The Computer Matching and Privacy Act of 1988 updated the language of the Privacy Act to address concerns about how agencies share and match data across agencies. Agencies must notify individuals at the time of data collection that the information provided could be used for matching purposes, and give individuals 30-days advance notice before taking adverse action based on the matched data. In addition, the law requires that agencies create internal review boards to approve matching activities, publish matching agreements between agencies, and report to OMB and Congress about matching. The law does not apply to two types of matches: (1) matches that aggregate data stripped of personal identifiers, and (2) matches made to support research or statistical purposes. 6
6 “Computer Matching and Privacy Protection Act of 1988,” Public Law 100-503. Available at [http://www. whitehouse.gov/system/files/omb/inforeg/final_guidance_pl100-503.pdf]. Accessed May 30, 2014.