UIPL19-12acc.pdf

RESCISSIONS: None
EXPIRATION DATE: Continuing

EMPLOYMENT AND TRAINING ADMINISTRATION ADVISORY SYSTEM
U.S. DEPARTMENT OF LABOR
Washington, D.C. 20210

CLASSIFICATION: UI
CORRESPONDENCE SYMBOL: OUI/DL
DATE: May 23, 2012

ADVISORY: UNEMPLOYMENT INSURANCE PROGRAM LETTER NO. 19-12

TO: STATE WORKFORCE AGENCIES
FROM: JANE OATES /s/, Assistant Secretary
SUBJECT: Disclosure of Confidential Unemployment Compensation (UC) Information to Private Entities Under 20 CFR 603.5(d)(2)

1. Purpose.
To provide guidance on disclosure of confidential UC information to private entities seeking to serve as intermediaries between lenders and state unemployment insurance (UI) agencies.

2. References.
Title III, Social Security Act (SSA) (42 USC 501 et seq.); Electronic Signatures in Global and National Commerce Act (E-Sign) (15 U.S.C. 7001 et seq.); Fair Credit Reporting Act (15 USC 1681 et seq.); 20 CFR Part 603; 29 CFR Part 97; Unemployment Insurance Program Letter (UIPL) No. 23-96 (superseded by regulation); UIPL Nos. 24-04 and 24-04, changes 1 through 5; Office of Management and Budget Circular No. A-87, Cost Principles for State, Local, and Indian Tribal Governments (codified at 2 CFR part 225); and United States Department of Health and Human Services, Cost Principles and Procedures for Developing Cost Allocation Plans and Indirect Cost Rates for Agreements with the Federal Government: Implementation Guide for Office of Management and Budget Circular A-87 (April 1997).

3. Background.
On May 31, 1996, the U.S. Department of Labor (Department) issued UIPL No. 23-96 in response to an agreement between the Iowa Department of Employment Services and a third party (other than an agent) to allow that third party to use Iowa wage records as part of an electronic credit verification process. UIPL No. 23-96 stated that, provided certain conditions were met, this practice would not be inconsistent with Federal UC law. After issuance of UIPL No. 23-96, the Department published major amendments to the regulations at 20 CFR Part 603, Confidentiality and Disclosure of State UC Information. The regulation at Section 603.5(d)(2) supersedes UIPL No. 23-96.

Several states have recently been contacted by third-party entities seeking confidential UC information. These entities are not agents of the individuals or employers whose information is sought, but are requesting access to this information to facilitate determinations of credit-worthiness for those individuals. It is our understanding, based on state reports of their conversations with these private entities, that the private entities propose to access the state wage database (or a mirror server containing only wage data) in real time, and with no state review of individual requests, to obtain information to pass on to lenders and other providers of credit. The third parties understand that the lenders must obtain an informed consent release signed by the individuals whose records are sought and must provide that consent form to the third-party private entity.

This UIPL addresses the application of disclosure requirements to third parties other than an agent for an individual or employer in the context of the provisions of 20 CFR Part 603. While the Department does not discourage participation by states in an agreement to provide confidential UC information under the conditions discussed in this UIPL or under the requirements of 20 CFR 603.5(d)(2), there may be significant consequences for the individual whose data is being accessed, and we encourage states to be rigorous in ensuring fairness and accuracy. The Department does not directly approve or authorize disclosure of confidential UC information contemplated by 20 CFR 603.5(d)(2); this UIPL merely addresses disclosures permitted by that provision. It also includes considerations states should take into account as they review this type of proposal from private entities.

4. Discussion.

a. General Requirements for Confidentiality.
Section 303(a)(1), SSA, makes the Secretary of Labor's certification to the Department of the Treasury, required for the payment of UC grants to states, contingent on a finding that state law provides for methods of administration that are reasonably calculated to ensure full payment of unemployment compensation when due. The disclosure of confidential UC information could undermine the integrity of the system, thereby discouraging employers and workers from participating in it. Accordingly, the Department interprets this provision to require that state law include provision for maintaining the confidentiality of any UC information which reveals the name or any identifying particular about any individual or employer, or which could foreseeably be combined with other publicly available information to reveal such particulars. See 20 CFR 603.4(b). However, the regulation permits states to disclose confidential UC information under certain circumstances, if state law allows. Specific to the circumstances addressed in Section 603.5(d)(2), states may provide an individual's wage or claim data to a third party who is not an agent of that individual if the third party obtains from the individual an informed consent form meeting the regulatory requirements discussed in paragraph 4.b of this UIPL. Thus, transactions by which private entities request the confidential UC information of individuals whom they do not represent require an informed consent form signed by those individuals.

b. Informed Consent.
Section 603.5(d)(2) requires that private entities seeking to obtain confidential UC information first obtain from the individual whose information is sought a written, signed consent that includes: (1) the specific information to be disclosed; (2) a statement that state government files will be accessed; (3) the purpose for which the information is sought and a statement that the information obtained will be used only for that purpose; and (4) all parties to whom the information may be released. That section of the regulation also requires that the purpose specified in the release provide a service or benefit that the individual expects to receive as a result of signing the release. In addition, Section 603.10(b)(2) requires that the information be released only to parties authorized under the release and that it be used only for the specific purposes authorized in the release. Thus, disclosure must be limited to the purpose or purposes specific to the information provided in the informed consent release. See Section 603.5(d)(2)(i)(C).

In recognition of advances in technology as well as the enactment of E-Sign, the note to Section 603.5(d)(2) provides: "If an informed consent release is to be effectuated electronically, the State must determine whether E-Sign applies to that transaction and, if so, make certain that the transaction satisfies the conditions imposed by E-Sign. The State must also make certain that the electronic transaction complies with every other condition necessary to make it legally enforceable."

If states planning to secure informed consent releases electronically have not previously created an informed consent form that meets the requirements of Section 603.5(d)(2), it will be necessary to do so before confidential UC information may be disclosed. States may create such a form on their own or may work with any private third-party entity seeking confidential UC information to create a form that meets the requirements of Section 603.5(d)(2).
States may also take into consideration, in creating an informed consent release form, any confidentiality requirements in banking law that the private entity is required to follow. There is no requirement that several or all states use the same form, so long as it meets both Federal requirements and the legal requirements of any state using the form.

Before disclosure, states may, but are not required to, first obtain a physical copy, rather than an electronic copy, of the informed consent release. A PDF copy of a signed informed consent form, when submitted to the state UI agency with the request for confidential UC information, may serve as a copy for the state's records. However, if state law does not require receipt of a physical copy of the release from the private entity, the state must require in its agreement with the private entity meeting the requirements of Section 603.10 that the private entity retain a copy of the informed consent forms, whether physical or electronic, and make such copies available upon request for audits and/or on-site inspections. The agreement entered into between the state and the private entity must, at a minimum, require that the private entity retain informed consent forms for at least the three years the state agency is required under 29 CFR 97.42 to retain records, so that the state may audit the third party consistent with Section 603.9(b)(vii). To the extent banking, fair credit, or such other laws governing the conduct of business by third-party entities require a longer retention period, those laws should govern the parties' agreement. In addition, states may apply state law on records retention if the state law requires a retention period longer than the three years specified in 29 CFR 97.42.

c. Redisclosure of Confidential UC Information.
Information available to the Department reflects that the third-party entities now seeking to obtain individuals' confidential UC information intend to obtain from lenders and other entities extending credit a release form signed by the individual. The third parties would then obtain the wage data from the state UI agency and send it to the lender. The third party's release to the lender constitutes a redisclosure of confidential UC information under Section 603.9(c). The redisclosure contemplated by the third parties is listed among permitted redisclosures at 20 CFR 603.9(c)(viii). Thus, to the extent the informed consent form names a specific lender, lenders, or other entity extending credit, the third-party entities may redisclose confidential UC data only to the named party or parties and only for the single specified purpose consistent with the informed consent authorization.

Consistent with the specific-purpose requirement in Section 603.5(d)(2)(i)(C), the agreement between the state and the third-party entity must prohibit the third-party private entity from populating its database with individuals' confidential UC information or including confidential UC information in credit reports, credit ratings, or any other system containing individuals' personally identifiable information, except to the extent the state determines such record retention is required by the Fair Credit Reporting Act and other state and Federal banking laws. This requirement applies to both third-party entities and lenders. Thus, third-party entities and lenders may retain confidential UC information only for the purpose or purposes designated in the informed consent release and for no other purpose or purposes.

d. Audit Requirement and Reporting.
The Department is aware that it may be difficult to control or detect redisclosure of confidential information.
However, Section 603.9(b)(vii) requires that the recipient of confidential UC information maintain a system sufficient to allow an audit of compliance with the requirements of this part. Because an informed consent will reflect both the originating lender and the third-party entity as recipients, both are subject to the safeguarding requirements of Section 603.9(b). Both the lender and the third-party entity must maintain systems sufficient to permit the state to audit for compliance with these regulatory requirements, and states must conduct periodic audits of both the lender and the third-party entities to ensure compliance with the agreement required by Section 603.10. However, since a state's agreement is only with the third party and not with the lenders seeking to verify an individual's credit-worthiness, states must include in their agreements with the third parties who are not agents of the individuals whose information is sought a requirement that the lenders and other entities to whom the data is redisclosed maintain systems sufficient to allow an audit, by the state releasing the UC information, of compliance with the part 603 regulatory requirements. Moreover, the agreement between the third party and the lender or other ultimate recipient must include provision for the state UI agency to conduct on-site visits to ensure compliance with 20 CFR Part 603. See 20 CFR 603.10(b)(vi).

State UI agencies must provide for and conduct random audits of third-party entities' access to, redisclosure of, and retention and disposal of confidential UC information, as well as audits of lenders to whom third parties redisclose the confidential information. States must audit a reasonable number of transactions in light of the total number of transactions processed each month. Audits must be conducted by auditors with a high level of expertise in auditing electronic transactions.
The costs associated with audits, which preliminary research reflects could range from approximately $140 per hour to $200 per hour, may not be charged to the agency's Title III administrative grant. We recommend that states include the costs of such audits in the calculated costs of disclosure to third parties. In addition to the audits conducted by state agencies, the Department may audit the state's results, and both the state's and the Department's audits are subject to review by the Office of the Inspector General.

To monitor state compliance with audit requirements, the Department will require that states submit reports concerning transactions with third parties. This reporting requirement is in addition to any reports currently required by the Department for program operations. With regard to the reporting and data collection requirements, the Department is in the process of submitting an Information Collection Request (ICR) to the Office of Management and Budget (OMB) requesting changes to existing collections and new collections. The Department notes that a Federal agency cannot conduct or sponsor a collection of information unless it is approved by OMB under the Paperwork Reduction Act of 1995 and displays a currently valid OMB control number, and the public is not required to respond to a collection of information unless it displays a currently valid OMB control number (see 44 U.S.C. 3507). Also, notwithstanding any other provisions of law, no person shall be subject to penalty for failing to comply with a collection of information if the collection of information does not display a currently valid OMB control number (see 44 U.S.C. 3512). The Department will issue guidance to states to notify them of OMB's decision upon review of the Department's ICR, including any changes that may result from this review process.

e. Program Income.
It is permissible for a state to generate profit (income in excess of costs) based on an agreement with a private entity designed to govern the disclosure of confidential UC information for the purposes described in this UIPL. Section 603.8(c) provides that "[t]he costs to a State or State UC agency of processing and handling a request for disclosure of information must be calculated in accordance with the cost principles and administrative requirements of 29 CFR part 97 and Office of Management and Budget (OMB) Circular No. A-87 (Revised)." OMB Circular No. A-87, corresponding regulations at 2 CFR part 225, and the official implementing guidance published by the U.S. Department of Health and Human Services, as adopted by OMB and referenced in 2 CFR part 225, Appendices C and E, establish standards for determining costs that states may charge to grants, contracts, and other Federal financial awards, and provide that profits are unallowable when charged to grant funds themselves. However, they neither address nor prohibit profits when those profits are not paid out of grant funds.

The regulations at 29 CFR Part 97, in particular Section 97.25(a), specifically provide that "[G]rantees are encouraged to earn income to defray program costs." Section 97.25(b) defines program income as "gross income received by the grantee or subgrantee directly generated by grant supported activity, or earned only as a result of the grant agreement during the grant period." Additionally, under Section 97.25(a), "[p]rogram income includes income from fees for services performed, from the use or rental of real or personal property acquired with grant funds, from the sale of commodities or items fabricated under a grant agreement, and from payments of principal and interest on loans made with grant funds." Thus, 29 CFR Part 97 permits income to be received as the result of a financial agreement between a state UI agency, as grantee, and a third-party private entity, and is consistent with regulations at 20 CFR 603.8(c) and (e).
Profits, or income above the cost of the service provided, from such an agreement would be defined as program income and would be subject to the use limitations established by 29 CFR 97.25(g).

f. Agreement on Costs, Safeguards, and Other Required Provisions.
Section 603.10 of the regulation requires the state agency to enter into a written, enforceable agreement when access to confidential UC information is to be granted to a third party. As set forth in Section 603.10(b), the agreement must include, among other things, a description of the information sought and the purpose for which it is sought; a statement that access will be limited to those persons with a need based on purposes listed in the agreement; provisions for payment in advance of disclosure to the state agency for costs of furnishing the information (Section 603.8(d)); and provisions for safeguarding the information disclosed (Section 603.9). In addition, states must provide in the agreement for on-site inspections to ensure that the requirements of the agreement are being met. The cost of on-site inspections is one of the costs that, under Section 603.8(a), may not be charged to the State's administrative grant and thus must be included as part of the state agency's costs of furnishing the information. States must also require the recipient entity to instruct all personnel having access to the data of the penalties under state law for unauthorized disclosure of confidential UC information in accordance with Section 603.9(b)(1)(v).

Section 603.9(b)(vi) requires that the agreement entered into between the parties provide that the recipient ". . . dispose of information disclosed or obtained, and any copies thereof made by the recipient agency, entity, or contractor, after the purpose for which the information is disclosed is served." (Emphasis added.)
Because use of the information is limited to a single purpose under Section 603.5(d)(2)(i)(C), private entities are prohibited from retaining that information in their database or redisclosing the data for any other purpose. Thus, except to the extent lenders are required under banking laws to maintain documentation to support lending decisions and documentation of wage records is incorporated into the supporting documentation for extension of credit, or to the extent documentation must be retained as required by state UC agency audit procedures, neither lenders nor third-party entities may retain in their records and/or use for any other purpose the wage data provided under an agreement to disclose confidential UC information. This requirement applies equally to the third-party entities obtaining the information from the states and to the lenders to which or to whom the third-party private entity rediscloses the confidential UC information, and states must require that third-party recipients make this prohibition part of their agreement with lenders.

Section 603.9(b)(vii) requires the recipient of confidential UC data (both third-party entities and lenders) to maintain systems sufficient to allow an audit of compliance with the requirements of 20 CFR Part 603, including disposal of confidential UC information. Such audits should include review of the technical system and network physical security and access and administrative controls and compliance with the agreement between the state and the third-party entity. While specific audit procedures may vary among states, the Department has issued guidance to State Workforce Agencies (SWAs) in UIPL No. 24-04 and UIPL Nos. 24-04, changes 1 through 5, providing specific information on the National Institute of Standards and Technology's (NIST) Information Technology (IT) security guidelines.

g. Access to Data.
Section 603.5 provides that, under most of the exceptions to the confidentiality requirement established under that section, a state may disclose confidential UC information only if authorized by State law and only when such disclosure does not interfere with the efficient administration of the state's UC law. This includes disclosures under Section 603.5(d)(2) to third parties based on informed consent. Section 603.9(c) provides that a state or state UC agency may authorize redisclosure to third-party non-agents under the safeguards required by that section. In addition, Section 603.10(b)(1)(iii) requires that an agreement between a state UC agency and a recipient of confidential UC information include, among other things, information on the methods and timing of requests for information and responses to those requests, including the format to be used.

We interpret these provisions to require a state's thoughtful participation in the process and a deliberate, affirmative act by the state UC agency to effectuate each disclosure of confidential information. Thus, third parties, both agents and non-agents, must submit requests for information to the state. States may not permit these entities to have direct access to the state UI database or a subset of the data contained in or originating from a state's database, regardless of format (e.g., by creating mirror databases). This ensures that recipients of confidential UC information under Section 603.5(d)(2) do not access the records of individuals for whom they do not have a signed informed consent form. Allowing the process to run without state participation would open it up to abuse. And while unauthorized access to wage records could potentially be discovered in a subsequent audit, discovery would be made more difficult and resource-intensive, as a state would have to audit every record accessed and request a copy of each corresponding consent form to ensure that there had been no breach of confidentiality.
A state's active participation in each disclosure significantly reduces the likelihood of unauthorized access to confidential UC information.

Under Sections 603.9(b)(1)(iii) and (iv), a state must require that recipients of confidential UC information in an electronic format store and process it so as to provide access only to authorized personnel and keep out all others. The Department interprets these provisions to require that data be transferred via a secure portal, such as a file transfer protocol (FTP) site where access can be limited to specific individuals with passwords. Sections 603.9(b) and 603.10(b) of the regulation contain provisions limiting access of disclosed data to authorized personnel with a need to know the information, set out the precautions recipients of the disclosed data must take to safeguard access, and provide instructions to be given to all persons authorized to access the confidential UC information. As noted in subparagraph 4.c above, these provisions apply to both the third-party entity obtaining wage data directly from a state and to the lender or other recipient of the data named in the informed consent form.

h. Penalties for Breach of the Agreement or Unauthorized Disclosure or Access.
Section 603.10(c) provides for suspension and subsequent termination of the agreement in the event of a breach of any of the terms of the agreement.
In addition, under Section 603.10(c)(2), states are required to undertake any other action under the agreement or the state's law to enforce the agreement and secure satisfactory corrective action or surrender of the information, and must take other remedial actions permitted under state or Federal law to effect adherence to confidentiality requirements in 20 CFR Subpart B, including seeking damages, penalties, and restitution as permitted under state or Federal law for any charges to granted funds and all costs incurred by the state or the state UC agency in pursuing the breach of the agreement and enforcement as required.

i. Efficient Administration of State UC Law.
Section 603.5 provides, in the unnumbered introductory language, that states may disclose confidential UC information consistent with the exceptions set out in that section "only if authorized by State law and if such disclosure does not interfere with the efficient administration of the State UC law." (Emphasis added.) The disclosure of confidential UC information contemplated by this UIPL is not a UC activity; thus, no steps taken to implement such disclosure may supersede, interfere with, or delay the efficient administration of state UC law. To the extent funded UC technology upgrade or replacement projects are in the development or implementation stage and not yet completed, the Department interprets the regulation to require that those projects for the efficient administration of the state's UC program take priority over any IT project designed to provide confidential UC information for purposes other than administration of the UC program.

5. Other Applicable Laws.
The Department reminds states that the disclosure of confidential UC information to third parties as contemplated in this guidance is also governed by the Fair Credit Reporting Act.
That law, at 15 USC 1681s-2, sets out responsibilities of furnishers of information to consumer reporting agencies as follows: "A person shall not furnish any information relating to a consumer to any consumer reporting agency if the person knows or has reasonable cause to believe that the information is inaccurate." In addition, 15 USC 1681n and 1681o make provision for civil penalties for both willful and negligent noncompliance, respectively, by any person who "fails to comply with any requirement imposed under this subchapter with respect to any consumer." We do not offer an opinion on or interpretation of the provisions of the Fair Credit Reporting Act because to do so would be outside the scope of our authority. However, we provide this information so that states may be aware of their potential responsibilities under that law.

6. Action Requested.
State administrators are requested to provide the above information and instructions to appropriate staff.

7. Inquiries.
Direct inquiries to the appropriate Regional Office.