requireda
Source Agency
Recipient Agency
Savings
Costs
Ratio
(1) To identify Housing and
Prevent
No
HUD
Department of
$101,500,000b
$791,585b
128:1
Urban Development (HUD)
duplication of
Homeland Security
program recipients
assistance because
(DHS), FEMA
participating in Federal
of a major disaster
Emergency Management
of emergency
Agency (FEMA) programs
under any
because of a declared
program, from
disaster or emergency and
insurance, or
return them to HUD housing through any other
assistance and prevent
source (42 U.S.C.
duplication of benefits; (2) to
§5155)
develop funding formulas to
request additional
appropriations from
Congress and to allocate
funding for Community
Development Block Grant-
Disaster Recovery grant
awards; and to prevent
duplication of benefits
To assist in determining
Determine
Yes (42 U.S.C.
DHS, U.S.
Department of
Not specified
$30,500,000
Not
whether an applicant is
whether an
§18081(c)(4)(A))
Citizenship and
Health and Human
specifiedc
lawfully present, a qualified
individual enrolling
Immigration
Services (HHS),
non-citizen, a naturalized or
in a Qualified
Services
Centers for
derived citizen and whether
Health Plan is a
Medicare and
the five-year waiting period
U.S. citizen,
Medicaid Services
applies and has been satisfied
national, or non-
(CMS)
for the purpose of
citizen lawfully
determining eligibility for
present (42 U.S.C.
enrollment in a Qualified
§18081(c)(2)(B))
Health Plan or for one or
more exemptions
CRS-20

link to page 26 link to page 27
Benefit-
Purpose of Matching
Statutory
Matching
Estimated
Estimated
Source Agency
Recipient Agency
Cost
Program
Requirement
Requireda
Savings
Costs
Ratio
To determine eligibility for
Unearned income
No
Department of
Department of
$52,620,000e
Not specified
Not
and amount of benefits for
information from
Treasury, Internal
Veterans Affairs
specified
applicants and beneficiaries of tax returns may
Revenue Service
(VA), Veterans
needs-based benefits and to
be disclosed for
(IRS)
Benefit
adjust income-dependent
the purposes of
Administration
benefit payments
determining
eligibility and
amount of
benefits (Internal
Revenue Code of
1986, Section
7(B))
Sources: Information in the table is from matching agreements reviewed by CRS that were publicly available. See HUD, FEMA, “Computer Matching Agreement
between United States Department of Homeland Security (DHS) Federal Emergency Management Agency (FEMA) and United States Department of Housing and Urban
Development (HUD),” https://www.dhs.gov/sites/default/files/2022-02/3.%20DHS%20FEMA%20Department%20HUD%20CMA_0.pdf; DHS, HHS, “Computer Matching
Agreement between Department of Health and Human Services Centers for Medicare and Medicaid Services and the Department of Homeland Security United States
Citizenship and Immigration Services for the Verification of United States Citizenship and Immigration Status Data for Eligibility Determinations,” https://www.dhs.gov/
sites/default/files/publications/4-2020_final_cms_cma.pdf; DHS, SBA, “Computer Matching Agreement between U.S. Small Business Administration and U.S. Department
of Homeland Security Federal Emergency Management Agency,” https://www.dhs.gov/sites/default/files/publications/2-fema_sba.pdf; HHS, SSA, “Computer Matching
Agreement between Social Security Administration and U.S. Department of Health and Human Services Administration for Children and Families Office of Child Support
Enforcement,” https://www.hhs.gov/sites/default/files/acf-ssa-cma-2003.pdf; IRS, VA, “Computer Matching Agreement between the Department of Treasury Internal
Revenue Service and the Department of Veterans Affairs Veterans Benefits Administration for the Disclosure of Information to Federal, State, and Local Agencies
(DIFSLA),” https://www.oprm.va.gov/docs/CMA/DIFSLA_Restablishment_CMA_IRS_VBA_01012021_06302022_Final.pdf.
Notes: Matching agreements were selected with effective dates that included one or more months in calendar year 2022. The agencies included in the table were among
those also selected by GAO for its 2014 report “Computer Matching Act: OMB and Selected Agencies Need to Ensure Consistent Implementation” because of their
benefits and assistance programs expenditures (p. 2). Dollar amounts are provided as they are reported in the matching agreements to which they correspond and have
not been adjusted for any inflation. In some cases, the estimate is a total calculated by CRS based on components of costs or savings as they are reported in the matching
agreement to which they corresponded.
a. The statute requirement may not specifically or explicitly require a matching program as defined in the CMPPA and, instead, may refer to a “matching” requirement
generically. Despite the lack of precision in the statutory language, the table includes examples from agencies that have entered into matching agreements and
conduct such matching under the requirements for matching programs established by the CMPPA.
b. CRS calculation of information provided in the matching agreement. The ratio is provided in the agreement.
c. The matching agreement states that the cost-benefit analysis covers this matching program between DHS and CMS and seven other mandatory “marketplace”
matching programs that CMS conducts with other federal agencies. Therefore, the cost reported is the total for all eight matching programs. Furthermore, the
matching agreement states that the cost-benefit analysis “does not quantify direct government cost saving benefits sufficient to estimate whether they offset such
CRS-22

costs. The[analysis], therefore, does not demonstrate that the matching program is likely to be cost-effective and does not provide a favorable benefit/cost ratio” (p.
8).
d. The matching agreement refers to an “SBA Cost Benefit Analysis document” in a footnote to the estimated savings (p. 6). That document is not part of the matching
agreement CRS accessed and downloaded from DHS’s “Computer Matching Agreements and Notices” webpage. Costs may have been estimated in that document
but were not available to CRS.
e. The estimated savings for the matching program between IRS and VA are for FY2021 and FY2022. Matching agreements take various approaches to the time frames
for the estimates they include. For example, the matching agreement between HHS and SSA (row four of the table) references costs and savings for FY2018; the
specific matching agreement that includes such savings was effective as of May 27, 2020, for the next 18-months (expiring November 26, 2022). In the matching
agreement between FEMA and HUD, the costs and savings are for a seven-year period of time that includes, but also extends beyond, the term of the matching
agreement.

CRS-23

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

Notifying Individuals of the Use of Their Information in a
Matching Program
A source agency must obtain an individual’s consent as a condition of disclosing that individual’s
records to a recipient agency in a matching program.140 The agency disclosing records can either
(1) obtain written consent directly from the individual or (2) use an exception to consent as
permitted in Title 5, Section 552a(b), of the U.S. Code.141
The CMPPA requires that matching agreements include procedures for providing individualized
notice at the time of application, and periodic notice thereafter, to (1) applicants for and recipients
of financial assistance or payments under federal benefit programs and (2) applicants for and
holders of positions as federal personnel.142
OMB identifies two ways an agency can provide notice to individuals: direct notice and
constructive notice.143
Direct Notice
OMB describes direct notice as when there is some form of contact between the government and
the individual.144 It may include information provided on an application form. For “front-end
eligibility verification programs,” OMB suggests that agencies enlarge the statement on an
application form that is required by Title 5, Section 552a(e)(3), to notify individuals that the
information they provide is subject to matching.145
Providers of services should also be given notice on the form they use to apply for reimbursement
for the services they provide.146
After an initial notice to an individual at the time of application, the CMPPA requires periodic
notice as directed by the DIB and subject to OMB guidance.147 The act does not define periodic
or impose any specific timing requirements. OMB’s guidance to agencies is that periodic notice
should be provided whenever the application is renewed, or at least while the match is authorized,
and that such periodic notice should accompany the benefit.148

140 OMB, “Final Guidance Interpreting the CMPPA,” p. 25825.
141 OMB, “Final Guidance Interpreting the CMPPA,” p. 25825.
142 5 U.S.C. §552a(o)(1)(D)(i-ii).
143 OMB, “Final Guidance Interpreting the CMPPA,” p. 25825.
144 OMB, “Final Guidance Interpreting the CMPPA,” p. 25825.
145 OMB, “Final Guidance Interpreting the CMPPA,” p. 25825.Title 5, Section 552a(e)(3), of the U.S. Code requires
that an agency inform individuals whom it asks to supply information, on a form used to collect such information, of
the following: (1) the authority that authorizes the solicitation of the information and whether the disclosure of that
information is mandatory or voluntary, (2) the principal purpose(s) for which the information is intended to be used, (3)
the routine uses that may be made of the information, and (4) the effects of not providing any or all of the requested
information.
146 OMB, “Final Guidance Interpreting the CMPPA,” p. 25825.
147 5 U.S.C. §552a(o)(1)(D).
148 OMB, “Final Guidance Interpreting the CMPPA,” p. 25825.
Congressional Research Service

24

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

Constructive Notice
Another way of providing notice to individuals is through constructive notice. This type of notice
includes notices that are published in the Federal Register. The CMPPA requires a recipient
agency to publish a notice in the Federal Register of a matching program 30 days prior to starting
such program.149 OMB’s Circular No. A-108 indicates that if a nonfederal agency is the recipient
agency, then the federal agency providing the records (i.e., the source agency) is required to
publish the notice.150
OMB stipulates that such constructive notice for a matching program might be necessary in
“emergency situations where health and safety reasons argue for a swift completion of a match,”
in cases where the matching program is to locate a person, or in other situations where it is not
possible to provide direct notice to individuals.151
Notice to an individual of a matching program is effectively constructive when an agency relies
on one of the Privacy Act’s statutory exceptions to written consent, because the recipient agency
is still required to publish notice of a matching program in the Federal Register.
For example, notice procedures are detailed in the matching agreement between the Small
Business Administration (SBA) and the Department of Homeland Security (DHS).152 The
agreement specifies that each agency has published a system of records notice153 in the Federal
Register that notifies applicants and recipients of the respective programs that their information
may be subject to verification through a matching program.154 Additionally, the agreement states
that for SBA recipients specifically, several of SBA’s application forms provide notice to
applicants that information may be disclosed under a routine use155 published in the system of
records notice.156
Verifying the Accuracy of Information Produced in Matching
Programs
The CMPPA requires agencies to independently verify the accuracy of information produced in a
matching program prior to suspending, terminating, reducing, or making a final denial of any
assistance or payment to an individual.157 When first passed in 1988, the CMPPA provided that no
agency was to take adverse action against an individual whose records are matched in a matching

149 5 U.S.C. §552a(e)(12).
150 OMB, Circular No. A-108, p. 19.
151 OMB, “Final Guidance Interpreting the CMPPA,” p. 25825.
152 SBA, DHS, “Computer Matching Agreement Between U.S. Small Business Administration and U.S. Department of
Homeland Security Federal Emergency Management Agency,” https://www.dhs.gov/sites/default/files/2022-02/
2.%20FEMA%20%26%20SBA%20CMA.pdf.
153 Agencies are required to publish a system of records notice in the Federal Register by Title 5, Section 552a(e)(4), of
the U.S. Code.
154 SBA, DHS, “Computer Matching Agreement Between U.S. Small Business Administration and U.S. Department of
Homeland Security Federal Emergency Management Agency,” p. 9, https://www.dhs.gov/sites/default/files/2022-02/
2.%20FEMA%20%26%20SBA%20CMA.pdf.
155 Routine use is defined at Title 5, Section 552a(a)(7), of the U.S. Code. The Privacy Act permits an agency to
disclose a record without written request or prior written consent of the individual to whom the record pertains for a
routine use (5 U.S.C. §552a(b)(3)).
156 SBA, DHS, “Computer Matching Agreement,” p. 10.
157 5 U.S.C. §552a(p)(1)(A)(i).
Congressional Research Service

25

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

program without first independently verifying any information that was produced by the matching
program and used as a basis for the adverse action.158 This requirement was amended in 1990 to
add a role for an agency’s DIB and to resolve conflicts that stemmed from existing laws
governing federal benefit programs.159
The 1990 amendment to the CMPPA allows either for an agency to independently verify
information, as before, or for the DIB of the recipient agency to waive the requirement.160 As the
statute stands today, the DIB can waive the independent verification requirement if (1) it
determines that the information used as the basis for an adverse decision against an individual is
specific to the information identifying the individual (e.g., name, address, an identification
number) and to the amount of benefits paid to the individual by the source agency;161 and (2) it
has a “high degree of confidence” in the accuracy of the information received from the source
agency that is used in the match.162
On the amended verification requirement, the House Committee on Government Operations
reported:
The purpose of the independent verification requirement is to assure that the rights of
individuals are not affected automatically by computers without human involvement and
without taking reasonable steps to determine that the information relied upon is accurate,
complete, and timely. No one should be denied any right, benefit, or privilege simply
because his or her name was identified in a match as a “raw hit.” There can be no general
presumption that information obtained from a computer is necessarily correct.163
Some matching programs may still use independent verification procedures despite the waiver
provision enacted by Congress in 1990. For example, HHS provides access to new hire and
quarterly wage information from the National Directory of New Hires (NDNH) to the state
agencies that administer the unemployment compensation program.164 The matching agreement
between HHS and the state agency includes the following condition:
[T]he state agency understands that information obtained from the NDNH is not conclusive
evidence of the address and employment information of an identified individual and must,

158 P.L. 100-503, §2 (102 Stat. 2508-2509). Specifically, Title 5, Section 552a(p)(2) at the time specified “any
information used as a basis for an adverse action against an individual, including, where applicable—(A) the amount of
the asset or income involved; (B) whether such individual actually has or had access to such asset or income for such
individual’s own use, and (C) the period or periods when the individual actually had such asset or income.”
159 P.L. 101-508, §7201 (104 Stat 1388-334); U.S. Congress, Committee on Government Operations, Computer
Matching and Privacy Protection Amendments of 1990, report to accompany H.R. 5450, 101st Cong., 2nd sess.,
September 27, 1990, H.Rept. 101-768, pp. 4-5, 7.
160 The Committee on Government Operations said in its report on H.R. 5450, “The role of the Data Integrity Board in
the alternate verification process is to determine that information is limited to identification and amount of benefits paid
by the source agency under a federal benefit program and that there is a high degree of confidence that the information
provided to the recipient agency is accurate. These determinations must be made by the Data Integrity Board of the
recipient agency” (U.S. Congress, Committee on Government Operations, Computer Matching and Privacy Protection
Amendments of 1990, report to accompany H.R. 5450, 101st Cong., 2nd sess., September 27, 1990, H.Rept. 101-768, p.
5).
161 U.S. Congress, Committee on Government Operations, Computer Matching and Privacy Protection Amendments of
1990, report to accompany H.R. 5450, 101st Cong., 2nd sess., September 27, 1990, H.Rept. 101-768, p. 4.
162 Ibid., p. 5; 5 U.S.C. §552a(p).
163 U.S. Congress, Committee on Government Operations, Computer Matching and Privacy Protection Amendments of
1990, report to accompany H.R. 5450, 101st Cong., 2nd sess., September 27, 1990, H.Rept. 101-768, p. 4.
164 For more information on the NDNH, see CRS Report RS22889, The National Directory of New Hires: In Brief, by
Jessica Tollestrup.
Congressional Research Service

26

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

in accordance with 5 U.S.C. §552a(p)(2), independently verify the NDNH information
before taking adverse action to deny, reduce, or terminate benefits.165
OMB’s Guidance on Verification Procedures
Congress instructed OMB to issue guidance on implementing the 1990 amendment on
verification procedures.166 OMB published proposed guidance in the Federal Register and sought
comments, including on the types of evidence that may permit a DIB to reach a “high degree of
confidence” in the accuracy of data produced in a matching program.167 No guidance in final form
was subsequently published, but OMB provides a link to the proposed guidance on its
Information and Regulatory Affairs webpage with privacy guidance, suggesting that the proposed
guidance is, at least, the prevailing guidance to agencies.168
Providing Individuals with an Opportunity to Contest Information
Used Against Them
The CMPPA also requires an agency to provide notice to an individual if its findings from a
matching program will result in denying, terminating, suspending, or reducing any financial
assistance or payment to that individual under a federal benefit program.169 Additionally,
individuals are allowed time to contest such findings.170
When the CMPPA was first passed, it required all federal benefit programs to allow 30 days for
individuals to respond to notices.171 However, some programs at the time were operating under
statutes or regulations that permitted fewer than 30 days.172 The 1990 amendment to the CMPPA
allowed the notice period to vary with program-specific statutes and regulations.173 Thus, how
much time an individual has to respond depends on whether statute or regulation for the specific
benefit program establishes a time period to respond or, if no such statute or regulation exists,
within 30 days of receiving notice.174

165 HHS, “Computer Matching Agreement between U.S. Department of Health and Human Services, Administration
for Children and Families, Office of Child Support Enforcement and State Agency Administering the Unemployment
Compensation Program,” p. 12, https://www.hhs.gov/sites/default/files/acf-uc-cma-2001.pdf.
166 P.L. 101-508, §7201(b); 104 Stat. 1388-334-1388-335.
167 OMB, “The Computer Matching and Privacy Protection Amendments of 1990 and the Privacy Act of 1974,” 56
Federal Register 18599-18601, April 23, 1991.
168 OMB, Office of Information and Regulatory Affairs, “Privacy Guidance, 1990s,” webpage, accessed on September
14, 2022, https://www.whitehouse.gov/omb/information-regulatory-affairs/privacy/.
169 5 U.S.C. §552a(p)(1)(B).
170 5 U.S.C. §552a(p)(1)(B).
171 P.L. 100-503, §2; 102 Stat. 209.
172 U.S. Congress, House Committee on Government Operations, Subcommittee on Government Information, Justice,
and Agriculture, Computer Matching and Privacy Protection Amendments of 1990, hearing on H.R. 5450, 101st Cong.,
2nd sess., September 11, 1990, pp. 9-10.
173 U.S. Congress, House Committee on Government Operations, Computer Matching and Privacy Protection
Amendments of 1990, report to accompany H.R. 5450, 101st Cong., 2nd sess., September 27, 1990, H.Rept. 101-768, p.
7.
174 5 U.S.C. §552a(p)(1)(C)(i-ii). The 30-day period starts when the notice is either mailed or otherwise provided to the
individual (5 U.S.C. §552a(p)(1)(C)(ii)).
Congressional Research Service

27

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

Reporting
The CMPPA included several reporting mechanisms that have changed over the years through
various congressional actions.
Reporting from OMB to Congress
Congress included in the CMPPA a requirement for OMB to report to Congress.175 This reporting
was to consolidate the reports that DIBs submitted to OMB and, specifically, was to include
details on the cost-benefit analyses of matching programs, including the waiver of those analyses
by DIBs.176
In addition, OMB is to biennially report to Congress more broadly on the implementation and
administration of the Privacy Act, including the CMPPA.177 This reporting requirement, however,
effectively ceased when Congress passed the Federal Reports Elimination and Sunset Act of 1995
(P.L. 104-66) and the Federal Reports Elimination Act of 1998 (P.L. 105-362).178
Reporting from Agencies to OMB and Congress
Some reporting on matching programs is still required, however, including the annual report by
an agency’s DIB to the head of the agency and to OMB.179
In addition, an agency is to report proposals for new, re-established, or significantly modified
matching programs to OMB, the House Committee on Oversight and Reform, and the Senate
Committee on Homeland Security and Governmental Affairs in order to permit an evaluation of
the probable or potential effect of the proposal on the privacy or other rights of individuals.180
Potentially significant modifications include those that (1) change the purpose of the program, (2)
change the authority to conduct the matching program, (3) expand the types or categories or
significantly increase the number of records being matched, (4) expand the categories of
individuals whose records are being matched, and (5) change the source or recipient agencies.181
OMB clarifies in Circular No. A-108 that submitting notice of a new or significantly modified
matching program to OMB and Congress occurs prior to public notice in the Federal Register
and, furthermore, that OMB will have 30 days to review the new or modified matching

175 P.L. 100-503, §4 (102 Stat. 2511). The requirement was an annual report for the first three years following
enactment and a biennial report thereafter.
176 P.L. 100-503, §4 (102 Stat. 2511).
177 5 U.S.C. §552a(s).
178 P.L. 104-66, Section 3003, effectively eliminated the Privacy Act report to Congress (190 Stat. 735). P.L. 105-362,
Section 1301(d), eliminated the specific reporting by OMB that consolidated the DIB reports and included information
on cost-benefit analyses (112 Stat. 3293). For more information about the Federal Reports Elimination and Sunset Act
of 1995, see “Contrast with Current Authorities and Previous Efforts” in CRS Report R42490, Reexamination of
Agency Reporting Requirements: Annual Process Under the GPRA Modernization Act of 2010 (GPRAMA), by Clinton
T. Brass.
179 5 U.S.C. §552a(u)(3)(D).
180 5 U.S.C. §552a(r). Statute provides the names of committees that have since been renamed. The committee names
used here are the most current.
181 OMB, Circular No. A-108, pp. 18-19. OMB notes that the list it provides is not exhaustive.
Congressional Research Service

28

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

program.182 As a result, a new matching program cannot begin for at least 60 days following the
approval of the matching agreement by the DIBs at the source and recipient agencies.183
When an agency plans to re-establish a matching program, including plans approved by the
agency’s DIB to renew a matching program for one-year beyond the expiration of the current
matching agreement, it is to provide at least 60 days of advance notice to OMB and Congress.184
Exceptions to the CMPPA’s Coverage
Several uses of computer matching are excepted from the CMPPA’s requirements. While some of
these exceptions were included in the law when it was first passed in 1988, others represent
amendments passed in the years since.
Matches that are excepted may be arranged into six different categories. Broadly, the categories
include (1) research and statistics; (2) matching with no adverse impact to federal employees; (3)
law enforcement, security, and intelligence; (4) administration of taxes, levies, and certain savings
programs; (5) inspectors general and fraud, waste, and abuse; and (6) selected matches by SSA
involving incarcerated and other justice-system-involved individuals.
Research and Statistics
The CMPPA does not cover matching for research and statistics. This includes:
 producing aggregate statistical data without any personal identifiers185 and
 when the specific data involved are not used to make decisions concerning the
rights, benefits, or privileges of specific individuals.186
Matching with No Adverse Impact to Federal Employees
Matching that does not have an adverse impact on federal personnel is also excepted.187 This
exception includes matches that:
 relate to federal personnel and are conducted for routine administrative purposes
as per OMB guidance188 or

182 OMB, Circular No. A-108, p. 20.
183 OMB may request agencies to incorporate changes or clarifications stemming from its review. In addition, agencies
may have to address comments from the public that stem from the public notice period. As such, agencies may have to
delay the start of a matching program longer than the 60 days implied in statute and guidance (see Table, Illustration of
Standard Review Process for Matching Programs, in OMB, Circular No. A-108, p. 21).
184 OMB, Circular No. A-108, p. 20.
185 5 U.S.C. §552a(a)(8)(B)(i).
186 5 U.S.C. §552a(a)(8)(B)(ii). OMB’s guidance indicates that “pilot matches”—or small-scale matches that an agency
might conduct to assess the costs and benefits of a full computer matching program and are not used to make decisions
that affect the rights, benefits, or privilege of any specific individual—do not require compliance with the CMPPA
because such pilots are not matching programs (OMB, “Final Guidance Interpreting the CMPPA,” p. 25823).
187 5 U.S.C. §552a(a)(8)(B)(v).
188 5 U.S.C. §552a(a)(8)(B)(v)(I). OMB’s guidance indicates that predominately means that the number of records
relating to federal personnel is greater than the number of any other category of records not related to federal personnel
(OMB, “Final Guidance Interpreting the CMPPA,” p. 25824).
Congressional Research Service

29

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

 use only records from systems of records maintained by that agency if the
purpose of the match is not to take any adverse financial, personnel, disciplinary,
or other action against federal personnel.189
Law Enforcement, Security, and Intelligence
Several types of matching done for the purpose of law enforcement and security are also
excepted. These matches include those that:
 investigate a person that has been specifically identified and named for the
purpose of gathering evidence against such person as part of an investigation if
the investigation is performed by an agency or a component of an agency with a
principal function of criminal law enforcement,190
 assist foreign counterintelligence,191 or
 produce background checks for security clearances of federal personnel or the
personnel of a federal contractor.192
Administration of Taxes, Levies, and Certain Savings Programs
The CMPPA, when originally passed in 1988, included several tax-related matches that were
excluded from the definition of matching program. In the years since, Congress has expanded
upon the types of tax-related matches excluded from the purposes of the CMPPA.193 These
matches include those that:
 are for the purposes of tax administration, including the management and
application of internal revenue laws or related statutes, as well as the
development of tax policy;194
 enable allowable disclosures, including to state tax agencies, to administer state
tax laws or to locate an individual who may be entitled to a refund;195

189 5 U.S.C. §552a(a)(8)(B)(v)(II). According to OMB’s guidance, the implication of this exception is that an agency
may match records from its systems of records and take adverse action against individuals without needing to comply
with the CMPPA’s requirements for matching programs so long as those individuals are not federal personnel (OMB,
“Final Guidance Interpreting the CMPPA,” p. 25824).
190 5 U.S.C. §552a(a)(8)(B)(iii).
191 5 U.S.C. §552a(a)(8)(B)(vi).
192 5 U.S.C. §552a(a)(8)(B)(vi).
193 P.L. 100-503 enacted Title 5, Section 552a(a)(8)(B)(iv), of the U.S. Code, which specifies a number of tax-related
matches (see footnotes 194, 195, and 196). P.L. 105-34 enacted Title 5, Section 552a(a)(8)(B)(vii), which specified that
matches incident to a levy described in Section 6103(k)(8) of the Internal Revenue Code of 1986 is not a matching
program (see footnote 198). P.L. 113-295 enacted Title 5, Section 552a(a)(8)(B)(x), of the U.S. Code, which specified
that matches performed pursuant to Section 3(d)(4) of the Achieving a Better Life Experience Act of 2014 is not a
matching program (see footnote 199).
194 5 U.S.C. §552a(a)(8)(B)(iv). Tax administration as defined by Section 6103(b)(4) of the Internal Revenue Code of
1986 “(A) means (i) the administration, management, conduct, direction, and supervision of the execution and
application of the internal revenue laws or related statutes (or equivalent laws and statutes of a State) and tax
conventions to which the United States is a party, and (ii) the development and formulation of Federal tax policy
relating to existing or proposed internal revenue laws, related statutes, and tax conventions, and (B) includes
assessment, collection, enforcement, litigation, publication, and statistical gathering functions under such laws, statutes,
or conventions.”
195 5 U.S.C. §552a(a)(8)(B)(iv) as pursuant to Section 6103(d) of the Internal Revenue Code of 1986.
Congressional Research Service

30

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

 intercept a tax refund due to an individual196 or for any other tax refund intercept
program that is authorized by statute that OMB determines to have verification,
notice, and hearing requirements that are substantially similar to those required
for state income and eligibility verification systems under the Social Security
Act, as amended;197
 are conducted incidental to the collection of an unpaid government payment,198 or
 are conducted pursuant to a qualified Achieving a Better Life Experience
program.199
Inspectors General and Fraud, Waste, and Abuse
Matches that IGs may use as part of their fraud, waste, and abuse prevention and investigation
activities are not matching programs for the purposes of the CMPPA. Specifically, this includes
matches that are:
 conducted by an IG for an audit, investigation, inspection, evaluation, or other
review authorized under the Inspector General Act of 1978, as amended;200 or
 conducted by the Secretary or IG of HHS with respect to potential fraud, waste,
and abuse.201
Selected Matches by SSA Involving Incarcerated and Other Justice-
System-Involved Individuals
Some matches SSA may perform are excepted from the CMPPA. Specifically, these are matches
where:
 any federal or state agency makes available to the SSA the names and SSNs of
any individuals who are confined in jails, prisons, or other penal institutions
following conviction of a criminal offense, are confined by court order because
of certain types of verdicts or court findings, or meet certain other related
criteria,202 or
 the SSA seeks on a monthly basis from a state or local correctional facility—
including jails and prisons, or similar institutions that confine individuals—the

196 5 U.S.C. §552a(a)(8)(B)(iv) as under the authority granted by Sections 404(e), 464, or 1137 of the Social Security
Act (42 U.S.C. §604(e), 42 U.S.C. §664, or 42 U.S.C. §1320b-7, respectively).
197 5 U.S.C. §552a(a)(8)(B)(iv); such systems and their requirements are contained in Section 1137 of the Social
Security Act (42 U.S.C. §1320b-7).
198 5 U.S.C. §552a(a)(8)(B)(vii). Such a levy is described in Section 6103(k)(8) of the Internal Revenue Code of 1986.
199 Title 5, Section 552a(a)(8)(B)(x), includes “matches performed pursuant to section 3(d)(4) of the Achieving a Better
Life Experience Act of 2014” (P.L. 113-295, Division B). Neither P.L. 113-295 Division B nor Section 529A of
Chapter 5 of the U.S. Code contain a Section 3(d)(4) despite its reference in Title 5, Section 552a(a)(8)(B)(x). For more
information on Achieving a Better Life Experience programs, see CRS In Focus IF10363, Achieving a Better Life
Experience (ABLE) Programs, by William R. Morton and Kirsten J. Colello.
200 5 U.S.C. App. §6(j)(2). Where Title 5, Section 552a(a)(8)(B), enumerates several exceptions to matching programs,
the exception of matches conducted by IGs is not enumerated therein. This exception was enacted by P.L. 114-317
(Inspector General Empowerment Act of 2016) and is found at Title 5, Section 6(j)(2), of the U.S. Code.
201 5 U.S.C. §552a(a)(8)(B)(ix).
202 5 U.S.C. §552a(a)(8)(B)(viii), pursuant to Section 202(x)(3) of the Social Security Act (42 U.S.C. §402(x)(3)).
Congressional Research Service

31

link to page 10 link to page 10 Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

names, SSNs, and other specific information of any individuals confined in those
facilities.203
Issues for Congress
OTA concluded in 1986 that information technology capabilities and uses had changed so
dramatically since the Privacy Act of 1974 that they eroded the privacy protections of the law.204
Such dramatic changes in information technology and its uses also characterize the 30-plus years
since the CMPPA went into effect.
Agencies in the executive branch have conducted computer matching since at least the 1970s.
Congress devoted particular attention to computer matching through the 1970s and late 1980s,
which ultimately resulted in the CMPPA.
In the decades since, there have been minimal updates to OMB guidance on CMPPA
implementation and a decrease in the number of hearings by Congress that specifically examine
matching programs. Yet agencies continue to actively implement the law. Congress continues to
view data matching as a policy option for reducing fraud and improper payments, and agencies
continue to rely upon matching programs to comply with various laws.205
Congress might assess whether there are opportunities to improve computer matching in
government operations and management. Matching program oversight by Congress may aid
implementation of the CMPPA. There are a number of areas Congress may want to contemplate
and some possible directions for future oversight or legislation. These areas are (1) clarifying the
scope of the CMPPA, (2) developing an accurate accounting of matching programs, (3) ensuring
sufficient and contemporaneous OMB guidance, and (4) assessing regulation and oversight of
data matching.
Clarifying the Scope of the CMPPA
Congressional committees provided some definition of specific methods of computer matching
when the CMPPA was first considered (see in this report, “Defining Matching for the Purposes of
the CMPPA”). However, the law itself does not provide information on the computer matching
methods that are within the purview of the CMPPA, such as single-record or many-record
comparisons.
Separate analyses by OTA and GAO found definitional issues with matching programs since as
early as the 1980s and as late as the 2010s.206 While the statutory definition of matching program
includes the words any computerized comparison, the absence of methods that meet the definition
permits agencies to derive their own interpretations of what types of methods are covered by the

203 5 U.S.C. §552a(a)(8)(B)(viii), pursuant to Section 1611(e)(1) of the Social Security Act (42 U.S.C. §1382(e)(1)).
204 OTA, Federal Government Information Technology, pp. 4, 99.
205 See, for example, CRS Report R46789, Unemployment Insurance: Legislative Issues in the 117th Congress, First
Session, by Katelin P. Isaacs and Julie M. Whittaker, p. 19 and p. 25; U.S. Congress, House Oversight and Reform
Select Subcommittee on the Coronavirus Crisis, Examining Federal Efforts to Prevent, Detect, and Prosecute
Pandemic Relief Fraud to Safeguard Funds for All Eligible Americans, 117th Cong., 2nd sess., June 14, 2022; U.S.
Congress, House Committee on Oversight and Reform, Subcommittee on Government Operations, Follow the Money:
Tackling Improper Payments, hearing, 117th Cong., 2nd sess., Serial No. 117-75, March 31, 2022, pp. 3, 6.
206 OTA, Federal Government Information Technology, pp. 14-17.
Congressional Research Service

32

link to page 46 Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

CMPPA. The result is that some agencies’ activities may potentially avoid the reach of the
CMPPA.207
The lack of a consistent understanding across executive agencies of the types of matching
methods subject to the CMPPA’s provisions leaves questions about what protections are afforded
to individuals in cases where an agency believes its matching methods to be outside of the scope
of the CMPPA.
Congress could amend the statute to define matching methods or provide language that makes
clear the number of records in a computerized comparison to constitute a matching program.
OMB could also update its guidance to clarify the scope of methods and enforce compliance
accordingly.
Developing an Accurate Accounting of Matching Programs
It is challenging to determine the number of matching programs that are being conducted at any
given time. The House Committee on Government Operations recognized the need to establish
administrative controls for matching programs, in part, because of the difficulty in ascertaining
their prevalence.208
There is no accessible database or cataloging of current active matching programs. This makes it
difficult to determine the number of matching programs, including the number of individual
records that are disclosed for matching programs. As illustrated in Appendix B, some matching
programs involve the use of millions of individual records. Congress may want to establish
requirements for a centralized database of matching programs.
Although OMB directs agencies to maintain webpages that include information on their matching
agreements and public notices of matching programs, there is no enforcement mechanism of the
requirement. This leaves the public dependent on each agency to maintain webpages with current
information. For example, the Department of Education updated its matching agreements
webpage in October 2022 and lists one matching program in operation.209 Yet the department
published notice in the Federal Register in August 2021 of a matching program to begin in
September 2021 that would continue for 18 months, putting it in operation until March 2023.210
Requirements for Federal Register notices assume public knowledge about the Federal Register
and, arguably, assumes that the public frequently and easily peruses it for notices that may pertain
to them.
Congress may consider establishing a deadline for when information about matching programs is
posted on agency websites. There are laws that provide general requirements for federal
websites,211 but there is wide variation across agencies in the frequency of website updates.

207 GAO, Computer Matching Act, p. 17.
208 U.S. Congress, House Committee on Government Operations, Computer Matching and Privacy Protection Act of
1988, report to accompany H.R. 4699, 100th Cong., 2nd sess., July 27, 1988, H.Rept. 100-802, p. 7.
209 U.S. Department of Education, “Department of Education’s Computer Matching Agreements (CMA),”
https://www2.ed.gov/about/offices/list/om/pirms/cma.html.
210 U.S. Department of Education, “Privacy Act of 1974; Matching Program,” 86 Federal Register 47092-47093,
August 23, 2021.
211 For example, the E-Government Act of 2002 (P.L. 107-347) required certain types of information to be available on
agency websites. The 21st Century Integrated Digital Experience Act (P.L. 115-336) furthered expectations for agency
websites that are created or redesigned following the act’s enactment.
Congressional Research Service

33

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

Congress may also consider how to monitor compliance and provide effective enforcement of
timeliness.
The reporting requirement for the Privacy Act and CMPPA was terminated by the Federal Reports
Elimination and Sunset Act of 1995. This eliminated reporting on the number of matching
programs and their purposes through OMB’s reports to Congress.212 Congress may wish to
reinstate this requirement for OMB, or establish it for an agency such as GAO, to gain an
accurate accounting of matching programs that could assist in the management and oversight of
such matching programs across the federal government.
Ensuring Sufficient and Contemporaneous OMB Guidance
Congress directed OMB to issue guidance to agencies213 and provide continuing assistance and
oversight of the CMPPA’s implementation.214
OMB issued guidance to agencies in 1989 subsequent to the passage of the CMPPA.215 At that
time, OMB commented, “Although the following guidance is published in final form, OMB
realizes that the implementation of this complex act will undoubtedly require the issuance of
additional and clarifying guidance and intends to monitor the agencies’ implementation closely to
that end.”216
As part of its report on implementation of the CMPPA, GAO made four recommendations to
OMB,217 three of which were not implemented, including a recommendation to revise guidance
and clarify requirements. According to GAO, “In August 2017, OMB stated that it does not intend
to address the recommendation [to revise its guidance] because it believes that the current
guidance is sufficient.”218
In December 2016, OMB updated Circular No. A-108, “Federal Agency Responsibilities for
Review, Reporting, and Publication Under the Privacy Act,”219 including information to agencies
on when agency DIBs should submit their annual reports to OMB, where to email them, and
instructions to post the reports on the agencies’ websites.220
Congress may consider examining OMB’s guidance, including whether revised guidance is
needed, whether the guidance meets the current data and information technology environment
and opportunities, and how revised guidance may improve the ongoing implementation of the
CMPPA.

212 For an example of what OMB had produced, see “Matching Programs Conducted in 1994 and 1995,” at
https://obamawhitehouse.archives.gov/omb/inforeg_match/.
213 5 U.S.C. §552a(v)(1).
214 5 U.S.C. §552a(v)(2).
215 OMB, “Final Guidance Interpreting the CMPPA,” pp. 25818-25829.
216 OMB, “Final Guidance Interpreting the CMPPA,” p. 25818.
217 See GAO, “Recommendations for Executive Action,” https://www.gao.gov/products/gao-14-44.
218 GAO, “Recommendations for Executive Action.”
219 OMB, Circular No. A-108, “Federal Agency Responsibilities for Review, Reporting, and Publication under the
Privacy Act,” December 23, 2016, https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/
A108/omb_circular_a-108.pdf.
220 OMB, Circular No. A-108, p. 28.
Congressional Research Service

34

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

GAO reported that OMB has provided little assistance to agencies and that OMB assistance has
been inconsistent.221 Congress may want to investigate what OMB has learned in the decades it
has spent providing assistance and oversight of implementation of the CMPPA.
Assessing Regulation and Oversight of Data Matching
Several types of matching are excepted from the CMPPA. Little is known, however, about how
frequently or how much of this excepted matching is conducted by federal agencies.
OMB and Congress are, by statute, required to receive notice of matching programs to permit the
evaluation of the potential effects of such programs on individual privacy or other rights.222
However, there is no oversight mechanism designated to evaluate the impacts of matching that is
excepted from the CMPPA, no centralized reporting on the matching that qualifies as an
exception, and few government-wide administrative controls for such matching excepted from the
CMPPA. Congress could consider oversight hearings to determine if current controls and
mechanisms are effective for the several types of matching conducted outside of the CMPPA’s
scope.
Because the definition of source agency in the CMPPA limits the purview of the law to
government agencies, some agencies that match individual information with nongovernment data
sources may do so with varying degrees of privacy protections in place. The CMPPA’s rules of
construction specifically provide that “nothing in the amendments made by this act shall be
construed to authorize the disclosure of records for computer matching except to a Federal, State,
or local agency.”223 The Senate’s original CMPPA bill, however, included nonfederal entity—
defined as a state or local government or an agency thereof, partnership, corporation, association,
or public or private organization—as a party to matching programs,224 indicating that regulation
of matching programs between agencies and nongovernment entities was a consideration before
being removed from the scope of the bill by the House.225 Congress may wish to consider
oversight mechanisms for when agencies match data with nongovernment data sources.
GAO conducted a review in 2016 on the use of commercial data services to help agencies identify
fraud and improper payments.226 GAO noted a comment from OMB that agencies must consider
relevant provisions of the CMPPA when using commercial data to conduct program integrity
activities.227 But the CMPPA’s rules of construction and definitions for recipient agency and
source agency limit disclosures for matching programs to federal, state, and local governments.
The House Committee on the Judiciary held hearings in July 2022 on federal law enforcement’s
purchase of personal data from LexisNexis, a private corporation.228 More than 30 years before

221 GAO, Computer Matching Act, p. 23.
222 5 U.S.C. §552a(r).
223 P.L. 100-503, §9(4); 102 Stat. 2514.
224 Floor consideration of S. 496, Congressional Record, vol. 133, part 10 (May 21, 1987), p. 13543.
225 U.S. Congress, Senate Committee on Governmental Affairs, The Computer Matching and Privacy Protection Act of
1987, report to accompany S. 496, 100th Cong., 2nd sess., September 15, 1988, S.Rept. 100-516, pp. 10, 30.
226 GAO, Program Integrity: Views on the Use of Commercial Data Services to Help Identify Fraud and Improper
Payments, GAO-16-624, June 30, 2016.
227 GAO, Program Integrity, p. 12.
228 U.S. Congress, House Committee on the Judiciary, Digital Dragnets: Examining the Government’s Access to Your
Personal Data, hearing, 117th Cong., 2nd sess., July 19, 2022. See also Elizabeth Goitein, “The Government Can’t Seize
Your Digital Data. Except by Buying It,” Washington Post, April 28, 2021.
Congressional Research Service

35

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

these hearings, the Senate Committee on Governmental Affairs warned that matching programs
used by law enforcement, “if uncontrolled, can too easily become ‘fishing expeditions’ to find
information about individuals when there is no suspicion of wrongdoing, risking violation of the
Fourth Amendment.”229 Congress may wish to extend CMPPA’s controls and procedures to
federal law enforcement’s use of data compiled by private corporations.
Agencies may differ in the protections they afford to individuals against erroneous or adverse
decisions that depend on data from nongovernment sources. Congress may wish to evaluate the
definitions of source agency and recipient agency in the CMPPA and consider including
nongovernments as parties to matching programs.
The House Committee on Government Operations acknowledged the disjointed nature of federal
law concerning privacy and matching in the late 1980s.230 The committee offered that the Privacy
Act predates the computer matching era. The CMPPA predates the current era of information
technology, “big data,” data integration, and data analytics. Congress may want to consider
assessing the executive branch’s matching of data on individuals and may look to consider
exceptions to the CMPPA specifically as part of this oversight.

229 U.S. Congress, Senate Committee on Governmental Affairs, The Computer Matching and Privacy Protection Act of
1987, report to accompany S. 496, 100th Cong., 2nd sess., September 15, 1988, S.Rept. 100-516, p. 12.
230 U.S. Congress, House Committee on Government Operations, Computer Matching and Privacy Protection Act of
1988, report to accompany H.R. 4699, 100th Cong., 2nd sess., July 27, 1988, H.Rept. 100-802, p. 8.
Congressional Research Service

36

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

Appendix A. Computer Matching Prior to the
CMPPA
The concept of data matching predates the 1980s and the rapid growth of data matching in the
executive branch. An academic article published in 1959 discussed the “automatic linking” of
vital records and how computers, such as the “Datatron,” could be used to bring together “two or
more separately recorded pieces of information concerning a particular individual or family.”231
Matching data on individuals directly impacts their privacy. The CMPPA amended Title 5,
Section 552a, of the U.S. Code, which codifies the Privacy Act. While the Privacy Act is
generally concerned with the unauthorized disclosure of information collected by agencies on
individuals, the law does allow the disclosure of individual information under 12 exceptions.232
One of these exceptions is routine use.233
The routine use exception allows for information to be disclosed—or, in practice, shared—“for a
purpose which is compatible with the purpose for which it was collected.”234 Prior to the passage
of the CMPPA, a House Committee on Government Operations report stated:
The legality of some disclosures that are necessary to support computer matching has been
questioned since 1977. A primary question revolves around the “routine use” provision of
the Privacy Act. Where records are disclosed by one agency to another for use in matching,
the normal legal authority for the disclosure comes from a routine use.235
Historically, the exchange and matching of records between federal agencies had been primarily
for the prevention and reduction of fraud, waste, and abuse.236 The first major computer matching
program created by the federal government was reportedly Project Match in 1977.237 It was
created to support the detection of improper benefit payments to federal employees by comparing
records from the Department of Health, Education, and Welfare with records from wage reporting
systems in 18 states, the District of Columbia, and a handful of major localities.238

231 H. B. Newcombe et al., “Automatic Linkage of Vital Records,” Science, vol. 130, no. 3381 (October 16, 1959), p.
954.
232 5 U.S.C §552a(b).
233 5 U.S.C §552a(b)(3).
234 Routine use is defined at Title 5, Section 552a(a)(7), of the U.S. Code. The routine use of information contained in a
system of records has to first be published in the Federal Register, and the public has to be given notice of the routine
use before a disclosure of records occurs (OMB, “Privacy Act Guidelines—July 1, 1975: Implementation of Section
552a of Title 5 of the United States,” 40 Federal Register 28949, July 9, 1975).
235 U.S. Congress, House Committee on Government Operations, Computer Matching and Privacy Protection Act of
1988, report to accompany H.R. 4699, 100th Cong., 2nd sess., July 27, 1988, H.Rept. 100-802, p. 21. See also OTA,
Federal Government Information Technology, pp. 5, 37, 41-42. OTA characterized routine use as a catchall exception
permitting a variety of exchanges (p. 5).
236 OTA, Federal Government Information Technology, pp. 37-43. Within this page range, OTA provides a background
on computer matching to detect fraud, waste, and abuse, including examples and policy history.
237 U.S. Congress, House Committee on Government Operations, Computer Matching and Privacy Protection Act of
1988, report to accompany H.R. 4699, 100th Cong., 2nd sess., July 27, 1988, H.Rept. 100-802, pp. 2-3; U.S. Congress,
Senate Committee on Governmental Affairs, The Computer Matching and Privacy Protection Act of 1987, report to
accompany S. 496, 100th Cong., 2nd sess., September 15, 1988, S.Rept. 100-516, p. 2.
238 OTA, Federal Government Information Technology, p. 41.
Congressional Research Service

37

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

Congress passed several laws in the years prior to the CMPPA that specifically permitted the
sharing and comparing of individual information from systems of records maintained by
agencies.239 According to OTA, these laws included:
 The Tax Reform Act of 1976 (P.L. 94-455), which allowed the Secretary of the
Treasury to disclose information from the IRS to federal, state, and local child
support agencies to establish and collect child support obligations and locate
individuals who owe such obligations;
 The Debt Collection Act of 1982 (P.L. 97-365), which allowed an agency to
disclose to a consumer reporting agency a record that indicates that an individual
is responsible for repayment of a claim the agency is attempting to collect; and
 The Deficit Reduction Act of 1984 (P.L. 98-369), which established that every
state that administers certain Social Security Act programs must have an income
and eligibility verification system that uses wage, income, and other information
from the Social Security Administration and IRS and that verifies immigration
status with the then-Immigration and Naturalization Service if the applicant for a
program is not a citizen or U.S. national.240
According to OTA, even the Paperwork Reduction Act of 1980 (PRA; P.L. 96-511) was perceived
at the time to encourage information sharing and potential matching between agencies in lieu of
information collections to the extent such activities were permissible under other provisions of
law.241 The PRA enacted Title 44, Section 3510, of the U.S. Code, which authorizes the director of
OMB to direct or allow an agency to make available to another agency, or an agency may make
available to another agency, information obtained pursuant to an information collection if the
disclosure is not inconsistent with any applicable law.
In their respective reports on the PRA, both the House Committee on Government Operations and
the Senate Committee on Governmental Affairs indicated that they expected information sharing
to be inconsistent with applicable law only if the applicable law specifically prohibited the
sharing of information between agencies or the disclosure to anyone outside of the agency.242 The
committees did not perceive a prohibition on disclosure to the public to flatly prohibit sharing
information with another agency.

239 OTA, Federal Government Information Technology, pp. 43-46.
240 See also 42 U.S.C. §1320b-7. Programs referenced in the law included Medicaid, unemployment compensation, Aid
to Families with Dependent Children (replaced by the Temporary Assistance for Needy Families program), food
stamps (replaced with the Supplemental Nutrition Assistance Program), old age assistance, Social Security Insurance,
aid for people visually impaired, and aid for people permanently and totally disabled.
241 OTA, Federal Government Information Technology, p. 44. The PRA of 1995 (P.L. 104-13) significantly amended
the PRA of 1980. For more information on the PRA and federal information collections, see CRS In Focus IF11837,
The Paperwork Reduction Act and Federal Collections of Information: A Brief Overview, by Maeve P. Carey.
242 U.S. Congress, House Committee on Government Operations, Paperwork Reduction Act of 1980, report to
accompany H.R. 6410, 96th Cong., 2nd sess., March 19, 1980, H.Rept. 96-835, p. 30; U.S. Congress, Senate Committee
on Governmental Affairs, Paperwork Reduction Act of 1980, report to accompany S. 1411, 96th Cong., 2nd sess.,
S.Rept. 96-930, September 8, 1980, p. 50.
Congressional Research Service

38

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

OMB Guidance to Agencies on Matching Programs in 1979 and
1982
1979 Guidance
In 1979, OMB supported implementation of the Privacy Act by publishing guidelines for federal
agencies on conducting matching programs.243 The guidelines were largely seen as being
procedural and addressed some of the legal questions surrounding matching programs.244 Some
observers believed that the guidelines created bureaucratic obstacles that deterred some
activities.245
The 1979 guidelines directed executive agencies to conduct cost-benefit analyses using specific
considerations, including any potential harm caused to individuals, before conducting a matching
program.246
Additionally, an agency was to submit to the director of OMB, the Speaker of the House, and the
President of the Senate a report that contained certain information on the matching program, such
as the source agency, how the privacy and other rights of individuals would be protected, and the
safeguards that would prevent unauthorized access to individuals’ personal information.247 The
guidelines also differentiated reporting requirements for antifraud matching programs from
matching programs conducted for other purposes.248
The 1979 guidelines also specified that matching programs should be conducted “in house” rather
than by a contractor.249
1982 Guidance
OMB revised the guidelines in 1982 based on comments from the President’s Council on
Integrity and Efficiency.250 According to the House Committee on Operations, OMB issued the
revised guidelines without a public comment period.251

243 OMB, “Privacy Act of 1974; Supplemental Guidance for Matching Programs,” 44 Federal Register 23139, April
18, 1979.
244 U.S. Congress, House Committee on Government Operations, Who Cares about Privacy? Oversight of the Privacy
Act of 1974 by the Office of Management and Budget and by the Congress, 98th Cong., 1st sess., November 1, 1983,
H.Rept. 98-455, p. 11.
245 Jake Kirchner, “Privacy: A History of Computer Matching in Federal Government,” Computerworld, December 14,
1981, as cited in U.S. Congress, House Committee on Government Operations, Who Cares about Privacy? Oversight
of the Privacy Act of 1974 by the Office of Management and Budget and by the Congress, 98th Cong., 1st sess.,
November 1, 1983, H.Rept. 98-455, p. 12.
246 OMB, “Privacy Act of 1974; Supplemental Guidance for Matching Programs,” 44 Federal Register 23139, April
18, 1979.
247 Ibid., p. 23140.
248 Ibid., p. 23139 (specifically the section titled, “Guidelines for Agencies Conducting Anti-Fraud Matching
Programs”) and p. 23142 (specifically the section, “Guidelines for Conducting Other Matching Programs”).
249 Ibid., p. 23140.
250 OMB, “Privacy Act of 1974: Revised Supplemental Guidance for Conducting Matching Programs,” 47 Federal
Register 21656, May 19, 1982. The guidance referred to “the President’s Council on Integrity and Efficiency in
Government” and likely meant the President’s Council on Integrity and Efficiency,” which was established by
Executive Order 12301.
251 U.S. Congress, House Committee on Government Operations, Who Cares about Privacy? Oversight of the Privacy
Congressional Research Service

39

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

The revised guidelines no longer distinguished between antifraud and other matching programs
and excluded from the definition of matching program matches that did not compare a
“substantial” number of records.252
OMB also required a written agreement between agencies involved in a matching program.253 The
agreement was to prescribe the conditions under which the data from one agency could be used
by another agency.
OMB continued to advise agencies to use their own employees instead of contractors.254 Where
this was impractical, the guidelines offered some procedures for using contractors, including
requirements that the contract include a clause about complying with the Privacy Act.255
Additionally, the 1982 guidelines replaced any reporting provided to OMB and Congress under
the 1979 guidelines with publication in the Federal Register.256
Congressional Hearings and Reports
A Senate committee held hearings in December 1982 titled, “Oversight of Computer Matching to
Detect Fraud and Mismanagement in Government Programs.”257
Subsequent House hearings were held in June 1983 on Privacy Act oversight that also raised
various issues with matching programs and the routine use exception.258 For example, the former
counsel to the Subcommittee on Intergovernmental Relations of the Senate Committee on
Government Operations testified:
I think we needed to do something to clarify the routine use exception. Everyone
recognized at the time of the adoption of the [Privacy Act] that you could not have a blanket
prohibition on the exchange of information from one agency to another. The search for a
solution resulted in the routine use provision.
The routine use provision, unfortunately, was probably a bad choice of words because it
was created to allow exchanges of information that were compatible with the original
purpose for which the material was collected, not routinely used by agencies, as it was
more commonly interpreted.259

Act of 1974 by the Office of Management and Budget and by the Congress, 98th Cong., 1st sess., November 1, 1983,
H.Rept. 98-455, p. 12.
252 OMB, “Privacy Act of 1974: Revised Supplemental Guidance for Conducting Matching Programs,” 47 Federal
Register 21657, May 19, 1982.
253 Ibid., p. 21657.
254 Ibid., p. 21658.
255 Ibid.
256 Ibid.
257 U.S. Congress, Senate Committee on Governmental Affairs, Subcommittee on Oversight of Government
Management, Oversight of Computer Matching to Detect Fraud and Mismanagement in Government Programs,
hearings, 97th Cong., 2nd sess., December 15-16, 1982.
258 U.S. Congress, House Committee on Government Operations, Subcommittee on Government Information, Justice,
and Agriculture, Oversight of the Privacy Act of 1974, hearings, 98th Cong., 1st sess., June 7-8, 1983.
259 Ibid., p. 45.
Congressional Research Service

40

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

In 1983, the House Committee on Government Operations issued a report in which it noted that
OMB’s 1982 guidelines on matching programs “were revised and weakened in 1982”260 and “are
significant to [the] review of OMB Privacy Act activities.”261
In 1984, Congress heard testimony on the sharing of tax records for matching purposes
authorized under law.262
In the 99th Congress, the CMPPA of 1986 was introduced in the Senate (S. 2756). The CMPPA of
1987 was introduced in the Senate in the 100th Congress (S. 496)263 with some changes to the bill
that had been introduced in the previous Congress.
The Senate passed S. 496 with an amendment in May 1987.264 A House version of the CMPPA
(H.R. 4699) was introduced in May 1988 and passed the House in August 1988.265 The House
substituted the language contained in H.R. 4699 for the Senate’s language in S. 496 and passed S.
496.266
The Senate agreed to the House amendments to S. 496 with its own amendment,267 and the House
concurred with the amended bill.268 The CMPPA was signed into law on October 18, 1988.

260 U.S. Congress, House Committee on Government Operations, Who Cares about Privacy? Oversight of the Privacy
Act of 1974 by the Office of Management and Budget and by the Congress, 98th Cong., 1st sess., November 1, 1983,
H.Rept. 98-455, p. 2.
261 Ibid., p. 10.
262 U.S. Congress, Senate Committee on Governmental Affairs, Subcommittee on Oversight of Government
Management, Computer Matching: Taxpayer Records, hearing, 98th Cong., 2nd sess., June 6, 1984.
263 Introduction of S. 496, Congressional Record, vol. 133, part 3 (February 5, 1987), pp. 3084-3087.
264 Senate consideration of S. 496, Congressional Record, vol. 133, part 28 (May 21, 1987), pp. 13539-13543.
265 CMPPA of 1988, Congressional Record, vol. 134, part 14 (August 1, 1988), p. 19679.
266 CMPPA of 1988, Congressional Record, vol. 134, part 14 (August 1, 1988), p. 19681.
267 CMPPA of 1988, Congressional Record, vol. 134, part 17 (September 20, 1988), p. 24597.
268 House of Representatives roll call vote number 382; CMPPA of 1988, Congressional Record, vol. 134, part 19
(October 3, 1988), p. 27908.
Congressional Research Service

41

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

Appendix B. Information Disclosed and Data
Matched in Matching Programs
Matching agreements are required to include specific information, including:
 the purpose of and legal authority for the matching program;
 the justification for the matching program and the anticipated results, including
specific estimates of any savings;
 a description of the records that will be matched, including each data element that
will be used, the approximate number of records that will be matched, and the
anticipated start and completion dates of the matching program;
 procedures for providing individualized notice at the time of application, and
notice periodically thereafter, to applicants and recipients of federal benefit
program assistance and to applicants for and holders of federal personnel
positions that information provided may be subject to verification through
matching programs;
 procedures for verifying information produced in matching programs;
 procedures for the retention and timely destruction of identifiable records created
by a recipient agency or a nonfederal agency;
 procedures for ensuring the administrative, technical, and physical security of the
records matched and the results of such matched records;
 prohibitions on duplication and redisclosure of records provided by the source
agency within or outside the recipient agency or the nonfederal agency except
where required by law or essential to the conduct of the matching program;
 procedures governing the use of records from a source agency by a recipient
agency or nonfederal agency, including procedures for returning records to the
source agency or destroying such records;
 information on accuracy assessments of records to be used in the matching
program; and
 a notice that the Comptroller General may have access to all records of a
recipient agency or a nonfederal agency that the Comptroller General deems
necessary to monitor or verify compliance with the agreement.269
Table B-1 provides examples of some of the information contained in matching agreements for
matching programs that were active in 2022, including any information that is subsequently
disclosed by the recipient agency to the source agency and whether the disclosure is cited as using
the routine use exception permitted by the Privacy Act.270

269 5 U.S.C. §552a(o)(1)(A-K).
270 5 U.S.C. §552a(b)(3).
Congressional Research Service

42

Table B-1. Examples of Purposes, Information Disclosed, and Data Elements Matched for Matching Programs
In Calendar Year 2022
Number of
Information
Data Matched and Information
Disclosure Under
Purpose of the
Records
Disclosed to
Disclosed by Recipient Agency to
Routine Use
Matching
Source
Recipient
Effective
Disclosed by
Recipient Agency
Source Agency
Exception
Program
Agency
Agency
Dates
Source Agency
To identify children
Department of
Department of
February
approximately
Name
None; however, ED will inform schools
Yes
whose parent or
Defense,
Education (ED)
27, 2021,
6,651
Date of birth
listed on the student’s Free Application for
guardian was a
Defense
to August
Social Security
Federal Student Aid that the student is
member of the U.S.
Manpower Data
26, 2022
number
eligible to receive additional financial
Armed Forces and
Center
Parent or guardian’s
assistance under Title IV of the Higher
died as a result of
date of death
Education Act
performing military
service in Iraq or
Afghanistan after
September 11, 2001,
as such persons may
be eligible for
increased amounts of
student assistance as
authorized by law
To determine
Social Security
Department of
June 26,
approximately 10
Name
In request to savings securities registration
No
continued eligibility
Administration
Treasury,
2021, to
million
Social Security
information:
for Supplemental
Bureau of the
December
number
Denomination of the security
Security Income
Fiscal Service
25, 2022
Serial number
applicants and
Series
recipients or the
Issue date of the security
correct benefit
Current redemption value
amount for
Return date of the finder file
recipients and

deemors who did
In request to savings securities
not report or
information:
incorrectly reported
Purchase amount
ownership of savings
Account number and confirmation number
securities
Series
Issue date of the security
Current redemption value
Return date of the finder file
CRS-43

Number of
Information
Data Matched and Information
Disclosure Under
Purpose of the
Records
Disclosed to
Disclosed by Recipient Agency to
Routine Use
Matching
Source
Recipient
Effective
Disclosed by
Recipient Agency
Source Agency
Exception
Program
Agency
Agency
Dates
Source Agency
To assist the
HUD
Department of
July 28,
approximately 9.9
First name
From new hire file:
Yes
Department of
Health and
2021, to
million
Last name
New hire processed date
Housing and Urban
Human Services January
Date of birth
Employee name
Development (HUD)
(HHS),
27, 2023
Social Security
Employee address
in verifying the
Administration
number
Employee date of hire
employment and
for Children
Employee state of hire
income of
and Families,
Federal Employer Identification Number
participants in
Office of Child
State Employer Identification Number
certain rental
Support
Department of Defense code
assistance programs
Enforcement
Employer name
Employer address
Transmitter agency code
Transmitter state code
Transmitter state or agency name

From quarterly wage file:
Quarterly wage processed date
Employee name
Federal Employer Identification number
State Employer Identification number
Department of Defense code
Employer name
Employer address
Employee wage amount
Quarterly wage reporting period
Transmitter agency code
Transmitter state code
Transmitter state or agency name

From unemployment insurance file:
Unemployment insurance processed date
Claimant name
Claimant address
Claimant benefit amount
Unemployment insurance reporting period
Transmitter state code
Transmitter state or agency name
CRS-44

To verify an
OPM
HHS, Centers
June 8,
approximately 2
Disclosed monthly:
CMS will not share any data with OPM
Yes
applicant’s or
for Medicare
2021, to
million
Record type
under the agreement
enrollee’s eligibility
and Medicaid
December
Record number
for minimum
Services (CMS)
7, 2023
Unique person ID
essential coverage
Social Security
through an Office of
number
Personnel
Last name
Management (OPM)
Middle name
Health Benefits Plan
First name
Last name suffix
Gender
Date of birth
Health plan code

Disclosed annually:
State
Plan
Option
Enrollment code
Current total
biweekly premium
Future total biweekly
premium
Future government
pays biweekly
premium
Future employee pays
biweekly premium
Future change in
employee payment
biweekly premium
Current total
monthly premium
Future total monthly
premium
Future government
pays monthly
premium
Future employee pays
monthly premium
Future change in
employee payment
monthly premium
CRS-45

Source: Information in the table is from matching agreements reviewed by CRS. See Department of Defense, ED, “Computer Matching Agreement between the U.S.
Department of Education and the Defense Manpower Data Center of U.S. Department of Defense,” https://dpcld.defense.gov/Portals/49/Documents/Privacy/CMAs/
CMA14_2021_Establish.pdf; Social Security Administration, Treasury, “Computer Matching Agreement between the Social Security Administration and the Bureau of the
Fiscal Service Department of the Treasury,” https://www.ssa.gov/privacy/cma/Agreement%201038%2012.30.2020_Signed%20(1).pdf; HUD, HHS, “Computer Matching
Agreement between U.S. Department of Health and Human Services Administration for Children and Families Office of Child Support Enforcement and U.S. Department of
Housing and Urban Development,” https://www.hhs.gov/sites/default/files/acf-hud-cma-2107.pdf; OPM, CMS, “Computer Matching Agreement between the Department of
Health and Human Services Centers for Medicare and Medicaid Services and the Office of Personnel Management for Verification of Eligibility for Minimum Essential
Coverage Under the Patient Protection and Affordable Care Act Through an Office of Personnel Management Health Benefit Plan,” https://www.hhs.gov/sites/default/files/
cma-cms-opm-2104.pdf.
Notes: The agencies included in the table were among those also selected by GAO for its 2014 report Computer Matching Act: OMB and Selected Agencies Need to Ensure
Consistent Implementation because of their benefits and assistance program expenditures (p. 2).

CRS-46

Computer Matching and Privacy Protection Act: Data Integration and Individual Rights

Author Information

Natalie R. Ortiz

Analyst in Government Organization and
Management

Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan
shared staff to congressional committees and Members of Congress. It operates solely at the behest of and
under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other
than public understanding of information that has been provided by CRS to Members of Congress in
connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not
subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in
its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or
material from a third party, you may need to obtain the permission of the copyright holder if you wish to
copy or otherwise use copyrighted material.

Congressional Research Service
R47325 · VERSION 1 · NEW
47

Download PDF

Download EPUB

Revision History

Dec. 6, 2022

HTML · PDF

Metadata

Topic areas

Health Policy

Report Type: CRS Report

Source: CRSReports.Congress.gov

Raw Metadata: JSON