December 21, 2004
Richard S. Flahavan
Associate Director
Office of public and Intergovernmental Affairs
Selective Service System
National Headquarters
Arlington, Virginia 22209-2425
Re: Comments on Selective Service and Department of Education Data Matching Agreement
Dear Mr. Flahavan:
Pursuant to the notice[1] published by the Selective Service System (SSS) regarding computer matching between the agency and the Department of Education, the Electronic Privacy Information Center, Privacy Journal, Consumer Action, Privacy Rights Now Coalition, Privacy Rights Clearinghouse, American Association of University Professors, and the World Privacy Forum, submit the following comments.
In the notice, the SSS proposes to automatically match its registration records with a database of federal loan recipients held by the Department of Education. This data matching program raises significant privacy risks, as an unverified computer match may disrupt the academic progress of a student. More generally, data matching raises important privacy risks that Congress sought to address in passing the Computer Matching Act. In eight different aspects, the data matching as proposed violates privacy and security safeguards specified by the Computer Matching Act. We request that this data matching system be suspended unless it can be brought into full compliance with the Computer Matching and Privacy Acts.
The Privacy Act and Computer Matching Amendments
In enacting the Privacy Act,[2] Congress found that:
(1) the privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies;(2) the increasing use of computers and sophisticated information technology, while essential to the efficient operations of the Government, has greatly magnified the harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of personal information;(3) the opportunities for an individual to secure employment, insurance, and credit, and his right to due process, and other legal protections are endangered by the misuse of certain information systems;(4) the right to privacy is a personal and fundamental right protected by the Constitution of the United States; and(5) in order to protect the privacy of individuals identified in information systems maintained by Federal agencies, it is necessary and proper for the Congress to regulate the collection, maintenance, use, and dissemination of information by such agencies.
All five of these Congressionally-recognized interests are implicated by the computer matching program sought by SSS. In 1988, Congress amended the Privacy Act to ensure that computer matching was subject to privacy protections. The Computer Matching and Privacy Protection Act requires federal agencies to follow certain procedures to ensure fairness in data matching.[3] The SSS notice of computer matching does not meet the Act's requirements.
The SSS/DoE Matching Proposal Is Deficient
The SSS matching proposal does not meet several key elements of the Privacy Act. First, under the Act, the SSS must state the anticipated results of the program and a specific estimate of any savings.[4] This justification of the matching program is not provided in the SSS notice.
Second, the Act requires a description of each data element that will be used in the matching and the approximate number of records that will be matched.[5] While the notice identifies the categories of records, the data elements are not identified, nor has the agency estimated the number of records involved.
Third, the Act requires that the SSS specify procedures for individuals to receive notice of the data matching.[6] The SSS has not published these procedures in the notice.
Fourth, the Act requires that SSS specify procedures for verifying information produced in the matching program.[7] The SSS has not published these procedures in the notice. This is particularly troublesome, as students who are marked as having a match could have their academic careers disrupted.
Fifth, the Act requires that SSS specify procedures for retention and destruction of records in the matching program.[8] The SSS has not published these procedures in the notice.
Sixth, the Act requires that SSS specify administrative, technical, and physical security procedures for the data involved in the program.[9] The SSS has not published these procedures in the notice.
Seventh, the Act requires that SSS specify prohibitions on duplication and redisclosure of records involved in the data matching. The SSS has not published these procedures in the notice.
Eighth, the Act requires SSS to publish information on assessments made on the accuracy of the records that will be used.[10] The SSS has not published an assessment in the notice.
Conclusion
The notice of data matching between the SSS and Department of Education does not comply with the Computer Matching or Privacy Acts. We call upon the SSS to suspend this data matching program.
Respectfully submitted,
| Chris Jay Hoofnagle |
Robert Ellis Smith |
|
Ken McEldowney |
Remar Sutton |
|
Tena Friery
|
Mark F. Smith |
|
Pam Dixon |
|
CC:
William J. Leidinger
Chief Information Officer
Department of Education
FOB-6 Room Number 2W311
400 Maryland Avenue, SW
Washington, DC 20202
Gaston Naranjo, SSS
[1] Computer Matching Between the Selective Service System and the Department of Education, 69 Fed. Reg. 64353 (Nov. 4, 2004), http://a257.g.akamaitech.net/7/257/2422/06jun20041800/edocket.access.gpo.gov/2004/04-24634.htm.
[2] P.L. 93-579, 88 Stat. 1896 (1974).
[3] P.L. 100-503 (1988).
[4] 5 U.S.C. 552a (o)(1)(B).
[5] 5 U.S.C. 552a (o)(1)(C).
[6] 5 U.S.C. 552a (o)(1)(D).
[7] 5 U.S.C. 552a (o)(1)(E).
[8] 5 U.S.C. 552a (o)(1)(F).
[9] 5 U.S.C. 552a (o)(1)(G).
[10] 5 USC 552a (o)(1)(J).
Last Updated:
December 21, 2004
Page URL: http://www.epic.org/privacy/student/sssdatamatch.html