The CIPSEA, Protecting Statistical Privacy for U.S. Citizens
October 14, 2021 | 4 minutes read
The Confidential Information Protection and Statistical Efficiency Act of 2002, or CIPSEA for short, is a federal law that was passed as part of the E-Government Act of 2002. Just as the Federal Information Security Management Act of 2002 (FISMA 2002) was passed with the E-Government Act of 2002 to govern the cybersecurity practices of the U.S. federal government, the CIPSEA functions in the same way as it pertains to personally “identifiable information collected by federal agencies for exclusively statistical purposes under a pledge of confidentiality”. To this point, the CIPSEA defines what constitutes personally identifiable information in the context of statistical analysis under the law, as well as the requirements placed on the federal government with respect to such information.
How is personally identifiable information defined under the CIPSEA?
Under the CIPSEA, personal information in the context of statistical analysis is defined as information from which the identity of a person or organization can “be reasonably inferred by either direct or indirect means. Agencies will deem certain information indirectly identifiable if it identifies persons or organizations using other available information”. Examples of such personal information include names and social security numbers, as well as race, gender, and date of birth, since these attributes can also be deemed indirectly identifiable. To this end, CIPSEA-protected personal information can only be shared for statistical purposes unless respondents give informed consent for their information to be shared for other purposes.
Conversely, the CIPSEA does not prohibit the disclosure of personal information that is not in an identifiable form, as defined by the law. Moreover, the CIPSEA defines statistical purposes to include “the description, estimation, or analysis of the characteristics of groups” and related “development, implementation, or maintenance of methods, technical or administrative procedures, or information sources.” As such, federal agencies can generally share “CIPSEA protected data” only with other agents, officers, or employees within the federal government, and only for statistical purposes. Under the law, an agent can include a contractor or consultant, an individual working under the authority of a government agency or entity, or an employee of a private organization.
What are the requirements of government agencies under the CIPSEA?
Under the CIPSEA, the disclosure of personally identifiable information for non-statistical purposes without informed consent must be approved by the head of the applicable federal agency and must adhere to any other applicable federal laws. Furthermore, federal agencies must distinguish any personal information that is collected for non-statistical purposes, as well as “provide public notice prior to collecting data for non-statistical purposes”. What’s more, the CIPSEA also requires all Designated Statistical Agencies, such as the Census Bureau, the Bureau of Economic Analysis (BEA), and the Bureau of Labor Statistics (BLS), to create and maintain written agreements with other Designated Statistical Agencies prior to sharing any personally identifiable business information or data.
That said, the term “statistical purposes” is defined broadly under the law. For example, the CIPSEA permits the sharing of personally identifiable information for the purpose of improving public health, as the law “supports data sharing to improve community health to the extent that agencies disclose protected data for exclusively statistical activities that promote community health”. At the same time, the CIPSEA “does not contain a provision that expressly permits the use or disclosure of protected information for public health purposes”. On a practical level, moreover, “persons and organizations seeking designated agent status to access protected data for statistical purposes are subject to potentially lengthy approval processes”.
What are the penalties for non-compliance under the CIPSEA?
Under the CIPSEA, federal agencies that share the personally identifiable information of American citizens for purposes outside of those stated by the law are subject to both monetary penalties and criminal liability, including fines of up to $250,000 and a term of imprisonment of up to 5 years. To help agencies avoid such penalties, the Office of Management and Budget (OMB) issued “minimum requirements and standards for protecting data under CIPSEA (e.g., inform survey respondents of confidentiality protections, minimize risk of disclosure, training, limit uses to statistical purposes, review information to be disseminated for potential disclosures of identifiable information, and supervise agents with access to protected information)”.
As more forms of personally identifiable information are being collected by the U.S. government than ever before due to the rise of online communication, laws and regulations such as the CIPSEA are of the utmost importance in the current digital climate. As a major function of the E-Government Act of 2002, and in accordance with the Federal Information Security Management Act of 2002 (FISMA 2002), the CIPSEA provides American citizens with an avenue of recourse with respect to the personal information and data that they share with government agencies. Through the implementation and enforcement of such legislation, U.S. citizens can rest assured that the personal information and data that they share with the government cannot be disclosed for unauthorized purposes.