The IT Law Wiki


Computer Matching and Privacy Protection Act of 1988, Pub. L. No. 100-503, 102 Stat. 2507 (Oct. 18, 1988), codified at 5 U.S.C. §552a note, rev. 1990 (full-text).


This Act amended the Privacy Act of 1974[1] to establish procedural safeguards regarding an agency’s use of Privacy Act records in performing certain types of computer matching. A controversial matter for more than a decade, computer matching had begun in 1977 at the Department of Health and Human Services. The effort, dubbed Project Match, compared welfare rolls in selected jurisdictions with federal payroll records in the same areas. The controversy surrounding this and similar computerized matches pitted privacy advocates, who alleged that personally identifiable data were being used for purposes other than those prompting their collection, against those using the technique to ferret out fraud, abuse, and the overpayment of federal benefits. As the practice subsequently became more widespread, controversy over its use grew.

Provisions of the Act[]

The Act covers two types of matching programs: (1) matches involving Federal benefits programs and matches using records from Federal personnel or payroll systems of records.

The Act regulates the use of computer matching by federal agencies involving personally identifiable records maintained in a system of records subject to the Privacy Act. Matches performed for statistical, research, law enforcement, tax, and certain other purposes are not subject to such regulation.

In order for matches to occur, a written matching agreement, effectively creating a matching program, must be prepared specifying such details, explicitly required by the amendments, as the purpose and legal authority for the program; the justification for the program and the anticipated results, including a specific estimate of any savings; a description of the records being matched; procedures for providing individualized notice, at the time of application, to applicants for, and recipients of, financial assistance or payments under federal benefits programs and to applicants for and holders of positions as federal personnel that any information they provide may be subject to verification through the matching program; procedures for verifying information produced in the matching program; and procedures for the retention, security, and timely destruction of the records matched and for the security of the results of the matching program.

Copies of such matching agreements are transmitted to congressional oversight committees and are available to the public upon request. Executive oversight of, and guidance for, matching programs is vested in the director of OMB. Notice of the establishment or revision of a matching program must be published in the Federal Register 30 days in advance of implementation.

The Act also provides due process rights for individuals to prevent agencies from taking adverse actions unless they have independently verified the results of a match and given the subject 30 days’ advance notice.

The Act also require every agency conducting or participating in a matching program to establish a Data Integrity Board, composed of senior agency officials, to oversee and coordinate program operations, including the execution of certain specified review, approval, and reporting responsibilities.

Agencies are prohibited from reducing, suspending, or terminating financial assistance to an individual without first verifying the accuracy of computerized data used in the matching program and without first giving the individual 30 days to contest the action.

1990 amendment[]

"An amendment to the Act that was passed in 1990 somewhat altered the original Act's due process provisions. Specifically, the amendment changed some of the details regarding subject notification of adverse findings and gave data protection boards the ability to waive independent verification of information under certain circumstances."[2]


  1. Because the Act amends the Privacy Act of 1974, the provisions of the former are to be read within the context of the latter, and all of the terms defined in the Privacy Act of 1974 apply.
  2. Who Goes There?: Authentication Through the Lens of Privacy, at 142-43.

See also[]