Office of Analysis and Evaluation

EBT Data Privacy Issues for Food Benefit Programs

United States Department of Agriculture
Food and Nutrition Service

EBT DATA PRIVACY ISSUES FOR FOOD BENEFIT PROGRAMS

This report reflects what was learned from a roundtable discussion among privacy and other experts, summarizes existing privacy protections in Electronic Benefit Transfer (EBT) systems used in the Food Stamp Program and the Special Supplemental Food Program for Women, Infants and Children, and suggests strategies for continued and enhanced privacy protections as EBT expands.

Additional copies of this report may be obtained by calling the Office of Analysis and Evaluation, (703) 305-2133.

August 1994

Authors:
Joseph T. Casey
Brenda L. Monroe
George Trubow
Jenifer L. Wolfman

Submitted by:
Price Waterhouse
Office of Government Services
1801 K Street, NW
Washington, DC 20006

Submitted to:
U.S. Department of Agriculture
Food and Nutrition Service
Office of Analysis and Evaluation
3101 Park Center Drive
Alexandria, VA 22302

Project Director: Brenda L. Monroe
Project Officer: Alana Landey

This study was conducted under Contract Number FNS-3198-1-020 with the Food and Nutrition Service, U.S. Department of Agriculture, under the authority of the Food Stamp Act of 1977, as amended. Points of view or opinions stated in this report do not necessarily represent the official position of the Food and Nutrition Service.

TABLE OF CONTENTS

EXECUTIVE SUMMARY

I. INTRODUCTION
   A. The Evolution of EBT
   B. EBT in a Privacy Context
   C. Study Objectives

II. EBT AND PRIVACY BACKGROUND INFORMATION
   A. Definition and Description of EBT
   B. Federal Laws and Regulations Governing EBT Data Use
   C. General Privacy Issues

III. PRIVACY RESEARCH AND THE ROUNDTABLE DISCUSSION
   A. Program Administration and Compliance
   B. The Differences Between FSP and WIC Privacy Concerns
   C. Adequacy of Existing Limits
   D. Uses of EBT Data for Research
   E. Implications of Privacy Protection Needs for EBT Data Security
   F. Potential Uses of EBT Data
   G. Privacy Issues in EBT Demonstration Projects

IV. CONCLUSIONS AND STRATEGIES FOR PRIVACY PROTECTION
   A. Summary of Conclusions
   B. Strategies for Maintaining High Levels of Privacy Protection in EBT

APPENDICES
   Appendix A: Applicable Privacy Laws
   Appendix B: Food Stamp and WIC Regulatory Language on Privacy
   Appendix C: Research Performed on Privacy Issues
   Appendix D: EBT Privacy Roundtable Participants

EXECUTIVE SUMMARY

Electronic Benefit Transfer (EBT) replaces paper-based issuance systems for the Food Stamp Program (FSP), the Special Supplemental Food Program for Women, Infants, and Children (WIC), and cash benefit programs with systems that issue and redeem benefits through electronic funds transfer (EFT) networks and point-of-sale (POS) technology. FSP and WIC EBT systems generate and retain records on client food purchasing and retailer redemption patterns that do not exist under the paper issuance system. In addition, there are new "players" that have access to this information - retailers, system processors, and third-party processors. As EBT systems emerge nationwide, the Food and Nutrition Service (FNS) needs to ensure that privacy of recipient information and confidentiality of retailer information is adequately and appropriately incorporated into the planning and use of EBT system data.

This study identified the major privacy concerns for FSP and WIC Program recipients and retailers through literature reviews, interviews with various participants in the EBT arena, and a roundtable discussion among EBT stakeholders and other appropriate experts.

Overall, FSP regulations and, to a somewhat lesser extent,
WIC regulations, provide specific and adequate safeguards over access to and use of information about individuals and retailers. Other findings include the following:

• FSP and WIC regulations restrict the use of individual recipient EBT transaction data to benefit issuance and program integrity purposes.
• "Secondary" uses of EBT data, such as targeted marketing or locating individuals through transaction information for law enforcement purposes unrelated to benefit issuance, are prohibited without the recipient's consent.
• Multi-program, multi-State EBT raises the concern of opening access to data that was not shared prior to the use of EBT systems.
• FSP regulations protect the confidentiality of retailer information. WIC regulations, however, do not address the collection and use of retailer information.

Based on these findings, there are a number of strategies that the various parties that develop and use EBT systems and data should consider. These include the development of an overall privacy framework applicable to reviews of existing data as well as the planning of new uses of data. Such a framework could enhance the privacy and confidentiality protections that already exist within the FSP and WIC Program.

I. INTRODUCTION

A. The Evolution of EBT

The Food and Nutrition Service (FNS) has been at the forefront of developing and applying Electronic Benefit Transfer, or EBT, systems in public assistance programs for 12 years. As of April 1994, Food Stamp Program (FSP) participants in seven locations of varying size located throughout the United States receive their benefits through EBT. A demonstration for EBT in the Special Supplemental Food Program for Women, Infants, and Children (WIC) was recently completed, and others are planned. About 30 States are planning to develop and operate an EBT system for FSP and other programs. Many States have also expressed an interest in WIC EBT.
This new technology enhances food benefit service to FSP and WIC recipients. It can be and is used by other benefit programs, such as Aid for Families with Dependent Children (AFDC), child support, and Social Security. Unlike FNS' programs, these programs provide their recipients with cash benefits.

EBT has evolved into a viable, appealing alternative to conventional benefit delivery systems, and it is clear that it will play a central role in the delivery of nutrition assistance benefits in the Food Stamp and WIC Programs and in the delivery of cash benefits for other programs. The Secretary of Agriculture is committed to initiating nationwide EBT by 1996 and FNS must consider the range of operational issues associated with a complete shift from paper coupons to EBT. The study of EBT data privacy is one of these issues.

In its report to the Vice President, the Federal EBT Task Force recommended the unified delivery of government-funded benefits. Under this plan, EBT would involve many benefit programs and would function without regard to State borders. This report focuses on the privacy issues that impact FNS' programs, issues that may be quite different from those facing cash benefit programs.

B. EBT in a Privacy Context

Over the past several years, privacy issues in general have received extensive attention from the media, the courts, and business. Consumer advocacy groups lobby for more stringent limits on the uses of credit history, debt information, and other personal data. Manufacturers, on the other hand, increasingly rely on targeted marketing -- which requires detailed information on income, shopping habits, and household composition -- to win new customers. The results of public opinion surveys conducted over the past two decades indicate that government access to personal information is especially worrisome to the American public. These trends create a complex environment for the exploration of EBT privacy issues.
PRIVACY TERMINOLOGY

The terms personal information, privacy, confidentiality, and security are used throughout this report. For clarity in usage we define these terms as follows:

• Personal information is any information that describes or is referenced to an identifiable individual (not a business entity such as a retailer), whether that reference be by name, number, address, or some other identifier. Information is considered personal because of its reference and not because of its content.
• Privacy is a characteristic of natural persons and concerns how personal information is collected, used, and disclosed.
• Confidentiality is a characteristic of information management and implies that information can be disclosed only to certain persons under specified circumstances.
• Security is a characteristic of information systems and ensures that information in the system is protected from unauthorized access, disclosure, alteration, or loss.

Accordingly, system security implements confidentiality protocols, which in turn protect privacy. Assuring security is primarily a matter of management policy and system technology; confidentiality protocols reflect information management policy.

Food Stamp and WIC Program EBT systems issue and redeem benefits through the use of an electronic funds transfer network and point-of-sale (POS) technology. Participants use an electronically coded card instead of paper coupons to buy food. EBT systems collect and retain transaction-specific information to reconcile or balance benefit issuances with redemptions and debits with credits. To date, information accrued through EBT systems has been used primarily to ensure that funds are appropriately debited and credited. Electronic processing of information also creates the potential for greatly increasing FNS' knowledge of client food purchasing and retailer redemption patterns.
In addition, EBT creates the opportunity for additional entities, such as retailers and third-party processors, to access this information. The actual and potential uses of transaction data raise a variety of privacy-oriented questions that FNS must consider so that it can implement responsible EBT programs.

C. Study Objectives

FNS studied EBT privacy issues in the FSP and the WIC Program for two main reasons: to determine whether controls over access to and uses of EBT data are adequate, too lax or too strict; and, to anticipate and address some of the issues that may arise with the availability and potential use of the data. Specifically, this report:

• Identifies current and potential uses of EBT data.
• Examines current policies on uses of EBT data in the FSP and WIC Program and assesses their effectiveness in (1) protecting client and retailer rights and (2) supporting FNS' need to pursue programmatic objectives such as program integrity and effective benefit delivery.
• Outlines strategies that provide the best balance between these two potentially competing goals.
• Presents the opinions and perspectives of the broad range of EBT stakeholders and other appropriate experts.

This report is organized into the following sections:

• Background on EBT and privacy issues
• Findings from our research and the roundtable discussion
• Conclusions and strategies for privacy protection

The information presented in this report will assist FNS in its overall efforts to understand fully the privacy implications of EBT data use and to assess EBT data use policy.

II. EBT AND PRIVACY BACKGROUND INFORMATION

A. Definition and Description of EBT

Currently, most eligible FSP benefit recipients are given books of paper coupons that may be used to pay for a broad range of food items purchased at authorized retail stores.
In the WIC Program, recipients exchange vouchers at participating retail stores for specific food products such as milk and related items.

New computer and communications technologies present the opportunity to deliver benefits electronically. Under an EBT system, recipients in either program access benefits using an electronically encoded plastic card similar to those issued by banks and other financial institutions for use with automated bank teller machines and point of sale direct debit machines. Most EBT food stamp and cash benefit systems are on-line. The WIC program, due to its focus on specific items, has pursued off-line EBT which uses smart card technology. This EBT card is recognized in electronic information networks that validate the requests for benefits and authorize the purchase of food products.

This automated process has the potential to decrease administrative costs and reduce management burdens while improving the speed, convenience, and security of benefit delivery to qualified recipients. For example, EBT cards reported to be lost or stolen can be invalidated and their accounts frozen immediately, minimizing unauthorized access to the benefits. Payments are made directly to authorized accounts, curtailing coupon theft and other fraud. Benefits are drawn down as needed. The cards only work if the correct personal identification number (PIN) is used. EBT also enables the collection and maintenance of transaction information that can be linked to benefit recipients, retail stores, and financial institutions.

An EBT system ties together many persons and organizations:

• Recipients under FSP are the households eligible for food stamps. Recipients under the WIC Program are pregnant, breast-feeding and postpartum women, infants, and children under the age of five who are at "nutritional risk."
The head of household receives an EBT card and chooses a personal identification number (PIN), which serves as a signature and limits the use of the card, and access to benefits, to the cardholder. In WIC, individuals receive an EBT card. In the Wyoming demonstration project, all WIC participants in a family were on one card.
• A retailer is a food store that is authorized by FNS to accept food stamp coupons or WIC food instruments. Retailers participating in EBT have point-of-sale (POS) terminals located among the check-out lanes that can read the EBT card.
• The system processor is the party that has contracted with the State agency to operate the EBT system. The purchase amount, retailer identification information (the retailer, clerk, and terminal ID numbers), recipient identification information held on the card, and information that authenticates the recipient's identity is checked against the processor's central computer files. If the recipient and retailer are both authorized participants, and the recipient has sufficient funds in his account to cover the purchase, the transaction is authorized.
• A third-party processor may be used to drive the POS terminals located at the retailer, or it may simply act as a switch between the POS terminals and the system processor. Third-party processors are used in EBT systems that are integrated with commercial payment systems (the POS is used for commercial credit or debit payment transactions as well as EBT transactions). These processors may also provide other services to retailers, such as check authorization services.
• A concentrator bank is a member of the Federal Reserve System and has the capability to take information regarding retailer food stamp credits from the EBT system processor and transmit this information to the Automated Clearinghouse (ACH) network.
The ACH transfers funds to and from member institutions and is the method used to credit retailers' accounts for food stamp EBT transactions.
• The State Agency is responsible for the administration of Federally-aided public assistance programs within the State. The State agency also has administrative responsibility for the EBT system.

For each of these stakeholders, EBT poses issues associated with informational privacy, confidentiality, and security because it collects and uses more information than the paper system.

The following section outlines the five basic operating functions of an on-line EBT system, identifies the information it collects and uses, and contrasts it with how it is accomplished under the paper system.

• Benefit Authorization/Posting. The available balance of benefits authorized for household use is posted to each electronic "account." Paper systems have no comparable step: FSP coupons and WIC vouchers are issued to the recipients by mail or "over the counter."

• Transaction Authorization. To authorize a transaction, an on-line system transfers several pieces of information from a terminal at a retailer location to the central processor to verify recipient and retailer identity and to confirm whether there are sufficient funds in the recipient's account. This information is maintained in the central database. While the recipient's name is not recorded, an EBT account number links an individual recipient to a transaction. For the first time, a central record is available that identifies the history of purchases with individual households.

Under the current FSP coupon system the recipient exchanges coupons equivalent to the value of food purchased. There are no program records of individual transactions. The retailer may record the type of sale as a food stamp purchase and, depending on the equipment used, may also be able to track aggregate FSP purchase totals.
The retailer, however, has no way of knowing who made which purchase. Because there is no authorization process, the collection of recipient and retailer information is not necessary to conduct the transaction. No information on the use of benefits by individual households is collected.

In WIC EBT, the client debits specific prescription food items from their account. Information about purchase behavior is captured and available for use by program administrators. Current WIC paper vouchers are participant specific and indicate what foods are authorized for purchase. Limited information about food purchases can be extracted from the returned vouchers.

• System Settlement and Crediting of Retailers. Each day, the system processor compiles FSP EBT transaction information for each retailer in order to initiate the settlement process. This retailer-specific information is then transferred to and processed by a Concentrator Bank, which in turn completes the transfer of funds using the Federal Reserve's ACH system. Settlement data is retained by the EBT processor for audit purposes. WIC EBT accomplishes these steps in a nearly identical manner.

In the current FSP coupon issuance system, retailers count and bundle the coupons and deposit them in their bank accounts. The retailer's bank credits the retailer account and transfers the bundled coupons to the Federal Reserve, which processes the coupons, and periodically debits the Food Stamp Program Treasury account. The retailer redemption information available under a coupon system includes retailer deposit amounts and the cumulative dollar value of redemptions.

• Reconciliation. Federal FSP EBT regulations require extensive reporting about reconciliation between recipient accounts, retailer accounts, and system processor authorization files. Reconciliation is performed by the State agency or EBT processor using data obtained during transactions, and reports are provided to FNS.
Some reports aggregate the daily EBT activity of individual retailers while others reconcile total issuances and redemptions in the system. Included in these reports is daily transaction information identified by recipient ID number, terminal ID number, retailer ID number, transaction time, and transaction amount. These data may be provided to the State agency, which aggregates the data into various reports that are submitted to FNS monthly, quarterly, or annually. These same capabilities are available in WIC EBT systems.

Under the FSP coupon issuance system, transaction-level data are not tracked. The Federal Reserve sends information on total retailer redemptions to the FNS Minneapolis Computer Center, where these redemptions are tracked by retailer deposit amount and total dollar value of redemptions. The total amount of benefits authorized to be paid is also reconciled against the amount of in-person and mail issuances. In contrast, WIC State agencies make extensive use of data extracted from vouchers to manage expenditures and monitor retailer compliance with program requirements.

• Exception Reporting. In order to conduct compliance investigations, FSP regulations require that EBT systems provide exception reports that can isolate transaction data by individual retailers and households.[1] These reports are provided to the States. They are also provided to FNS' Compliance Branch Area Office on a quarterly or, if requested, a more frequent basis. Although FSP retailer monitoring is the responsibility of the Federal government, States are beginning to ask EBT processors to provide detailed transaction information that will assist Federal investigators in identifying unusual redemption patterns. The information is used to support investigation of both retailers and recipients. In WIC, similar retailer monitoring is currently performed as a State responsibility. WIC EBT enhances this monitoring function.
Under the coupon system, Federal compliance monitoring is only performed for retailers, using information on deposits of coupons. When examining these reports, compliance investigators look for unusual redemption patterns among retailers.

[1] Section 274.12(j)(2)(ii) of the FSP Regulations.

On-line EBT is currently the preferred approach to EBT because of its similarity to existing commercial systems. In an off-line system, the EBT process operates without direct or real-time access to a central database. The recipient is issued a "smart card," which has a built-in memory and processing capability to maintain balance and authorization information on the card. Benefits are transferred onto each recipient's card at predetermined times. In the FSP, benefits are provided as a dollar amount; in WIC, the benefits are provided in the form of a food prescription, and the exact value of the food redeemed is not known until a transaction occurs and the value is entered on the card. During each purchase transaction, the purchase amount or food is deducted from the balance of benefits (for FSP) or foods available (for WIC) maintained on the card. Transaction information is simultaneously recorded on a computer located in the store for delayed transfer to the central computer where balance information is updated and credits to retailer accounts are processed and transferred via the Federal Reserve system. There have been two off-line EBT demonstration projects, one for the FSP and one for the WIC Program.

In the one WIC EBT demonstration project conducted to date, the EBT system performed these five functions and maintained data about the specific foods and prices associated with each transaction. Since the WIC Program prescribes the types and quantities of foods to be purchased, tracking items and prices of purchases was necessary to determine program compliance.
WIC State agencies also are responsible for monitoring retailer performance and compliance with program requirements through the analysis of transaction data. EBT makes it possible to obtain more information on retailer and participant benefit redemption behaviors.

B. Federal Laws and Regulations Governing EBT Data Use

There are a number of Federal laws and regulations intended to protect the privacy and prevent the misuse of personal data in general and EBT data in particular. The relevant Federal privacy law and relevant Federal program regulations are briefly summarized below to provide a legal framework in which to place EBT privacy issues. (See Appendices A and B for more detailed information.)

• The Privacy Act of 1974, which regulates the use and disclosure of personal information by the Federal government, states that personal data can be disclosed only for "routine use... a purpose which is compatible with the purpose for which it was collected."

• FSP and WIC Program regulations limit the use of recipient information to administration or enforcement of the program, including investigations into program violations, and federal audits of the program.

For the Food Stamp Program, information can be used to certify alien status and conduct computer matching for eligibility and income with other benefit programs. Also, the Secretary of Agriculture is authorized to undertake research that will help improve the administration and effectiveness of the FSP in delivering benefits. The Secretary is required to develop and implement measures for evaluating, on at least an annual basis, the effectiveness of the FSP in achieving its stated objectives. In neither case do the regulations or law specify the type or level of data to be used.
The FSP regulations also contain a specific provision that safeguards the confidentiality of retailer information, which can be used only if directly connected with the administration and enforcement of either the Food Stamp or WIC Program.

For the WIC Program, information on participants can be given to representatives of public organizations designated by the chief State health officers who administer health or welfare programs that serve persons categorically eligible for the program. WIC regulations also specifically allow the use of data in summary, statistical, or other form if individuals are not identified.

• FSP EBT regulations include a provision stating that the State agency must ensure that the EBT system is able to ensure the privacy of household data.

Although FNS provides the funding for the Food Stamp and WIC Programs, both programs are administered at the State level. Because the appropriate State agency collects the EBT data, the Privacy Act does not apply to what the State can do. (The Act does, however, apply to what FNS can do.) This situation would be true under multi-State EBT, where several State agencies might require access to information about recipients and retailers.

C. General Privacy Issues

Informational privacy in the United States is regarded as a characteristic only of individual persons. Individuals are referred to as natural persons to distinguish them legally from corporations. Strictly speaking, information pertaining to business entities is not subject to privacy restrictions in the same way as information on individuals. FNS, however, has a programmatic interest in the rights of retailers as well as program participants.

There has long been concern over computer technology's implications for individual privacy. Several books published in the 1970's focused popular attention on these issues. In 1973, a special task force of the U.S.
Department of Health, Education, and Welfare completed the first in-depth government study of personal information kept in Federal computerized data banks. Its report, "Records, Computers, and the Rights of Citizens," documented the significant growth of the use of computers to process information. The Task Force proposed a set of "fair information practices" to enhance privacy by protecting the confidentiality of personal information. These principles can be distilled as follows:

1. Collect only that personal information necessary for a lawful purpose.
2. Use for decision-making only those data that are relevant, accurate, timely, and complete.
3. Give the data subject access to information about himself and provide a procedure by which to challenge and correct the information.
4. Use data only for the purpose for which it was collected.
5. Protect the data against unauthorized loss, alteration, or disclosure.

The Privacy Protection Study Commission, established by the Privacy Act of 1974, also conducted a thorough and comprehensive study of public and private record systems and issued 166 specific recommendations to enhance informational privacy. In reinforcing the foregoing principles, the Commission identified three objectives of good information practice: (1) minimize intrusiveness into the personal affairs of citizens; (2) maximize fairness to individuals in the way personal information is managed; and (3) legitimize expectations of the confidentiality of personal information.

In 1981, the American Bar Association sponsored a National Symposium on Personal Privacy and Information Technology. The published report of a panel of distinguished participants emphasized informational privacy threats and urged protective measures. Numerous publications have echoed and re-echoed these concerns.
The 1986 Annual Survey of American Law succinctly summarized the nature of the problem:

"The right to privacy is integral to the American conception of the proper balance of power between the people and their government. As long as a citizen abides by the laws, his personal affairs should remain free from excessive governmental scrutiny. In recent years, however, this balance has shifted. Federal agencies today maintain vast amounts of computerized, easily accessible information on nearly every aspect of our lives...."

Concerns about privacy are also reflected in consumer awareness. The most significant barometer of national consumer consciousness regarding privacy is the annual Louis Harris Privacy Survey, funded by Equifax. The 1993 survey focused heavily on health information privacy, but it did estimate that almost 60 percent of the surveyed population believed that privacy is inadequately protected by laws and organizational practices. The 1992 privacy survey provides more extensive information on privacy concerns:

• 78 percent of respondents are concerned about threats to personal privacy.
• 76 percent of the public agree that consumers have lost all control over how personal information about them is circulated and used.
• 68 percent agree that the present use of computers is an actual threat to personal privacy.
• 89 percent of the public express concern about the security of personal information in computers.
• 67 percent agree that if privacy is to be preserved, the use of computers must be sharply restricted in the future.

The problem is not merely one of the potential for privacy invasion by government; vast amounts of data are kept in the private sector. While EBT data are not available to the public, our research found that numerous individuals and organizations are concerned about private organizations, such as retailers and third-party processors, using and/or distributing data to which they may have access.
A major limit on the use of personal information results from the prohibition on "secondary use" of information.[2] The secondary use principle states that personal information gathered for a particular purpose may not be used for any other purpose without the express consent of the data subject. This principle gives maximum control of personal information to the data subject and is regarded by privacy experts as the "litmus test" of informational privacy. As noted above, the FSP and WIC Program regulations limit the use of recipient information to a few explicitly identified uses.

III. PRIVACY RESEARCH AND THE ROUNDTABLE DISCUSSION

In order to identify the full range of issues on the privacy of EBT data, the project team completed a detailed literature review and conducted a series of interviews with selected stakeholders. The information collected served as the starting point for a roundtable discussion of EBT data privacy issues. A group of EBT stakeholders and other appropriate experts met to discuss several questions during a full day meeting. The purpose of the meeting was not to reach consensus, but rather to gather as broad a range of perspectives and opinions as possible.

This section summarizes our research and the roundtable discussion and is divided into the following issues:

• Program administration and compliance
• Differences between FSP and WIC privacy concerns
• Adequacy of existing limits
• Using EBT data for research
• Implications of privacy protection needs for EBT data security
• Potential uses of EBT data
• Privacy issues in EBT demonstration projects

ROUNDTABLE QUESTIONS

In February 1994,
FNS sponsored a roundtable panel of program advocates, program officials, privacy experts, civil rights experts, and security experts to consider the following questions regarding EBT data use and related privacy implications: •*• Does existing data use policy adequately support FSP and WIC program administrators' needs to pursue legitimate and important program improvements such as enforcing program compliance and monitoring EBT system use to ensure adequate delivery of benefits? If not, what improvements can be made that do not infringe upon program participants' privacy rights? «r Should constraints on data use differ for WIC and FSP, given the differences in the programs' structures and populations served? w Are existing legal limitations on EBT data use adequate to protect program clients' privacy rights and retailers' confidentiality rights? If not, what else is needed? Are there or should there be additional ethical principles governing data use? w Should participation in data analysis efforts be voluntary? «* What are the implications of privacy protection needs for EBT data security? 10 I-"BT DATA PRIVACY Issues i OK !■<» <: \ Hi \i i n PROGRAMS A. Program Administration and Compliance The abundance of data generated through EBT can be an extreme!) valuable tool to program administrators. But the administrative need to utilize this important resource for improving program operations should not eclipse the need to protect program participants" privacy rights. In both EBT and paper issuance systems, data are used bj Slate and Federal governments for two purposes: program administration and program compliance. Both of these uses are specifically delineated in the Food Stamp and WIC Program regulations (see Appendix B). PROGRAM ADMINISTRATION. Data about individual EBT transactions are collected because they support the redemption of benefits by the recipient at authorized food retailers. 
The data the EBT system collects on each transaction include recipient's EBT account number; retailer identity; POS terminal identity; type of transaction³; transaction amount; and time and date of transaction. For the WIC Program, the system would also collect data on authorized WIC foods. This information is used to approve each transaction, update recipient account balances, resolve questions about transaction authorization, credit retailers, settle and reconcile the system, and support system performance monitoring. A transaction history file is maintained by the EBT processor for a fixed period of time, typically 30 or 60 days. Authorized personnel can use this file when responding to recipient requests for transaction histories, resolving problems, and addressing other program administration and program integrity purposes. The transaction history file can also be used to support fraud and abuse investigations.

In a coupon-based system, the only comparable information is that the FSP recipient was issued (e.g., mailed) a monthly allotment of food stamp coupons on a given date. As indicated before, there are no transaction-specific or aggregate data about either the individual recipient or the retailer. WIC recipients receive vouchers for their food prescriptions. These vouchers are returned to the State and aggregated information about transactions is available and is used for analysis or for nutritional counselling provided to the participants.

Discussion: Overall, our research and the roundtable discussion did not question the importance of using EBT data for ensuring the delivery of FSP and WIC Program benefits. Most advocacy groups noted that FSP and WIC recipients prefer receiving their benefits through EBT than through the paper system. They find it more appealing, more secure, and less stigmatizing. The concern lies in other uses of the data that would fall under the "program administration" umbrella.
As one roundtable participant noted, it seems that the information available is similar to an answer waiting for a question. Some advocates firmly believe that FNS' sole responsibility is to provide food benefits, and program administration should be limited to this function. They fear that information collected from the EBT system could be used to change the program fundamentally. For example, FNS could restrict FSP benefits to a defined group of "nutritious foods." Other advocates, however, believe that additional information collected through the EBT system would improve the WIC Program, particularly in the area of nutritional education and counseling. A more detailed discussion of potential uses of EBT data and related policy issues is found in Section F below.

³ The types of transactions that can be made include balance inquiry, regular transaction, or manual transaction.

In general, there is expressed concern over the tracking of individual transaction data. Such monitoring creates a "Big Brother" effect, in which the government has knowledge of the location and behavior of an individual at a given time. In addition, several persons interviewed stated that such monitoring is discriminatory, since this data is not collected by the government on persons who are not program recipients.

PROGRAM COMPLIANCE. EBT data are used to monitor recipient and retailer program compliance. EBT processors submit mandatory exception reports containing information on amount and time of transactions by individual retailers and households. FNS' Office of Compliance conducts routine monitoring of compliance by retailers. These data are also used by the U.S. Department of Agriculture's Office of Inspector General (OIG) to help detect individual abuse and trafficking of FSP benefits and, more importantly, to support retailer compliance investigations.
For example, FSP EBT data for recipients or retailers on even-dollar transactions, multiple high-value transactions per day, and concentrations of same-recipient transactions in a single retail location can be used to develop profile programs to identify retailers and recipients that may be violating program rules. Aggregated information on recipient redemption behavior is also available through EBT systems.

Currently, investigations of recipient fraud and abuse are conducted primarily by the States. Information on individuals is not routinely collected by the Food and Nutrition Service, and is collected only if the OIG suspects trafficking of benefits and if the information will assist in the investigation of a suspected retailer. Such data have been and will continue to be used to prosecute recipients as well when appropriate.

In coupon-based systems, there is no data system-based monitoring of recipients. Retailer compliance is accomplished through analysis of aggregate redemption data at FNS' Minneapolis Computer Center. The OIG relies on allegations of retailer fraud and abuse, and investigations are limited to on-site surveillance.

Discussion: The use of EBT data to monitor retailer compliance was not raised as an issue in either the interviews or roundtable discussion. Several advocacy groups, however, were concerned that the OIG would use EBT data on individuals on a regular basis to assist with program enforcement and/or investigations. In fact, the OIG stressed that its investigations focus almost exclusively on retailers, because retail fraud investigation is a Federal function for the FSP. Also, since both FNS and the State agencies have jurisdiction over recipient fraud, FNS' view is that it should be dealt with at the State level.

Food-specific purchase transaction data are not tracked for FSP.
If such information were captured, however, it is conceivable that FNS could use the data to ensure retailers are redeeming FNS benefits for eligible foods only or to track the proportions of types of foods (e.g., junk food) sold by authorized FSP retailers in order to re-evaluate the program eligibility of certain retailers or food types.⁴ In the WIC Program, the State WIC agency could use EBT to track the costs of prescription foods to determine which retailers are providing foods at the lowest cost. Retailer advocacy groups were concerned over the tracking of purchase data for individual retailers because, again, the tracking could include other items in addition to those purchased with program benefits.

It was mentioned that when and if Regulation E⁵ applied fully to EBT, the States might redouble their efforts to investigate recipient fraud because the State would be liable for lost or stolen EBT benefits in excess of $50. The Federal Reserve has postponed the application of Regulation E to EBT for three years to allow adequate time to study the magnitude of liability that occurs in EBT systems.

B. The Differences Between FSP and WIC Privacy Concerns

The FSP and WIC Program differ in their purpose, structure, and populations served. FNS sought EBT stakeholder views on whether it is acceptable to use EBT data on purchasing patterns to conduct nutrition education at either the individual or aggregate level for either program.

FSP is an entitlement program - all households that meet the eligibility criteria receive food stamps. The WIC program is a very individualized, tailored program where the prescription, in theory, is targeted to the specific circumstances, health history, and nutrition history of the particular client. It is not an entitlement program, and each year there are thousands of women and children who are eligible to participate in the program but cannot because of budget constraints.⁶
Therefore, the State ranks eligible clients in terms of health and nutritional risk. A logical outgrowth of the clinical aspects of WIC is the use of information about purchase behavior in nutritional counseling.

Discussion: As noted above, EBT tracks some food purchase transaction data for FSP recipients. The delivery of benefits does not require information on specific food purchases. While it is possible for WIC EBT to operate in a manner similar to FSP EBT, the WIC Program needs to track specific prescription purchases -- milk, juice, cereal, and infant formula. To do this, WIC EBT must collect more individual level information.

The roundtable participants acknowledged that the WIC Program requires more detailed knowledge of individual clients' circumstances than the FSP. (It was also noted that the uses of WIC Program data are even more restrictive than those for FSP, e.g., WIC does not participate in computer matching among Federal welfare programs.) Although several client advocates argue that FSP EBT data should be used exclusively for the delivery of benefits, some advocates believe that increased information available from the WIC EBT systems would help the States provide better and more comprehensive services to a greater number of people. Thus, advocates appear to be more comfortable with using EBT data for direct client interventions in WIC than in FSP.

⁴ Although States are responsible for EBT, FNS is currently responsible for retailer authorization, management, monitoring, and sanctioning for FSP. Under this arrangement, EBT systems provide data for Federal use.

⁵ Regulation E of the Board of Governors of the Federal Reserve System to implement the Electronic Funds Transfer Act.

⁶ It has long been contemplated, however, that the WIC Program will one day be fully funded.

C. Adequacy of Existing Limits

The FSP and WIC Program have legal and regulatory limits on who can access program data and how that data can be used. According to FSP and WIC regulations, recipient information can be disclosed only to those directly involved in program administration and enforcement. FSP regulations also limit disclosure of retailer information to purposes of FSP and WIC Program administration and enforcement. Although law enforcement agencies around the country would like increased access to all information that could help with criminal and civil investigations, the U.S. Department of Agriculture's Office of General Counsel (OGC) has been consistent in its refusal to provide information unless required to do so under subpoena. FNS wants to be sure that as EBT expands, existing FSP and WIC Program regulations and laws are sufficient to protect client rights to privacy and retailer rights to confidentiality.

Discussion: Several members of the roundtable were very impressed with FSP and WIC privacy and confidentiality regulations, which were seen to be much more stringent than those in effect for other benefit programs. FSP regulations also extend confidentiality to information about authorized retailers, information that is not covered by privacy laws. According to the OGC, each State must provide the minimum level of privacy protection that is required by Federal law. This minimum level is clearly established by the Food Stamp Act and is reflected in the FSP EBT regulations.⁷

As FNS moves to EBT for the FSP and WIC Program, there appear to be two areas that need to be considered. One is access to FNS EBT data by other Federal and State agencies. The second is that new players — retailers and third-party processors — are directly involved in the delivery of benefits and must have access to information to deliver benefits.
Controlling access to EBT data is an issue that will need to be considered as Federal and State governments consider multi-program EBT. In multi-program EBT, the EBT processor is provided with information by each of the participating programs. The processor maintains this information so that each EBT household has a single identifier, rather than identifiers unique to each program. There is the concern that multi-program EBT may increase access to program information among the Federal or State agency officials who administer these programs. However, in all instances existing program restrictions would continue to apply. Some eligibility-related information is now shared, but benefit data is not. How and when EBT might facilitate further information sharing has not yet been addressed systematically.

⁷ Section 274.12(e)(1)(ix) of the FSP regulations states, "Each State shall ensure that the EBT system is capable of performing the following functional requirements prior to implementation . . . Ensuring the privacy of household data and providing benefits and data security."

Another issue is that EBT brings new players into the delivery of FSP and WIC Program benefits: retailers; system processors; and third-party processors. EBT POS terminals in food stores relay transaction data and receive summary data that the retailer uses for internal settlement and accounting purposes.⁸ Existing legislation does not specifically regulate retailer collection and use of shopper-related information for internal purposes (see discussion on shopper clubs in Section F below). In EBT systems, however, most agreements between retailers and the EBT administering agencies include a clause stating that EBT data may not be used for purposes other than program administration. Since there is no comparable requirement of retailers under coupon systems, data may in fact be better protected under EBT.
Most of the current limitations on retailer uses of consumer data for both FSP and non-FSP recipients are in the form of self-regulation. The Food Marketing Institute (FMI) has issued a policy statement on consumer privacy that provides retailers with a set of guidelines on the collection and use of customer information. Several persons interviewed expressed the opinion that retailers will not disclose information on individual recipients for fear of losing customers. They feel that the cost of losing a customer is much greater than the marginal benefits obtained from targeted marketing and other uses of this data. This principle applies to both FSP and non-FSP customers. FMI believes that retailers will abide by the recommended guidelines for the use of recipient data so as not to jeopardize their business with individual clients. It is important to remember that unless the recipient, State agency, or third-party processor provides personal identification information to the store, retailers cannot link purchase data to individuals. EBT systems are not designed to provide this information.

Although State agencies are responsible for all aspects of EBT systems, experience with the demonstrations and current State efforts to develop EBT indicate that many aspects of the EBT system will be contracted out. EBT systems create access to recipient and retailer data by one, and potentially two or more, new parties: system processors and third-party processors.

EBT system processors maintain information about recipient identity, including recipient address, and use this information to ensure that benefits are delivered to those who are entitled to receive them. As mentioned before, EBT processors are being asked to produce analyses for the OIG to support investigations of unauthorized retailer and recipient activities. In addition, EBT processors provide analyses of aggregate transaction data to State agencies and to USDA.
These reports provide information used to monitor processor performance.

The third-party processors generally included in EBT systems are integrated with commercial EFT payment systems. They have access to transaction information only; recipients are not identified by name or any other personal identifier. Currently, retailers select their third-party processor, and third-party processors and networks do not collect recipient transaction data; information merely passes through these systems. In the future, as EBT more closely mirrors the commercial operating rules, third-party processors may become more involved in system settlement. If third-party processors ever provide settlement services, they will require redemption information about specific retailers. If third parties were to capture the data they transmit, then the confidentiality of retailer redemption information might be compromised.

⁸ Retailers with more advanced electronic cash registers can (and do) electronically distinguish between food stamp coupon and non-coupon purchases. For example, FSP eligible products are exempt from sales tax. Having the register automatically total FSP and non-FSP items and then compute sales tax creates fewer register errors. It also reduces the chance of allowing non-FSP eligible items to be purchased with FSP benefits.

D. Uses of EBT Data for Research

While Food Stamp EBT regulations stipulate mandatory participation for the participant once EBT is introduced in a location, there is no rule requiring clients' or retailers' involvement in an organized EBT data analysis effort. FNS must consider the implications of mandatory versus voluntary participation in data analysis projects.
Specifically, should prior approval from program participants or authorized food retailers be required before any collection of data, or is notification unnecessary if information is randomly collected on individuals, aggregated, and cannot be traced to a particular recipient?⁹

Under the paper coupon system, researchers require the voluntary participation of program clients. FSP clients may be asked to complete long and detailed surveys and keep a log of all food purchases. Researchers must rely on the accuracy of these entries, which may not reflect actual purchases or eating habits. Individual data is then aggregated and reported. Under EBT, data collection could be much less intrusive if information on items purchased is an integral part of the electronic redemption process, as is likely to be the case for WIC EBT but not necessarily for FSP EBT.

EBT provides new avenues for research and analysis of the use of benefits. At present, some demonstration sites are using aggregated FSP EBT data to examine redemption behaviors such as number and time of transactions, number and types of retailers used, average dollar value of the transactions, and proportion of the full monthly allotment used. These analyses are done by aggregating household-level information, but purchases are not tied to specific individuals. WIC does such analyses routinely for management information system reports. Such studies help develop an understanding of program participation and contribute to the identification of changes that would improve efficiency and effectiveness of benefit delivery.

Recently completed evaluations of EBT demonstrations have used redemption data to determine if recipient purchasing behavior changes with EBT and to examine retailer redemption characteristics. For example, FNS needs to have information on the volume and number of transactions in order to anticipate system capacity requirements in light of minimum performance requirements.
FNS learned early on that the average FSP recipient made 8-10 transactions per month, a number higher than expected.

The databases resulting from such analyses are much like other administrative record systems that help program administrators track system use and capacity. To the extent that these analyses are built upon individually identifiable data, however, it is appropriate to consider the degree to which this represents a secondary use of data¹⁰ and thus is subject to privacy considerations.

⁹ It must be noted, however, that, according to Sections 282.1(a), (b), and (c) of the Food Stamp regulations, research currently conducted on the demonstration programs is accorded much greater freedom in the collection and use of data than what would be permitted for operational EBT programs.

Discussion: The use of recipient EBT data for research purposes generated much discussion among the roundtable participants and focused on the following issues:

• Dealing with aggregated versus individual recipient data
• Identifying the research agenda that would use the data
• Allowing participants to opt-in or opt-out of the research project

Roundtable participants stated that collecting information on how its programs operate is an appropriate role for government. Individual data, when aggregated and stripped of identifiers, protects individual privacy while providing necessary information to develop, refine, and implement effective programs.

For other roundtable participants, the type of research being conducted was just as important, if not more important, than the collection of data. It was argued that as the amount of information the government has increases, so too does the risk to program participants that government can intrude further into their lives. For these participants, the issue is trusting the government to put the information to good use.
The 1993 Harris-Equifax survey provides a context for understanding this concern. First, it found that 75 percent of the American public do not believe that the government can be trusted to look after its interests. In addition, 58 percent of the American public do not feel that they have adequate legal protection of their rights to privacy.

For some advocacy groups, however, the examination of individual data infringes on recipient privacy, even if the data is stripped of identifiers and aggregated or collected by randomly sampling unidentified individuals. For these stakeholders, voluntary participation should be required for all research, because the consequences of the research may affect individual recipients in unexpected ways.

The issue of opting-in versus opting-out is very important. Under the existing benefit issuance system, FSP and WIC recipients have to "opt-in" - voluntarily decide to participate in a research project. Under EBT, certain data could be collected without the active participation of the FSP or WIC recipient. For example, tracking the number or value of transactions at store A over a set period of time or tracking the average number of transactions made from a sample of accounts. The roundtable participants differed on whether research should be restricted to those individuals that explicitly state that they want to participate (opt-in), or whether individuals should automatically be considered as research participants unless they explicitly state that they do not want to participate (opt-out).

¹⁰ See discussion on page 9 for explanation of secondary uses.

E. Implications of Privacy Protection Needs for EBT Data Security

It is impossible to ensure EBT data privacy without adequate safeguards over the physical security of data. Data security is the set of tools used to protect privacy and confidentiality.
As with all computerized databases, there is the possibility of unauthorized access and use of EBT data. Some of the unauthorized uses include perusing data files, tampering with account information, changing or invalidating personal identification numbers, intercepting transaction communications, and theft of benefits.

Discussion: As separate database systems expand in capacity and are linked to one another for purposes such as computerized matching, there arises concern over "leaky databases." There have been several cases in which information stored on a government database was illegally sold. As more people obtain access to each database, the potential for this activity increases. Databases maintained in EBT systems could be subject to such abuse as well, though there are data and system security requirements (a combination of software, hardware, and personnel controls) in place to minimize this risk.

Unauthorized access is addressed through data use policy and system security. FNS provides general security guidelines that State systems must address. In addition, there are FSP- and EBT-specific security regulations. States must restrict access to authorized users and report violations and irregularities, maintain security plans, conduct periodic risk assessments, and conduct biennial reviews that include data privacy and confidentiality. EBT transactions are typically transmitted in clear text, except for the PIN, which is encrypted. These various security measures provide adequate protection of information when they are implemented and monitored systematically.

F. Potential Uses of EBT Data

Our research identified a widely-held concern that, as technological advances in the administration of government programs occur, new data uses may be deemed permissible by the government. Computerized matching, for example, was deemed acceptable once computer systems provided for this capability.
Food retailers routinely use Universal Product Code (UPC) scanners to control inventory and to expedite check-out procedures. It is now possible to link customers with purchase information. With relatively simple changes to data systems, it is also possible to provide the means to collect new types of data about retailers and recipients not possible under the paper coupon system. There are additional uses of data that may come about as a result of changes in telecommunications and processing technology. Some potential uses of these data are discussed below. These uses are neither contemplated nor endorsed by FNS; they are presented merely as examples that may help define the limits of acceptable data use.

RECIPIENT EDUCATION. Recipient purchase pattern data could be used to monitor aggregate or individual FSP and/or WIC recipient purchases in order to determine the nutritional value and balance of items purchased. Results could be used to counsel FSP recipients on how to maximize the nutritional content of their purchases. Aggregate purchasing data could be used to develop generic counseling efforts, such as nutrition pamphlets, for distribution to FSP or WIC Program participants. Monitoring of purchases for information on brands, quantities, and product selection could allow analysis of food usage or the efficiency of benefit use by specific recipients or groups of recipients. Advice might be given on how to obtain better value by changing brand or product choices, timing of purchases, or size of purchase. In WIC, food packages could be changed to better meet the food preferences of groups.

If EBT systems were to be integrated with the data obtained with UPC scanners, there is also the capability to track food items not purchased with program benefits. While it can be argued that this could serve as a basis for more in-depth counseling, it raises serious privacy implications.
Individuals generally do not want the purchase of items such as pregnancy tests, alcohol, prescription drugs, and cigarettes to be tracked by the government. Such tracking raises additional concerns for FSP and WIC recipients. Government agencies could potentially use this information when determining an individual's eligibility for benefit programs, for example by examining purchase information for clues to household composition.

Discussion: In general, recipient advocacy groups expressed strong opposition to the collection and use of either person-level or aggregated purchase pattern information for purposes of recipient education in the Food Stamp Program and, to a lesser extent, the WIC Program. This linkage is not required for FSP EBT to function. The linkage for WIC food prescriptions, but not all food purchases, is required of WIC EBT systems. Therefore, FNS needs to discuss and formulate policies about whether, how, and under what circumstances this additional type of information might be used.

RETAILER USES OF AGGREGATE DATA. It is conceivable that stores would want to track recipient purchase patterns on either an aggregate or individual basis for purposes of marketing, inventory, and negotiations with manufacturers. For the larger food stores and chains, the EBT system could be integrated with UPC-scanning electronic cash registers if it is not already. The data systems that support these registers could keep a daily or longer record of specific items purchased through EBT or with other means.¹¹

As indicated before, it is not possible to identify individual recipients by name under either the paper coupon system or EBT system. In the EBT system, only the recipient account number is tracked. Because the transaction data do not reveal recipient identity, retailers could not tie specific purchases to specific individuals this way.
They could, however, use data to target marketing strategies to FSP and/or WIC participants in general by:

• Running promotions on products that are often purchased by FSP or WIC Program recipients.
• Encouraging FSP or WIC Program recipients to join a frequent shopper program by offering additional discounts on products most often purchased by them. (This would not violate FNS regulations prohibiting "differential treatment" of recipients if the discount were applied without regard to program participation status.)
• Conducting market research on FSP or WIC Program recipients who volunteer to participate to study consumer preferences and changes in buying behavior.

¹¹ This capability exists in the paper coupon system. Retailers equipped with UPC scanners can flag a given transaction as a "food stamp transaction," separate out non-authorized products, and calculate sales tax for non-FSP purchases.

Discussion: The roundtable participants did not discuss this type of data use. There may be several reasons for this. Primarily, the information that might be collected by retailers is not person-specific. Also, retailer representatives maintain that retailers do not maintain this information and do not sell or otherwise provide access to it because it is not economically or technically feasible.

USES OF SHOPPER'S CLUB DATA. Our research found that consumers (e.g., recipients) weigh the perceived loss of privacy against potential benefits. People are willing to give up an element of privacy as long as the benefits are significant. Retailer-sponsored shopping clubs are based on this principle. Retailers track individual purchase data using UPC scanning systems in combination with a "shopping club card" that identifies the purchaser. The retailer is then able to use this information for purposes of marketing and inventory.
In return, shopper's club members receive a variety of benefits, such as special reductions on specific products or discount coupons applicable to the total cost of a single day's purchase at the food store. Credit companies have also initiated shopper's clubs, in which the purchases of credit card holders are tracked and either used internally or sold to marketers. Participation is voluntary. To date, several shopper's clubs have failed because of low consumer acceptance. One reason is that the perceived benefits were not sufficient to counterbalance the loss of privacy. If FSP recipients who receive benefits through EBT participate in shopper's club programs, then individual identities, rather than just the recipient account number, could be linked to purchase patterns. This information could then be used similarly to the way information on non-FSP participants is used: to conduct individualized targeted marketing. Because shopper's clubs are voluntary, recipient privacy is less of an issue, as the individual has agreed to release personal information in return for certain benefits.

Discussion: The roundtable participants, including the advocacy representatives, believe that FSP and WIC clients should be free to participate in such clubs as long as program recipients are treated no differently from other participating customers and are informed fully of possible data uses. Participation in shopper's programs would directly benefit FSP recipients because they would receive discounts on food items, stretching their FSP monthly allotment. WIC recipients would indirectly benefit because their non-prescription foodstuffs might be less expensive.

SYSTEM AND THIRD-PARTY PROCESSOR USE OF DATA. Third-party processors that drive both commercial payment systems and EBT POS terminals are limited by technology and cost in their access to item-specific purchase data. System processors and third-party processors would have little use for this data for internal purposes.
Absent restrictions already in place, the information they do have -- transaction histories -- might be sold to direct marketers and credit bureaus. Redemption information including transaction times, amounts, and, potentially, item-specific purchase data could be taken from one retailer and sold to its competitors.

Discussion: Our research found concern expressed over the lack of Federal regulation and legislation on the collection and use of data by system processors. FSP EBT regulations do address this issue, however, requiring each State agency to ensure that EBT system and third-party processors protect the privacy of household data and provide benefit data security.[12] In EBT demonstration projects to date, confidentiality clauses are included in contracts between the State and the system processor. These clauses restrict EBT transaction data use to that which is directly related to the administration of the FSP. Since retailers can make their own arrangements for third-party processing, we do not know if these retailers impose data use limitations on processors in current EBT projects. If no limitations are imposed, third-party processors may feel free to capture and distribute data at will, possibly to marketers willing to pay for a list of potential new customers. The experience to date with third-party processors in the delivery of EBT is very limited and does not provide an adequate basis for gauging actual or potential threats to the privacy of data.

G. Privacy Issues in EBT Demonstration Projects

Existing protection and restrictions on EBT data use seem to have been effective enough to prevent any significant privacy or confidentiality breaches in the EBT demonstration sites we contacted.[13] Recipients in the demonstrations have not voiced concerns regarding their privacy under the EBT system, and retailers are believed to have complied with confidentiality and data use restrictions outlined in FSP policy, State legislation, and contractual agreements. We know of only two privacy-related incidents at demonstration sites, and both were resolved without compromising clients' privacy rights. In one site, several retailers requested that the State agency identify a recipient by name after a transaction error (such as a clerk forgetting to enter the purchase amount of a transaction) occurred, and the recipient was no longer accessible. Under this State's law, identifying a recipient for a retailer is prohibited. The State agency wrote a letter to the recipient describing the error and let the recipient decide whether to contact the retailer. In another instance, a law enforcement agency requested information on a suspect's EBT transactions to help the agency locate the person. The State's Office of General Counsel ruled that such use of data was illegal, and the request was denied. These incidents reinforce a generally high level of attention given to the non-disclosure requirements of the existing Food Stamp regulations.

[12] Section 274.12(h)(5)(iii) of the FSP regulations states, "The State agency shall ensure that third-party processors and retailers driving their own terminals comply with ... all applicable Food Stamp Program regulations."

[13] See footnote 6.

Privacy issues have been addressed in the contractual agreements and system design of certain EBT demonstration projects. The experiences of several of these projects are described below.
PRIVACY ISSUES CONSIDERED IN SYSTEM DESIGN. In the EBT system designs for FSP demonstration projects, privacy tends to be covered indirectly through system security standards and design. Security is usually outlined in terms of controlled access to various parts of the system (e.g., PIN encryption, telecommunications, batch files, POS terminals, and host computers), rather than uses of data. In the initial phases of EBT system design, staff from each of the demonstration projects spoke with recipient and retailer advocacy groups regarding the implementation of the FSP EBT system. These groups did not consider privacy to be a major concern. The only privacy-related question raised repeatedly was whether the recipient's balance would be displayed on the cashier's screen at the check-out lane. In fact, the balance is not displayed on the check-out screen in any of the FSP EBT systems. It is, however, printed on the recipient's receipt, which is handed to the recipient by the clerk and is listed on the tapes maintained by some retailers as a record of transactions. Balances are printed on receipts to give recipients a convenient, timely tool for tracking their account balances.

CONTRACTUAL PROVISIONS FOR RETAILER AND RECIPIENT PRIVACY. There are provisions in the contractual agreements with the EBT system processor and retailers that either directly or indirectly address privacy and the restriction of data uses. These provisions are discussed below.

• System Processor Contracts. In most cases, the contract between the administering State agency and the system processor includes clauses restricting EBT transaction data use to that which is directly related to the administration of the FSP. In addition, system processors must adhere to FSP regulations concerning privacy and information security as well as the regulations of other programs that use EBT.[14]

• Retailer Agreements. In each of the FSP EBT demonstration projects contacted, participating retailers must enter into an agreement with the administering State agency or its agent. Retailer agreements vary widely in the manner and extent to which privacy issues are addressed. In at least one case, there is a clause prohibiting the use or disclosure of recipient information for any purpose not connected with the administration of the FSP. A different retailer agreement prohibits the disclosure of recipient information but does not address internal uses of these data. At least one retailer agreement fails to address privacy issues specifically in any form. Each retailer agreement, however, requires the retailer to adhere to applicable State laws and Federal regulations, which would include privacy legislation.

[14] FSP regulations require State agencies to ensure that EBT systems are capable of performing several functional requirements prior to implementation. Two of these requirements are ensuring the privacy of household data and providing benefit and data security.

In order to participate in the FSP, authorized retailers must enter into an agreement with FNS. This agreement specifies that retailers must cooperate with Federal compliance investigations. This is standard practice for retailer participation in both EBT and paper coupon systems. In this agreement, the retailer is required to provide transaction information when requested as part of an investigation. In the EBT system, this information is maintained by the system processor on a daily basis and later aggregated and sent to the FNS central computer center. The agreement states that FNS will only use retailer-specific transaction data for compliance purposes.

• Third-Party Processors. To date, there are no contractual agreements between the administering State agency or system processor and third-party processors except in the FSP off-line demonstration.
In at least one case, however, a clause is included in the retailer agreement holding the retailer responsible for the compliance of third-party processors with FSP EBT policy and standards. Yet the FSP regulations do state that the State agency shall ensure that third-party processors comply with FSP regulations, including those dealing with privacy and security. If a third-party processor does not adhere to these mandates, it may no longer be allowed to participate in the EBT system.

IV. CONCLUSIONS AND STRATEGIES FOR PRIVACY PROTECTION

This section summarizes our conclusions and offers guidelines and strategies that the various parties that influence and guide EBT could take to address privacy protection of FSP and WIC recipients and confidentiality protection of retailers.

A. Summary of Conclusions

Electronic Benefit Transfer is now a proven technology. It has moved beyond testing and development to become an operational alternative to existing benefit issuance systems. The benefits to the recipient and administrative agency have been documented in numerous studies undertaken by the Food and Nutrition Service. EBT systems, however, greatly increase the amount, detail, and potential accessibility of information about the use of benefits. EBT systems create databases containing individually identifiable purchase information that varies in detail depending upon the program using EBT, something that is not possible under existing coupon-based issuance systems.

Fundamentally, FSP regulations and, to a somewhat lesser extent, WIC regulations provide specific and adequate safeguards over access to and use of information about individuals and retailers. These basic protections extend to EBT-developed information. However, the means of access to data and the potential uses for those data will expand in the future. Therefore, it is appropriate to consider the privacy implications of data uses.
It is also appropriate to provide mechanisms for ensuring that other agencies not typically involved in the administration and oversight of FSP and WIC are bound by comparable requirements for safeguarding the privacy of information to which they may have access as a result of their involvement in the electronic delivery of benefits.

Through interviews with EBT stakeholders and the roundtable discussion, we identified a number of concerns about the current and potential uses of EBT data. These are summarized below.

THE RECIPIENT

• Concern: Data may be used for "secondary uses" such as targeted marketing or locating individuals through transaction information for law enforcement purposes not related to program integrity.

Finding: FSP and WIC regulations closely limit the use of program data, including EBT data, for law enforcement purposes not specifically concerned with program integrity. Under the various EBT demonstration projects, client privacy rights have not been compromised.

Finding: The use of aggregated EBT data for marketing purposes cannot segregate FSP/WIC recipients from other food purchasers. Individual targeting can only occur if the recipient has voluntarily joined a retailer's shopper program.

• Concern: Administering agencies or other parties might use individual recipient EBT transaction data for purposes other than benefit issuance without the recipient's consent.

Finding: Advocacy groups differed in their interpretation of how FNS could or should use EBT data for program administration. Various opinions were expressed on the appropriateness of using data for purposes such as nutrition research, nutrition education and determining the range of food stamp-eligible items.
Some stakeholders felt that data should be used only for benefit determination purposes while others felt that research using aggregated data was acceptable.

• Concern: Use of EBT may lead to creation of a single database containing multiple pieces of information on a single individual. "One-stop shopping," or the development of a single card to distribute multiple benefits, can be seen as a precursor to this situation.

Finding: Our research found concern over potential uses of data resulting from the integration of WIC Program benefit and health care information. Some stakeholders fear that information on program participants may become accessible to more program officials than those who legitimately need access. However, some feel this issue should be considered in the context of welfare reform as well as EBT privacy.

THE RETAILER

• Concern: WIC retailers may not be protected adequately under EBT systems. While FSP regulations protect the confidentiality of food stamp retailer information, WIC regulations do not address retailer confidentiality because WIC retailer redemption data are collected by States and generally not by FNS.

Finding: Although many WIC retailers are also authorized to accept food stamps, State WIC administrative agencies have greater latitude in the use and disclosure of information about retailers that participate in WIC. None of the retailer representatives to whom we spoke had contemplated the implications of EBT for redemption data confidentiality, but this issue may receive more attention as EBT applications spread. During the roundtable discussion, it was pointed out that retailers would likely lobby for more stringent protection if data disclosure became a problem.

B. Strategies for Maintaining High Levels of Privacy Protection in EBT

Based on our research and the views and perspectives expressed during the privacy roundtable, there are a number of strategies that the various parties who develop and use EBT systems and data should consider. This report is not intended to provide specific recommendations for changes in policy, procedure, or practice; the following are offered as ways of maintaining comparatively high levels of privacy protection in FSP and WIC EBT. At the most general level, privacy should be considered within a framework. This framework is applicable to reviews of existing uses of data as well as the planning of new uses of data.

A PRIVACY FRAMEWORK: As discussed previously, FSP regulations establish the requirement for the protection of privacy. The Privacy Act of 1974 generally permits use of information (1) consistent with the purpose for which information was gathered and (2) for designated "routine uses." Other uses would be considered "secondary" and, therefore, prohibited. In dealing with this "secondary use" limitation, there can be disagreement over what is within the principal purpose for which FSP and WIC Program information is gathered and what might be considered appropriate "routine use." There are four possible categories of use:

1. In a narrow interpretation, the primary uses would be to establish eligibility for the program, identify shoppers as qualified recipients, ascertain that sufficient benefits are available in the recipient account, authorize the FSP or WIC transaction, and transfer necessary funds to reimburse the retailer for that transaction.

2. Other uses appropriate to the EBT program include monitoring program operations to evaluate and improve service delivery and integrity, reporting on programs to appropriate governmental authorities, providing announcements and relevant program information to recipients and others, and detecting and preventing fraud or abuse.
Such uses generally are considered routine and necessary for program administration.

3. Another category of use would be to evaluate individual purchase behavior in order to advise specific recipients of how they might better utilize the resources of the program or improve their nutritional intake through food selection alternatives.

4. Retailers or third-party processors might devise a variety of marketing or "mailing list" uses of personal information. These would clearly be considered "secondary" uses.

FNS can, as it has done in the past, employ regulations and user agreements to set standards for informational privacy. The following are some suggested guidelines:

• Uses in categories (1) and (2) are primary or routine and need to be identified as part of program operations. They do not require consent by recipients; notice of the practice is sufficient.

• Analysis of statistical transaction information not individually identifiable is not a privacy threat and could be done for research purposes. Such research could support general announcements to all recipients regarding nutrition and resource allocation.

• Use of personally-identifiable transaction information for category (3) requires prior notice to recipients and the opportunity for them to decline such use ("opt out") and still receive benefits, in conformity with the procedures outlined below.

• Any category (4) or other secondary use can be pursued only with the prior affirmative written consent of the recipient. Specifically: The intended use should be clearly explained, in writing, to the recipient. The identity of the intended users of the transaction information should be disclosed to the client. The voluntary nature of the secondary use should be clearly explained to the recipient. The recipient should consent to the specific use in writing. The recipient should be free, at any time, to withdraw consent to a secondary use.
The recipient should be given the opportunity, at least annually, to renew or withdraw consent.

OTHER STRATEGIES: There are additional strategies that the various parties in the EBT process can incorporate into data use planning:

Privacy and confidentiality provisions within the FSP and WIC regulations are scattered and difficult to find. A basic compilation of those provisions, such as that contained in the appendices to this report, could be shared with the various parties involved in EBT.

FNS annually publishes its research agenda. The agency could use this mechanism to inform advocates and the public at large of planned research using recipient-specific data.

Recipients need to be informed of and reminded about their privacy rights. There are a variety of ways this might be done without creating special procedures or incurring administrative costs. For example, one program advocate suggested that a statement of rights and responsibilities be provided to recipients when they are recertified for the program.

EBT systems involve multiple parties, many of which are removed from the immediate administrative reach of FNS. As noted above, contracts and agreements provide the means for extending responsibility for privacy to those parties. Contractual arrangements with EBT processors, retailers, banks, and others that are likely to have access to EBT data should include specific reference to FSP and WIC regulations.

As policy decisions on EBT data privacy develop, so too must data security practices that provide for responsive safeguards. It cannot be assumed that existing access controls or other safeguards will provide the desired level of protection to new file structures or uses of EBT data. When new uses of data are developed, file access and control procedures and policies must be reviewed to ensure that access to data about individuals is appropriately restricted and that data use is subject to audits to ensure conformance to policy.
When EBT systems support multiple benefit programs or a single program administered by multiple States, program administrators and EBT system designers should specify what data will be shared, how it will be shared, and when it will be shared. This sharing should be fully consistent with FSP and WIC Program regulations. The system design should provide technical and procedural safeguards consistent with the predefined uses of EBT data.

Appendix A

APPLICABLE PRIVACY LAWS

A. THE PRIVACY ACT OF 1974

The Privacy Act of 1974 regulates the collection, use and disclosure of personal information by Federal agencies and is the principal means of information privacy protection in the Federal realm. It does not apply to State or local governments or to the private sector. The Act does not apply to information collection efforts or systems funded with Federal money if the information is controlled by State or local governments.

The Privacy Act pertains to any personally identifiable information and prohibits disclosure of such information without the consent of the data subject. There are 12 exceptions to the disclosure limitation, four of which are especially relevant to the EBT program: (1) internal "need to know;" (2) routine use; (3) statistical use; and (4) law enforcement disclosures. The consent of the data subject is not required for disclosures of information:

(1) "... to those officers and employees of the agency who maintain the record and who have a need for the record in the performance of their duties."

(2) for a "routine use" which is defined as "a purpose which is compatible with the purpose for which it was collected."

(3) if ". . . the record will be used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually [i.e., personally] identifiable."

(4) to any Federal or State agency "... for a civil or criminal law enforcement activity . . . ."

The Department of Agriculture would have Privacy Act of 1974 disclosure concern mainly with FSP information that it maintains and/or authorizes to be collected. In this respect, the "routine use" designation by the Department of Agriculture includes referral to IRS for collection of claims from tax refunds, referral to appropriate State agencies, disclosures in response to inquiries from Congressional offices on behalf of a client, and disclosure to firms that may have contracted with FNS for the purpose of research and reporting to FNS, Congress, or appropriate oversight agencies.

The Privacy Act also requires that personal information maintained by the Federal government must be "only such information ... as is relevant and necessary to accomplish a purpose of the agency . . . ." Further, the agency is required to collect the information, "to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about . . . benefits . . . under Federal programs." The agency also has an obligation to "maintain all records . . . with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness . . . ."

FNS has promulgated rules pursuant to the Privacy Act of 1974 that deal with the FSP. State agencies and others involved in the administration of FSP or WIC are required to satisfy the standards of the Privacy Act of 1974.

The major privacy-related impact of EBT will be the potential for government agencies or the retailer to link purchase information with a particular client. Indeed, the Department of Agriculture regulation 274.12(h)(3)(v)(H) requires the State agency to assure the availability of a complete audit trail which "shall, at a minimum, be able to provide a complete transaction history of each individual system activity that affects an account balance."
This necessarily involves identifying a POS transaction by account. The major privacy questions, then, involve what uses the government and retailers may make of household purchase information.

FNS is sensitive to the desirability of providing the same level of respect for confidentiality of information generated as a result of this Federal government program as for program information maintained by the agency itself. The regulations do provide, at 274.12(e)(1)(ix), that the EBT system must ensure "the privacy of household data ..." This requirement is certainly consistent with the basic assumption of OMB Circular A-130, 7g, that "The individual's right to privacy must be protected in Federal government information activities involving personal information."

B. STATE LAWS

State laws and regulations present a mix of common law, constitutional and statutory provisions regarding a multitude of privacy dimensions; the relevance of these various measures to EBT in the FSP is problematic. It is difficult even to try to categorize States in terms of privacy protection. For instance, ten States recognize a "privacy" right in their constitutions, but the application and interpretation of that right varies among those States. Minnesota has rejected a right of privacy in its constitution or common law, but has enacted an information practices act, similar to the Privacy Act, which does not extend to the private sector. Only nine or ten other States have what might be considered an information practices act comparable to the Privacy Act though the scope of protection of each varies; none apply to the private sector. New York does not recognize privacy as part of its common law though a few New York statutes deal with narrow aspects of the right. Only three or four States significantly restrict the sale of mailing lists generally and then only with respect to State government.
Several States do limit video customer rental information disclosure, though Delaware specifically allows sale of video rentals mailing lists. Certainly, no consistent threshold of privacy can be deduced from State law and though the FSP is a State-administered program, it seems wise to consider Federal constraints as the best vehicle for uniform privacy protection in the EBT environment.

Appendix B

FOOD STAMP AND WIC REGULATORY LANGUAGE ON PRIVACY

A. FOOD STAMP PROGRAM

1. FSP Regulations -- General

The purpose of the Food Stamp Program is to "promote the general welfare and to safeguard the health and well being of the Nation's population by raising the levels of nutrition among low-income households." Currently, over ten percent of the U.S. population receive food stamps, and substantial information on millions of households is developed during the application process. The wide-spread use of EBT systems would increase the use of this information base.

Food stamp regulations contain several provisions that address confidentiality of information. FNS construes these regulations to apply equally to both coupon-based and EBT systems. The disclosure of information is limited to the following:

• Administration or enforcement of the Food Stamp Program
• Computer matching for eligibility and income with other benefit programs (such as AFDC)
• Certification of alien status
• Federal government audits of the program
• Law enforcement agencies' investigation of program fraud or violations.

In addition, the use of the information is restricted to verifying eligibility and level of benefit, and to enforcing laws directly related to program activities. There are also provisions that identify who can access records contained in automated data processing and information retrieval systems, which would include EBT systems.

2. FSP Regulations -- Privacy

The Food Stamp Program regulations contain a number of provisions on the privacy of information. Section 272.1 of the current regulations[1] contains the general terms and conditions for participating State agencies and includes a provision dealing specifically with disclosure:

[1] These regulations are found in volume seven of the Code of Federal Regulations and are current as of September 1992.

(c) Disclosure.

(1) Use or disclosure of information obtained from food stamp applicant or recipient households shall be restricted to:

(i) Persons directly connected with the administration or enforcement of the provisions of the Food Stamp Act or regulations, other Federal assistance programs, federally-assisted State programs providing assistance on a means-tested basis to low income individuals, or general assistance programs which are subject to the joint processing requirements in Section 273.2(j)(2).

(ii) Persons directly connected with the administration or enforcement of the programs which are required to participate in the State income and eligibility verification system (IEVS) as specified in Section 272.8(a)(2), to the extent the food stamp information is useful in establishing or verifying eligibility or benefit amounts under those programs;

(iii) Persons directly connected with the verification of immigration status of aliens applying for food stamp benefits, through the Systematic Alien Verification for Entitlements (SAVE) Program, to the extent the information is necessary to identify the individual for verification purposes;

(iv) Persons directly connected with the administration of the Child Support Program under Part D, Title IV of the Social Security Act in order to assist in the administration of that program, and employees of the Secretary of Health and Human Services as necessary to assist in establishing or verifying eligibility or benefits under Titles II and XVI of the Social Security Act;

(v) Employees of the Comptroller General's Office of the United States for audit examination authorized by any other provision of law; and

(vi) Local, State or Federal law enforcement officials, upon their written request, for the purpose of investigating an alleged violation of the Food Stamp Act or regulation. The written request shall include the identity of the individual requesting the information and his authority to do so, violation being investigated, and the identity of the person on whom the information is requested.

(2) Recipients of information released under paragraph (c)(1) of this section must adequately protect the information against unauthorized disclosure to persons or for purposes not specified in this section. In addition, information received through the IEVS must be protected from unauthorized disclosure as required by regulations established by the information provider.

In using the data it collects, States are limited by the following provisions found in Section 272.8 on the State Income and Eligibility Verification System (IEVS):

(5) Uses of data. The State agency shall use information obtained by means of the IEVS[2] for the purposes of:

[2] The IEVS includes information on participants from the following programs: Aid for Families with Dependent Children, Medicaid, Unemployment Compensation, Food Stamps, and any State program administered under a plan approved under Title I, X or XIV (the adult categories), or Title XVI of the Social Security Act. This information may be shared among State agencies administering these programs for establishing or verifying eligibility or benefit amounts.
(i) Verifying a household's eligibility;

(ii) Verifying the proper amount of benefits;

(iii) Investigating to determine whether participating households received benefits to which they were not entitled; and

(iv) Obtaining information which will be used in conducting criminal or civil prosecutions based on receipt of food stamp benefits to which participating households were not entitled.

All food stamp applicants will be notified at the time of application that IEVS may be used to verify the information they supplied.

The FNS regulations also cover automated data processing and information retrieval systems, which contain language on who can access records. In particular, Section 277.18(k) states the following:

(k) Access to the system and records. Access to the system in all aspects, including but not limited to design, development, and operation, including work performed by any source, and including cost records of contractors and subcontractors, shall be made available by the State to FNS or its authorized representatives at intervals as are deemed necessary by FNS, in order to determine whether the conditions for approval are being met and to determine the efficiency, economy, and effectiveness of the system.

Finally, Section 278.1(q) of the FSP regulations protects the confidentiality of retailer information:

Safeguarding privacy. The contents of application or other information furnished by firms, including information on their gross sales and food sales volumes and their redemptions of coupons, may not be used or disclosed to anyone except for purposes directly connected with the administration and enforcement of the Food Stamp Act and these regulations, except that such information may be disclosed and used by State agencies that administer the Special Supplemental Food Program for Women, Infants and Children (WIC).
Such purposes shall not exclude the audit and examination of such information by the Comptroller General of the United States authorized by any other provision of law.

3. FSP Regulations -- EBT and Privacy

EBT regulations were finalized on April 1, 1992. These regulations establish the standards for on-line EBT systems issuing Food Stamp Program benefits. In the area of privacy, the participant's name does not appear on either the POS receipt or the terminal display. In addition, no name is embossed on the card. Privacy is specifically addressed in Section 274.12(e) under functional requirements:

(e) The State agency shall ensure that the EBT system is capable of performing the following functional requirements prior to implementation:

(1) Authorizing Household Benefits,

(ix) Ensuring the privacy of household data and providing benefit and data security.

There are several other provisions dealing with the security of the system and the movement of data within the system for purposes of EBT operations, but no other provisions directly address the issue of privacy. In addition, there are no FSP regulations that specifically limit or prohibit retailers or third-party processors from capturing EBT information and using it for other purposes. Section 274.12(h)5(iii) of the regulations indirectly provides guidance:

(iii) The State agency shall ensure that third party processors and retailers driving their own terminals comply with this section and all applicable Food Stamp Program regulations.

B. WIC PROGRAM REGULATIONS

1. WIC Program Regulations -- General

The WIC program provides food prescriptions to pregnant, nursing and postpartum women, their infants, and their children under the age of five who are at "nutritional risk." Because WIC benefits include nutrition education and counseling for WIC participants, there is substantial information (including health information) contained in each participant's case file.
FNS recognizes this and has several provisions protecting the confidentiality and use of its program and client information. Although the WIC regulations do not specifically contain EBT provisions, it is assumed that any alternative benefit delivery system, including EBT, must also maintain the confidentiality of program and client information. The use or disclosure of information is limited to the following:

• Administration or enforcement of the WIC program, including investigations into program violations
• Establishment of program eligibility and outreach
• Federal government audits of the program.

In addition, statistical or medical information collected under the program must not identify particular individuals.

The WIC regulations are more restrictive than the FSP regulations because WIC program information cannot be used in determining the alien status of a client nor in computer matching of eligibility information with other social service programs.

2. WIC Program Regulations -- Privacy

The specific disclosure and confidentiality provisions for the Special Supplemental Food Program for Women, Infants and Children (WIC) are found in Section 246.26 [3]:

(b) Statistical information. FNS reserves the right to use information obtained under the Program in a summary, statistical or other form which does not identify particular individuals.

(c) Medical information. FNS may require the State or local agencies to supply medical data and other information collected under the Program in a form that does not identify particular individuals, to enable the Secretary or the State agencies to evaluate the effect of food intervention upon low-income individuals determined to be at nutritional risk.

(d) Confidentiality.
The State agency shall restrict the use or disclosure of information obtained from program applicants and participants to:

(1) Persons directly connected with the administration or enforcement of the program, including persons investigating or prosecuting violations in the WIC program under Federal, State or local authority;

(2) Representatives of public organizations designated by the chief State health officer (or, in the case of Indian State agencies, the governing authority) which administer health or welfare programs that serve persons categorically eligible for the WIC Program. The State agency shall execute a written agreement with each such designated organization:

(i) Specifying that the receiving organization may employ WIC Program information only for the purpose of establishing the eligibility of WIC applicants and participants for health or welfare programs which it administers and conducting outreach to WIC applicants and participants for such programs, and

(ii) Containing the receiving organization's assurance that it will not, in turn, disclose the information to a third party; and

(3) The Comptroller General of the United States for audit and examination authorized by law. [4]

During the application process, the applicant, parent, or caretaker will be informed of WIC's disclosure provisions.

[3] These regulations are found in volume seven of the Code of Federal Regulations and are current as of August 1992.

[4] Any reports resulting from such examinations shall not divulge names of individuals (7 CFR Section 246.25(4)).

Appendix C
RESEARCH PERFORMED ON PRIVACY ISSUES

Price Waterhouse conducted an extensive research effort on privacy issues and Electronic Benefit Transfer (EBT). This research was performed in two parts: (1) on-site and telephone interviews with persons knowledgeable in the area of EBT and/or Privacy; and (2) a literature review. This Appendix lists these sources.

A.
CONTACTS

Interviews were conducted with representatives of the following organizations, in order to gain an understanding of their views on privacy with respect to EBT:

• Congressional Committees
• Government Agencies
• Advocacy Groups
• American Banker's Association
• National Organization of Women

B. EBT DEMONSTRATION PROJECTS INTERVIEWED

Telephone interviews were conducted with project directors of three of the EBT demonstration projects, to identify any privacy-related issues that have arisen in the operations of the demonstration projects to date:

• San Bernalillo County, NM
• Ramsey County, MN
• Dayton, Ohio
• State of Maryland

C. LITERATURE REVIEW

A comprehensive literature review was conducted in order to gain an understanding of the potential uses of data in an EBT system, and the legal and ethical constraints of these uses. The literature review included the identification and examination of Federal and State legislation, Federal Regulations, public opinion surveys, Congressional reports, Congressional hearings, Federal government agency publications, nonprofit organization and advocacy group publications, journal articles, and books. The following is a selected bibliography of these sources:

U.S. Government, Congressional Committee on Government Operations. Who Cares About Privacy? Oversight of the Privacy Act of 1974 by the Office of Management and Budget and by the Congress, 98th Congress, 1st Session, House Report No. 98-455, November 1, 1983.

U.S. Government, Privacy Protection Study Commission. Personal Privacy in an Information Society, The Report of the Privacy Protection Study Commission. July 1977.

U.S. Government, Office of Technology Assessment. Federal Government Information Technology: Electronic Record Systems and Individual Privacy, OTA-CIA-296, U.S. Government Printing Office, Washington DC, June 1986.

U.S. Government, Office of Technology Assessment. Defending Secrets, Sharing Data: New Locks and Keys for Electronic Information, U.S.
Government Printing Office, Washington, DC, October 1987.

U.S. Government, Congressional Committee on Government Operations. A Citizens Guide on Using the Freedom of Information Act and the Privacy Act of 1974 to Request Government Records, 102d Congress, 1st Session, House Report No. 102-146, July 10, 1991.

U.S. Government, Office of Technology Assessment. Electronic Delivery of Public Assistance Benefits: Technology Options and Policy Issues, OTA-BP-CIT-47, Washington DC, U.S. Government Printing Office, April 1988.

U.S. Government, House of Representatives. Hearing before the Government Information, Justice and Agriculture Subcommittee of the Committee on Government Operations. Data Protection, Computers, and Changing Information Practices. One Hundred and First Congress, Second Session, May 16, 1990.

U.S. Government, House of Representatives. Hearings before the Government Information, Justice and Agriculture Subcommittee of the Committee on Government Operations. Data and International Data Protection Issues. One Hundred Second Congress, First Session, April 10 and October 17, 1991.

Geva, Benjamin. The Law of Electronic Funds Transfers. Matthew Bender & Co., New York, 1992.

Flaherty, David H. Protecting Privacy in Surveillance Societies. The University of North Carolina Press, Chapel Hill, NC, 1989.

Plesser, Ronald and Emilio Cividanes. Privacy Protection in the United States: A 1991 Survey of Laws and Regulations Affecting Privacy in the Public and Private Sector. Washington, DC, 1991.

Appendix D
EBT PRIVACY ROUNDTABLE PARTICIPANTS

Richard Allen, Deputy Assistant Inspector General for Investigations, USDA Office of Inspector General

Gregory Benson, Program Manager, Retail Banking,
Operations and Technology, Savings & Community Bankers of America

Mike Bernstein, Attorney, Office of General Counsel, Food and Nutrition Division, USDA Office of General Counsel

Steven Carlson, Office of Analysis and Evaluation, Food and Nutrition Service, U.S. Department of Agriculture

Mary Culnan, Professor of Management Information Systems, Georgetown University School of Business

John P. Fanning, Senior Health Policy Advisor, Office of Health Planning and Evaluation, Public Health Service, US Department of Health and Human Services

Larry Goolsby, Policy Associate, American Public Welfare Association

Stephan Harvey, Director of WIC Programs, Center on Budget and Policy Priorities

Daphne Herling, Director of Community Organizing, Maryland Food Committee

Dr. Kathleen Horoszewski, Corporate Architecture and Systems Management Director, AT&T

Peter Larkin, Vice President for State Government Relations and Environmental Affairs, Food Marketing Institute

Carrie Lewis, Staff Attorney, Food Research and Action Center

Barbara Leyser, Senior Policy Analyst, Center on Social Welfare Policy and Law

David O'Connor, President & CEO, Internet, Inc.

Agnes Phares, Acting Management Information Systems Director, New Jersey WIC Program

George Trubow, Professor of Law, The John Marshall Law School
Title | EBT data privacy issues for food benefit programs |
Date | 1994 |
Contributors (individual) | Casey, Joseph T. |
Contributors (group) | Price Waterhouse (Firm) Office of Government Services.;United States Food and Nutrition Service Office of Analysis and Evaluation. |
Subject headings | Food stamps--United States--Data processing;Electronic benefits transfers--United States;Personnel records--United States--Access control |
Type | Text |
Format | Pamphlets |
Physical description | 1 v. (various pagings). |
Publisher | Alexandria, Va. : The Office, |
Language | en |
Contributing institution | Martha Blakeney Hodges Special Collections and University Archives, UNCG University Libraries |
Source collection | Government Documents Collection (UNCG University Libraries) |
Rights statement | http://rightsstatements.org/vocab/NoC-US/1.0/ |
Additional rights information | NO COPYRIGHT - UNITED STATES. This item has been determined to be free of copyright restrictions in the United States. The user is responsible for determining actual copyright status for any reuse of the material. |
SUDOC number | A 98.2:EL 2 |
Digital publisher | The University of North Carolina at Greensboro, University Libraries, PO Box 26170, Greensboro NC 27402-6170, 336.334.5304 |
Full-text | Office of Analysis and Evaluation

EBT Data Privacy Issues for Food Benefit Programs

United States Department of Agriculture, Food and Nutrition Service

EBT DATA PRIVACY ISSUES FOR FOOD BENEFIT PROGRAMS

This report reflects what was learned from a roundtable discussion among privacy and other experts, summarizes existing privacy protections in Electronic Benefit Transfer (EBT) systems used in the Food Stamp Program and the Special Supplemental Food Program for Women, Infants and Children, and suggests strategies for continued and enhanced privacy protections as EBT expands. Additional copies of this report may be obtained by calling the Office of Analysis and Evaluation, (703) 305-2133.

Enclosure

EBT Data Privacy Issues for Food Benefit Programs
August 1994

Authors: Joseph T. Casey, Brenda L. Monroe, George Trubow, Jenifer L. Wolfman

Submitted by: Price Waterhouse, Office of Government Services, 1801 K Street, NW, Washington, DC 20006

Submitted to: U.S. Department of Agriculture, Food and Nutrition Service, Office of Analysis and Evaluation, 3101 Park Center Drive, Alexandria, VA 22302

Project Director: Brenda L. Monroe
Project Officer: Alana Landey

This study was conducted under Contract Number FNS-3198-1 -020 with the Food and Nutrition Service, U.S. Department of Agriculture, under the authority of the Food Stamp Act of 1977, as amended. Points of view or opinions stated in this report do not necessarily represent the official position of the Food and Nutrition Service.

TABLE OF CONTENTS

EXECUTIVE SUMMARY

I. INTRODUCTION
A. The Evolution of EBT
B. EBT in a Privacy Context
C. Study Objectives

II. EBT AND PRIVACY BACKGROUND INFORMATION
A. Definition and Description of EBT
B. Federal Laws and Regulations Governing EBT Data Use
C. General Privacy Issues

III. PRIVACY RESEARCH AND THE ROUNDTABLE DISCUSSION
A. Program Administration and Compliance
B.
The Differences Between FSP and WIC Privacy Concerns
C. Adequacy of Existing Limits
D. Uses of EBT Data for Research
E. Implications of Privacy Protection Needs for EBT Data Security
F. Potential Uses of EBT Data
G. Privacy Issues in EBT Demonstration Projects

IV. CONCLUSIONS AND STRATEGIES FOR PRIVACY PROTECTION
A. Summary of Conclusions
B. Strategies for Maintaining High Levels of Privacy Protection in EBT

APPENDICES
Appendix A: Applicable Privacy Laws
Appendix B: Food Stamp and WIC Regulatory Language on Privacy
Appendix C: Research Performed on Privacy Issues
Appendix D: EBT Privacy Roundtable Participants

EXECUTIVE SUMMARY

Electronic Benefit Transfer (EBT) replaces paper-based issuance systems for the Food Stamp Program (FSP), the Special Supplemental Food Program for Women, Infants, and Children (WIC), and cash benefit programs with systems that issue and redeem benefits through electronic funds transfer (EFT) networks and point-of-sale (POS) technology. FSP and WIC EBT systems generate and retain records on client food purchasing and retailer redemption patterns that do not exist under the paper issuance system. In addition, there are new "players" that have access to this information -- retailers, system processors, and third-party processors. As EBT systems emerge nationwide, the Food and Nutrition Service (FNS) needs to ensure that privacy of recipient information and confidentiality of retailer information is adequately and appropriately incorporated into the planning and use of EBT system data.

This study identified the major privacy concerns for FSP and WIC Program recipients and retailers through literature reviews, interviews with various participants in the EBT arena, and a roundtable discussion among EBT stakeholders and other appropriate experts. Overall, FSP regulations and, to a somewhat lesser extent,
WIC regulations, provide specific and adequate safeguards over access to and use of information about individuals and retailers. Other findings include the following:

• FSP and WIC regulations restrict the use of individual recipient EBT transaction data to benefit issuance and program integrity purposes.
• "Secondary" uses of EBT data, such as targeted marketing or locating individuals through transaction information for law enforcement purposes unrelated to benefit issuance, are prohibited without the recipient's consent.
• Multi-program, multi-State EBT raises the concern of opening access to data that was not shared prior to the use of EBT systems.
• FSP regulations protect the confidentiality of retailer information. WIC regulations, however, do not address the collection and use of retailer information.

Based on these findings, there are a number of strategies that the various parties that develop and use EBT systems and data should consider. These include the development of an overall privacy framework applicable to reviews of existing data as well as the planning of new uses of data. Such a framework could enhance the privacy and confidentiality protections that already exist within the FSP and WIC Program.

I. INTRODUCTION

A. The Evolution of EBT

The Food and Nutrition Service (FNS) has been at the forefront of developing and applying Electronic Benefit Transfer, or EBT, systems in public assistance programs for 12 years. As of April 1994, Food Stamp Program (FSP) participants in seven locations of varying size located throughout the United States receive their benefits through EBT. A demonstration for EBT in the Special Supplemental Food Program for Women, Infants, and Children (WIC) was recently completed, and others are planned. About 30 States are planning to develop and operate an EBT system for FSP and other programs. Many States have also expressed an interest in WIC EBT.
This new technology enhances food benefit service to FSP and WIC recipients. It can be and is used by other benefit programs, such as Aid for Families with Dependent Children (AFDC), child support, and Social Security. Unlike FNS' programs, these programs provide their recipients with cash benefits.

EBT has evolved into a viable, appealing alternative to conventional benefit delivery systems, and it is clear that it will play a central role in the delivery of nutrition assistance benefits in the Food Stamp and WIC Programs and in the delivery of cash benefits for other programs. The Secretary of Agriculture is committed to initiating nationwide EBT by 1996 and FNS must consider the range of operational issues associated with a complete shift from paper coupons to EBT. The study of EBT data privacy is one of these issues.

In its report to the Vice President, the Federal EBT Task Force recommended the unified delivery of government-funded benefits. Under this plan, EBT would involve many benefit programs and would function without regard to State borders. This report focuses on the privacy issues that impact FNS' programs, issues that may be quite different from those facing cash benefit programs.

B. EBT in a Privacy Context

Over the past several years, privacy issues in general have received extensive attention from the media, the courts, and business. Consumer advocacy groups lobby for more stringent limits on the uses of credit history, debt information, and other personal data. Manufacturers, on the other hand, increasingly rely on targeted marketing -- which requires detailed information on income, shopping habits, and household composition -- to win new customers. The results of public opinion surveys conducted over the past two decades indicate that government access to personal information is especially worrisome to the American public. These trends create a complex environment for the exploration of EBT privacy issues.
PRIVACY TERMINOLOGY

The terms personal information, privacy, confidentiality, and security are used throughout this report. For clarity in usage we define these terms as follows:

• Personal information is any information that describes or is referenced to an identifiable individual (not a business entity such as a retailer), whether that reference be by name, number, address, or some other identifier. Information is considered personal because of its reference and not because of its content.
• Privacy is a characteristic of natural persons and concerns how personal information is collected, used, and disclosed.
• Confidentiality is a characteristic of information management and implies that information can be disclosed only to certain persons under specified circumstances.
• Security is a characteristic of information systems and ensures that information in the system is protected from unauthorized access, disclosure, alteration, or loss.

Accordingly, system security implements confidentiality protocols, which in turn protect privacy. Assuring security is primarily a matter of management policy and system technology; confidentiality protocols reflect information management policy.

Food Stamp and WIC Program EBT systems issue and redeem benefits through the use of an electronic funds transfer network and point-of-sale (POS) technology. Participants use an electronically coded card instead of paper coupons to buy food. EBT systems collect and retain transaction-specific information to reconcile or balance benefit issuances with redemptions and debits with credits. To date, information accrued through EBT systems has been used primarily to ensure that funds are appropriately debited and credited. Electronic processing of information also creates the potential for greatly increasing FNS' knowledge of client food purchasing and retailer redemption patterns.
In addition, EBT creates the opportunity for additional entities, such as retailers and third-party processors, to access this information. The actual and potential uses of transaction data raise a variety of privacy-oriented questions that FNS must consider so that it can implement responsible EBT programs.

C. Study Objectives

FNS studied EBT privacy issues in the FSP and the WIC Program for two main reasons: to determine whether controls over access to and uses of EBT data are adequate, too lax or too strict; and, to anticipate and address some of the issues that may arise with the availability and potential use of the data. Specifically, this report:

• Identifies current and potential uses of EBT data.
• Examines current policies on uses of EBT data in the FSP and WIC Program and assesses their effectiveness in (1) protecting client and retailer rights and (2) supporting FNS' need to pursue programmatic objectives such as program integrity and effective benefit delivery.
• Outlines strategies that provide the best balance between these two potentially competing goals.
• Presents the opinions and perspectives of the broad range of EBT stakeholders and other appropriate experts.

This report is organized into the following sections:

• Background on EBT and privacy issues
• Findings from our research and the roundtable discussion
• Conclusions and strategies for privacy protection

The information presented in this report will assist FNS in its overall efforts to understand fully the privacy implications of EBT data use and to assess EBT data use policy.

II. EBT AND PRIVACY BACKGROUND INFORMATION

A. Definition and Description of EBT

Currently, most eligible FSP benefit recipients are given books of paper coupons that may be used to pay for a broad range of food items purchased at authorized retail stores.
In the WIC Program, recipients exchange vouchers at participating retail stores for specific food products such as milk and related items.

New computer and communications technologies present the opportunity to deliver benefits electronically. Under an EBT system, recipients in either program access benefits using an electronically encoded plastic card similar to those issued by banks and other financial institutions for use with automated bank teller machines and point of sale direct debit machines. Most EBT food stamp and cash benefit systems are on-line. The WIC program, due to its focus on specific items, has pursued off-line EBT which uses smart card technology. This EBT card is recognized in electronic information networks that validate the requests for benefits and authorize the purchase of food products.

This automated process has the potential to decrease administrative costs and reduce management burdens while improving the speed, convenience, and security of benefit delivery to qualified recipients. For example, EBT cards reported to be lost or stolen can be invalidated and their accounts frozen immediately, minimizing unauthorized access to the benefits. Payments are made directly to authorized accounts, curtailing coupon theft and other fraud. Benefits are drawn down as needed. The cards only work if the correct personal identification number (PIN) is used. EBT also enables the collection and maintenance of transaction information that can be linked to benefit recipients, retail stores, and financial institutions.

An EBT system ties together many persons and organizations:

• Recipients under FSP are the households eligible for food stamps. Recipients under the WIC Program are pregnant, breast-feeding and postpartum women, infants, and children under the age of five who are at "nutritional risk."
The head of household receives an EBT card and chooses a personal identification number (PIN), which serves as a signature and limits the use of the card, and access to benefits, to the cardholder. In WIC, individuals receive an EBT card. In the Wyoming demonstration project, all WIC participants in a family were on one card.

• A retailer is a food store that is authorized by FNS to accept food stamp coupons or WIC food instruments. Retailers participating in EBT have point-of-sale (POS) terminals located among the check-out lanes that can read the EBT card.

• The system processor is the party that has contracted with the State agency to operate the EBT system. The purchase amount, retailer identification information (the retailer, clerk, and terminal ID numbers), recipient identification information held on the card, and information that authenticates the recipient's identity is checked against the processor's central computer files. If the recipient and retailer are both authorized participants, and the recipient has sufficient funds in his account to cover the purchase, the transaction is authorized.

• A third-party processor may be used to drive the POS terminals located at the retailer, or it may simply act as a switch between the POS terminals and the system processor. Third-party processors are used in EBT systems that are integrated with commercial payment systems (the POS is used for commercial credit or debit payment transactions as well as EBT transactions). These processors may also provide other services to retailers, such as check authorization services.

• A concentrator bank is a member of the Federal Reserve System and has the capability to take information regarding retailer food stamp credits from the EBT system processor and transmit this information to the Automated Clearinghouse (ACH) network.
The ACH transfers funds to and from member institutions and is the method used to credit retailers' accounts for food stamp EBT transactions.

• The State Agency is responsible for the administration of Federally-aided public assistance programs within the State. The State agency also has administrative responsibility for the EBT system.

For each of these stakeholders, EBT poses issues associated with informational privacy, confidentiality, and security because it collects and uses more information than the paper system.

The following section outlines the five basic operating functions of an on-line EBT system, identifies the information it collects and uses, and contrasts it with how it is accomplished under the paper system.

• Benefit Authorization/Posting. The available balance of benefits authorized for household use is posted to each electronic "account." Paper systems have no comparable step: FSP coupons and WIC vouchers are issued to the recipients by mail or "over the counter."

• Transaction Authorization. To authorize a transaction, an on-line system transfers several pieces of information from a terminal at a retailer location to the central processor to verify recipient and retailer identity and to confirm whether there are sufficient funds in the recipient's account. This information is maintained in the central database. While the recipient's name is not recorded, an EBT account number links an individual recipient to a transaction. For the first time, a central record is available that identifies the history of purchases with individual households.

Under the current FSP coupon system the recipient exchanges coupons equivalent to the value of food purchased. There are no program records of individual transactions. The retailer may record the type of sale as a food stamp purchase and, depending on the equipment used, may also be able to track aggregate FSP purchase totals.
The retailer, however, has no way of knowing who made which purchase. Because there is no authorization process, the collection of recipient and retailer information is not necessary to conduct the transaction. No information on the use of benefits by individual households is collected.

In WIC EBT, the client debits specific prescription food items from their account. Information about purchase behavior is captured and available for use by program administrators. Current WIC paper vouchers are participant specific and indicate what foods are authorized for purchase. Limited information about food purchases can be extracted from the returned vouchers.

• System Settlement and Crediting of Retailers. Each day, the system processor compiles FSP EBT transaction information for each retailer in order to initiate the settlement process. This retailer-specific information is then transferred to and processed by a Concentrator Bank, which in turn completes the transfer of funds using the Federal Reserve's ACH system. Settlement data is retained by the EBT processor for audit purposes. WIC EBT accomplishes these steps in a nearly identical manner.

In the current FSP coupon issuance system, retailers count and bundle the coupons and deposit them in their bank accounts. The retailer's bank credits the retailer account and transfers the bundled coupons to the Federal Reserve, which processes the coupons, and periodically debits the Food Stamp Program Treasury account. The retailer redemption information available under a coupon system includes retailer deposit amounts and the cumulative dollar value of redemptions.

• Reconciliation. Federal FSP EBT regulations require extensive reporting about reconciliation between recipient accounts, retailer accounts, and system processor authorization files. Reconciliation is performed by the State agency or EBT processor using data obtained during transactions, and reports are provided to FNS.
Some reports aggregate the daily EBT activity of individual retailers while others reconcile total issuances and redemptions in the system. Included in these reports is daily transaction information identified by recipient ID number, terminal ID number, retailer ID number, transaction time, and transaction amount. These data may be provided to the State agency, which aggregates the data into various reports that are submitted to FNS monthly, quarterly, or annually. These same capabilities are available in WIC EBT systems.

Under the FSP coupon issuance system, transaction-level data are not tracked. The Federal Reserve sends information on total retailer redemptions to the FNS Minneapolis Computer Center, where these redemptions are tracked by retailer deposit amount and total dollar value of redemptions. The total amount of benefits authorized to be paid is also reconciled against the amount of in-person and mail issuances. In contrast, WIC State agencies make extensive use of data extracted from vouchers to manage expenditures and monitor retailer compliance with program requirements.

• Exception Reporting. In order to conduct compliance investigations, FSP regulations require that EBT systems provide exception reports that can isolate transaction data by individual retailers and households.[1] These reports are provided to the States. They are also provided to FNS' Compliance Branch Area Office on a quarterly or, if requested, a more frequent basis. Although FSP retailer monitoring is the responsibility of the Federal government, States are beginning to ask EBT processors to provide detailed transaction information that will assist Federal investigators in identifying unusual redemption patterns. The information is used to support investigation of both retailers and recipients. In WIC, similar retailer monitoring is currently performed as a State responsibility. WIC EBT enhances this monitoring function.
Under the coupon system, Federal compliance monitoring is only performed for retailers, using information on deposits of coupons. When examining these reports, compliance investigators look for unusual redemption patterns among retailers.

[1] Section 274.12(j)(2)(ii) of the FSP Regulations.

On-line EBT is currently the preferred approach to EBT because of its similarity to existing commercial systems. In an off-line system, the EBT process operates without direct or real-time access to a central database. The recipient is issued a "smart card" which has a built-in memory and processing capability to maintain balance and authorization information on the card. Benefits are transferred onto each recipient's card at predetermined times. In the FSP, benefits are provided as a dollar amount; in WIC, the benefits are provided in the form of a food prescription, and the exact value of the food redeemed is not known until a transaction occurs and the value is entered on the card. During each purchase transaction, the purchase amount or food is deducted from the balance of benefits (for FSP) or foods available (for WIC) maintained on the card. Transaction information is simultaneously recorded on a computer located in the store for delayed transfer to the central computer where balance information is updated and credits to retailer accounts are processed and transferred via the Federal Reserve system. There have been two off-line EBT demonstration projects, one for the FSP and one for the WIC Program.

In the one WIC EBT demonstration project conducted to date, the EBT system performed these five functions and maintained data about the specific foods and prices associated with each transaction. Since the WIC Program prescribes the types and quantities of foods to be purchased, tracking items and prices of purchases was necessary to determine program compliance.
WIC State agencies also are responsible for monitoring retailer performance and compliance with program requirements through the analysis of transaction data. EBT makes it possible to obtain more information on retailer and participant benefit redemption behaviors.

B. Federal Laws and Regulations Governing EBT Data Use

There are a number of Federal laws and regulations intended to protect the privacy and prevent the misuse of personal data in general and EBT data in particular. The relevant Federal privacy law and relevant Federal program regulations are briefly summarized below to provide a legal framework in which to place EBT privacy issues. (See Appendices A and B for more detailed information.)

• The Privacy Act of 1974, which regulates the use and disclosure of personal information by the Federal government, states that personal data can be disclosed only for "routine use... a purpose which is compatible with the purpose for which it was collected."

• FSP and WIC Program regulations limit the use of recipient information to administration or enforcement of the program, including investigations into program violations, and federal audits of the program. For the Food Stamp Program, information can be used to certify alien status and conduct computer matching for eligibility and income with other benefit programs. Also, the Secretary of Agriculture is authorized to undertake research that will help improve the administration and effectiveness of the FSP in delivering benefits. The Secretary is required to develop and implement measures for evaluating, on at least an annual basis, the effectiveness of the FSP in achieving its stated objectives. In neither case do the regulations or law specify the type or level of data to be used.
The FSP regulations also contain a specific provision that safeguards the confidentiality of retailer information, which can be used only if directly connected with the administration and enforcement of either the Food Stamp or WIC Program. For the WIC Program, information on participants can be given to representatives of public organizations designated by the chief State health officers who administer health or welfare programs that serve persons categorically eligible for the program. WIC regulations also specifically allow the use of data in summary, statistical, or other form if individuals are not identified.

• FSP EBT regulations include a provision stating that the State agency must ensure that the EBT system is able to ensure the privacy of household data.

Although FNS provides the funding for the Food Stamp and WIC Programs, both programs are administered at the State level. Because the appropriate State agency collects the EBT data, the Privacy Act does not apply to what the State can do. (The Act does, however, apply to what FNS can do.) This situation would be true under multi-State EBT, where several State agencies might require access to information about recipients and retailers.

C. General Privacy Issues

Informational privacy in the United States is regarded as a characteristic only of individual persons. Individuals are referred to as natural persons to distinguish them legally from corporations. Strictly speaking, information pertaining to business entities is not subject to privacy restrictions in the same way as information on individuals. FNS, however, has a programmatic interest in the rights of retailers as well as program participants.

There has long been concern over computer technology's implications for individual privacy. Several books published in the 1970's focused popular attention on these issues. In 1973, a special task force of the U.S.
Department of Health, Education, and Welfare completed the first in-depth government study of personal information kept in Federal computerized data banks. Its report, "Records, Computers, and the Rights of Citizens" documented the significant growth of the use of computers to process information. The Task Force proposed a set of "fair information practices" to enhance privacy by protecting the confidentiality of personal information. These principles can be distilled as follows:

1. Collect only that personal information necessary for a lawful purpose.
2. Use for decision-making only those data that are relevant, accurate, timely, and complete.
3. Give the data subject access to information about himself and provide a procedure by which to challenge and correct the information.
4. Use data only for the purpose for which it was collected.
5. Protect the data against unauthorized loss, alteration, or disclosure.

The Privacy Protection Study Commission, established by the Privacy Act of 1974, also conducted a thorough and comprehensive study of public and private record systems and issued 166 specific recommendations to enhance informational privacy. In reinforcing the foregoing principles, the Commission identified three objectives of good information practice: (1) minimize intrusiveness into the personal affairs of citizens; (2) maximize fairness to individuals in the way personal information is managed; and (3) legitimize expectations of the confidentiality of personal information.

In 1981, the American Bar Association sponsored a National Symposium on Personal Privacy and Information Technology. The published report of a panel of distinguished participants emphasized informational privacy threats and urged protective measures. Numerous publications have echoed and re-echoed these concerns.
The 1986 Annual Survey of American Law succinctly summarized the nature of the problem:

The right to privacy is integral to the American conception of the proper balance of power between the people and their government. As long as a citizen abides by the laws, his personal affairs should remain free from excessive governmental scrutiny. In recent years, however, this balance has shifted. Federal agencies today maintain vast amounts of computerized, easily accessible information on nearly every aspect of our lives....

Concerns about privacy are also reflected in consumer awareness. The most significant barometer of national consumer consciousness regarding privacy is the annual Louis Harris Privacy Survey, funded by Equifax. The 1993 survey focused heavily on health information privacy, but it did estimate that almost 60 percent of the surveyed population believed that privacy is inadequately protected by laws and organizational practices. The 1992 privacy survey provides more extensive information on privacy concerns:

• 78 percent of respondents are concerned about threats to personal privacy.
• 76 percent of the public agree that consumers have lost all control over how personal information about them is circulated and used.
• 68 percent agree that the present use of computers is an actual threat to personal privacy.
• 89 percent of the public express concern about the security of personal information in computers.
• 67 percent agree that if privacy is to be preserved, the use of computers must be sharply restricted in the future.

The problem is not merely one of the potential for privacy invasion by government; vast amounts of data are kept in the private sector. While EBT data are not available to the public, our research found that numerous individuals and organizations are concerned about private organizations, such as retailers and third-party processors, using and/or distributing data to which they may have access.
A major limit on the use of personal information results from the prohibition on "secondary use" of information.[2] The secondary use principle states that personal information gathered for a particular purpose may not be used for any other purpose without the express consent of the data subject. This principle gives maximum control of personal information to the data subject and is regarded by privacy experts as the "litmus test" of informational privacy. As noted above, the FSP and WIC Program regulations limit the use of recipient information to a few explicitly identified uses.

III. PRIVACY RESEARCH AND THE ROUNDTABLE DISCUSSION

In order to identify the full range of issues on the privacy of EBT data, the project team completed a detailed literature review and conducted a series of interviews with selected stakeholders. The information collected served as the starting point for a roundtable discussion of EBT data privacy issues. A group of EBT stakeholders and other appropriate experts met to discuss several questions during a full day meeting. The purpose of the meeting was not to reach consensus, but rather to gather as broad a range of perspectives and opinions as possible.

This section summarizes our research and the roundtable discussion and is divided into the following issues:

• Program administration and compliance
• Differences between FSP and WIC privacy concerns
• Adequacy of existing limits
• Using EBT data for research
• Implications of privacy protection needs for EBT privacy security
• Potential uses of EBT data
• Privacy issues in EBT demonstration projects

ROUNDTABLE QUESTIONS

In February 1994,
FNS sponsored a roundtable panel of program advocates, program officials, privacy experts, civil rights experts, and security experts to consider the following questions regarding EBT data use and related privacy implications:

• Does existing data use policy adequately support FSP and WIC program administrators' needs to pursue legitimate and important program improvements such as enforcing program compliance and monitoring EBT system use to ensure adequate delivery of benefits? If not, what improvements can be made that do not infringe upon program participants' privacy rights?
• Should constraints on data use differ for WIC and FSP, given the differences in the programs' structures and populations served?
• Are existing legal limitations on EBT data use adequate to protect program clients' privacy rights and retailers' confidentiality rights? If not, what else is needed? Are there or should there be additional ethical principles governing data use?
• Should participation in data analysis efforts be voluntary?
• What are the implications of privacy protection needs for EBT data security?

A. Program Administration and Compliance

The abundance of data generated through EBT can be an extremely valuable tool to program administrators. But the administrative need to utilize this important resource for improving program operations should not eclipse the need to protect program participants' privacy rights. In both EBT and paper issuance systems, data are used by State and Federal governments for two purposes: program administration and program compliance. Both of these uses are specifically delineated in the Food Stamp and WIC Program regulations (see Appendix B).

PROGRAM ADMINISTRATION. Data about individual EBT transactions are collected because they support the redemption of benefits by the recipient at authorized food retailers.
The data the EBT system collects on each transaction include recipient's EBT account number; retailer identity; POS terminal identity; type of transaction[3]; transaction amount; and time and date of transaction. For the WIC Program, the system would also collect data on authorized WIC foods. This information is used to approve each transaction, update recipient account balances, resolve questions about transaction authorization, credit retailers, settle and reconcile the system, and support system performance monitoring.

A transaction history file is maintained by the EBT processor for a fixed period of time, typically 30 or 60 days. Authorized personnel can use this file when responding to recipient requests for transaction histories, resolving problems, and addressing other program administration and program integrity purposes. The transaction history file can also be used to support fraud and abuse investigations.

In a coupon-based system, the only comparable information is that the FSP recipient was issued (e.g., mailed) a monthly allotment of food stamp coupons on a given date. As indicated before, there are no transaction-specific or aggregate data about either the individual recipient or the retailer. WIC recipients receive vouchers for their food prescriptions. These vouchers are returned to the State and aggregated information about transactions is available and is used for analysis or for nutritional counselling provided to the participants.

Discussion: Overall, our research and the roundtable discussion did not question the importance of using EBT data for ensuring the delivery of FSP and WIC Program benefits. Most advocacy groups noted that FSP and WIC recipients prefer receiving their benefits through EBT rather than through the paper system. They find it more appealing, more secure, and less stigmatizing.

The concern lies in other uses of the data that would fall under the "program administration" umbrella.
As one roundtable participant noted, it seems that the information available is similar to an answer waiting for a question. Some advocates firmly believe that FNS' sole responsibility is to provide food benefits, and program administration should be limited to this function. They fear that information collected from the EBT system could be used to change the program fundamentally. For example, FNS could restrict FSP benefits to a defined group of "nutritious foods." Other advocates, however, believe that additional information collected through the EBT system would improve the WIC Program, particularly in the area of nutritional education and counseling. A more detailed discussion of potential uses of EBT data and related policy issues is found in Section F below.

[3] The types of transactions that can be made include balance inquiry, regular transaction, or manual transaction.

In general, there is expressed concern over the tracking of individual transaction data. Such monitoring creates a "Big Brother" effect, in which the government has knowledge of the location and behavior of an individual at a given time. In addition, several persons interviewed stated that such monitoring is discriminatory, since this data is not collected by the government on persons who are not program recipients.

PROGRAM COMPLIANCE. EBT data are used to monitor recipient and retailer program compliance. EBT processors submit mandatory exception reports containing information on amount and time of transactions by individual retailers and households. FNS' Office of Compliance conducts routine monitoring of compliance by retailers. These data are also used by the U.S. Department of Agriculture's Office of Inspector General (OIG) to help detect individual abuse and trafficking of FSP benefits and, more importantly, to support retailer compliance investigations.
For example, FSP EBT data for recipients or retailers on even-dollar transactions, multiple high-value transactions per day, and concentrations of same-recipient transactions in a single retail location can be used to develop profile programs to identify retailers and recipients that may be violating program rules. Aggregated information on recipient redemption behavior is also available through EBT systems.

Currently, investigations of recipient fraud and abuse are conducted primarily by the States. Information on individuals is not routinely collected by the Food and Nutrition Service; it is collected only if the OIG suspects trafficking of benefits and if the information will assist in the investigation of a suspected retailer. Such data have been and will continue to be used to prosecute recipients as well when appropriate.

In coupon-based systems, there is no data system-based monitoring of recipients. Retailer compliance is accomplished through analysis of aggregate redemption data at FNS' Minneapolis Computer Center. The OIG relies on allegations of retailer fraud and abuse, and investigations are limited to on-site surveillance.

Discussion: The use of EBT data to monitor retailer compliance was not raised as an issue in either the interviews or roundtable discussion. Several advocacy groups, however, were concerned that the OIG would use EBT data on individuals on a regular basis to assist with program enforcement and/or investigations. In fact, the OIG stressed that its investigations focus almost exclusively on retailers, because retail fraud investigation is a Federal function for the FSP. Also, since both FNS and the State agencies have jurisdiction over recipient fraud, FNS' view is that it should be dealt with at the State level.

Food-specific purchase transaction data are not tracked for FSP.
If such information were captured, however, it is conceivable that FNS could use the data to ensure retailers are redeeming FNS benefits for eligible foods only or to track the proportions of types of foods (e.g., junk food) sold by authorized FSP retailers in order to re-evaluate the program eligibility of certain retailers or food types.[4] In the WIC Program, the State WIC agency could use EBT to track the costs of prescription foods to determine which retailers are providing foods at the lowest cost. Retailer advocacy groups were concerned over the tracking of purchase data for individual retailers because, again, the tracking could include other items in addition to those purchased with program benefits.

It was mentioned that when and if Regulation E[5] applied fully to EBT, the States might redouble their efforts to investigate recipient fraud because the State would be liable for lost or stolen EBT benefits in excess of $50. The Federal Reserve has postponed the application of Regulation E to EBT for three years to allow adequate time to study the magnitude of liability that occurs in EBT systems.

B. The Differences Between FSP and WIC Privacy Concerns

The FSP and WIC Program differ in their purpose, structure, and populations served. FNS sought EBT stakeholder views on whether it is acceptable to use EBT data on purchasing patterns to conduct nutrition education at either the individual or aggregate level for either program.

FSP is an entitlement program - all households that meet the eligibility criteria receive food stamps. The WIC program is a very individualized, tailored program where the prescription, in theory, is targeted to the specific circumstances, health history, and nutrition history of the particular client. It is not an entitlement program, and each year there are thousands of women and children who are eligible to participate in the program but cannot because of budget constraints.[6]
Therefore, the State ranks eligible clients in terms of health and nutritional risk. A logical outgrowth of the clinical aspects of WIC is the use of information about purchase behavior in nutritional counseling.

Discussion: As noted above, EBT tracks some food purchase transaction data for FSP recipients. The delivery of benefits does not require information on specific food purchases. While it is possible for WIC EBT to operate in a manner similar to FSP EBT, the WIC Program needs to track specific prescription purchases -- milk, juice, cereal, and infant formula. To do this, WIC EBT must collect more individual level information.

The roundtable participants acknowledged that the WIC Program requires more detailed knowledge of individual clients' circumstances than the FSP. (It was also noted that the uses of WIC Program data are even more restrictive than those for FSP, e.g., WIC does not participate in computer matching among Federal welfare programs.) Although several client advocates argue that FSP EBT data should be used exclusively for the delivery of benefits, some advocates believe that increased information available from the WIC EBT systems would help the States provide better and more comprehensive services to a greater number of people. Thus, advocates appear to be more comfortable with using EBT data for direct client interventions in WIC than in FSP.

[4] Although States are responsible for EBT, FNS is currently responsible for retailer authorization, management, monitoring, and sanctioning for FSP. Under this arrangement, EBT systems provide data for Federal use.

[5] Regulation E of the Board of Governors of the Federal Reserve System to implement the Electronic Funds Transfer Act.

[6] It has long been contemplated, however, that the WIC Program will one day be fully funded.

C. Adequacy of Existing Limits

The FSP and WIC Program have legal and regulatory limits on who can access program data and how that data can be used. According to FSP and WIC regulations, recipient information can be disclosed only to those directly involved in program administration and enforcement. FSP regulations also limit disclosure of retailer information to purposes of FSP and WIC Program administration and enforcement. Although law enforcement agencies around the country would like increased access to all information that could help with criminal and civil investigations, the U.S. Department of Agriculture's Office of General Counsel (OGC) has been consistent in its refusal to provide information unless required to do so under subpoena. FNS wants to be sure that as EBT expands, existing FSP and WIC Program regulations and laws are sufficient to protect client rights to privacy and retailer rights to confidentiality.

Discussion: Several members of the roundtable were very impressed with FSP and WIC privacy and confidentiality regulations, which were seen to be much more stringent than those in effect for other benefit programs. FSP regulations also extend confidentiality to information about authorized retailers, information that is not covered by privacy laws. According to the OGC, each State must provide the minimum level of privacy protection that is required by Federal law. This minimum level is clearly established by the Food Stamp Act and is reflected in the FSP EBT regulations.[7]

As FNS moves to EBT for the FSP and WIC Program, there appear to be two areas that need to be considered. One is access to FNS EBT data by other Federal and State agencies. The second is that new players — retailers and third-party processors — are directly involved in the delivery of benefits and must have access to information to deliver benefits.
Controlling access to EBT data is an issue that will need to be considered as Federal and State governments consider multi-program EBT. In multi-program EBT, the EBT processor is provided with information by each of the participating programs. The processor maintains this information so that each EBT household has a single identifier, rather than identifiers unique to each program. There is the concern that multi-program EBT may increase access to program information among the Federal or State agency officials who administer these programs. However, in all instances existing program restrictions would continue to apply. Some eligibility-related information is now shared, but benefit data is not. How and when EBT might facilitate further information sharing has not yet been addressed systematically.

[7] Section 274.12(e)(1)(ix) of the FSP regulations states, "Each State shall ensure that the EBT system is capable of performing the following functional requirements prior to implementation . . . Ensuring the privacy of household data and providing benefits and data security."

Another issue is that EBT brings new players into the delivery of FSP and WIC Program benefits: retailers; system processors; and third-party processors. EBT POS terminals in food stores relay transaction data and receive summary data that the retailer uses for internal settlement and accounting purposes.[8] Existing legislation does not specifically regulate retailer collection and use of shopper-related information for internal purposes (see discussion on shopper clubs in Section F below). In EBT systems, however, most agreements between retailers and the EBT administering agencies include a clause stating that EBT data may not be used for purposes other than program administration. Since there is no comparable requirement of retailers under coupon systems, data may in fact be better protected under EBT.
Most of the current limitations on retailer uses of consumer data for both FSP and non-FSP recipients are in the form of self-regulation. The Food Marketing Institute (FMI) has issued a policy statement on consumer privacy that provides retailers with a set of guidelines on the collection and use of customer information. Several persons interviewed expressed the opinion that retailers will not disclose information on individual recipients for fear of losing customers. They feel that the cost of losing a customer is much greater than the marginal benefits obtained from targeted marketing and other uses of this data. This principle applies to both FSP and non-FSP customers. FMI believes that retailers will abide by the recommended guidelines for the use of recipient data so as not to jeopardize their business with individual clients. It is important to remember that unless the recipient, State agency, or third-party processor provides personal identification information to the store, retailers cannot link purchase data to individuals. EBT systems are not designed to provide this information.

Although State agencies are responsible for all aspects of EBT systems, experience with the demonstrations and current State efforts to develop EBT indicate that many aspects of the EBT system will be contracted out. EBT systems create access to recipient and retailer data by one, and potentially two or more, new parties: system processors and third-party processors.

EBT system processors maintain information about recipient identity, including recipient address, and use this information to ensure that benefits are delivered to those who are entitled to receive them. As mentioned before, EBT processors are being asked to produce analyses for the OIG to support investigations of unauthorized retailer and recipient activities. In addition, EBT processors provide analyses of aggregate transaction data to State agencies and to USDA.
These reports provide information used to monitor processor performance.

The third-party processors generally included in EBT systems are integrated with commercial EFT payment systems. They have access to transaction information only; recipients are not identified by name or any other personal identifier. Currently, retailers select their third-party processor, and third-party processors and networks do not collect recipient transaction data; information merely passes through these systems. In the future, as EBT more closely mirrors the commercial operating rules, third-party processors may become more involved in system settlement. If third-party processors ever provide settlement services, they will require redemption information about specific retailers. If third parties were to capture the data they transmit, then the confidentiality of retailer redemption information might be compromised.

[8] Retailers with more advanced electronic cash registers can (and do) electronically distinguish between food stamp coupon and non-coupon purchases. For example, FSP eligible products are exempt from sales tax. Having the register automatically total FSP and non-FSP items and then compute sales tax creates fewer register errors. It also reduces the chance of allowing non-FSP eligible items to be purchased with FSP benefits.

D. Uses of EBT Data for Research

While Food Stamp EBT regulations stipulate mandatory participation for the participant once EBT is introduced in a location, there is no rule requiring clients' or retailers' involvement in an organized EBT data analysis effort. FNS must consider the implications of mandatory versus voluntary participation in data analysis projects.
Specifically, should prior approval from program participants or authorized food retailers be required before any collection of data, or is notification unnecessary if information is randomly collected on individuals, aggregated, and cannot be traced to a particular recipient?[9]

Under the paper coupon system, researchers require the voluntary participation of program clients. FSP clients may be asked to complete long and detailed surveys and keep a log of all food purchases. Researchers must rely on the accuracy of these entries, which may not reflect actual purchases or eating habits. Individual data is then aggregated and reported. Under EBT, data collection could be much less intrusive if information on items purchased is an integral part of the electronic redemption process, as is likely to be the case for WIC EBT but not necessarily for FSP EBT.

EBT provides new avenues for research and analysis of the use of benefits. At present, some demonstration sites are using aggregated FSP EBT data to examine redemption behaviors such as number and time of transactions, number and types of retailers used, average dollar value of the transactions, and proportion of the full monthly allotment used. These analyses are done by aggregating household-level information, but purchases are not tied to specific individuals. WIC does such analyses routinely for management information system reports. Such studies help develop an understanding of program participation and contribute to the identification of changes that would improve efficiency and effectiveness of benefit delivery.

Recently completed evaluations of EBT demonstrations have used redemption data to determine if recipient purchasing behavior changes with EBT and to examine retailer redemption characteristics. For example, FNS needs to have information on the volume and number of transactions in order to anticipate system capacity requirements in light of minimum performance requirements.
FNS learned early on that the average FSP recipient made 8-10 transactions per month, a number higher than expected. The databases resulting from such analyses are much like other administrative record systems that help program administrators track system use and capacity. To the extent that these analyses are built upon individually identifiable data, however, it is appropriate to consider the degree to which this represents a secondary use of data[10] and thus is subject to privacy considerations.

[Footnote 9: It must be noted, however, that, according to Sections 282.1(a), (b), and (c) of the Food Stamp regulations, research currently conducted on the demonstration programs is accorded much greater freedom in the collection and use of data than what would be permitted for operational EBT programs.]

Discussion: The use of recipient EBT data for research purposes generated much discussion among the roundtable participants and focused on the following issues:

• Dealing with aggregated versus individual recipient data
• Identifying the research agenda that would use the data
• Allowing participants to opt-in or opt-out of the research project

Roundtable participants stated that collecting information on how its programs operate is an appropriate role for government. Individual data, when aggregated and stripped of identifiers, protects individual privacy while providing necessary information to develop, refine, and implement effective programs.

For other roundtable participants, the type of research being conducted was just as important, if not more important, than the collection of data. It was argued that as the amount of information the government has increases, so too does the risk to program participants that government can intrude further into their lives. For these participants, the issue is trusting the government to put the information to good use.
The 1993 Harris-Equifax survey provides a context for understanding this concern. First, it found that 75 percent of the American public do not believe that the government can be trusted to look after its interests. In addition, 58 percent of the American public do not feel that they have adequate legal protection of their rights to privacy.

For some advocacy groups, however, the examination of individual data infringes on recipient privacy, even if the data is stripped of identifiers and aggregated or collected by randomly sampling unidentified individuals. For these stakeholders, voluntary participation should be required for all research, because the consequences of the research may affect individual recipients in unexpected ways.

The issue of opting-in versus opting-out is very important. Under the existing benefit issuance system, FSP and WIC recipients have to "opt-in" - voluntarily decide to participate in a research project. Under EBT, certain data could be collected without the active participation of the FSP or WIC recipient. For example, tracking the number or value of transactions at store A over a set period of time or tracking the average number of transactions made from a sample of accounts. The roundtable participants differed on whether research should be restricted to those individuals that explicitly state that they want to participate (opt-in), or whether individuals should automatically be considered as research participants unless they explicitly state that they do not want to participate (opt-out).

[Footnote 10: See discussion on page 9 for explanation of secondary uses.]

E. Implications of Privacy Protection Needs for EBT Data Security

It is impossible to ensure EBT data privacy without adequate safeguards over the physical security of data. Data security is the set of tools used to protect privacy and confidentiality.
As with all computerized databases, there is the possibility of unauthorized access and use of EBT data. Some of the unauthorized uses include perusing data files, tampering with account information, changing or invalidating personal identification numbers, intercepting transaction communications, and theft of benefits.

Discussion: As separate database systems expand in capacity and are linked to one another for purposes such as computerized matching, there arises concern over "leaky databases." There have been several cases in which information stored on a government database was illegally sold. As more people obtain access to each database, the potential for this activity increases. Databases maintained in EBT systems could be subject to such abuse as well, though there are data and system security requirements (a combination of software, hardware, and personnel controls) in place to minimize this risk.

Unauthorized access is addressed through data use policy and system security. FNS provides general security guidelines that State systems must address. In addition, there are FSP- and EBT-specific security regulations. States must restrict access to authorized users and report violations and irregularities, maintain security plans, conduct periodic risk assessments, and conduct biennial reviews that include data privacy and confidentiality. EBT transactions are typically transmitted in clear text, except for the PIN, which is encrypted. These various security measures provide adequate protection of information when they are implemented and monitored systematically.

F. Potential Uses of EBT Data

Our research identified a widely-held concern that, as technological advances in the administration of government programs occur, new data uses may be deemed permissible by the government. Computerized matching, for example, was deemed acceptable once computer systems provided for this capability.
Food retailers routinely use Universal Product Code (UPC) scanners to control inventory and to expedite check-out procedures. It is now possible to link customers with purchase information. With relatively simple changes to data systems, it is also possible to provide the means to collect new types of data about retailers and recipients not possible under the paper coupon system.

There are additional uses of data that may come about as a result of changes in telecommunications and processing technology. Some potential uses of these data are discussed below. These uses are neither contemplated nor endorsed by FNS; they are presented merely as examples that may help define the limits of acceptable data use.

RECIPIENT EDUCATION. Recipient purchase pattern data could be used to monitor aggregate or individual FSP and/or WIC recipient purchases in order to determine the nutritional value and balance of items purchased. Results could be used to counsel FSP recipients on how to maximize the nutritional content of their purchases. Aggregate purchasing data could be used to develop generic counseling efforts, such as nutrition pamphlets, for distribution to FSP or WIC Program participants.

Monitoring of purchases for information on brands, quantities, and product selection could allow analysis of food usage or the efficiency of benefit use by specific recipients or groups of recipients. Advice might be given on how to obtain better value by changing brand or product choices, timing of purchases, or size of purchase. In WIC, food packages could be changed to better meet the food preferences of groups.

If EBT systems were to be integrated with the data obtained with UPC scanners, there is also the capability to track food items not purchased with program benefits. While it can be argued that this could serve as a basis for more in-depth counseling, it raises serious privacy implications.
Individuals generally do not want the purchase of items such as pregnancy tests, alcohol, prescription drugs, and cigarettes to be tracked by the government. Such tracking raises additional concerns for FSP and WIC recipients. Government agencies could potentially use this information when determining an individual's eligibility for benefit programs, for example by examining purchase information for clues to household composition.

Discussion: In general, recipient advocacy groups expressed strong opposition to the collection and use of either person-level or aggregated purchase pattern information for purposes of recipient education in the Food Stamp Program and, to a lesser extent, the WIC Program. This linkage is not required for FSP EBT to function. The linkage for WIC food prescriptions, but not all food purchases, is required of WIC EBT systems. Therefore, FNS needs to discuss and formulate policies about whether, how, and under what circumstances this additional type of information might be used.

RETAILER USES OF AGGREGATE DATA. It is conceivable that stores would want to track recipient purchase patterns on either an aggregate or individual basis for purposes of marketing, inventory, and negotiations with manufacturers. For the larger food stores and chains, the EBT system could be integrated with UPC-scanning electronic cash registers if it is not already. The data systems that support these registers could keep a daily or longer record of specific items purchased through EBT or with other means.[11]

As indicated before, it is not possible to identify individual recipients by name under either the paper coupon system or EBT system. In the EBT system, only the recipient account number is tracked. Because the transaction data do not reveal recipient identity, retailers could not tie specific purchases to specific individuals this way.
They could, however, use data to target marketing strategies to FSP and/or WIC participants in general by:

• Running promotions on products that are often purchased by FSP or WIC Program recipients.
• Encouraging FSP or WIC Program recipients to join a frequent shopper program by offering additional discounts on products most often purchased by them. (This would not violate FNS regulations prohibiting "differential treatment" of recipients if the discount were applied without regard to program participation status.)
• Conducting market research on FSP or WIC Program recipients who volunteer to participate to study consumer preferences and changes in buying behavior.

[Footnote 11: This capability exists in the paper coupon system. Retailers equipped with UPC scanners can flag a given transaction as a "food stamp transaction," separate out non-authorized products, and calculate sales tax for non-FSP purchases.]

Discussion: The roundtable participants did not discuss this type of data use. There may be several reasons for this. Primarily, the information that might be collected by retailers is not person-specific. Also, retailer representatives maintain that retailers do not maintain this information and do not sell or otherwise provide access to it because it is not economically or technically feasible.

USES OF SHOPPER'S CLUB DATA. Our research found that consumers (e.g., recipients) weigh the perceived loss of privacy against potential benefits. People are willing to give up an element of privacy as long as the benefits are significant. Retailer-sponsored shopping clubs are based on this principle. Retailers track individual purchase data using UPC scanning systems in combination with a "shopping club card" that identifies the purchaser. The retailer is then able to use this information for purposes of marketing and inventory.
In return, shopper's club members receive a variety of benefits, such as special reductions on specific products or discount coupons applicable to the total cost of a single day's purchase at the food store.

Credit companies have also initiated shopper's clubs, in which the purchases of credit card holders are tracked and either used internally or sold to marketers. Participation is voluntary. To date, several shopper's clubs have failed because of low consumer acceptance. One reason is that the perceived benefits were not sufficient to counterbalance the loss of privacy.

If FSP recipients who receive benefits through EBT participate in shopper's club programs, then individual identities, rather than just the recipient account number, could be linked to purchase patterns. This information could then be used similarly to the way information on non-FSP participants is used: to conduct individualized targeted marketing. Because shopper's clubs are voluntary, recipient privacy is less of an issue, as the individual has agreed to release personal information in return for certain benefits.

Discussion: The roundtable participants, including the advocacy representatives, believe that FSP and WIC clients should be free to participate in such clubs as long as program recipients are treated no differently from other participating customers and are informed fully of possible data uses. Participation in shoppers programs would directly benefit FSP recipients because they would receive discounts on food items, stretching their FSP monthly allotment. WIC recipients would indirectly benefit because their non-prescription food stuffs might be less expensive.

SYSTEM AND THIRD-PARTY PROCESSOR USE OF DATA. Third-party processors that drive both commercial payment systems and EBT POS terminals are limited by technology and cost in their access to item-specific purchase data. System processors and third-party processors would have little use for this data for internal purposes.
Absent restrictions already in place, the information they do have -- transaction histories -- might be sold to direct marketers and credit bureaus. Redemption information including transaction times, amounts, and, potentially, item-specific purchase data could be taken from one retailer and sold to its competitors.

Discussion: Our research found concern expressed over the lack of Federal regulation and legislation on the collection and use of data by system processors. FSP EBT regulations do address this issue, however, requiring each State agency to ensure that EBT system and third-party processors protect the privacy of household data and provide benefit data security.[12] In EBT demonstration projects to date, confidentiality clauses are included in contracts between the State and the system processor. These clauses restrict EBT transaction data use to that which is directly related to the administration of the FSP.

Since retailers can make their own arrangements for third-party processing, we do not know if these retailers impose data use limitations on processors in current EBT projects. If no limitations are imposed, third-party processors may feel free to capture and distribute data at will, possibly to marketers willing to pay for a list of potential new customers. The experience to date with third-party processors in the delivery of EBT is very limited and does not provide an adequate basis for gauging actual or potential threats to the privacy of data.

G.
Privacy Issues in EBT Demonstration Projects

Existing protection and restrictions on EBT data use seem to have been effective enough to prevent any significant privacy or confidentiality breaches in the EBT demonstration sites we contacted.[13] Recipients in the demonstrations have not voiced concerns regarding their privacy under the EBT system, and retailers are believed to have complied with confidentiality and data use restrictions outlined in FSP policy, State legislation, and contractual agreements.

We know of only two privacy-related incidents at demonstration sites, and both were resolved without compromising clients' privacy rights. In one site, several retailers requested that the State agency identify a recipient by name after a transaction error (such as a clerk forgetting to enter the purchase amount of a transaction) occurred, and the recipient was no longer accessible. Under this State's law, identifying a recipient for a retailer is prohibited. The State agency wrote a letter to the recipient describing the error and let the recipient decide whether to contact the retailer. In another instance, a law enforcement agency requested information on a suspect's EBT transactions to help the agency locate the person. The State's Office of General Counsel ruled that such use of data was illegal, and the request was denied. These incidents reinforce a generally high level of attention given to the non-disclosure requirements of the existing Food Stamp regulations.

[Footnote 12: Section 274.12(h)(5)(iii) of the FSP regulations states, "The State agency shall ensure that third-party processors and retailers driving their own terminals comply with ... all applicable Food Stamp Program regulations."]

[Footnote 13: See footnote 6.]

Privacy issues have been addressed in the contractual agreements and system design of certain EBT demonstration projects. The experiences of several of these projects are described below.
PRIVACY ISSUES CONSIDERED IN SYSTEM DESIGN. In the EBT system designs for FSP demonstration projects, privacy tends to be covered indirectly through system security standards and design. Security is usually outlined in terms of controlled access to various parts of the system (e.g., PIN encryption, telecommunications, batch files, POS terminals, and host computers), rather than uses of data.

In the initial phases of EBT system design, staff from each of the demonstration projects spoke with recipient and retailer advocacy groups regarding the implementation of the FSP EBT system. These groups did not consider privacy to be a major concern. The only privacy-related question raised repeatedly was whether the recipient's balance would be displayed on the cashier's screen at the check-out lane. In fact, the balance is not displayed on the check-out screen in any of the FSP EBT systems. It is, however, printed on the recipient's receipt, which is handed to the recipient by the clerk and is listed on the tapes maintained by some retailers as a record of transactions. Balances are printed on receipts to give recipients a convenient, timely tool for tracking their account balances.

CONTRACTUAL PROVISIONS FOR RETAILER AND RECIPIENT PRIVACY. There are provisions in the contractual agreements with the EBT system processor and retailers that either directly or indirectly address privacy and the restriction of data uses. These provisions are discussed below.

• System Processor Contracts. In most cases, the contract between the administering State agency and the system processor includes clauses restricting EBT transaction data use to that which is directly related to the administration of the FSP. In addition, system processors must adhere to FSP regulations concerning privacy and information security as well as the regulations of other programs that use EBT.[14]

• Retailer Agreements.
In each of the FSP EBT demonstration projects contacted, participating retailers must enter into an agreement with the administering State agency or its agent. Retailer agreements vary widely in the manner and extent to which privacy issues are addressed. In at least one case, there is a clause prohibiting the use or disclosure of recipient information for any purpose not connected with the administration of the FSP. A different retailer agreement prohibits the disclosure of recipient information but does not address internal uses of these data. At least one retailer agreement fails to address privacy issues specifically in any form. Each retailer agreement, however, requires the retailer to adhere to applicable State laws and Federal regulations, which would include privacy legislation.

[Footnote 14: FSP regulations require State agencies to ensure that EBT systems are capable of performing several functional requirements prior to implementation. Two of these requirements are ensuring the privacy of household data and providing benefit and data security.]

In order to participate in the FSP, authorized retailers must enter into an agreement with FNS. This agreement specifies that retailers must cooperate with Federal compliance investigations. This is standard practice for retailer participation in both EBT and paper coupon systems. In this agreement, the retailer is required to provide transaction information when requested as part of an investigation. In the EBT system, this information is maintained by the system processor on a daily basis and later aggregated and sent to the FNS central computer center. The agreement states that FNS will only use retailer-specific transaction data for compliance purposes.

• Third-Party Processors. To date, there are no contractual agreements between the administering State agency or system processor and third-party processors except in the FSP off-line demonstration.
In at least one case, however, a clause is included in the retailer agreement holding the retailer responsible for the compliance of third-party processors with FSP EBT policy and standards. Yet the FSP regulations do state that the State agency shall ensure that third-party processors comply with FSP regulations, including those dealing with privacy and security. If a third-party processor does not adhere to these mandates, it may no longer be allowed to participate in the EBT system.

IV. CONCLUSIONS AND STRATEGIES FOR PRIVACY PROTECTION

This section summarizes our conclusions and offers guidelines and strategies that the various parties that influence and guide EBT could take to address privacy protection of FSP and WIC recipients and confidentiality protection of retailers.

A. Summary of Conclusions

Electronic Benefit Transfer is now a proven technology. It has moved beyond testing and development to become an operational alternative to existing benefit issuance systems. The benefits to the recipient and administrative agency have been documented in numerous studies undertaken by the Food and Nutrition Service. EBT systems, however, greatly increase the amount, detail, and potential accessibility of information about the use of benefits. EBT systems create databases containing individually identifiable purchase information that varies in detail depending upon the program using EBT, something that is not possible under existing coupon-based issuance systems.

Fundamentally, FSP regulations and, to a somewhat lesser extent, WIC regulations provide specific and adequate safeguards over access to and use of information about individuals and retailers. These basic protections extend to EBT-developed information. However, the means of access to data and the potential uses for those data will expand in the future. Therefore, it is appropriate to consider the privacy implications of data uses.
It is also appropriate to provide mechanisms for ensuring that other agencies not typically involved in the administration and oversight of FSP and WIC are bound by comparable requirements for safeguarding the privacy of information to which they may have access as a result of their involvement in the electronic delivery of benefits.

Through interviews with EBT stakeholders and the roundtable discussion, we identified a number of concerns about the current and potential uses of EBT data. These are summarized below.

THE RECIPIENT

• Concern: Data may be used for "secondary uses" such as targeted marketing or locating individuals through transaction information for law enforcement purposes not related to program integrity.

Finding: FSP and WIC regulations closely limit the use of program data, including EBT data, for law enforcement purposes not specifically concerned with program integrity. Under the various EBT demonstration projects, client privacy rights have not been compromised.

Finding: The use of aggregated EBT data for marketing purposes cannot segregate FSP/WIC recipients from other food purchasers. Individual targeting can only occur if the recipient has voluntarily joined a retailer's shopper program.

• Concern: Administering agencies or other parties might use individual recipient EBT transaction data for purposes other than benefit issuance without the recipient's consent.

Finding: Advocacy groups differed in their interpretation of how FNS could or should use EBT data for program administration. Various opinions were expressed on the appropriateness of using data for purposes such as nutrition research, nutrition education and determining the range of food stamp-eligible items.
Some stakeholders felt that data should be used only for benefit determination purposes while others felt that research using aggregated data was acceptable.

• Concern: Use of EBT may lead to creation of a single database containing multiple pieces of information on a single individual. "One-stop shopping," or the development of a single card to distribute multiple benefits, can be seen as a precursor to this situation.

Finding: Our research found concern over potential uses of data resulting from the integration of WIC Program benefit and health care information. Some stakeholders fear that information on program participants may become accessible to more program officials than those who legitimately need access. However, some feel this issue should be considered in the context of welfare reform as well as EBT privacy.

THE RETAILER

• Concern: WIC retailers may not be protected adequately under EBT systems. While FSP regulations protect the confidentiality of food stamp retailer information, WIC regulations do not address retailer confidentiality because WIC retailer redemption data are collected by States and generally not by FNS.

Finding: Although many WIC retailers are also authorized to accept food stamps, State WIC administrative agencies have greater latitude in the use and disclosure of information about retailers that participate in WIC. None of the retailer representatives to whom we spoke had contemplated the implications of EBT for redemption data confidentiality, but this issue may receive more attention as EBT applications spread. During the roundtable discussion, it was pointed out that retailers would likely lobby for more stringent protection if data disclosure became a problem.

B.
Strategies for Maintaining High Levels of Privacy Protection in EBT

Based on our research and the views and perspectives expressed during the privacy roundtable, there are a number of strategies that the various parties who develop and use EBT systems and data should consider. This report is not intended to provide specific recommendations for changes in policy, procedure, or practice; the following are offered as ways of maintaining comparatively high levels of privacy protection in FSP and WIC EBT. At the most general level, privacy should be considered within a framework. This framework is applicable to reviews of existing uses of data as well as the planning of new uses of data.

A PRIVACY FRAMEWORK: As discussed previously, FSP regulations establish the requirement for the protection of privacy. The Privacy Act of 1974 generally permits use of information (1) consistent with the purpose for which information was gathered and (2) for designated "routine uses." Other uses would be considered "secondary" and, therefore, prohibited. In dealing with this "secondary use" limitation, there can be disagreement over what is within the principal purpose for which FSP and WIC Program information is gathered and what might be considered appropriate "routine use." There are four possible categories of use:

1. In a narrow interpretation, the primary uses would be to establish eligibility for the program, identify shoppers as qualified recipients, ascertain that sufficient benefits are available in the recipient account, authorize the FSP or WIC transaction, and transfer necessary funds to reimburse the retailer for that transaction.

2. Other uses appropriate to the EBT program include monitoring program operations to evaluate and improve service delivery and integrity, reporting on programs to appropriate governmental authorities, providing announcements and relevant program information to recipients and others, and detecting and preventing fraud or abuse.
Such uses generally are considered routine and necessary for program administration.

3. Another category of use would be to evaluate individual purchase behavior in order to advise specific recipients of how they might better utilize the resources of the program or improve their nutritional intake through food selection alternatives.

4. Retailers or third-party processors might devise a variety of marketing or "mailing list" uses of personal information. These would clearly be considered "secondary" uses.

FNS can, as it has done in the past, employ regulations and user agreements to set standards for informational privacy. The following are some suggested guidelines:

• Uses in categories (1) and (2) are primary or routine and need to be identified as part of program operations. They do not require consent by recipients; notice of the practice is sufficient.

• Analysis of statistical transaction information not individually identifiable is not a privacy threat and could be done for research purposes. Such research could support general announcements to all recipients regarding nutrition and resource allocation.

• Use of personally-identifiable transaction information for category (3) requires prior notice to recipients and the opportunity for them to decline such use ("opt out") and still receive benefits, in conformity with the procedures outlined below.

• Any category (4) or other secondary use can be pursued only with the prior affirmative written consent of the recipient. Specifically: The intended use should be clearly explained, in writing, to the recipient. The identity of the intended users of the transaction information should be disclosed to the client. The voluntary nature of the secondary use should be clearly explained to the recipient. The recipient should consent to the specific use in writing. The recipient should be free, at any time, to withdraw consent to a secondary use.
  The recipient should be given the opportunity, at least annually, to renew or withdraw consent.

OTHER STRATEGIES: There are additional strategies that the various parties in the EBT process can incorporate into data use planning:

Privacy and confidentiality provisions within the FSP and WIC regulations are scattered and difficult to find. A basic compilation of those provisions, such as that contained in the appendices to this report, could be shared with the various parties involved in EBT.

FNS annually publishes its research agenda. The agency could use this mechanism to inform advocates and the public at large of planned research using recipient-specific data.

Recipients need to be informed of and reminded about their privacy rights. There are a variety of ways this might be done without creating special procedures or incurring administrative costs. For example, one program advocate suggested that a statement of rights and responsibilities be provided to recipients when they are recertified for the program.

EBT systems involve multiple parties, many of which are removed from the immediate administrative reach of FNS. As noted above, contracts and agreements provide the means for extending responsibility for privacy to those parties. Contractual arrangements with EBT processors, retailers, banks, and others that are likely to have access to EBT data should include specific reference to FSP and WIC regulations.

As policy decisions on EBT data privacy develop, so too must data security practices that provide for responsive safeguards. It cannot be assumed that existing access controls or other safeguards will provide the desired level of protection to new file structures or uses of EBT data. When new uses of data are developed, file access and control procedures and policies must be reviewed to ensure that access to data about individuals is appropriately restricted and that data use is subject to audits to ensure conformance to policy.
When EBT systems support multiple benefit programs or a single program administered by multiple States, program administrators and EBT system designers should specify what data will be shared, how it will be shared, and when it will be shared. This sharing should be fully consistent with FSP and WIC Program regulations. The system design should provide technical and procedural safeguards consistent with the predefined uses of EBT data.

Appendix A

APPLICABLE PRIVACY LAWS

A. THE PRIVACY ACT OF 1974

The Privacy Act of 1974 regulates the collection, use and disclosure of personal information by Federal agencies and is the principal means of information privacy protection in the Federal realm. It does not apply to State or local governments or to the private sector. The Act does not apply to information collection efforts or systems funded with Federal money if the information is controlled by State or local governments.

The Privacy Act pertains to any personally identifiable information and prohibits disclosure of such information without the consent of the data subject. There are 12 exceptions to the disclosure limitation, four of which are especially relevant to the EBT program: (1) internal "need to know;" (2) routine use; (3) statistical use; and (4) law enforcement disclosures. The consent of the data subject is not required for disclosures of information:

(1) "... to those officers and employees of the agency who maintain the record and who have a need for the record in the performance of their duties."

(2) for a "routine use" which is defined as "a purpose which is compatible with the purpose for which it was collected."

(3) if ". . . the record will be used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually [i.e., personally] identifiable."

(4) to any Federal or State agency "... for a civil or criminal law enforcement activity . . . ."

The Department of Agriculture would have Privacy Act of 1974 disclosure concerns mainly with FSP information that it maintains and/or authorizes to be collected. In this respect, the "routine use" designation by the Department of Agriculture includes referral to IRS for collection of claims from tax refunds, referral to appropriate State agencies, disclosures in response to inquiries from Congressional offices on behalf of a client, and disclosure to firms that may have contracted with FNS for the purpose of research and reporting to FNS, Congress, or appropriate oversight agencies.

The Privacy Act also requires that personal information maintained by the Federal government must be "only such information ... as is relevant and necessary to accomplish a purpose of the agency . . . ." Further, the agency is required to collect the information, "to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about . . . benefits . . . under Federal programs." The agency also has an obligation to "maintain all records . . . with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness . . . ."

FNS has promulgated rules pursuant to the Privacy Act of 1974 that deal with the FSP. State agencies and others involved in the administration of FSP or WIC are required to satisfy the standards of the Privacy Act of 1974.

The major privacy-related impact of EBT will be the potential for government agencies or the retailer to link purchase information with a particular client. Indeed, the Department of Agriculture regulation 274.12(h)(3)(v)(H) requires the State agency to assure the availability of a complete audit trail which "shall, at a minimum, be able to provide a complete transaction history of each individual system activity that affects an account balance."
This necessarily involves identifying a POS transaction by account. The major privacy questions, then, involve what uses the government and retailers may make of household purchase information.

FNS is sensitive to the desirability of providing the same level of respect for confidentiality of information generated as a result of this Federal government program as for program information maintained by the agency itself. The regulations do provide, at 274.12(e)(1)(ix), that the EBT system must ensure "the privacy of household data ..." This requirement is certainly consistent with the basic assumption of OMB Circular A-130, 7g, that "The individual's right to privacy must be protected in Federal government information activities involving personal information."

B. STATE LAWS

State laws and regulations present a mix of common law, constitutional and statutory provisions regarding a multitude of privacy dimensions; the relevance of these various measures to EBT in the FSP is problematic. It is difficult even to try to categorize States in terms of privacy protection.

For instance, ten States recognize a "privacy" right in their constitutions, but the application and interpretation of that right varies among those States. Minnesota has rejected a right of privacy in its constitution or common law, but has enacted an information practices act, similar to the Privacy Act, which does not extend to the private sector. Only nine or ten other States have what might be considered an information practices act comparable to the Privacy Act, though the scope of protection of each varies; none apply to the private sector. New York does not recognize privacy as part of its common law, though a few New York statutes deal with narrow aspects of the right. Only three or four States significantly restrict the sale of mailing lists generally and then only with respect to State government.
Several States do limit video customer rental information disclosure, though Delaware specifically allows sale of video rentals mailing lists.

Certainly, no consistent threshold of privacy can be deduced from State law and though the FSP is a State-administered program, it seems wise to consider Federal constraints as the best vehicle for uniform privacy protection in the EBT environment.

Appendix B

FOOD STAMP AND WIC REGULATORY LANGUAGE ON PRIVACY

A. FOOD STAMP PROGRAM

1. FSP Regulations - General

The purpose of the Food Stamp Program is to "promote the general welfare and to safeguard the health and well being of the Nation's population by raising the levels of nutrition among low-income households." Currently, over ten percent of the U.S. population receive food stamps, and substantial information on millions of households is developed during the application process. The wide-spread use of EBT systems would increase the use of this information base.

Food stamp regulations contain several provisions that address confidentiality of information. FNS construes these regulations to apply equally to both coupon-based and EBT systems. The disclosure of information is limited to the following:

• Administration or enforcement of the Food Stamp Program
• Computer matching for eligibility and income with other benefit programs (such as AFDC)
• Certification of alien status
• Federal government audits of the program
• Law enforcement agencies' investigation of program fraud or violations.

In addition, the use of the information is restricted to verifying eligibility and level of benefit, and to enforcing laws directly related to program activities. There are also provisions that identify who can access records contained in automated data processing and information retrieval systems, which would include EBT systems.

2. FSP Regulations - Privacy

The Food Stamp Program regulations contain a number of provisions on the privacy of information. Section 272.1 of the current regulations[1] contains the general terms and conditions for participating State agencies and includes a provision dealing specifically with disclosure:

[1] These regulations are found in volume seven of the Code of Federal Regulations and are current as of September 1992.

(c) Disclosure.

(1) Use or disclosure of information obtained from food stamp applicant or recipient households shall be restricted to:

(i) Persons directly connected with the administration or enforcement of the provisions of the Food Stamp Act or regulations, other Federal assistance programs, federally-assisted State programs providing assistance on a means-tested basis to low income individuals, or general assistance programs which are subject to the joint processing requirements in Section 273.2(j)(2).

(ii) Persons directly connected with the administration or enforcement of the programs which are required to participate in the State income and eligibility verification system (IEVS) as specified in Section 272.8(a)(2), to the extent the food stamp information is useful in establishing or verifying eligibility or benefit amounts under those programs;

(iii) Persons directly connected with the verification of immigration status of aliens applying for food stamp benefits, through the Systematic Alien Verification for Entitlements (SAVE) Program, to the extent the information is necessary to identify the individual for verification purposes;

(iv) Persons directly connected with the administration of the Child Support Program under Part D, Title IV of the Social Security Act in order to assist in the administration of that program, and employees of the Secretary of Health and Human Services as necessary to assist in establishing or verifying eligibility or benefits under Titles II and XVI of the Social Security Act;

(v) Employees of the Comptroller General's Office of the United States for audit examination authorized by any other provision of law; and

(vi) Local, State or Federal law enforcement officials, upon their written request, for the purpose of investigating an alleged violation of the Food Stamp Act or regulation. The written request shall include the identity of the individual requesting the information and his authority to do so, violation being investigated, and the identity of the person on whom the information is requested.

(2) Recipients of information released under paragraph (c)(1) of this section must adequately protect the information against unauthorized disclosure to person or for purposes not specified in this section. In addition, information received through the IEVS must be protected from unauthorized disclosure as required by regulations established by the information provider.

In using the data it collects, States are limited by the following provisions found in Section 272.8 on the State Income and Eligibility Verification System (IEVS):

(5) Uses of data. The State agency shall use information obtained by means of the IEVS[2] for the purposes of:

(i) Verifying a household's eligibility;

(ii) Verifying the proper amount of benefits;

(iii) Investigating to determine whether participating households received benefits to which they were not entitled; and

(iv) Obtaining information which will be used in conducting criminal or civil prosecutions based on receipt of food stamp benefits to which participating households were not entitled.

[2] The IEVS includes information on participants from the following programs: Aid for Families with Dependent Children, Medicaid, Unemployment Compensation, Food Stamps, and any State program administered under a plan approved under Title I, X or XIV (the adult categories), or Title XVI of the Social Security Act. This information may be shared among State agencies administering these programs for establishing or verifying eligibility or benefit amounts.

All food stamp applicants will be notified at the time of application that IEVS may be used to verify the information they supplied.

The FNS regulations also cover automated data processing and information retrieval systems, which contain language on who can access records. In particular, Section 277.18(k) states the following:

(k) Access to the system and records. Access to the system in all aspects, including but not limited to design, development, and operation, including work performed by any source, and including cost records of contractors and subcontractors, shall be made available by the State to FNS or its authorized representatives at intervals as are deemed necessary by FNS, in order to determine whether the conditions for approval are being met and to determine the efficiency, economy, and effectiveness of the system.

Finally, Section 278.1(q) of the FSP regulations protects the confidentiality of retailer information:

Safeguarding privacy. The contents of application or other information furnished by firms, including information on their gross sales and food sales volumes and their redemptions of coupons, may not be used or disclosed to anyone except for purposes directly connected with the administration and enforcement of the Food Stamp Act and these regulations, except that such information may be disclosed and used by State agencies that administer the Special Supplemental Food Program for Women, Infants and Children (WIC).
Such purposes shall not exclude the audit and examination of such information by the Comptroller General of the United States authorized by any other provision of law.

3. FSP Regulations - EBT and Privacy

EBT regulations were finalized on April 1, 1992. These regulations establish the standards for on-line EBT systems issuing Food Stamp Program benefits. In the area of privacy, the participant's name does not appear on either the POS receipt or the terminal display. In addition, no name is embossed on the card. Privacy is specifically addressed in Section 274.12(e) under functional requirements:

(e) The State agency shall ensure that the EBT system is capable of performing the following functional requirements prior to implementation:

(1) Authorizing Household Benefits,

(ix) Ensuring the privacy of household data and providing benefit and data security.

There are several other provisions dealing with the security of the system and the movement of data within the system for purposes of EBT operations, but no other provisions directly address the issue of privacy. In addition, there are no FSP regulations that specifically limit or prohibit retailers or third-party processors from capturing EBT information and using it for other purposes. Section 274.12(h)5(iii) of the regulations indirectly provides guidance:

(iii) The State agency shall ensure that third party processors and retailers driving their own terminals comply with this section and all applicable Food Stamp Program regulations.

B. WIC PROGRAM REGULATIONS

1. WIC Program Regulations - General

The WIC program provides food prescriptions to pregnant, nursing and postpartum women, their infants, and their children under the age of five who are at nutritional risk. Because WIC benefits include nutrition education and counseling for WIC participants, there is substantial information (including health information) contained in each participant's case file.
FNS recognizes this and has several provisions protecting the confidentiality and use of its program and client information.

Although the WIC regulations do not specifically contain EBT provisions, it is assumed that any alternative benefit delivery system, including EBT, must also maintain the confidentiality of program and client information. The use or disclosure of information is limited to the following:

• Administration or enforcement of the WIC program, including investigations into program violations
• Establishment of program eligibility and outreach
• Federal government audits of the program.

In addition, statistical or medical information collected under the program must not identify particular individuals. The WIC regulations are more restrictive than the FSP regulations because WIC program information cannot be used in determining the alien status of a client nor in computer matching of eligibility information with other social service programs.

2. WIC Program Regulations - Privacy

The specific disclosure and confidentiality provisions for the Special Supplemental Food Program for Women, Infants and Children (WIC) are found in Section 246.26[3]:

(b) Statistical information. FNS reserves the right to use information obtained under the Program in a summary, statistical or other form which does not identify particular individuals.

(c) Medical information. FNS may require the State or local agencies to supply medical data and other information collected under the Program in a form that does not identify particular individuals, to enable the Secretary or the State agencies to evaluate the effect of food intervention upon low-income individuals determined to be at nutritional risk.

(d) Confidentiality.
The State agency shall restrict the use or disclosure of information obtained from program applicants and participants to:

(1) Persons directly connected with the administration or enforcement of the program, including persons investigating or prosecuting violations in the WIC program under Federal, State or local authority;

(2) Representatives of public organizations designated by the chief State health officer (or, in the case of Indian State agencies, the governing authority) which administer health or welfare programs that serve persons categorically eligible for the WIC Program. The State agency shall execute a written agreement with each such designated organization:

(i) Specifying that the receiving organization may employ WIC Program information only for the purpose of establishing the eligibility of WIC applicants and participants for health or welfare programs which it administers and conducting outreach to WIC applicants and participants for such programs, and

(ii) Containing the receiving organization's assurance that it will not, in turn, disclose the information to a third party; and

(3) The Comptroller General of the United States for audit and examination authorized by law.[4]

During the application process, the applicant, parent, or caretaker will be informed of WIC's disclosure provisions.

[3] These regulations are found in volume seven of the Code of Federal Regulations and are current as of August 1992.

[4] Any reports resulting from such examinations shall not divulge names of individuals (7 CFR Section 246.25(4)).

Appendix C

RESEARCH PERFORMED ON PRIVACY ISSUES

Price Waterhouse conducted an extensive research effort on privacy issues and Electronic Benefit Transfer (EBT). This research was performed in two parts: (1) on-site and telephone interviews with persons knowledgeable in the area of EBT and/or Privacy; and (2) a literature review. This Appendix lists these sources.

A. CONTACTS

Interviews were conducted with representatives of the following organizations, in order to gain an understanding of their views on privacy with respect to EBT:

• Congressional Committees
• Government Agencies
• Advocacy Groups
• American Banker's Association
• National Organization of Women

B. EBT DEMONSTRATION PROJECTS INTERVIEWED

Telephone interviews were conducted with project directors of three of the EBT demonstration projects, to identify any privacy-related issues that have arisen in the operations of the demonstration projects to date:

• San Bernalillo County, NM
• Ramsey County, MN
• Dayton, Ohio
• State of Maryland

C. LITERATURE REVIEW

A comprehensive literature review was conducted in order to gain an understanding of the potential uses of data in an EBT system, and the legal and ethical constraints of these uses. The literature review included the identification and examination of Federal and State legislation, Federal Regulations, public opinion surveys, Congressional reports, Congressional hearings, Federal government agency publications, nonprofit organization and advocacy group publications, journal articles, and books. The following is a selected bibliography of these sources:

U.S. Government, Congressional Committee on Government Operations. Who Cares About Privacy? Oversight of the Privacy Act of 1974 by the Office of Management and Budget and by the Congress, 98th Congress, 1st Session, House Report No. 98-455, November 1, 1983.

U.S. Government, Privacy Protection Study Commission. Personal Privacy in an Information Society, The Report of the Privacy Protection Study Commission. July 1977.

U.S. Government, Office of Technology Assessment. Federal Government Information Technology: Electronic Record Systems and Individual Privacy, OTA-CIA-296, U.S. Government Printing Office, Washington DC, June 1986.

U.S. Government, Office of Technology Assessment. Defending Secrets, Sharing Data: New Locks and Keys for Electronic Information, U.S. Government Printing Office, Washington, DC, October, 1987.

U.S. Government, Congressional Committee on Government Operations. A Citizens Guide on Using the Freedom of Information Act and the Privacy Act of 1974 to Request Government Records, 102d Congress, 1st Session, House Report No. 102-146, July 10, 1991.

U.S. Government, Office of Technology Assessment. Electronic Delivery of Public Assistance Benefits: Technology Options and Policy Issues, OTA-BP-CIT-47, Washington DC, U.S. Government Printing Office, April 1988.

U.S. Government, House of Representatives. Hearing before the Government Information, Justice and Agriculture Subcommittee of the Committee on Government Operations. Data Protection, Computers, and Changing Information Practices. One Hundred and First Congress, Second Session, May 16, 1990.

U.S. Government, House of Representatives. Hearings before the Government Information, Justice and Agriculture Subcommittee of the Committee on Government Operations. Data and International Data Protection Issues. One Hundred Second Congress, First Session, April 10 and October 17, 1991.

Geva, Benjamin. The Law of Electronic Funds Transfers. Matthew Bender & Co., New York, 1992.

Flaherty, David H. Protecting Privacy in Surveillance Societies. The University of North Carolina Press, Chapel Hill, NC, 1989.

Plesser, Ronald and Emilio Cividanes. Privacy Protection in the United States: A 1991 Survey of Laws and Regulations Affecting Privacy in the Public and Private Sector. Washington, DC, 1991.

Appendix D

EBT PRIVACY ROUNDTABLE PARTICIPANTS

Richard Allen, Deputy Assistant Inspector General for Investigations, USDA Office of Inspector General

Gregory Benson, Program Manager, Retail Banking, Operations and Technology, Savings & Community Bankers of America

Mike Bernstein, Attorney, Office of General Counsel, Food and Nutrition Division, USDA Office of General Counsel

Steven Carlson, Office of Analysis and Evaluation, Food and Nutrition Service, U.S. Department of Agriculture

Mary Culnan, Professor of Management Information Systems, Georgetown University School of Business

John P. Fanning, Senior Health Policy Advisor, Office of Health Planning and Evaluation, Public Health Service, US Department of Health and Human Services

Larry Goolsby, Policy Associate, American Public Welfare Association

Stephan Harvey, Director of WIC Programs, Center on Budget and Policy Priorities

Daphne Herling, Director of Community Organizing, Maryland Food Committee

Dr. Kathleen Horoszewski, Corporate Architecture and Systems Management Director, AT&T

Peter Larkin, Vice President for State Government Relations and Environmental Affairs, Food Marketing Institute

Carrie Lewis, Staff Attorney, Food Research and Action Center

Barbara Leyser, Senior Policy Analyst, Center on Social Welfare Policy and Law

David O'Connor, President & CEO, Internet, Inc.

Agnes Phares, Acting Management Information Systems Director, New Jersey WIC Program

George Trubow, Professor of Law, The John Marshall Law School
|
OCLC number | 888048050 |