Minimizing Disclosure Risk in HHS Open Data Initiatives. 2. Computer Matching and Privacy Protection Act of 1988


The Computer Matching and Privacy Protection Act of 1988 updated the language of the Privacy Act to address concerns about how agencies share and match data across agencies. Under this law, agencies must notify individuals at the time of data collection that the information provided could be used for matching purposes. Agencies must also give individuals 30 days' advance notice before taking adverse action based on the matched data. Finally, the law provides some guidance on oversight, requiring that agencies create internal review boards to approve matching activities, publish matching agreements between agencies, and report to the Office of Management and Budget (OMB) and Congress about matching. The law does not apply to two types of matches: (1) matches that aggregate data stripped of personal identifiers, and (2) matches made to support research or statistical purposes. For matches that will be used for research purposes, information collected through the matching process cannot be used to make decisions that “affect the rights, benefits, or privileges of specific individuals.” However, data can be used to make decisions about the program in general.3

3 “Computer Matching and Privacy Protection Act of 1988,” Public Law 100-503. Available at [ Accessed May 30, 2014.
