What GAO Found
The Office of Management and Budget (OMB) is responsible for developing guidelines and providing assistance to agencies on implementing the Computer Matching Act, while agencies have a variety of implementation responsibilities. Agency responsibilities include (1) developing computer matching agreements (CMA) containing specific elements for each proposed matching program and notifying Congress, OMB, and the public of such activities; (2) conducting cost-benefit analyses for proposed matching programs; and (3) establishing data integrity boards to oversee matching programs.
The seven agencies GAO reviewed (the Departments of Agriculture, Education, Health and Human Services, Homeland Security, Labor, Veterans Affairs, and the Social Security Administration) have taken a number of steps to implement the act's requirements. They have all established processes for creating CMAs, and the agreements generally included the elements required by the act. However, implementation among these agencies was inconsistent in several ways. First, the selected agencies differed in their understanding of whether CMAs were required for data queries. OMB's guidance is not clear on whether such queries are covered by the act. Second, while the selected agencies generally developed cost-benefit analyses for their CMAs, they did not consistently address key elements needed to assess the value of computer matching programs. OMB stated in 1989 that it would issue specific guidance for cost-benefit analyses of computer matching programs, but it has not done so. Finally, agency data integrity boards have not consistently reported to OMB on agencies' computer matching activities as required by the act. OMB guidance requires biennial reporting, which varies from the act's requirement for annual reports. The lack of clear guidance from OMB has contributed to the inconsistent implementation of the act at the agencies GAO reviewed.
Several agency and office of inspector general officials stated that the act's rigorous requirements and short time frames discouraged them from pursuing CMAs. Officials at six agencies stated that CMA review processes were lengthy and resource-intensive and that statutory durations for conducting matching activities were too short. Similarly, officials from offices of the inspector general at four agencies stated that the length of the approval process and the requirement that proposed agreements be approved by data integrity boards discouraged them from computer matching.
Why GAO Did This Study
Computerized matching of data from two or more information systems is one method of data analysis that can assist in detecting and preventing fraud, waste, and abuse in government programs, and it is commonly used to help identify improper payments in federal benefit programs and activities. However, computer matching may also pose privacy risks to individuals. To ensure that federal agency computer matching programs protect individuals' privacy rights, from 1988 through 1990 Congress enacted amendments to the Privacy Act of 1974 (collectively referred to in this report as the Computer Matching Act).
GAO was asked to review issues relating to computer matching. This report examines (1) agencies' responsibilities under the Computer Matching Act, (2) how selected agencies are implementing the act with regard to federal benefits programs, and (3) the views of officials at selected agencies on the process of developing and implementing computer matching agreements. GAO reviewed the act's provisions and OMB guidance. It also interviewed officials and examined documents at seven agencies with high expenditures in benefits and assistance programs.
What GAO Recommends
GAO is recommending that OMB revise its guidance and that selected agencies develop and implement policies and procedures for cost-benefit analyses and ensure annual reviews and reporting. In their comments, agencies concurred with GAO's recommendations, with the exception of Education. OMB did not state whether the agency agreed or disagreed. GAO continues to believe that the recommendations are valid, as discussed in the report.
For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.
