to,t« COMPLETED * 19-%'^L *
»>■■*«&
Office of
Analysis and
Evaluation
EBT Data Privacy
Issues for Food
Benefit Programs
United States
Department of
Agriculture
Food and I «■* ^«fc — — ^»* ^ifc ■■■ -^^ "^ ^i*» ^ifc ^J
Nutrition
Service
ff
EBT DATA PRIVACY ISSUES FOR FOOD BENEFIT PROGRAMS
This report reflects what was learned from a roundtable discussion among
privacy and other experts, summarizes existing privacy protections in
Electronic Benefit Transfer (EBT) systems used in the Food Stamp Program and
the Special Supplemental Food Program for Women, Infants and Children, and
suggests strategies for continued and enhanced privacy protections as EBT
expands.
Additional copies of this report may be obtained by calling the Office of
Analysis and Evaluation, (703) 305-2133.
Enclosure
EBT Data Privacy Issues for Food Benefit Programs
August 1994
Authors:
Joseph T. Casey
Brenda L. Monroe
George Trubow
Jenifer L. Wolfman
Submitted by:
Price Waterhouse
Office of Government Services
1801 K Street, NW
Washington, DC 20006
Submitted to:
U.S. Department of Agriculture
Food and Nutrition Service
Office of Analysis and Evaluation
3101 Park Center Drive
Alexandria, VA 22302
Project Director: Brenda L. Monroe Project Officer: Alana Landey
This study was conducted under Contract Number FNS-3198-1 -020 with the Food and Nutrition Service, U.S. Department
of Agriculture, under the authority of the Food Stamp Act of 1977. as amended. Points of view or opinions stated in
this report do not necessarily represent the official position of the Food and Nutrition Service.
( *
H
TABLE OF CONTENTS
EXECUTIVE SUMMARY ii
I. INTRODUCTION
A. The Evolution of EBT 1
B. EBT in a Privacy Context 1
C. Study Objectives 2
II. EBT AND PRIVACY BACKGROUND INFORMATION
A. Definition and Description of EBT 3
B. Federal Laws and Regulations Governing EBT Data Use 7
C. General Privacy Issues 8
III. PRIVACY RESEARCH AND THE ROUNDTABLE DISCUSSION
A. Program Administration and Compliance 11
B. The Differences Between FSP and WIC Privacy Concerns 13
C. Adequacy of Existing Limits 14
D. Uses of EBT Data for Research 16
E. Implications of Privacy Protection Needs for EBT Data Security 18
F. Potential Uses of EBT Data 18
G. Privacy Issues in EBT Demonstration Projects 21
IV. CONCLUSIONS AND STRATEGDZS FOR PRIVACY PROTECTION
A. Summary of Conclusions 23
B. Strategies for Maintaining High Levels of Privacy Protection in EBT .... 25
APPENDICES
Appendix A: Applicable Privacy Laws
Appendix B: Food Stamp and WIC Regulatory Language on Privacy
Appendix C: Research Performed on Privacy Issues
Appendix D: EBT Privacy Roundtable Participants
///
EBT DATA PRIVACY ISSUES FOR FOOD BENEFIT PROGRAMS
EXECUTIVE SUMMARY
Electronic Benefit Transfer (EBT) replaces paper-based issuance systems for the Food
Stamp Program (FSP). the Special Supplemental Food Program for Women. Infants, and
Children (WIC). and cash benefit programs with systems that issue and redeem benefits through
electronic funds transfer (EFT) networks and point-of-sale (POS) technology.
FSP and WIC EBT systems generate and retain records on client food purchasing and
retailer redemption patterns that do not exist under the paper issuance system. In addition, there
are new "players" that have access to this information - retailers, system processors, and third-party
processors. As EBT systems emerge nationwide, the Food and Nutrition Service (FNS)
needs to ensure that privacy of recipient information and confidentiality of retailer information
is adequately and appropriately incorporated into the planning and use of EBT system data.
This study identified the major privacy concerns for FSP and WIC Program recipients
and retailers through literature reviews, interviews with various participants in the EBT arena,
and a roundtable discussion among EBT stakeholders and other appropriate experts. Overall.
FSP regulations and. to a somewhat lesser extent. WIC regulations, provide specific and
adequate safeguards over access to and use of information about individuals and retailers. Other
Findings include the following:
• FSP and WIC regulations restrict the use of individual recipient EBT transaction data to
benefit issuance and program integrity purposes.
• "Secondary" uses of EBT data, such as targeted marketing or locating individuals through
transaction information for law enforcement purposes unrelated to benefit issuance, is
prohibited without the recipient's consent.
• Multi-program, multi-State EBT raises the concern of opening access to data that was not
shared prior to the use of EBT systems.
• FSP regulations protect the confidentiality of retailer information. WIC regulations,
however, do not address the collection and use of retailer information.
Based on these findings, there are a number of strategies that the various parties that
develop and use EBT systems and data should consider. These include the development of an
overall privacy framework applicable to reviews of existing data as well as the planning of new
uses of data. Such a framework could enhance the privacy and confidentiality protections that
already exist within the FSP and WIC Program.
u
//
EBTPx; \ PRIVACY ISSUES FOR FOOD BENEFIT PRC/'.M wis
I. INTRODUCTION
A. The Evolution of EBT
The Food and Nutrition Service (FNS) has been at the forefront of developing and
applying Electronic Benefit Transfer, or EBT. systems in public assistance programs for 12
years. As of April 1994. Food Stamp Program (FSP) participants in seven locations of varying
size located throughout the United States receive their benefits through EBT. A demonstration
for EBT in the Special Supplemental Food Program for Women. Infants, and Children <\VICi
was recently completed, and others are planned. About 30 States are planning to develop and
operate an EBT system for FSP and other programs. Many States have also expressed an
interest in WIC EBT.
This new technology enhances food benefit service to FSP and WIC recipients. It can
be and is used by other benefit programs, such as Aid for Families with Dependent Children
(AFDC). child support, and Social Security. Unlike FNS' programs, these programs provide
their recipients with cash benefits.
EBT has evolved into a viable, appealing alternative to conventional benefit delivery
systems, and it is clear that it will play a central role in the delivery of nutrition assistance
benefits in the Food Stamp and WIC Programs and in the delivery of cash benefits for other
programs. The Secretary of Agriculture is committed to initiating nationwide EBT by 1996 and
FNS must consider the range of operational issues associated with a complete shift from paper
coupons to EBT. The study of EBT data privacy is one of these issues. In its report to the Vice
President, the Federal EBT Task Force recommended the unified delivery of government-funded
benefits. Under this plan, EBT would involve many benefit programs and would function
without regard to State borders. This report focuses on the privacy issues that impact FNS'
programs, issues that may be quite different from those facing cash benefit programs.
B. EBT in a Privacy Context
Over the past several years, privacy issues in general have received extensive attention
from the media, the courts, and business. Consumer advocacy groups lobby for more stringent
limits on the uses of credit history, debt information, and other personal data. Manufacturers,
on the other hand, increasingly rely on targeted marketing -- which requires detailed information
on income, shopping habits, and household composition -- to win new customers. The results
of public opinion surveys conducted over the past two decades indicate that government access
to personal information is especially worrisome to the American public. These trends create a
complex environment for the exploration of EBT privacy issues.
Food Stamp and WIC Program EBT systems issue and redeem benefits through the use
of an electronic funds transfer network and point-of-sale (POS) technology. Participants use an
electronically coded card instead of paper coupons to buy food. EBT systems collect and retain
transaction-specific information to reconcile or balance benefit issuances with redemptions and
debits with credits. To date, information accrued through EBT systems has been used primarily
1
EBTDATA PRIVACY ISSUES FOR FOOD BENEFIT PROGRAMS
PRIVACY TERMINOLOGY
The terms personal information, privacy, confidentiality, and security are used throughout this
report. For clarity in usage we define these terms as follows:
• Personal information is any information that describes or is referenced to an identifiable individual
(noi a business entity such as a retailer), whether that reference be by name, number, address, or
some other identifier. Information is considered personal because of its reference and not because
of its content.
• Privacy is a characteristic of natural persons and concerns how personal information is collected,
used, and disclosed.
• Confidentiality is a characteristic of information management and implies that information can be
disclosed only to certain persons under specified circumstances.
• Security is a characteristic of information systems and ensures that information in the system is
protected from unauthorized access, disclosure, alteration, or loss. Accordingly, system security
implements confidentiality protocols, which in turn protect privacy. Assuring security is primarily
a matter of management policy and system technology; confidentiality protocols reflect information
management policy.
to ensure that funds are appropriately debited and credited. Electronic processing of information
also creates the potential for greatly increasing FNS' knowledge of client food purchasing and
retailer redemption patterns. In addition, EBT creates the opportunity for additional entities,
such as retailers and third-party processors, to access this information. The actual and potential
uses of transaction data raise a variety of privacy-oriented questions that FNS must consider so
that it can implement responsible EBT programs.
C. Study Objectives
FNS studied EBT privacy issues in the FSP and the WIC Program for two main reasons:
to determine whether controls over access to and uses of EBT data are adequate, too lax or too
strict; and, to anticipate and address some of the issues that may arise with the availability and
potential use of the data. Specifically, this report:
• Identifies current and potential uses of EBT data.
• Examines current policies on uses of EBT data in the FSP and WIC Program and
assesses their effectiveness in (1) protecting client and retailer rights and (2) supporting
FNS' need to pursue programmatic objectives such as program integrity and effective
benefit delivery.
• Outlines strategies that provide the best balance between these two potentially competing
goals.
EBT DATA PRIVACY ISSUES FOR FOOD BENEFIT PROGRAMS
Presents the opinions and perspectives of the broad range of EBT stakeholders and other
appropriate experts.
his report is organized into the following sections:
Background on EBT and privacy issues
Findings from our research and the roundtable discussion
Conclusions and strategies for privacy protection
The information presented in this report will assist FNS in its overall efforts to
understand fully the privacy implications of EBT data use and to assess EBT data use policy.
II. EBT AND PRIVACY BACKGROUND INFORMATION
A. Definition and Description of EBT
Currently, most eligible FSP benefit recipients are given books of paper coupons that
may be used to pay for a broad range of food items purchased at authorized retail stores. In the
WIC Program, recipients exchange vouchers at participating retail stores for specific food
products such as milk and related items. New computer and communications technologies
present the opportunity to deliver benefits electronically. Under an EBT system, recipients in
either program access benefits using an electronically encoded plastic card similar to those issued
by banks and other financial institutions for use with automated bank teller machines and point
of sale direct debit machines. Most EBT food stamp and cash benefit systems are on-line. The
WIC program, due to its focus on specific items, has pursued off-line EBT which uses smart
card technology. This EBT card is recognized in electronic information networks that validate
the requests for benefits and authorize the purchase of food products.
This automated process has the potential to decrease administrative costs and reduce
management burdens while improving the speed, convenience, and security of benefit delivery
to qualified recipients. For example, EBT cards reported to be lost or stolen can be invalidated
and their accounts frozen immediately, minimizing unauthorized access to the benefits.
Payments are made directly to authorized accounts, curtailing coupon theft and other fraud.
Benefits are drawn down as needed. The cards only work if the correct personal identification
number (PIN) is used. EBT also enables the collection and maintenance of transaction
information that can be linked to benefit recipients, retail stores, and financial institutions.
An EBT system ties together many persons and organizations:
• Recipients under FSP are the households eligible for food stamps. Recipients under the
WIC Program are pregnant, breast-feeding and postpartum women, infants, and children
under the age of five who are at "nutritional risk." The head of household receives an
EBT card and chooses a personal identification number (PIN), which serves as a
EBT DATA PRIVACY ISSUES FOR FOOD BENEFIT PROGRAMS
signature and limits the use of the card, and access to benefits, to the cardholder. In
WIC, individuals receive an EBT card. In the Wyoming demonstration project, all WIC
participants in a family were on one card.
A retailer is a food store that is authorized by FNS to accept food stamp coupons or
WIC food instruments. Retailers participating in EBT have point-of-sale (POS) terminals
located among the check-out lanes that can read the EBT card.
The system processor is the party that has contracted with the State agency to operate the
EBT system. The purchase amount, retailer identification information (the retailer,
clerk, and terminal ID numbers), recipient identification information held on the card.
and information that authenticates the recipient's identity is checked against the
processor's central computer files. If the recipient and retailer are both authorized
participants, and the recipient has sufficient funds in his account to cover the purchase,
the transaction is authorized.
• A third-party processor may be used to drive the POS terminals located at the retailer.
or it may simply act as a switch between the POS terminals and the system processor.
Third-party processors are used in EBT systems that are integrated with commercial
payment systems (the POS is used for commercial credit or debit payment transactions
as well as EBT transactions). These processors may also provide other services to
retailers, such as check authorization services.
• A concentrator bank is a member of the Federal Reserve System and has the capability
to take information regarding retailer food stamp credits from the EBT system processor
and transmit this information to the Automated Clearinghouse (ACH) network. The
ACH transfers funds to and from member institutions and is the method used to credit
retailers accounts for food stamp EBT transactions.
• The State Agency is responsible for the administration of Federally-aided public
assistance program within the State. The State agency also has administrative
responsibility for the EBT system.
For each of these stakeholders, EBT poses issues associated with informational privacy.
confidentiality, and security because it collects and uses more information than the paper system.
The following section outlines the five basic operating functions of an on-line EBT system.
identifies the information it collects and uses, and contrasts it with how it is accomplished under
the paper system.
• Benefit Authorization/Posting. The available balance of benefits authorized for household
use is posted to each electronic "account." Paper systems have no comparable step: FSP
coupons and WIC vouchers are issued to the recipients by mail or "over the counter."
• Transaction Authorization. To authorize a transaction, an on-line system transfers
several pieces of information from a terminal at a retailer location to the central
processor to verify recipient and retailer identity and to confirm whether there are
EBT DATA PRIVACY ISSCES FOR FOOD BENEFIT PROGRAMS
sufficient funds in the recipient's account. This information is maintained in the central
database. While the recipient's name is not recorded, an EBT account number links an
individual recipient to a transaction. For the first time, a central record is available that
identifies the history of purchases with individual households.
Under the current FSP coupon system the recipient exchanges coupons equivalent to the
value of food purchased. There are no program records of individual transactions. The
retailer may record the type of sale as a food stamp purchase and, depending on the
equipment used, may also be able to track aggregate FSP purchase totals. The retailer,
however, has no way of knowing who made which purchase. Because there is no
authorization process, the collection of recipient and retailer information is not necessary
to conduct the transaction. No information on the use of benefits by individual
households is collected.
In WIC EBT, the client debits specific prescription food items from their account.
Information about purchase behavior is captured and available for use by program
administrators. Current WIC paper vouchers are participant specific and indicate what
foods are authorized for purchase. Limited information about food purchases can be
extracted from the returned vouchers.
System Settlement and Crediting of Retailers. Each day, the system processor compiles
FSP EBT transaction information for each retailer in order to initiate the settlement
process. This retailer-specific information is then transferred to and processed by a
Concentrator Bank, which in turn completes the transfer of funds using the Federal
Reserve's ACH system. Settlement data is retained by the EBT processor for audit
purposes. WIC EBT accomplishes these steps in a nearly identical manner.
In the current FSP coupon issuance system, retailers count and bundle the coupons and
deposit them in their bank accounts. The retailer's bank credits the retailer account and
transfers the bundled coupons to the Federal Reserve, which processes the coupons, and
periodically debits the Food Stamp Program Treasury account. The retailer redemption
information available under a coupon system includes retailer deposit amounts and the
cumulative dollar value of redemptions.
Reconciliation. Federal FSP EBT regulations require extensive reporting about
reconciliation between recipient accounts, retailer accounts, and system processor
authorization files. Reconciliation is performed by the State agency or EBT processor
using data obtained during transactions, and reports are provided to FNS. Some reports
aggregate the daily EBT activity of individual retailers while others reconcile total
issuances and redemptions in the system. Included in these reports is daily transaction
information identified by recipient ID number, terminal ID number, retailer ID number,
transaction time, and transaction amount. These data may be provided to the State
agency, which aggregates the data into various reports that are submitted to FNS
monthly, quarterly, or annually. These same capabilities are available in WIC EBT
systems.
EBT DATA PRIVACY ISSUES FOR FOOD BENEFIT PROGRAMS
Under the FSP coupon issuance system, transaction-level data are not tracked. The
Federal Reserve sends information on total retailer redemptions to the FNS Minneapolis
Computer Center, where these redemptions are tracked by retailer deposit amount and
total dollar value of redemptions. The total amount of benefits authorized to be paid is
also reconciled against the amount of in-person and mail issuances. In contrast, WIC
State agencies make extensive use of data extracted from vouchers to manage
expenditures and monitor retailer compliance with program requirements.
• Exception Reporting. In order to conduct compliance investigations, FSP regulations
require that EBT systems provide exception reports that can isolate transaction data by
individual retailers and households.1 These reports are provided to the States. They are
also pro.ided to FNS' Compliance Branch Area Office on a quarterly or, if requested,
a more frequent basis. Although FSP retailer monitoring is the responsibility of the
Federal government, States are beginning to ask EBT processors to provide detailed
transaction information that will assist Federal investigators in identifying unusual
redemption patterns. The information is used to support investigation of both retailers
and recipients. In WIC, similar retailer monitoring is currently performed as a State
responsibility. WIC EBT enhances this monitoring function.
Under the coupon system, Federal compliance monitoring is only performed for retailers,
using information on deposits of coupons. When examining these reports, compliance
investigators look for unusual redemption patterns among retailers.
On-line EBT is currently the preferred approach to EBT because of its similarity to
existing commercial systems.
In an off-line system, the EBT process operates without direct or real-time access to a
central database. The recipient is issued a "smart card," which has a built-in memory and
processing capability to maintain balance and authorization information on the card. Benefits
are transferred onto each recipient's card at predetermined times. In the FSP, benefits are
provided as a dollar amount; in WIC, the benefits are provided in the form of a food
prescription, and the exact value of the food redeemed is not known until a transaction occurs
and the value is entered on the card. During each purchase transaction, the purchase amount
or food is deducted from the balance of benefits (for FSP) or foods available (for WIC)
maintained on the card. Transaction information is simultaneously recorded on a computer
located in the store for delayed transfer to the central computer where balance information is
updated and credits to retailer accounts are processed and transferred via the Federal Reserve
system. There have been two off-line EBT demonstration projects, one for the FSP and one for
the WIC Program.
In the one WIC EBT demonstration project conducted to date, the EBT system performed
these five functions and maintained data about the specific foods and prices associated with each
transaction. Since the WIC Program prescribes the types and quantities of foods to be
Section 274.12(j)(2)(ii)of the FSP Regulations.
EBTDATA PRIVACY ISSUES IOR !-"<><>\) Bi M:I IT PROGRAMS
purchased, tracking items and prices of purchases was necessary to determine program
compliance. WIC State agencies also are responsible for monitoring retailer performance and
compliance with program requirements through the analysis of transaction data. EBT makes it
possible to obtain more information on retailer and participant benefit redemption behaviors.
B. Federal Laws and Regulations Governing EBT Data Use
There are a number of Federal laws and regulations intended to protect the privacy and
prevent the misuse of personal data in general and EBT data in particular. The relevant Federal
privacy law and relevant Federal program regulations are briefly summarized below to provide
a legal framework in which to place EBT privacy issues. (See Appendices A and B for more
detailed information.)
• The Privacy Act of 1974. which regulates the use and disclosure of personal information
by the Federal government, states that personal data can be disclosed only for "routine
use... a purpose which is compatible with the purpose for which it was collected."
• FSP and WIC Program regulations limit the use of recipient information to administration
or enforcement of the program, including investigations into program violations, and
federal audits of the program.
For the Food Stamp Program, information can be used to certify alien status and conduct
computer matching for eligibility and income with other benefit programs. Also, the
Secretary of Agriculture is authorized to undertake research that will help improve the
administration and effectiveness of the FSP in delivering benefits. The Secretary is
required to develop and implement measures for evaluating, on at least an annual basis,
the effectiveness of the FSP in achieving its stated objectives. In neither case do the
regulations or law specify the type or level of data to be used.
The FSP regulations also contain a specific provision that safeguards the confidentiality
of retailer information, which can be used only if directly connected with the
administration and enforcement of either the Food Stamp or WIC Program.
For the WIC Program, information on participants can be given to representatives of
public organizations designated by the chief State health officers who administer health
or welfare programs that serve persons categorically eligible for the program. WIC
regulations also specifically allow the use of data in summary, statistical, or other form
if individuals are not identified.
• FSP EBT regulations include a provision stating that the State agency must ensure that
the EBT system is able to ensure the privacy of household data.
Although FNS provides the funding for the Food Stamp and WIC Programs, both
programs are administered at the State level. Because the appropriate State agency collects the
EBT data, the Privacy Act does not apply to what the State can do. (The Act does, however.
isa
EBT DATA PRIVACY ISSUES FOR FOOD BENEFIT PROGRAMS
apply to what FNS can do.) This situation would be true under multi-State EBT, where several
State agencies might require access to information about recipients and retailers.
C. General Privacy Issues
Informational privacy in the United States is regarded as a characteristic only of
individual persons. Individuals are referred to as natural persons to distinguish them legally
from corporations. Strictly speaking, information pertaining to business entities is not subject
to privacy restrictions in the same way as information on individuals. FNS, however, has a
programmatic interest in the rights of retailers as well as program participants.
There has long been concern over computer technology's implications for individual
privacy. Several books published in the 1970's focused popular attention on these issues. In
1973, a special task force of '.he U.S. Department of Health, Education, and Welfare completed
the first in-depth government study of personal information kept in Federal computerized data
banks. Its report, "Records, Computers, and the Rights of Citizens," documented the significant
growth of the use of computers to process information. The Task Force proposed a set of "fair
information practices" to enhance privacy by protecting the confidentiality of personal
information. These principles can be distilled as follows:
1.
2.
3.
Collect only that personal information necessary for a lawful purpose.
Use for decision-making only those data that are relevant, accurate, timely, and
complete.
Give the data subject access to information about himself and provide a procedure
by which to challenge and correct the information.
4. Use data only for the purpose for which it was collected.
5. Protect the data against unauthorized loss, alteration, or disclosure.
The Privacy Protection Study Commission, established by the Privacy Act of 1974, also
conducted a thorough and comprehensive study of public and private record systems and issued
166 specific recommendations to enhance informational privacy. In reinforcing the foregoing
principles, the Commission identified three objectives of good information practice: (1)
minimize intrusiveness into the personal affairs of citizens; (2) maximize fairness to individuals
in the way personal information is managed; and (3) legitimize expectations of the confidentiality
of personal information.
In 1981. the American Bar Association sponsored a National Symposium on Personal
Privacy and Information Technology. The published report of a panel of distinguished
participants emphasized informational privacy threats and urged protective measures. Numerous
publications have echoed and re-echoed these concerns. The 1986 Annual Survey of American
Law succinctly summarized the nature of the problem:
8
EBT DATA PRIVACY ISSUES FOR FOOD BENEFIT PROGRAMS
The right 10 privacy is integral to the American conception of the proper balance or power
between the people and their government. As long as a citizen abides by the laws, his personal
affairs should remain free from excessive governmental scrutiny. In recent years, however, this
balance has shifted. Federal agencies today maintain vast amounts of computerized, easily
accessible information on nearly every aspect of our lives....
Concerns about privacy are also reflected in consumer awareness. The most significant
barometer of national consumer consciousness regarding privacy is the annual Louis Harris
Privacy Survey, funded by Equifax. The 1993 survey focused heavily on health information
privacy, but it did estimate that almost 60 percent of the surveyed population believed that
privacy is inadequately protected by laws and organizational practices.
The 1992 privacy survey provides more extensive information on privacy concerns:
78 percent of respondents are concerned about threats to personal privacy.
76 percent of the public agree that consumers have lost all control over how personal
information about them is circulated and used.
68 percent agree that the present use of computers is an actual threat to personal privacy.
89 percent of the public express concern about the security of personal information in
computers.
67 percent agree that if privacy is to be preserved, the use of computers must be sharply
restricted in the future.
The problem is not merely one of the potential for privacy invasion by government; vast
amounts of data are kept in the private sector. While EBT data are not available to the public,
our research found that numerous individuals and organizations are concerned about private
organizations, such as retailers and third-party processors, using and/or distributing data to
which they may have access.
A major limit on the use of personal information results from the prohibition on
"secondary use" of information.2 The secondary use principle states that personal information
gathered for a particular purpose may not be used for any other purpose without the express
consent of the data subject. This principle gives maximum control of personal information to
the data subject and is regarded by privacy experts as the "litmus test" of informational privacy.
As noted above, the FSP and WIC Program regulations limit the use of recipient information to a few
explicitly identified uses.
EBT DATA PRIVACY ISSI 'i:s FOR FOOD BENEFIT PROGRAMS
III. PRIVACY RKSEARCH AND THE ROUNDTABLE DISCUSSION
In order to identify the full range of issues on the privacy of EBT data, the project team
completed a detailed literature review and conducted a series of interviews with selected
stakeholders. The information collected served as the starting point for a roundtahle discussion
of EBT data privacy issues. A group of EBT stakeholders and other appropriate experts met to
discuss several questions during a full day meeting. The purpose of the meeting was not to
reach consensus, but rather to gather as broad a ram : of perspectives and opinions as possible.
his section summarizes our research and the roundtable discussion and is divided into the
allowing issues:
Program administration and compliance
Differences between FSP and WIC privacy concerns
Adequacy of existing limits
Using EBT data for research
Implications of privacy protection needs for EBT privacy security
Potential uses of EBT data
Privacy issues in EBT demonstration projects
ROUNDTABLE QUESTIONS
In February 1994. FNS sponsored a roundtable panel of program advocates, program officials, privacy
experts, civil rights experts, and security experts to consider the following questions regarding EBT data
use and related privacy implications:
•*• Does existing data use policy adequately support FSP and WIC program administrators' needs to
pursue legitimate and important program improvements such as enforcing program compliance and
monitoring EBT system use to ensure adequate delivery of benefits? If not, what improvements
can be made that do not infringe upon program participants' privacy rights?
«r Should constraints on data use differ for WIC and FSP, given the differences in the programs'
structures and populations served?
w Are existing legal limitations on EBT data use adequate to protect program clients' privacy rights
and retailers' confidentiality rights? If not, what else is needed? Are there or should there be
additional ethical principles governing data use?
w Should participation in data analysis efforts be voluntary?
«* What are the implications of privacy protection needs for EBT data security?
10
I-"BT DATA PRIVACY Issues i OK !■<» <: \ Hi \i i n PROGRAMS
A. Program Administration and Compliance
The abundance of data generated through EBT can be an extreme!) valuable tool to
program administrators. But the administrative need to utilize this important resource for
improving program operations should not eclipse the need to protect program participants"
privacy rights. In both EBT and paper issuance systems, data are used bj Slate and Federal
governments for two purposes: program administration and program compliance. Both of these
uses are specifically delineated in the Food Stamp and WIC Program regulations (see
Appendix B).
PROGRAM ADMINISTRATION. Data about individual EBT transactions are collected
because they support the redemption of benefits by the recipient at authorized food retailers.
The data the EBT system collects on each transaction include recipient's EBT account number:
retailer identity: POS terminal identity: type of transaction3; transaction amount: and time and
date of transaction. For the WIC Program, the system would also collect data on authorized
WIC foods. This information is used to approve each transaction, update recipient account
balances, resolve questions about transaction authorization, credit retailers, settle and reconcile
the system, and support system performance monitoring. A transaction history file is maintained
by the EBT processor for a fixed period of time, typically 30 or 60 days. Authorized personnel
can use this file when responding to recipient requests for transaction histories, resolving
problems, and addressing other program administration and program integrity purposes. The
transaction history file can also be used to support fraud and abuse investigations.
In a coupon-based system, the only comparable information is that the FSP recipient was
issued (e.g., mailed) a monthly allotment of food stamp coupons on a given date. As indicated
before, there are no transaction-specific or aggregate data about either the individual recipient
or the retailer. WIC recipients receive vouchers for their food prescriptions. These vouchers
are returned to the State and aggregated information about transactions is available and is used
for analysis or for nutritional counselling provided to the participants.
Discussion: Overall, our research and the roundtable discussion did not question the
importance of using EBT data for ensuring the delivery of FSP and WIC Program benefits.
Most advocacy groups noted that FSP and WIC recipients prefer receiving their benefits through
EBT than through the paper system. They find it more appealing, more secure, and less
stigmatizing.
The concern lies in other uses of the data that would fall under the "program
administration" umbrella. As one roundtable participant noted, it seems that the information
available is similar to an answer waiting for a question. Some advocates firmly believe that
FNS' sole responsibility is to provide food benefits, and program administration should be
limited to this function. They fear that information collected from the EBT system could be
used to change the program fundamentally. For example, FNS could restrict FSP benefits to
The types of transactions that can be made include balance inquiry, regular transaction, or manual
transaction.
11
EBT DATA PRIVACY ISSUES I OR FOOD BENEFIT PROGRAMS
a defined group of "nutritious foods." Other advocates, however, believe that additional
information collected through the EBT system would improve the WIC Program, particularly
in the area of nutritional education and counseling. A more detailed discussion of potential uses
of EBT data and related policy issues is found in Section F below.
In general, there is expressed concern over the tracking of individual transaction data.
Such monitoring creates a "Big Brother" effect, in which the government has knowledge of the
location and behavior of an individual at a given time. In addition, several persons interviewed
stated that such monitoring is discriminatory, since this data is not collected by the government
on persons who are not program recipients.
PROGRAM COMPLIANCE. EBT data are used to monitor recipient and retailer program
compliance. EBT processors submit mandatory exception reports containing information on
amount and time of transactions by individual retailers and households. FNS' Office of
Compliance conducts routine monitoring of compliance by retailers. These data are also used
by the U.S. Department of Agriculture's Office of Inspector General (OIG) to help detect
individual abuse and trafficking of FSP benefits and, more importantly, to support retailer
compliance investigations. For example, FSP EBT data for recipients or retailers on even-dollar
transactions, multiple high-value transactions per day, and concentrations of same-recipient
transactions in a single retail location can be used to develop profile programs to identify
retailers and recipients that may be violating program rules.
Aggregated information on recipient redemption behavior is also available through EBT
systems. Currently, investigations of recipient fraud and abuse are conducted primarily by the
States. Information on individuals is not routinely collected by the Food and Nutrition Service,
and only if the OIG suspects trafficking of benefits and if the information will assist in the
investigation of a suspected retailer. Such data have been and will continue to be used to
prosecute recipients as well when appropriate.
In coupon-based systems, there is no data system-based monitoring of recipients. Retailer
compliance is accomplished through analysis of aggregate redemption data at FNS' Minneapolis
Computer Center. The OIG relies on allegations of retailer fraud and abuse, and investigations
are limited to on-site surveillance.
Discussion: The use of EBT data to monitor retailer compliance was not raised as an
issue in either the interviews or roundtable discussion. Several advocacy groups, however, were
concerned that the OIG would use EBT data on individuals on a regular basis to assist with
program enforcement and/or investigations. In fact, the OIG stressed that its investigations focus
almost exclusively on retailers, because retail fraud investigation is a Federal function for the
FSP. Also, since both FNS and the State agencies have jurisdiction over recipient fraud, FNS'
view is that it should be dealt with at the State level.
Food-specific purcjiase transaction data are not tracked for FSP. If such information
were captured, however, it is conceivable that FNS could use the data to ensure retailers are
redeeming FNS benefits for eligible foods only or to track the proportions of types of foods
(e.g., junk food) sold by authorized FSP retailers in order to re-evaluate the program eligibility
12
EBT DATA PRIVACY ISSUKS FOR FOOD BENEFIT PROGRAMS
of certain retailers or food types.4 In the WIC Program, the State WIC agency could use EBT
to track the costs of prescription foods to determine which retailers are providing foods at the
lowest cost. Retailer advocacy groups were concerned over the tracking of purchase data for
individual retailers because, again, the tracking could include other items in addition to those
purchased with program benefits.
It was mentioned that when and if Regulation E*1 applied fully to EBT. the States might
redouble their efforts to investigate recipient fraud because the State would be liable for lost or
stolen EBT benefits in excess of $50. The Federal Reserve has postponed the application of
Regulation E to EBT for three years to allow adequate time to study the magnitude of liability
that occurs in EBT systems.
B. The Differences Between FSP and WIC Privacy Concerns
The FSP and WIC Program differ in their purpose, structure, and populations served.
FNS sought EBT stakeholder views on whether it is acceptable to use EBT data on purchasing
patterns to conduct nutrition education at either the individual or aggregate level for either
program.
FSP is an entitlement program - all households that meet the eligibility criteria receive
food stamps. The WIC program is a very individualized, tailored program where the
prescription, in theory, is targeted to the specific circumstances, health history, and nutrition
history of the particular client. It is not an entitlement program, and each year there are
thousands of women and children who are eligible to participate in the program but cannot
because of budget constraints." Therefore, the State ranks eligible clients in terms of health and
nutritional risk. A logical outgrowth of the clinical aspects of WIC is the use of information
about purchase behavior in nutritional counseling.
Discussion: As noted above, EBT tracks some food purchase transaction data for FSP
recipients. The delivery of benefits does not require information on specific food purchases.
While it is possible for WIC EBT to perate in a manner similar to FSP EBT, the WIC Program
needs to track specific prescription purchases -- milk, juice, cereal, and infant formula. To do
this. WIC EBT must collect more individual level information. The roundtable participants
acknowledged that the WIC Program requires more detailed knowledge of individual clients'
circumstances than the FSP. (It was also noted that the uses of WIC Program data are even
more restrictive than those for FSP, e.g., WIC does not participate in computer matching among
4 Although Slates are responsible for EBT. FNS is currently responsible for retailer authorization,
management, monitoring, and sanctioning for FSP. Under this arrangement. EBT systems provide data
for Federal use.
5 Regulation E of the Board of Governors of the Federal Reserve System to implement the Electronic Funds
Transfer Act.
6 It has long been contemplated, however, that the WIC Program will one day be fully funded.
13
EBT DATA PRIVACY ISSUES FOR FOOD BENEFIT PROGRAMS
Federal welfare programs.) Although several client advocates argue that FSP EBT data should
be used exclusively for the delivery of benefits, some advocates believe that increased
information available from the WIC EBT systems would help the States provide better and more
comprehensive services to a greater number of people. Thus, advocates appear to be more
comfortable with using EBT data for direct client interventions in WIC than in FSP.
C. Adequacy of Existing Limits
The FSP and WIC Program have legal and regulatory limits on who can access program
data and how that data can be used. According to FSP and WIC regulations, recipient
information can be disclosed only to those directly involved in program administration and
enforcement. FSP regulations also limit disclosure of retailer information to purposes of FSP
and WIC Program administration and enforcement. Although law enforcement agencies around
the country would like increased access to all information that could help with criminal and civil
investigations, the U.S. Department of Agriculture's Office of General Council (OGC) has been
consistent in its refusal to provide information unless required to do so under subpoena. FNS
wants to be sure that as EBT expands, existing FSP and WIC Program regulations and laws are
sufficient to protect client rights to privacy and retailer rights to confidentiality.
Discussion: Several members of the roundtable were very impressed with FSP and WIC
privacy and confidentiality regulations, which were seen to be much more stringent than those
in effect for other benefit programs. FSP regulations also extend confidentiality to information
about authorized retailers, information that is not covered by privacy laws. According to the
OGC, each State must provide the minimum level of privacy protection that is required by
Federal law. This minimum level is clearly established by the Food Stamp Act and is reflected
in the FSP EBT regulations.7
As FNS moves to EBT for the FSP and WIC Program, there appear to be two areas that
need to be considered. One is access to FNS EBT data by other Federal and State agencies.
The second is that new players — retailers and third-party processors — are directly involved in
the delivery of benefits and must have access to information to deliver benefits.
Controlling access to EBT data is an issue that will need to be considered as Federal and
State governments consider multi-program EBT. In multi-program EBT, the EBT processor
is provided with information by each of the participating programs. The processor maintains
this information so that each EBT household has a single identifier, rather than identifiers unique
to each program. There is the concern that multi-program EBT may increase access to program
information among the Federal or State agency officials who administer these programs.
However, in all instances existing program restrictions would continue to apply. Some
eligibility-related information is now shared, but benefit data is not. How and when EBT might
facilitate further information sharing has not yet been addressed systematically.
Section 274.12(e)(l)(ix) of the FSP regulations states, "Each State shall ensure that the EBT system is
capable of performing the following functional requirements prior to implementation . . . Ensuring the
privacy of household data and providing benefits and data security."
14
EBTDATA PRIVACY ISSUES FOR FOOD BENEFIT PROGRAMS
Another issue is that EBT brings new players into the delivery of FSP and WIC Program
benefits: retailers; system processors; and third-party processors. EBT POS terminals in food
stores relay transaction data and receive summary data that the retailer uses for internal
settlement and accounting purposes.8 Existing legislation does not specifically regulate retailer
collection and use of shopper-related information for internal purposes (see discussion on
shopper clubs in Section F below). In EBT systems, however, most agreements between
retailers and the EBT administering agencies include a clause stating that EBT data may not be
used for purposes other than program administration. Since there is no comparable requirement
of retailers under coupon systems, data may in fact be better protected under EBT.
Most of the current limitations on retailer uses of consumer data for both FSP and non-
FSP recipients are in the form of self-regulation. The Food Marketing Institute (FMI) has issued
a policy statement on consumer privacy that provides retailers with a set of guidelines on the
collection and use of customer information. Several persons interviewed expressed the opinion
that retailers will not disclose information on individual recipients for fear of losing customers.
They feel that the cost of losing a customer is much greater than the marginal benefits obtained
from targeted marketing and other uses of this data. This principle applies to both FSP and non-
FSP customers. FMI believes that retailers will abide by the recommended guidelines for the
use of recipient data so as not to jeopardize their business with individual clients. It is important
to remember that unless the recipient. State agency, or third-party processor provides personal
identification information to the store, retailers cannot link purchase data to individuals. EBT
systems are not designed to provide this information.
Although State agencies are responsible for all aspects of EBT systems, experience with
the demonstrations and current State efforts to develop EBT indicate that many aspects of the
EBT system will be contracted out. EBT systems create access to recipient and retailer data by
one, and potentially two or more, new parties: system processors and third-party processors.
EBT system processors maintain information about recipient identity, including recipient address,
and use this information to ensure that benefits are delivered to those who are entitled to receive
them. As mentioned before, EBT processors are being asked to produce analyses for the OIG
to support investigations of unauthorized retailer and recipient activities. In addition. EBT
processors provide analyses of aggregate transaction data to State agencies and to USDA. These
reports provide information used to monitor processor performance.
The third-party processors generally included in EBT systems are integrated with
commercial EFT payment systems. They have access to transaction information only; recipients
are not identified by name or any other personal identifier. Currently, retailers select their third-party
processor, and third-party processors and networks do not collect recipient transaction
data; information merely passes through these systems. In the future, as EBT more closely
mirrors the commercial operating rules, third-party processors may become more involved in
Retailers with more advanced electronic cash registers can (and do) electronically distinguish between food
stamp coupon and non-coupon purchases. For example, FSP eligible products are exempt from sales tax.
Having the register automatically total FSP and non-FSP items and then compute sales tax creates fewer
register errors. It also reduces the chance of allowing non-FSP eligible items to be purchased with FSP
benefits.
15
EBT DATA PRIVACY ISSUES FOR FOOD BINIHT PROGRAMS
system settlement. If third-party processors ever provide settlement services, they will require
redemption information about specific retailers. If third parties were to capture the data they
transmit, then the confidentiality of retailer redemption information might be compromised.
D. Uses of EBT Data for Research
While Food Stamp EBT regulations stipulate mandatory participation for the participant
once EBT is introduced in a location, there is no rule requiring clients' or retailers' involvement
in an organized EBT data analysis effort. FNS must consider the implications of mandatory
versus voluntary participation in data analysis projects. Specifically, should prior approval from
program participants or authorized food retailers be required before any collection of data, or
is notification unnecessary if information is randomly collected on individuals, aggregated, and
cannot be traced to a particular recipient?9
Under the paper coupon system, researchers require the voluntary participation of
program clients. FSP clients may be asked to complete long and detailed surveys and keep a
log of all food purchases. Researchers must rely on the accuracy of these entries, which may
not reflect actual purchases or eating habits. Individual data is then aggregated and reported.
Under EBT, data collection could be much less intrusive if information on items purchased is
an integral part of the electronic redemption process, as is likely to be the case for WIC EBT
but not necessarily for FSP EBT.
EBT provides new avenues for research and analysis of the use of benefits. At present,
some demonstration sites are using aggregated FSP EBT data to examine redemption behaviors
such as number and time of transactions, number and types of retailers used, average dollar
value of the transactions, and proportion of the full monthly allotment used. These analyses are
done by aggregating household-level information, but purchases are not tied to specific
individuals. WIC does such analyses routinely for management information system reports.
Such studies help develop an understanding of program participation and contribute to the
identification of changes that would improve efficiency and effectiveness of benefit delivery.
Recently completed evaluations of EBT demonstrations have used redemption data to
determine if recipient purchasing behavior changes with EBT and to examine retailer redemption
characteristics. For example, FNS needs to have information on the volume and number of
transactions in order to anticipate system capacity requirements in light of minimum performance
requirements. FNS learned early on that the average FSP recipient made 8-10 transactions per
month, a number higher than expected. The databases resulting from such analyses are much
like other administrative record systems that help program administrators track system use and
capacity. To the extent that these analyses are built upon individually identifiable data, however.
It must be noted, however, that, according to Sections 282.1(a). (b), and (c) of the Food Stamp regulations,
research currently conducted on the demonstration programs is accorded much greater freedom in the
collection and use of data than what would be permitted for operational EBT programs.
16
EBTDATA PRIVACY ISSUES FOR FOOD BENEFIT PROGRAMS
it is appropriate to consider the degree to which this represents a secondary use of data1" and
thus is subject to privacy considerations.
Discussion: The use of recipient EBT data for research purposes generated much
discussion among the roundtable participants and focused on the following issues:
• Dealing with aggregated versus individual recipient data
• Identifying the research agenda that would use the data
• Allowing participants to opt-in or opt-out of the research project
Roundtable participants stated that collecting information on how its programs operate
is an appropriate role for government. Individual data, when aggregated and stripped of
identifiers, protects individual privacy while providing necessary information to develop, refine,
and implement effective programs. For other roundtable participants, the type of research being
conducted was just as important, if not more important, than the collection of data. It was
argued that as the amount of information the government has increases, so too does the risk to
program participants that government can intrude further into their lives. For these participants,
the issue is trusting the government to put the information to good use. The 1993 Harris-
Equifax survey provides a context for understanding this concern. First, it found that 75 percent
of the American public do not believe that the government can be trusted to look after its
interests. In addition, 58 percent of the American public do not feel that they have adequate
legal protection of their rights to privacy.
For some advocacy groups, however, the examination of individual data infringes on
recipient privacy, even if the data is stripped of identifiers and aggregated or collected by
randomly sampling unidentified individuals. For these stakeholders, voluntary participation
should be required for all research, because the consequences of the research may affect
individual recipients in unexpected ways.
The issue of opting-in versus opting-out is very important. Under the existing benefit
issuance system, FSP and WIC recipients have to "opt-in" - voluntarily decide to participate
in a research project. Under EBT, certain data could be collected without the active
participation of the FSP or WIC recipient. For example, tracking the number or value of
transactions at store A over a set period of time or tracking the average number of transactions
made from a sample of accounts. The roundtable participants differed on whether research
should be restricted to those individuals that explicitly state that they want to participate (opt-in),
or whether individuals should automatically be considered as research participants unless they
explicitly state that they do not want to participate (opt-out).
See discussion on page 9 for explanation of secondary uses.
17
HBT DATA PRIVACY ISSUES FOR FOOD BENEFIT PROGRAMS
E. Implications of Privacy Protection Needs for EBT Data Security
It is impossible to ensure EBT data privacy without adequate safeguards over the physical
security of data. Data security is the set of tools used to protect privacy and confidentiality.
As with all computerized databases, there is the possibility of unauthorized access and use of
EBT data. Some of the unauthorized uses include perusing data files, tampering with account
information, changing or invalidating personal identification numbers, intercepting transaction
communications, and theft of benefits.
Discussion: As separate database systems expand in capacity and are linked to one
another for purposes such as computerized matching, there arises concern over "leaky
databases." There have been several cases in which information stored on a government
database was illegally sold. As more people obtain access to each database, the potential for this
activity increases. Databases maintained in EBT systems could be subject to such abuse as well,
though there are data and system security requirements (a combination of software, hardware,
and personnel controls) in place to minimize this risk.
Unauthorized access is addressed through data use policy and system security. FNS
provides general security guidelines that State systems must address. In addition, there are FSP-and
EBT-specific security regulations. States must restrict access to authorized users and report
violations and irregularities, maintain security plans, conduct periodic risk assessments, and
conduct biennial reviews that include data privacy and confidentiality. EBT transactions are
typically transmitted in clear text, except for the PIN, which is encrypted. These various
security measures provide adequate protection of information when they are implemented and
monitored systematically.
F. Potential Uses of EBT Data
Our research identified a widely-held concern that, as technological advances in the
administration of government programs occur, new data uses may be deemed permissible by the
government. Computerized matching, for example, was deemed acceptable once computer
systems provided for this capability. Food retailers routinely use Universal Product Code (UPC)
scanners to control inventory and to expedite check-out procedures. It is now possible to link
customers with purchase information. With relatively simple changes to data systems, it is also
possible to provide the means to collect new types of data about retailers and recipients not
possible under the paper coupon system. There are additional uses of data that may come about
as a result of changes in telecommunications and processing technology. Some potential uses
of these data are discussed below. These uses are neither contemplated nor endorsed by FNS;
they are presented merely as examples that may help define the limits of acceptable data use.
RECIPIENT EDUCATION. Recipient purchase pattern data could be used to monitor
aggregate or individual FSP and/or WIC recipient purchases in order to determine the nutritional
value and balance of items purchased. Results could be used to counsel FSP recipients on how
to maximize the nutritional content of their purchases. Aggregate purchasing data could be used
18
EBT DATA PRIVACY ISSPI.S iOR loop BHNF.FIT PROGRAMS
to develop generic counseling efforts, such as nutrition pamphlets, for distribution to FSP or
WIC Program participants.
Monitoring of purchases for information on brands, quantities, and product selection
could allow analysis of food usage or the efficiency of benefit use by specific recipients or
groups of recipients. Advice might be given on how to obtain better value by changing brand
or product choices, timing of purchases, or size of purchase. In WIC. food packages could be
changed to better meet the food preferences of groups.
If EBT systems were to be integrated with the data obtained with UPC scanners, there
is also the capability to track food items not purchased with program benefits. While it can be
argued that this could serve as a basis for more in-depth counseling, it raises serious privacy
implications. Individuals generally do not want the purchase of items such as pregnancy tests,
alcohol, prescription drugs, and cigarettes to be tracked by the government. Such tracking raises
additional concerns for FSP and WIC recipients. Government agencies could potentially use this
information when determining an individual's eligibility for benefit programs, for example by
examining purchase information for clues to household composition.
Discussion: In general, recipient advocacy groups expressed strong opposition to the
collection and use of either person-level or aggregated purchase pattern information for purposes
of recipient education in the Food Stamp Program and, to a lesser, extent, the WIC Program.
This linkage is not required for FSP EBT to function. The linkage for WIC food prescriptions,
but not all food purchases, is required of WIC EBT systems. Therefore, FNS needs to discuss
and formulate policies about whether, how, and under what circumstances this additional type
of information might be used.
RETAILER USES OF AGGREGATE DATA. It is conceivable that stores would want to
track recipient purchase patterns on either an aggregate or individual basis for purposes of
marketing, inventory, and negotiations with manufacturers. For the larger food stores and
chains, the EBT system could be integrated with UPC-scanning electronic cash registers if it is
not already. The data systems that support these registers could keep a daily or longer record
of specific items purchased through EBT or with other means." As indicated before, it is not
possible to identify individual recipients by name under either the paper coupon system or EBT
system. In the EBT system, only the recipient account number is tracked. Because the
transaction data do not reveal recipient identity, retailers could not tie specific purchases to
specific individuals this way. They could, however, use data to target marketing strategies to
FSP and/or WIC participants in general by:
• Running promotions on products that are often purchased by FSP or WIC Program
recipients.
This capability exists in the paper coupon system. Retailers equipped with UPC scanners can flag a given
transaction as a "food stamp transaction." separate out non-authorized products, and calculate sales tax for
non-FSP purchases.
19
EBT DATA PRIVACY ISSUES FOR It>< ID BI-.XHNT PROGRAMS
• Encouraging FSP or WIC Program recipients to join a frequent shopper program h\
offering additional discounts on products most often purchased by them. (This would not
violate FNS regulations prohibiting "differential treatment" of recipients if the discount
were applied without regard to program participation status.)
• Conducting market research on FSP or WIC Program recipients who volunteer to
participate to study consumer preferences and changes in buying behavior.
Discussion: The roundtable participants did not discuss this type of data use. There ma\
be several reasons for this. Primarily, the information that might be collected by retailers is not
person-specific. Also, retailer representatives maintain that retailers do not maintain this
information and do not sell or otherwise provide access to it because it is not economically or
technically feasible.
USES OF SHOPPER'S CLUB DATA. Our research found that consumers (e.g.. recipients)
weigh the perceived loss of privacy against potential benefits. People are willing to give up an
element of privacy as long as the benefits are significant. Retailer-sponsored shopping clubs are
based on this principle. Retailers track individual purchase data using UPC scanning systems
in combination with a "shopping club card" that identifies the purchaser. The retailer is then
able to use this information for purposes of marketing and inventory. In return, shoppers club
members receive a variety of benefits, such as special reductions on specific products or discount
coupons applicable to the total cost of a single day's purchase at the food store. Credit
companies have also initiated shopper's clubs, in which the purchases of credit card holders are
tracked and either used internally or sold to marketers. Participation is voluntary. To date,
several shopper's clubs have failed because of low consumer acceptance. One reason is that the
perceived benefits were not sufficient to counterbalance the loss of privacy.
If FSP recipients who receive benefits through EBT participate in shopper*s club
programs, then individual identities, rather than just the recipient account number, could be
linked to purchase patterns. This information could then be used similarly to the way
information on non-FSP participants is used: to conduct individualized targeted marketing.
Because shopper's clubs are voluntary, recipient privacy is less of an issue, as the individual has
agreed to release personal information in return for certain benefits.
Discussion: The roundtable participants, including the advocacy representatives, believe
that FSP and WIC clients should be free to participate in such clubs as long as program
recipients are treated no differently from other participating customers and are informed fully
of possible data uses. Participation in shoppers programs would directly benefit FSP recipients
because they would receive discounts on food items, stretching their FSP monthly allotment.
WIC recipients would indirectly benefit because their non-prescription food stuffs might be less
expensive.
SYSTEM AND THIRD-PARTY PROCESSOR USE OF DATA. Third-party processors that
drive both commercial payment systems and EBT POS terminals are limited by technology and
cost in their access to item-specific purchase data. System processors and third-party processors
would have little use for this data for internal purposes. Absent restrictions already in place.
20
EBT DATA PRIVACY ISSUES FOR FOOD BF.NEFIT PROGRAMS
the information they do have -- transaction histories - might he sold to direct marketers and
credit bureaus. Redemption information including transaction times, amounts, and. potentially,
item-specific purchase data could be taken from one retailer and sold to its competitors.
Discussion: Our research found concern expressed over the lack of Federal regulation
and legislation on the collection and use of data by system processors. FSP EBT regulations do
address this issue, however, requiring each State agency to ensure that EBT system and third-party
processors protect the privacy of household data and provide benefit data security.12 In
EBT demonstration projects to date, confidentiality clauses are included in contracts between the
State and the system processor. These clauses restrict EBT transaction data use to that which
is directly related to the administration of the FSP. Since retailers can make their own
arrangements for third-party processing, we do not know if these retailers impose data use
limitations on processors in current EBT projects. If no limitations are imposed, third-party
processors may feel free to capture and distribute data at will, possibly to marketers willing to
pay for a list of potential new customers. The experience to date with third-party processors in
the delivery of EBT is very limited and does not provide an adequate basis for gauging actual
or potential threats to the privacy of data.
G. Privacy Issues in EBT Demonstration Projects
Existing protection and restrictions on EBT data use seem to have been effective enough
to prevent any significant privacy or confidentiality breaches in the EBT demonstration sites we
contacted.13 Recipients in the demonstrations have not voiced concerns regarding their privacy
under the EBT system, and retailers are believed to have complied with confidentiality and data
use restrictions outlined in FSP policy. State legislation, and contractual agreements.
We know of only two privacy-related incidents at demonstration sites, and both were
resolved without compromising clients' privacy rights. In one site, several retailers requested
that the State agency identify a recipient by name after a transaction error (such as a clerk
forgetting to enter the purchase amount of a transaction) occurred, and the recipient was no
longer accessible. Under this State's law, identifying a recipient for a retailer is prohibited.
The State agency wrote a letter to the recipient describing the error and let the recipient decide
whether to contact the retailer. In another instance, a law enforcement agency requested
information on a suspect's EBT transactions to help the agency locate the person. The State's
Office of General Counsel ruled that such use of data was illegal, and the request was denied.
These incidents reinforce a generally high level of attention given to the non-disclosure
requirements of the existing Food Stamp regulations.
12
13
Section 274.12(h)(5)(iii) of the FSP regulations state, "The State agency shall ensure that third-party
processors and retailers driving their own terminals comply with ... all applicable Food Stamp Program
regulations."
See footnote 6.
21
EBT DATA PRIVACY ISSUES I OR FOOD BENEFIT PROGRAMS
Privacy issues have been addressed in the contractual agreements and system design of
certain EBT demonstration projects. The experiences of several of these projects are described
below.
PRIVACY ISSUES CONSIDERED IN SYSTEM DESIGN. In the EBT system designs for ISP
demonstration projects, privacy tends to be covered indirectly through system security standards
and design. Security is usually outlined in terms of controlled access to various parts of the
system (e.g.. PIN encryption, telecommunications, batch files. POS terminals, and host
computers), rather than uses of data.
In the initial phases of EBT system design, staff from each of the demonstration projects
spoke with recipient and retailer advocacy groups regarding the implementation of the FSP EBT
system. These groups did not consider privacy to be a major concern. The only privacy-related
question raised repeatedly was whether the recipient's balance would be displayed on the
cashier's screen at the check-out lane. In fact, the balance is not displayed on the check-out
screen in any of the FSP EBT systems. It is, however, printed on the recipient's receipt, which
is handed to the recipient by the clerk and is listed on the tapes maintained by some retailers as
a record of transactions. Balances are printed on receipts to give recipients a convenient, timely
tool for tracking their account balances.
CONTRACTl AL PROVISIONS FOR RETAILER AND RECIPIENT PRIVACY. There are
provisions in the contractual agreements with the EBT system processor and retailers that either
directly or indirectly address privacy and the restriction of data uses. These provisions are
discussed below.
• System Processor Contracts. In most cases, the contract between the administering State
agency and the system processor includes clauses restricting EBT transaction data use to
that which is directly related to the administration of the FSP. In addition, system
processors must adhere to FSP regulations concerning privacy and information security
as well as the regulations of other programs that use EBT.14
• Retailer Agreements. In each of the FSP EBT demonstration projects contacted,
participating retailers must enter into an agreement with the administering State agency
or its agent. Retailer agreements vary widely in the manner and extent to which privacy
issues are addressed. In at least one case, there is a clause prohibiting the use or
disclosure of recipient information for any purpose not connected with the administration
of the FSP. A different retailer agreement prohibits the disclosure of recipient
information but does not address internal uses of these data. At least one retailer
agreement fails to address privacy issues specifically in any form. Each retailer
agreement, however, requires the retailer to adhere to applicable State laws and Federal
regulations, which would include privacy legislation.
14 FSP regulations require State agencies to ensure that EBT systems are capable of performing several
functional requirements prior to implementation. Two of these requirements are ensuring the privacy of
household data and providing benefit and data security.
22
EBT DATA PRIVACY ISSUES urn Fo< >i> HiMI 11 PKCKIKWIS
In order to participate in the FSP. authorized retailers must enter into an agreement v» ith
FNS. This agreement specifies that retailers must cooperate with Federal compliance
investigations. This is standard practice tor retailer participation in both EBT and paper
coupon systems. In this agreement, the retailer is required to provide transaction
information when requested as part of an investigation. In the EBT system, this
information is maintained by the system processor on a daily basis and later aggregated
and sent to the FNS central computer center. The agreement states that FNS will only
use retailer-specific transaction data for compliance purposes.
Third-Party Processors. To date, there are no contractual agreements between the
administering State agency or system processor and third-party processors except in the
FSP off-line demonstration. In at least one case, however, a clause is included in the
retailer agreement holding the retailer responsible for the compliance of third-party
processors with FSP EBT policy and standards. Yet the FSP regulations do state that
the State agency shall ensure that third-party processors comply with FSP regulations,
including those dealing with privacy and security. If a third-party processor does not
adhere to these mandates, it may no longer be allowed to participate in the EBT system.
IV. CONCLUSIONS AND STRATEGIES FOR PRIVACY PROTECTION
This section summarizes our conclusions and offers guidelines and strategies that the
various parties that influence and guide EBT could take to address privacy protection of FSP and
WIC recipients and confidentiality protection of retailers.
A. Summary of Conclusions
Electronic Benefit Transfer is now a proven technology. It has moved beyond testing and
development to become an operational alternative to existing benefit issuance systems The
benefits to the recipient and administrative agency have been documented in numerous studies
undertaken by the Food and Nutrition Service. EBT systems, however, greatly increase the
amount, detail, and potential accessibility of information about the use of benefits. EBT systems
create databases containing individually identifiable purchase information that varies in detail
depending upon the program using EBT, something that is not possible under existing coupon-based
issuance systems.
Fundamentally, FSP regulations and. to a somewhat lesser extent. WIC regulations
provide specific and adequate safeguards over access to and use of information about individuals
and retailers. These basic protections extend to EBT-developed information. However, the
means of access to data and the potential uses for those data will expand in the future.
Therefore, it is appropriate to consider the privacy implications of data uses. It is also
appropriate to provide mechanisms for ensuring that other agencies not typically involved in the
administration and oversight of FSP and WIC are bound by comparable requirements for
safeguarding the privacy of information to which they may have access as a result of their
involvement in the electronic delivery of benefits.
23
EBT I) \ i \ PRIVACY ISSUES t-oR FOOD BENEFIT PROGRAMS
Through interviews with EBT stakeholders and the roundtable discussion, we identified
a number of concerns about the current and potential uses of EBT data. These are summarized
below.
THE RECIPIENT
• Concern: Data may be used for "secondaiy uses" such as targeted marketing or locating
individuals through transaction information for lavv enforcement purposes not related to
program integrity.
Finding: FSPand WIC regulations closely limit the use o. program data, including EBT
data, for law enforcement purposes not specifically concerned with program integrity.
Under the various EBT demonstration projects, client privacy rights have not been
comprised.
Finding: The use of aggregated EBT data for marketing purposes cannot segregate
FSP/WIC recipients from other food purchasers. Individual targeting can only occur if
the recipient has voluntarily joined a retailers shopper program.
• Concern: Administering agencies or other parties might use individual recipient EBT
transaction data for purposes other than benefit issuance without the recipient's consent.
Finding: Advocacy groups differed in their interpretation of how FNS could or should
use EBT data for program administration Various opinions were expressed on the
appropriateness of using data for purposes such as nutrition research, nutrition education
and determining the range of food stamp-eligible items. Some stakeholders felt that data
should be used only for benefit determination purposes while others felt that research
using aggregated data was acceptable
• Concern: U«e of EBT may lead to creation of a single database containing multiple
pieces of in' ^nation on a single individual "One-stop shopping." or the development
of a sing' .rd to distribute multiple benefits, can be seen as a precursc to this
situation.
Finding: Our research found concern over potential uses of data resulting from the
integration of WIC Program benefit and health care information. Some stakeholders fear
that information on program panicipants may become accessible to more program
officials than those who legitimately need access. However, some feel this issue should
be considered in the context of welfare reform as well as EBT privacy.
THE RETAILER
» Concern: WIC retailers may not be protected adequately under EBT systems. While
FSP regulations protect the confidentiality of food stamp retailer information. WIC
regulations do not address retailer confidentiality because WIC retailer redemption data
are collected by States and generally not b\ FNS.
24
EBT DATA PRIVACY ISSUES FOR FOOD BENEFIT PROGRAMS
Finding: Although many WIC retailers are also authorized to accept food stamps. State
WIC administrative agencies have greater latitude in the use and disclosure of
information about retailers that participate in WIC. None of the retailer representatives
to whom we spoke had contemplated the implications of EBT for redemption data
confidentiality, but this issue may receive more attention as EBT applications spread.
During the roundtable discussion, it was pointed out that retailers would likely lobby for
more stringent protection if data disclosure became a problem.
B. Strategies for Maintaining High Levels of Privacy Protection in EBT
Based on our research and the views and perspectives expressed during the privacy
roundtable, there are a number of strategies that the various parties who develop and use EBT
systems and data should consider. This report is not intended to provide specific
recommendations for changes in policy, procedure, or practice; the following are offered as
ways of maintaining comparatively high levels of privacy protection in FSP and WIC EBT.
At the most general level, privacy should be considered within a framework. This
framework is applicable to reviews of existing uses of data as well as the planning of new uses
of data.
A PRIVACY FRAMEWORK: As discussed previously, FSP regulations establish the
requirement for the protection of privacy. The Privacy Act of 1974 generally permits use of
information (1) consistent with the purpose for which information was gathered and (2) for
designated "routine uses." Other uses would be considered "secondary" and, therefore,
prohibited.
In dealing with this "secondary use" limitation, there can be disagreement over what is
within the principal purpose for which FSP and WIC Program information is gathered and what
might be considered appropriate "routine use." There are four possible categories of use:
1. In a narrow interpretation, the primary uses would be to establish eligibility for
the program, identify shoppers as qualified recipients, ascertain that sufficient
benefits are available in the recipient account, authorize the FSP or WIC
transaction, and transfer necessary funds to reimburse the retailer for that
transaction.
2. Other uses appropriate to the EBT program include monitoring program
operations to evaluate and improve service delivery and integrity, reporting on
programs to appropriate governmental authorities, providing announcements and
relevant program information to recipients and others, and detecting and
preventing fraud or abuse. Such uses generally are considered routine and
necessary for program administration.
3. Another category of use would be to evaluate individual purchase behavior in
order to advise specific recipients of how they might better utilize the resources
25
EBT DATA PRIVACY ISSUES FOR FOOD BENEFIT PROGRAMS
of the program or improve their nutritional intake through food selection
alternatives.
4. Retailers or third-party processors might devise a variety of marketing or
"mailing list" uses of personal information. These would clearly be considered
"secondary" uses.
FNS can. as it has done in the past, employ regulations and user agreements to set
standards for informational privacy. The following are some suggested guidelines:
• Uses in categories (1) and (2) are primary or routine and need to be identified as part of
program operations. They do not require consent by recipients; notice of the practice
is sufficient.
• Analysis of statistical transaction information not individually identifiable is not a privacy
threat and could be done for research purposes. Such research could support general
announcements to all recipients regarding nutrition and resource allocation.
• Use of personally-identifiable transaction information for category (3) requires prior
notice to recipients and the opportunity for them to decline such use ("opt out") and still
receive benefits, in conformity with the procedures outlined below.
• Any category (4) or other secondary use can be pursued only with the prior affirmative
written consent of the recipient. Specifically:
The intended use should be clearly explained, in writing, to the recipient.
The identity of the intended users of the transaction information should be
disclosed to the client.
The voluntary nature of the secondary use should be clearly explained to the
recipient.
The recipient should consent to the specific use in writing.
The recipient should be free, at any time, to withdraw consent to a secondary
use.
The recipient should be given the opportunity, at least annually, to renew or
withdraw consent.
OTHER STRATEGIES: There are additional strategies that the various parties in the EBT
process can incorporate into data use planning:
26
EBT DATA PRIVACY ISSUES I-OR l<
Privacy and confidentiality provisions within the FSP and WIC ret
and difficult to find. A basic compilation of those provisions, sue!:
appendices to this report, could be shared with the various panic-
FNS annually publishes its research agenda. The agency could us
inform advocates and the public at large of planned research using re.
;;: PROGRAMS
.- are scattered
■mained in the
ed in EBT.
mechanism to
i-specific data.
Recipients need to be informed of and reminded about their privacy r.chtv There are a
variety of ways this might be done without creating special procedures or incurring
administrative costs. For example, one program advocate suggested :nai a statement of
rights and responsibilities be provided to recipients when the) are i.certified lor the
program.
EBT systems involve multiple parties, many of which are remo\ed from the immediate
administrative reach of FNS. As noted above, contracts and agreements provide the
means for extending responsibility for privacy to those parties. Contractual arrangements
with EBT processors, retailers, banks, and others that are likely to ha\e access to EBT
data should include specific reference to FSP and WIC regulations
As policy decisions on EBT data privacy develop, so too must data securit) practices that
provide for responsive safeguards. It cannot be assumed that existing access controls or
other safeguards will provide the desired level of protection to new file structures or uses
of EBT data. When new uses of data are developed, file access and control procedures
and policies must be reviewed to ensure that access to data about individuals is
appropriately restricted and that data use is subject to audits to ensure conformance to
policy.
When EBT systems support multiple benefit programs or a single program administered
by multiple States, program administrators and EBT system designers should specify
what data will be shared, how it will be shared, and when it will be shared This sharing
should be fully consistent with FSP and WIC Program regulations The system design
should provide technical and procedural safeguards consistent with the predefined uses
of EBT data.
27
Appendix A
Applicable Privacy Laws
l!t
Appendix A
APPLICABLE PRfVACY LAWS
A. THE PRIVACY ACT OF 1974
The Privacy Act of 1974 regulates the collection, use and disclosure of personal
information by Federal agencies and is the principal means of information privacy protection in
the Federal realm. It does not apply to State or local governments or to the private sector. The
Act does not apply to information collection efforts or systems funded with Federal money if the
information is controlled by State or local governments. The Privacy Act pertains to any
personally identifiable information and prohibits disclosure of such information without the
consent of the data subject. There are 12 exceptions to the disclosure limitation, four of which
are especially relevant to the EBT program: (1) internal "need to know;" (2) routine use: (3)
statistical use; and (4) law enforcement disclosures. The consent of the data subject is not
required for disclosures of information:
(1) "... to those officers and employees of the agency who maintain the record and
who have a need for the record in the performance of their duties."
(2) for a "routine use" which is defined as "a purpose which is compatible with the
purpose for which it was collected."
(3) if ". . . the record will be used solely as a statistical research or reporting
record, and the record is to be transferred in a form that is not individually [i.e., personally)
identifiable."
(4) to any Federal or State agency "... for a civil or criminal law enforcement
activity
The Department of Agriculture would have Privacy Act of 1974 disclosure concern
mainly with FSP information that it maintains and/or authorizes to be collected. In this respect.
the "routine use" designation by the Department of Agriculture includes referral to IRS for
collection of claims from tax refunds, referral to appropriate State agencies, disclosures in
response to inquiries from Congressional offices on behalf of a client, and disclosure to firms
that may have contracted with FNS for the purpose of research and reporting to FNS. Congress,
or appropriate oversight agencies.
The Privacy Act also requires that personal information maintained by the Federal
government must be "only such information ... as is relevant and necessary to accomplish a
purpose of the agency . . . ." Further, the agency is required to collect the information, "to the
greatest extent practicable directly from the subject individual when the information may result
in adverse determinations about . . . benefits . . . under Federal programs." The agency also
has an obligation to "maintain all records . . . with such accuracy, relevance, timeliness, and
completeness as is reasonably necessary to assure fairness . . . ."
A-l
-1
FNS has promulgated rules pursuant to the Privacy Act of 1974 that deal with the FSP.
State agencies and others involved in the administration of FSP or WIC are required to satisfy
the standards of the Privacy Act of 1974.
The major privacy-related impact of EBT will be the potential for government agencies
or the retailer to link purchase information with a particular client. Indeed, the Department of
Agriculture regulation 274.12(h)(3)(v)(H) requires the State agency to assure the availability of
a complete audit trail which "shall, at a minimum, be able to provide a complete transaction
history of each individual system activity that affects an account balance." This necessarily
involves identifying a POS transaction by account. The major privacy questions, then, involve
what uses the government and retailers may make of household purchase information.
FNS is sensitive to the desirability of providing the same level of respect for
confidentiality of information generated as a result of this Federal government program as for
program information maintained by the agency itself. The regulations do provide, at
274.12(e)(l)(ix), that the EBT system must ensure "the privacy of household data ..." This
requirement is certainly consistent with the basic assumption of OMB Circular A-130. 7g. that
"The individual's right to privacy must be protected in Federal government information activities
involving personal information."
B. STATE LAWS
State Laws and regulations present a mix of common law. constitutional and statutory
provisions regarding a multitude of privacy dimensions; the relevance of these various measures
to EBT in the FSP is problematic. It is difficult even to try to categorize States in terms of
privacy protection.
For instance, ten States recognize a "privacy" right in their constitutions, but the
application and interpretation of that right varies among those States. Minnesota has rejected
a right of privacy in its constitution or common law, but has enacted an information practices
act, similar to the Privacy Act, which does not extend to the private sector Only nine or ten
other States have what might be considered an information practices act comparable to the
Privacy Act though the scope of protection of each varies; none apply to the private sector.
New York does not recognize privacy as part of its common law though a few New York
statutes deal with narrow aspects of the right. Only three or four States significantly restrict the
sale of mailing lists generally and then only with respect to State government. Several States
do limit video customer rental information disclosure, though Delaware specifically allows sale
of video rentals mailing lists.
Certainly, no consistent threshold of privacy can be deduced from State law and though
the FSP is a State-administered program, it seems wise to consider Federal constraints as the
best vehicle for uniform privacy protection in the EBT environment.
A-2
3<?
Appendix B
Food Stamp and WIC Regulatory Language on Privacy
3/
Appendix B
FOOD STAMP AND WIC REGULATORY LANGUAGE ON PRIVACY
A. FOOD STAMP PROGRAM
1. FSP Regulations - General
The purpose of the Food Stamp Program is to "promote the general welfare and to
safeguard the health and well being of the Nation's population by raising the levels of nutrition
among low-income households." Currently, over ten percent of the U.S. population receive food
stamps, and substantial information on millions of households is developed during the application
process. The wide-spread use of EBT systems would increase the use of this information base.
Food stamp regulations contain several provisions that address confidentiality ot
information. FNS construes these regulations to apply equally to both coupon-based and EBT
systems. The disclosure of information is limited to the following:
Administration or enforcement of the Food Stamp Program
Computer matching for eligibility and income with other benefit programs (such as
AFDC)
Certification of alien status
Federal government audits of the program
Law enforcement agencies' investigation of program fraud or violations.
In addition, the use of the information is restricted to verifying eligibility and level of
benefit, and to enforcing laws directly related to program activities. There are also provisions
that identify who can access records contained in automated data processing and information
retrieval systems, which would include EBT systems.
2. FSP Regulations ~ Privacy
The Food Stamp Program regulations contain a number of provisions on the privacy of
information. Section 272.1 of the current regulations1 contains the general terms and conditions
for participating State agencies and includes a provision dealing specifically with disclosure:
1 These regulations are found in volume seven of (he Code of Federal Regulations and are current as of
September 1992.
B-l
3*
(c) Disclosure. (1) Use or disclosure of information obtained from food stamp applicant or
recipient households shall be restricted to:
(i) Persons directly connected with the administration or enforcement
of the provisions of the Food Stamp Act or regulations, other Federal assistance
programs, federally-assisted State programs providing assistance on a means-tested
basis to low income individuals, or general assistance programs which are
subject to the joint processing requirements in Section 273.2(j)(2).
(ii) Persons directly connected with the administration or enforcement
of the programs which are required to participate in the State income and
eligibility verification system (IEVS) as specified in Section 272.8(a)(2), to the
extent the food stamp information is useful in establishing or verifying eligibility
or benefit amounts under those programs;
(iii) Persons directly connected with the verification of immigration
status of aliens applying for food stamp benefits, through the Systematic Alien
Verification for Entitlements (SAVE) Program, to the extent the information is
necessary to identify the individual for verification purposes;
(iv) Persons directly connected with the administration of the Child
Support Program under Part D. Title IV of the Social Security Act in order to
assist in the administration of that program, and employees of the Secretary of
Health and Human Services as necessary to assist in establishing or verifying
eligibility or benefits under Titles II and XVI of the Social Security Act;
(v) Employees of the Comptroller General's Office of the United States
for audit examination authorized by any other provision of law; and
(vi) Local, State or Federal law enforcement officials, upon their
written request, for the purpose of investigating an alleged violation of the Food
Stamp Act or regulation. The written request shall include the identity of the
individual requesting the information and his authority to do so, violation being
investigated, and the identity of the person on whom the information is
requested.
(2) Recipients of information released under paragraph (c)(1) of this section must
adequately protect the information against unauthorized disclosure to person or for purposes not
specified in this section. In addition, information received through the IEVS must be protected
from unauthorized disclosure as required by regulations established by the information provider.
In using the data it collects, States are limited by the following provisions found in
Section 272.8 on the State Income and Eligibility Verification System (IEVS):
(5) Uses of data. The State agency shall use information obtained by means of the
IEVS: for the purposes of:
2 The IEVS includes information on participants from the following programs: Aid for Families with
Dependent Children, Medicaid, Unemployment Compensation, Food Stamps, and any State program
administered under a plan approved under Title I, X or XIV (the adult categories), or Title XVI of the
Social Security Act. This information may be shared among State agencies administering these
programs for establishing or verifying eligibility or benefit amounts.
B-2
33
(i) Verifying a household's eligibility;
(ii) Verifying Che proper amount of benefits;
(iii) Investigating to determine whether participating households
received benefits to which they were not entitled; and
(iv) Obtaining information which will be used in conducting criminal
or civil prosecutions based on receipt of food stamp benefits to which
participating households were not entitled.
All food stamp applicants will be notified at the time of application that IEVS may be
used to verify the information they supplied.
The FNS regulations also cover automated data processing and information retrieval
systems, which contain language on who can access records. In particular, Section 277.18(k)
states the following:
(k) Access to the system and records. Access to the system in all aspects, including but
not limited to design, development, and operation, including work performed by any source, and
including cost records of contractors and subcontractors, shall be made available by the State to
FNS or its authorized representatives at intervals as are deemed necessary by FNS, in order to
determine whether the conditions for approval are being met and to determine the efficiency,
economy, and effectiveness of the system.
Finally, Section 278. l(q) of the FSP regulations protect the confidentiality of retailer
information:
Safeguarding privacy. The contents of application or other information furnished by firms,
including information on their gross sales and food sales volumes and their redemptions of
coupons, may not be used or disclosed to anyone except for purposes directly connected with the
administration and enforcement of the Food Stamp Act and these regulations, except that such
information may be disclosed and used by State agencies that administer the Special Supplemental
Food Program for Women, Infants and Children (WIC). Such purposes shall not exclude the audit
and examination of such information by the Comptroller General of the United States authorized
by any other provision of law.
3. FSP Regulations -- EBT and Privacy
EBT regulations were finalized on April 1, 1992. These regulations establish the
standards for on-line EBT systems issuing Food Stamp Program benefits. In the area of privacy,
the participant's name does not appear on either the POS receipt or the terminal display. In
addition, no name is embossed on the card. Privacy is specifically addressed in Section
274.12(e) under functional requirements:
(e) The State agency shall ensure that the EBT system is capable of performing the
following functional requirements prior to implementation:
(1) Authorizing Household Benefits, (ix) Ensuring the privacy of household
data and providing benefit and data security.
B-3
3y
There are several other provisions dealing with the security ol the system and the
movement of data within the system for purposes of EBT operations, bin no other provisions
directly address the issue of privacy. In addition, there are no FSP regulati«>p.N that specifically
limit or prohibit retailers or third-party processors from capturing EBT information and using
it for other purposes. Section 274.12(h)5(iii) of the regulations indirecth pun ides guidance:
(in) The State agency shall ensure that third party processors and retailers drix ing their
own terminals comply with this section and all applicable Food Stamp Program regulations.
B. WIC PROGRAM REGULATIONS
1. WIC Program Regulations - General
The WIC program provides food prescriptions to pregnant, nursing and postpartum
women, their infants, and their children under the age of five who are at nutritional risk."
Because WIC benefits include nutrition education and counseling for WIC participants, there is
substantial information (including health information) contained in each participant's case file.
FNS recognizes this and has several provisions protecting the confidentiality and use of its
program and client information. Although the WIC regulations do not specifically contain EBT
provisions, it is assumed that any alternative benefit delivery system, including EBT. must also
maintain the confidentiality of program and client information.
The use or disclosure of information is limited to the following:
• Administration or enforcement of the WIC program, including investigations into
program violations
• Establishment of program eligibility and outreach
• Federal government audits of the program.
In addition, statistical or medical information collected under the program must not
identify particular individuals. The WIC regulations are more restrictive than the FSP
regulations because WIC program information can not be used in determining the alien status
of a client nor in computer matching of eligibility information with other social service
programs.
B-4
35
2. WIC Program Regulations ~ Privacy
The specific disclosure and confidentiality provisions for the Special Supplemental Food
Program for Women, Infants and Children (WIC) are found in Section 246.263:
(b) Statistical information. FNS reserves the right to use information obtained under the
Program in a summary, statistical or other form which does not identify particular individuals.
(c) Medical information. FNS may require the State or local agencies to supply medical
data and other information collected under the Program in a form that does not identify particular
individuals, to enable the Secretary or the State agencies to evaluate the effect of food intervention
upon low-income individuals determined to be at nutritional risk.
(d) Confidentiality. The State agency shall restrict the use or disclosure of information
obtained from program applicants and participants to:
(1) Persons directly connected with the administration or enforcement
of the program, including persons investigating or prosecuting violations in the
WIC program under Federal, State or local authority;
(2) Representatives of public organizations designated by the chief
State health officer (or, in the case of Indian State agencies, the governing
authority) which administer health or welfare programs that serve persons
categorically eligible for the WIC Program., The State agency shall execute a
written agreement with each such designated organization:
(i) Specifying that the receiving organization may
employ WIC Program information only for the purpose of
establishing the eligibility of WIC applicants and participants
for health or welfare programs which it administers and
conducting outreach to WIC applicants and participants for
such programs, and
(ii) Containing the receiving organization's assurance
that it will not, in turn, disclose the information to a third
party; and
(3) The Comptroller General of the United States for audit and
examination authorized by law.4
During the application process, the applicant, parent, or caretaker will be informed of WIC's
disclosure provisions.
3 These regulations are found in volume seven of the Code of Federal Regulations and are current as of
August 1992.
4 Any reports resulting from such examinations shall not divulge names of individuals (7 CFR Section
246.25(4)).
B-5
36
Appendix C
Research Performed on Privacy Issues
37
Appendix C
RESEARCH PERFORMED ON PRIVACY ISSUES
Price Waterhouse conducted an extensive research effort on privacy issues and Electronic
Benefit Transfer (EBT). This research was performed in two parts: (1) on-site and telephone
interviews with persons knowledgeable in the area of EBT and/or Privacy; and (2) a literature
review. This Appendix lists these sources.
A. CONTACTS
Interviews were conducted with representatives of the following organizations, in order
to gain an understanding of their views on privacy with respect to EBT:
Congressional Committees
Government Agencies
Advocacy Groups
American Banker's Association
National Organization of Women
B. EBT DEMONSTRATION PROJECTS INTERVIEWED
Telephone interviews were conducted with project directors of three of the EBT
demonstration projects, to identify any privacy-related issues that have arisen in the operations
of the demonstration projects to date:
• San Bernalillo County, NM
• Ramsey County, MN
• Dayton, Ohio
• State of Maryland
C-l
■6$
C. LITERATURE REVIEW
A comprehensive literature review was conducted in order to gain an understanding of
the potential uses of data in an EBT system, and the legal and ethical constraints of these uses.
The literature review included the identification and examination of Federal and State legislation.
Federal Regulations, public opinion surveys. Congressional reports. Congressional hearings.
Federal government agency publications, nonprofit organization and advocacy group
publications, journal articles, and books. The following is a selected bibliography of these
sources:
U.S. Government, Congressional Committee on Government Operations. Who Cares About
Privacy? Oversight of the Privacy Act of 1974 by the Office ofManagement and Budget
and by the Congress, 98th Congress, 1st Session, House Report No. 98-455,
November 1, 1983
U.S. Government, Privacy Protection Study Commission. Personal Privacy in an Information
Society, The Report of the Privacy Protection Study Commission. July 1977
U.S. Government, Office of Technology Assessment, Federal Government Information
Technology: Electronic Record Systems and Individual Privacy, OTA-CIA-296, U.S.
Government Printing Office, Washington DC, June 1986.
U.S. Government, Office of Technology Assessment. Defending Secrets, Sharing Data: New-
Locks and Keys for Electronic Information, U.S. Government Printing Office.
Washington, DC, October, 1987.
U.S. Government, Congressional Committee on Government Operations. A Citizens Guide on
Using the Freedom of Information Act and the Privacy Act of 1974 to Request
Government Records, 102d Congress, 1st Session, House Report No. 102-146, July 10,
1991.
U.S. Government, Office of Technology Assessment. Electronic Delivery of Public Assistance
Benefits: Technology Options and Policy Issues, OTA-BP-CIT-47, Washington DC.
U.S. Government Printing Office, April 1988.
U.S. Government, House of Representatives. Hearing before the Government Information.
Justice and Agriculture Subcommittee of the Committee on Government Operations.
Data Protection, Computers, and Changing Information Practices. One Hundred and
First Congress, Second Session, May 16, 1990.
U.S. Government, House of Representatives. Hearings before the Government Information.
Justice and Agriculture Subcommittee of the Committee on Government Operations. Data
and International Data Protection Issues. One Hundred Second Congress. First Session.
April 10 and October 17, 1991.
C-2
2fT
Geva. Benjamin. The Law of Electronic 1-unds Transfers. Matthew Bender & Co..
New York. 1992.
Flaherty. David H. Protecting Privacy in Surveillance Societies. The University of North
Carolina Press. Chapel Hill. NC. 1989.
Plesser. Ronald and Emilio. Cividanes. Privacy Protection in the United States. A 1991 Survey
of Laws and Regulations Affecting Privacy in the Public and Private Sector.
Washington. DC 1991.
C-3
qO
Appendix D
EBT Privacy Roundtable Participants
4/
Appendix D
EBT PRIVACY ROUNDTABLE PARTICIPANTS
Richard Allen
Deputy Assistant Inspector General for
Investigations
USDA Office of Inspector General
Gregory Benson
Program Manager
Retail Banking. Operations and
Technology
Savings & Community Bankers of
America
Mike Bernstein
Attorney
Office of General Counsel
Food and Nutrition Division
USDA Office of General Counsel
Steven Carlson
Office of Analysis and Evaluation
Food and Nutrition Service
U.S. Department of Agriculture
Mary Culnan
Professor of Management Information
Systems
Georgetown University
School of Business
John P. Fanning
Senior Health Policy Advisor
Office of Health Planning and Evaluation
Public Health Service
US Department of Health and Human
Services
Larry Goolsby
Policy Associate
American Public Welfare Association
Stephan Harvey
Director of WIC Programs
Center on Budget and Policy Priorities
Daphne Herling
Director of Community Organizing
Maryland Food Committee
Dr. Kathleen Horoszewski
Corporate Architecture and Systems
Management Director
AT&T
Peter Larkin
Vice President for State Government
Relations and Environmental Affairs
Food Marketing Institute
Carrie Lewis
Staff Attorney
Food Research and Action Center
Barbara Leyser
Senior Policy Analyst
Center on Social Welfare Policy and Law
David O'Connor
President & CEO
Internet, Inc.
Agnes Phares
Acting Management Information Systems
Director
New Jersey WIC Program
George Trubow
Professor of Law
The John Marshall Law School
D-l
^
