View all text of Part 1321 [§ 1321.1 - § 1321.9]

§ 1321.8 - Confidentiality.

(a) Responsibilities of each Recognized Statistical Agency and Unit. Each Recognized Statistical Agency and Unit must uphold the responsibility to protect the trust of information providers by ensuring the confidentiality and exclusive statistical use of confidential statistical data by carrying out its duties under this paragraph (a). The Recognized Statistical Agency or Unit must determine whether the tools, practices, and procedures employed to ensure the effective security of the confidential statistical data it holds comply with this part and with statistical laws. Each Recognized Statistical Agency or Unit must:

(1) Secure all confidential statistical data against unauthorized access. This includes:

(i) Ensuring that any information systems containing confidential statistical data employ effective barriers to restrict access such that only employees of the Recognized Statistical Agency or Unit or its authorized agents have access to such data. This must be done in accordance with the requirements of the Confidential Information Protection and Statistical Efficiency Act of 2018, codified as amended at 44 U.S.C. 3561-3576; other applicable statistical laws; and policies and guidance issued by the Office of Management and Budget, while also ensuring compliance with the Federal Information Security Modernization Act of 2014, codified as amended at 44 U.S.C. 3551-3558, and other applicable laws and policies;

(ii) Ensuring required security policies, configurations, and controls placed on information technology assets are appropriate to protect the confidentiality of confidential statistical data throughout the data lifecycle;

(iii) Controlling logical access to data storage assets containing confidential statistical data and restricting access to authorized personnel; and

(iv) Complying with paragraph (c) of this section;

(2) Ensure that confidential statistical data are not used for any nonstatistical purposes. This includes:

(i) Coordinating with the agency Chief Freedom of Information Act Officer to ensure appropriate application of exemptions pertaining to confidential statistical data in response to Freedom of Information Act requests;

(ii) Employing current best practices, including statistical disclosure avoidance methods and procedures, to minimize the risk of disclosing confidential statistical data; and

(iii) Complying with paragraph (c) of this section;

(3) Provide information to the public about the integrity, confidentiality, and impartiality of all confidential statistical data acquired and maintained under its authority, so that it retains the trust of its information providers and data users, by:

(i) Making readily accessible, for example, through its website, information about its policies on confidentiality and information security;

(ii) Developing and maintaining a comprehensive data inventory as required under 44 U.S.C. 3511 and related guidance; and

(iii) Complying with the Standard Application Process required under 44 U.S.C. 3583 and related guidance;

(4) Provide sufficient information to respondents to enable them to make an informed decision about whether to provide the requested information by:

(i) Providing notification statements to respondents to collections of information sponsored by the Recognized Statistical Agency or Unit consistent with this section, including the intended uses of the information being collected, potential future uses, their relevance for public purposes, and the extent of confidentiality protection that will be provided; and

(ii) When acquiring data from another agency, ensuring that any agreement with the providing agency addresses any legal requirements for notice and consent consistent with applicable law and applicable rules implementing 44 U.S.C. 3581;

(5) Maintain and develop professional staff, or identify appropriate ways to access professional staff, that are trained in statistical disclosure limitation and restricted access mechanisms to maximize the protection of the confidential statistical data throughout the data lifecycle, including creation or collection, processing, dissemination, use, storage, and disposition; and

(6) Inform employees, contractors, and other approved agents of the Recognized Statistical Agency or Unit of their responsibility not to willfully disclose confidential statistical data in an identifiable form, and of the legal consequences of such disclosure, such as the penalty in 44 U.S.C. 3572(f) that provides that any officer, employee, or approved agent of the Recognized Statistical Agency or Unit who willfully discloses such information is subject to fines and penalties, to include being guilty of a class E felony and imprisoned for not more than 5 years, or fined not more than $250,000, or both.

(b) Responsibilities of each parent agency. Each parent agency must enable, support, and facilitate the Recognized Statistical Agency or Unit in carrying out its responsibility to protect the trust of information providers by ensuring the confidentiality and exclusive statistical use of its information. Each parent agency must:

(1) Ensure that the Recognized Statistical Agency or Unit has the sole authority to provide access to its confidential statistical data. Unless otherwise prohibited by statute, when a statute, rule, or policy authorizes any other official to control access to such data, that responsibility must be delegated to the head of the Recognized Statistical Agency or Unit.

(2) Ensure that implementation of the Federal Information Technology Acquisition Reform Act, 40 U.S.C. 11319, is consistent with the Recognized Statistical Agency or Unit's responsibility to protect confidential statistical data from unauthorized use or disclosure, by:

(i) Ensuring that information technology policies appropriately safeguard and protect the integrity, confidentiality, and availability of confidential statistical data; and

(ii) Ensuring that confidential statistical data are protected by any effective security standards established in writing by the Recognized Statistical Agency or Unit.

(3) Ensure that the Senior Agency Official for Privacy consults with the Recognized Statistical Agency or Unit when the Senior Agency Official for Privacy performs duties related to the Recognized Statistical Agency or Unit's statistical activities, including under the Privacy Act of 1974, codified as amended at 5 U.S.C. 552a; the E-Government Act of 2002, codified at 44 U.S.C. 3501 note; and other applicable statutory requirements, including:

(i) Conducting Privacy Impact Assessments on information technology systems that store and process confidential statistical data, as required by law and Office of Management and Budget guidance;

(ii) Responding to Privacy Act requests to access or amend confidential statistical data maintained by the Recognized Statistical Agency or Unit; and

(iii) Responding to breaches of confidential statistical data containing personally identifiable information in a way that complies with law and policy and is sensitive to the Recognized Statistical Agency or Unit's need to maintain the public trust.

(4) Ensure that the agency Chief Freedom of Information Act Officer coordinates with the Recognized Statistical Agency or Unit to ensure appropriate application of exemptions pertaining to confidential statistical data in response to Freedom of Information Act requests.

(c) Responsibilities to protect confidential statistical data. Each Recognized Statistical Agency or Unit is responsible for protecting the confidentiality and exclusive statistical use of confidential statistical data by carrying out its duties under this paragraph (c). Each parent agency must enable, support, and facilitate the Recognized Statistical Agency or Unit in carrying out its responsibility to protect the confidentiality and exclusive statistical use of confidential statistical data.

(1) The head of each Recognized Statistical Agency or Unit must:

(i) Determine who is authorized to access confidential statistical data;

(ii) Ensure that access to confidential statistical data is limited to officers and employees of such Recognized Statistical Agency or Unit and its designated agents; and

(iii) Establish written standards and processes by which the head of such Recognized Statistical Agency or Unit designates a person as an agent, which must:

(A) Comply with 44 U.S.C. 3572 and other applicable statistical law;

(B) Ensure designated agents are fully informed of, and have agreed to comply with, all legal requirements to access confidential statistical data; and

(C) Define the scope of such agent's authorization to access confidential statistical data.

(2) The parent agency head must:

(i) Ensure confidential statistical data are secure from access by any individual unless such individual has been authorized to access such confidential statistical data by the head of the Recognized Statistical Agency or Unit in accordance with paragraph (c)(1) of this section;

(ii) Prohibit agency officers or employees from accessing confidential statistical data unless they have been authorized to access such confidential statistical data by the head of the Recognized Statistical Agency or Unit in accordance with paragraph (c)(1) of this section; and

(iii) Ensure the Recognized Statistical Agency or Unit has the resources necessary to ensure confidential statistical data are secure from unauthorized access.

(3) Nothing in this part authorizes the parent agency head, or anyone else, to access confidential statistical data, unless the head of the Recognized Statistical Agency or Unit has designated such individual as an agent.

(4) When a component needs access to confidential statistical data, the head of the component must:

(i) Establish policies to prohibit access to confidential statistical data by any individual unless such individual has been authorized by the head of the Recognized Statistical Agency or Unit in accordance with paragraph (c)(1) of this section;

(ii) Ensure that any officer or employee that needs to access confidential statistical data meets the written requirements issued by the Recognized Statistical Agency or Unit;

(iii) To the greatest extent possible, limit the scope and number of its requests for access to confidential statistical data;

(iv) Coordinate with the Recognized Statistical Agency or Unit to determine the number of persons needing access to confidential statistical data; and

(v) Provide the Recognized Statistical Agency or Unit with any information necessary for the Recognized Statistical Agency or Unit to make a determination regarding access to confidential statistical data.

(5) The head of the Recognized Statistical Agency or Unit must coordinate with the head of the parent agency or any component requesting access to confidential statistical data as described in paragraphs (c)(2) and (4) of this section to identify and designate necessary agents to fulfill the component's responsibilities.

(6) If the parent agency head finds that the Recognized Statistical Agency or Unit is unable to designate a sufficient number of agents for the parent agency to fulfill its responsibilities, the parent agency head must consult with the head of the Recognized Statistical Agency or Unit and the Chief Statistician of the United States to resolve the issue.

(7) Each Recognized Statistical Agency or Unit must track access to its information systems that contain confidential statistical data and maintain sufficient access logs that detail the individual accessing such data and the time of access. Each Recognized Statistical Agency or Unit must ensure that confidential statistical data hosted outside of its information systems is maintained in a manner such that the host can track access to the confidential statistical data in a way sufficient to detail the individual accessing the data and the time of access and that the Recognized Statistical Agency or Unit is notified in a timely manner of any unauthorized access. The parent agency must ensure the Recognized Statistical Agency or Unit has sufficient technology resources to ensure all access to confidential statistical data is tracked.

(i) The Recognized Statistical Agency or Unit must monitor the access log to ensure only authorized persons have accessed confidential statistical data.

(ii) If any unauthorized person has accessed confidential statistical data, the Recognized Statistical Agency or Unit must notify the parent agency head and the Chief Statistician of the United States, and the parent agency head and the head of the Recognized Statistical Agency or Unit must:

(A) Address any deficiencies that led to such unauthorized access to ensure unauthorized access does not occur in the future; and

(B) Provide a written report to the Chief Statistician of the United States within 30 days detailing the remediation efforts.