Federal Statistical Agency law and Executive Directives in conflict with FITARA about fitara HOT 5 CLOSED

The Consortium of Social Science Associations (COSSA) writes to endorse the statement made by the Council of Professional Associations on Federal Statistics (COPAFS) regarding proposed guidelines for the Federal Information Technology Acquisition Reform Act (FITARA), and asks that federal statistical agencies be excluded from the requirements within the law.

COSSA is a nonprofit organization serving as a united voice for more than 100 professional associations, scientific societies, research centers and institutes, and colleges and universities who care about a robust social and behavioral scientific research enterprise, including a vibrant federal statistical system.

COSSA agrees with COPAFS' comments that the proposed FITARA guidance would "violate federal law and Executive Directives that assure critically essential independence of officially designated statistical agencies and should thus explicitly exclude these agencies from its requirements."

from fitara.

The American Statistical Association comments echo those of COAPS and are posted at http://www.amstat.org/misc/pdfs/FITARA.pdf, with the text pasted below:

May 29, 2015

Tony Scott
United States Chief Information Officer
Administrator, Office of E-Government & Information Technology
Office of Management and Budget
725 17th Street, NW
Washington, DC 20503

Dear Administrator Scott,

As President of the American Statistical Association, I write to on comment on the draft guidance to implement the Federal Information Technology Acquisition Reform Act (FITARA). We urge that every effort be made to ensure that FITARA not undermine the work of the federal statistical agencies, work which is critical to informing policymaking, decision-making, and public administration.

Our specific concern is that FITARA implementation could jeopardize the confidentiality pledges statistical agencies make. We are concerned that it could significantly degrade their autonomy and ability to provide timely responses to support both routine and special data analyses, both of which are vital to a statistical agency’s effectiveness and the analytical value of the functions it supports.

We understand and appreciate the importance of ensuring successful management and oversight of IT issues. Just as important are the confidentiality issues, the safeguards for which are set forth in the Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA) and CIPSEA Implementation Guidance (2007). The balance needed in implementing these two statutes is evident in the fact that they are each separate titles in the same act, the E-Government Act of 2002. We emphasize that the respect for confidentiality, in reality and perception, is of paramount importance to federal statistical agencies and programs.

CIPSEA, in short, requires that data, collected under a pledge of confidentiality and for exclusively statistical purposes, be used for statistical purposes only. The relationship of confidentiality to control over IT resources is emphasized in the National Academy of Sciences’ Principles and Practices for a Federal Statistical Agency (fifth edition, 2013), in the discussion of the Independence Principle:

i) “As part of confidentiality protection, an agency should have the authority to manage the storage of confidential micro-data on secure servers that are controlled by the agency and not by a department-wide information technology system. A statistical agency should also have policies and procedures to inform data providers of the manner and level of confidentiality protection and the kinds of research and analysis that will be allowed with the data.” (p. 21)
ii) “Protection from political and other undue external influence over a statistical agency’s data collection, production, dissemination, and other operations necessitates that the agency have the necessary authority for professional decisions in key aspects of its work, including the following: … authority to control information technology systems in order to securely maintain the integrity and confidentiality of data and reliably support timely and accurate production of key statistics.” (p. 39)
iii) “The authority to ensure that information technology systems fulfill the specialized needs of the statistical agency is another important aspect of independence. A statistical agency must be able to vouch for the integrity, confidentiality, and impartiality of the information collected and maintained under its authority so that it retains the trust of its data providers and data users. Such trust is fostered when a statistical agency has control over its information technology resources, and there is no opportunity or perception that policy, program, or regulatory agencies could gain access to records of individual respondents. A statistical agency also needs control over its information technology resources to support timely and accurate release of official statistics, which are often produced under stringent deadlines.” (p. 40)

OMB also recognizes the importance of IT autonomy for federal statistical agencies, most recently in Statistical Policy Directive #1, “Fundamental Responsibilities of Federal Statistical Agencies and Recognized Statistical Units.” In the Federal Register notice announcing the directive being finalized, Office of Information and Regulatory Affairs Administrator Howard Shelanski notes their agreement with a commenter’s “recommendation to emphasize that a Federal statistical agency or recognized statistical unit has authority over the processing, storage, and maintenance of the data that it collects”. He notes they added text referencing the CIPSEA Implementation Guidance. The directive itself, Responsibility 3, on conducting objective statistical activities, includes these sentences:
"Accordingly, Federal statistical agencies and recognized statistical units must function in an environment that is clearly separate and autonomous from the other administrative, regulatory, law enforcement, or policy-making activities within their respective Departments. Specifically, Federal statistical agencies and recognized statistical units must be able to conduct statistical activities autonomously when determining what information to collect and process, the physical security and information systems security employed to protect confidential data, which methods to apply in their estimation procedures and data analysis, when and how to store and disseminate their statistical products, and which staff to select to join their agencies."

Responsibility 4, on protecting the trust of information providers, concludes with this sentence: “Federal statistical agencies and recognized statistical units must fully adhere to legal requirements and follow best practices for protecting the confidentiality of data, including training their staffs and agents, and ensuring the physical and information system security of confidential information. (CIPSEA Implementation Guidance, 33362 at 33374)” It’s also important to note that OMB used the Principles and Practices of a Federal Statistical Agency as one of its primary reference documents.

In summary, we ask you to carefully consider the missions of statistical agencies and confidentiality requirements in the OMB FITARA guidance and urge you to allow the statistical agencies to maintain authority over their IT functions and personnel so they can continue to perform their work effectively and efficiently.

Thank you for your consideration.

Sincerely,
David Morganstein
President, American Statistical Association

from fitara.

Thank you @kittysmith @COSSADC and @swpierson for your comments. Because of your comments, we have revised the handling of statistical agenices and units in the memorandum. Preserving the ability of the statistical community to conduct its important work in part depends on confidence in the confidentiality guarantees which it provides to its information providers. To help clarify how to apply these requirements to the statistical community, the final memorandum includes language addressing this directly within the "scope and applicability" section. This includes: "With respect to Federal statistical agencies and units as defined in the Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA), covered agencies under FITARA shall implement this guidance in a manner that ensures that statistical data collected under a pledge of confidentiality solely for statistical purposes are used exclusively for statistical purposes, consistent with CIPSEA."

from fitara.

Hi, Mr. Sweeny.

Thank you for your willingness to address the inconsistencies between
FITARA guidelines and the law and Directives applying to statistical
agencies. Any chance we could get together to discuss this? Your language
does cover the CIPSEA requirement for confidentiality, but I am not able to
tell whether it also preserves the responsibility given the statistical
agencies. I would be more than happy to propose, discuss or review
alternative language.

Thanks again for your attention to the issue.

Sincerely,

Kitty Smith

Katherine R. Smith, PhD

Executive Director
Council of Professional Associations on Federal Statistics (COPAFS)
2121 Eisenhower Ave., Suite 200
Alexandria, VA 22314
Office Phone: 703-836-0404_;_ Direct Phone: 202-407-1292
Our goal: Linking you with a thriving statistical system
Visit us at w http://www.copafs.org/ww.copafs.org http://www.copafs.org/

Join us on Twitter: @copafsK

On Mon, Jun 15, 2015 at 12:20 PM, Ben Sweezy [email protected]
wrote:

Thank you @kittysmith https://github.com/kittysmith @COSSADC
https://github.com/COSSADC and @swpierson https://github.com/swpierson
for your comments. Because of your comments, we have revised the handling
of statistical agenices and units in the memorandum. Preserving the ability
of the statistical community to conduct its important work in part depends
on confidence in the confidentiality guarantees which it provides to its
information providers. To help clarify how to apply these requirements to
the statistical community, the final memorandum includes language
addressing this directly within the "scope and applicability" section. This
includes: "With respect to Federal statistical agencies and units as
defined in the Confidential Information Protection and Statistical
Efficiency Act of 2002 (CIPSEA), covered agencies under FITARA shall
implement this guidance in a ma nner tha t ensures that statistical data
collected under a pledge of confidentiality solely for statistical purposes
are used exclusively for statistical purposes, consistent with CIPSEA."

—
Reply to this email directly or view it on GitHub
#27 (comment).

from fitara.

Mr. Sweezy (not Sweeny!) --sorry

On Mon, Jun 15, 2015 at 12:46 PM, Kitty Smith [email protected]
wrote:

Hi, Mr. Sweeny.

Thank you for your willingness to address the inconsistencies between
FITARA guidelines and the law and Directives applying to statistical
agencies. Any chance we could get together to discuss this? Your language
does cover the CIPSEA requirement for confidentiality, but I am not able to
tell whether it also preserves the responsibility given the statistical
agencies. I would be more than happy to propose, discuss or review
alternative language.

Thanks again for your attention to the issue.

Sincerely,

Kitty Smith

Katherine R. Smith, PhD

Executive Director
Council of Professional Associations on Federal Statistics (COPAFS)
2121 Eisenhower Ave., Suite 200
Alexandria, VA 22314
Office Phone: 703-836-0404_;_ Direct Phone: 202-407-1292
Our goal: Linking you with a thriving statistical system
Visit us at w http://www.copafs.org/ww.copafs.org
http://www.copafs.org/

Join us on Twitter: @copafsK

On Mon, Jun 15, 2015 at 12:20 PM, Ben Sweezy [email protected]
wrote:

Thank you @kittysmith https://github.com/kittysmith @COSSADC
https://github.com/COSSADC and @swpierson
https://github.com/swpierson for your comments. Because of your
comments, we have revised the handling of statistical agenices and units in
the memorandum. Preserving the ability of the statistical community to
conduct its important work in part depends on confidence in the
confidentiality guarantees which it provides to its information providers.
To help clarify how to apply these requirements to the statistical
community, the final memorandum includes language addressing this directly
within the "scope and applicability" section. This includes: "With respect
to Federal statistical agencies and units as defined in the Confidential
Information Protection and Statistical Efficiency Act of 2002 (CIPSEA),
covered agencies under FITARA shall implement this guidance in a ma nner
tha t ensures that statistical data collected under a pledge of
confidentiality solely for statistical purposes are used exclusively for
statistical purposes, consistent with CIPSEA."

—
Reply to this email directly or view it on GitHub
#27 (comment).

from fitara.