How Federal Agencies Protect Confidential Data

J. Neil Russell, Ph.D.

Demetra Collia, M.S., M.H.S.

U.S. Department of Transportation

Bureau of Transportation Statistics

2003 Traffic Record Forum

Outline

• Federal laws for protecting information

• New Federal law: 2002 CIPSEA

• CIPSEA’s affect on Federal agencies

• Procedures for protecting confidential information

• Protecting information prior to release2

Federal Laws for Protecting Data

• The Privacy Act of 1974

• The Freedom of Information Act (FOIA)

• Other Federal agency specific law– Focus on BTS’ information protection statute

3

The Privacy Act of 1974

• 5 U.S.C. 552a

• Information is confidential if:– Held by a Federal agency– About living U.S. citizen (or permanent resident)– Maintained in a “system of records”, that is

information can be retrieved by a unique identifier, e.g.: name or SSN

4

The Privacy Act of 1974(continued)

• However, permitted releases of information:– As required by the Freedom of Information Act– To other Federal agencies– Law enforcement agencies– Under a court order– For Federal debt collection– A compelling health or safety reason

5

The Privacy Act of 1974(continued)

• Privacy Act does not protect:– Non-citizens, non-permanent resident– Deceased persons– Businesses or other institutions– Indirect identifiers: sex, age, race, education,

occupation,or city of residence– Any other data element that is not a direct

personal identifier

6

The Freedom of Information Act(FOIA)

• 5 U.S.C. 552

• All information obtained by Federal agency is to be publicly available, except under certain exemptions:– # 4: proprietary information– # 6: personal or medical information

7

Other Federal Agency Laws

• Some Federal agencies’ have specific laws that require information protection (stronger protection than the Privacy Act):– Census Bureau: 13 U.S.C. 9– National Center for Education Statistics: 20 U.S.C. 9007– National Center for Health Statistics: 42 U.S.C. 242m– Bureau of Transportation Statistics (BTS): 49 U.S.C. 111(i)

8

BTS’ Information Protection Statute

• BTS employees and contractors shall not:– make any disclosure which could identify an individual

or organization;– use the information for a non-statistical purpose;– permit unauthorized persons to examine individual

reports;

• Prohibitions on data releases:– No government agency may require a copy of any

individual report;– Any copy of a report shall be immune from the legal

process (i.e.: courts cannot require a copy of any report).

9

New Legislation:Confidential Information Protection

and Statistical Efficiency Act of 2002 (CIPSEA)

• Public Law 107-347, Title V: E-Gov’t Act of 2002

• New law affects all executive branch Federal agencies

10

CIPSEA Subtitle A, Confidential Information Protection

• An agency may collect information under a pledge of confidentiality for statistical purposes

• This information may not be disclosed in identifiable form for any non-statistical purpose without the informed consent of a respondent

• The information collected is exempt from release under the Freedom of Information Act (FOIA)

11

CIPSEA Benefits for Federal Agencies

• Most agencies did not have specific laws ensuring confidentiality of information

• Agencies can now protect data when collected for statistical purposes only

• Better protection of confidential data may encourage respondents to participate in data collections

• Agencies can avoid disputes about withholding information under FOIA requests

12

Defining Information Types Under CIPSEA

• Statistical purposes - using information to describe or make estimates about whole or subgroups of the economy, society, or environment

• Non-statistical purposes - using information for administrative, regulatory, law enforcement, judicial, or other purposes that may affect the rights, privileges, or benefits of a respondent

13

Statistical Information Collected Under CIPSEA

• When information is collected for a statistical purpose only:– Information is categorized as confidential– Must protect information; cannot allow direct or indirect

identification of data provider– Data cannot be shared for non-statistical purposes– Information can be shared for statistical purposes by

written agreements; data user bound to provide same level of protection as agency gives

– Class E felony for disclosing confidential information (5 years prison and/or $250,000 fine)

14

Non-statistical Information Collected Under CIPSEA

• Non-statistical purposes– A Federal agency must clearly explain to data

provider before any information is collected, that it will be used for non-statistical purposes

– Information is not confidential

15

Protecting Confidential Data

• If information is collected for a statistical purpose - federal agency must have controls and procedures in place to protect the confidential information

• Agencies must act to protect the information:– Agency contractors are subject to CIPSEA– Agencies must have internal procedures– Must protect information prior to public

dissemination

16

Internal Agency Procedures

• If agency invokes CIPSEA, this could imply certain procedures for protecting confidential information:– Documented set of procedures– Training of employees on handling data– Non-disclosure affidavit when employee or

contractor enters or leaves agency– Review aggregated or microdata before public

release for disclosures of confidential data– Apply certain statistical methods to data to

prevent disclosures

17

Internal Agency Procedures (continued)

– Information security procedures for protecting electronic and hard copy data (work station, server, fax, print, work space)

– Review of contracts, interagency agreements, MOUs, reimbursable agreements for language that directs protection of information

– Review of information collection instruments for “pledge of confidentiality”

18

Protecting Data Prior to Public Release

• Information collected under CIPSEA for a statistical purpose must be reviewed for potential disclosures prior to public release:– Tabular data– Microdata

• Statistical disclosure limitation (SDL) methods are used to protect information prior to public release

19

SDL Methods for Tabular Data

• Aggregation – collapse columns or rows

• Perturbation – add “noise” to tabular data– Add random noise to cells in table– Round cell values– Controlled adjustment – target sensitive cells– Markov – unbiased cycle of cell modification– Add noise to microdata before creating tables

• Complementary cell suppression –– Blank out sensitive cells and cells used to

recover sensitive cells20

General Methods for Protecting Microdata

• Delete sensitive variable(s)

• Recode a categorical variable into fewer categories (perhaps using thresholds)

• Recode a continuous variable into categories

• Round continuous variables

• Top and/or bottom code variables

• Suppress small geographic areas

21

SDL Methods for Microdata

• Add noise

• Record swapping

• Blank and impute certain variables or records

• Microaggregation

• Multiple imputation/modeling to generate synthetic data

22

How BTS Protects Information

• BTS has a special law that require protecting information it collects (49 U.S.C. 111(i))

• Confidentiality Officer

• Manual on confidentiality procedures

• Disclosure Review Board (DRB)

23

Neil RussellConfidentiality OfficerBureau of Transportation Statistics202-493-2147neil.russell@bts.gov

24

Questions ?

Demetra ColliaBureau of Transportation Statistics202-366-1610demetra.collia@bts.gov