U.S. Postal Service: Status of Efforts to Protect Privacy of Address Changes

Published by the Government Accountability Office on 1999-07-30.

United States General Accounting Office

GAO
Report to the Chairman, Subcommittee on the Postal Service, Committee on
Government Reform, House of Representatives

July 1999

U.S. Postal Service
Status of Efforts to Protect Privacy of Address Changes

GAO/GGD-99-102

United States General Accounting Office
General Government Division
Washington, D.C. 20548




                                    B-281674
                                    July 30, 1999

                                    The Honorable John M. McHugh
                                    Chairman, Subcommittee on the Postal Service
                                    Committee on Government Reform
                                    House of Representatives

                                    Dear Mr. Chairman:

                                    As you know, the Postal Service’s National Change of Address (NCOA)
                                    program is intended to improve the quality of addresses on mail by
                                    providing business mailers with accurate, properly formatted change-of-
                                    address data that are automation compatible. To do this, the Service
                                    collects change-of-address information reported by postal customers
                                    nationally and disseminates corrected addresses through a number of
                                    private firms licensed by the Service to provide address correction
                                    services. A recently completed audit of the costs and benefits of the NCOA
                                    program for the Service’s Office of Inspector General found that, through
                                    the program, the Service was able to avoid nearly $1.2 billion in rehandling
                                    costs associated with forwarding mail in fiscal year 1998.[1]

                                    Accompanying the benefits the Service derives from this program,
                                    however, is the responsibility for oversight and control over postal
                                    customers’ change-of-address data, which are protected from
                                    inappropriate release or use under applicable federal privacy laws. In our
                                    1996 report, we pointed out that the NCOA program was operating without
                                    clearly delineated procedures and sufficient management attention to
                                    always prevent, detect, and correct the inappropriate release or use of
                                    change-of-address data.[2] We recommended specific actions the Service
                                    should take to strengthen its oversight and control of these data. This
                                    report responds to your November 19, 1998, request that we determine
                                    what actions the Service has taken in response to our 1996 report and
                                    whether any additional actions are needed to strengthen the Service’s
                                    oversight of the program.



                                    [1] Performance Audit of the National Change of Address Program,
                                    DS-AR-99-001, United States Postal Service Office of Inspector General,
                                    Mar. 31, 1999.

                                    [2] U.S. Postal Service: Improved Oversight Needed to Protect Privacy of
                                    Address Changes (GAO/GGD-96-119, Aug. 13, 1996).




                                    Page 1                                               GAO/GGD-99-102 Address Change Privacy

Results in Brief

                   As we recommended, the Service has developed and implemented written
                   procedures that addressed its NCOA program oversight and control
                   responsibilities for (1) using seed records[3] to help detect the unauthorized
                   disclosure of NCOA data by licensees, should it occur; and (2) reviewing,
                   responding to, and documenting NCOA-related complaints and inquiries
                   from postal customers and NCOA-related proposed advertisements by
                   licensees. However, procedures designed by the Service to ensure that it is
                   alerted when mail is sent to seed record addresses were not working as
                   intended; thus, the Service lacked assurance that the seeding process
                   provided an effective program oversight mechanism. Further, even though
                   required to do so by the licensing agreement or by prescribed program
                   procedures, during the 1996 through 1998 period we examined, the Service
                   did not always (1) conduct the minimum number of licensee audits,
                   including on-site audits; (2) promptly reaudit licensees that failed initial
                   audits; or (3) promptly or always suspend or terminate licensees that failed
                   successive audits. Also, the Service reported that it had performed more
                   licensee audits than were documented in its audit files; however, even
                   when we included these additional audits in our data, we determined that
                   the Service did not perform all audits required. We make recommendations
                   near the end of this report to address these weaknesses.

                   The Service has taken no action on our recommendation that it explicitly
                   state, in the acknowledgment form signed by customers of licensees, that
                   NCOA program-linked data are not to be used to create or maintain new-
                   movers lists (a list of postal customers who have submitted address
                   change orders to the Service, usually created for marketing purposes). We
                   continue to believe that more specific language in the acknowledgment
                   form could help ensure that use of NCOA program-linked data is limited to
                   the purposes for which they were collected. Congress may want to
                   consider intervening if it believes that the Service should act on our
                   recommendation.

Background

                   The automation of mail sorting and distribution activities with state-of-the-
                   art technology is a core component of the Service’s strategy to achieve its
                   goals for efficiency, effectiveness, and financial performance. According to
                   the Service, the success of this strategy relies, in considerable part, on the
                   Service’s ability to provide address management services that help mailers
                   accurately address their mail and adopt automation-compatible address
                   standards. The NCOA program is one of several Service address
                   management programs under the direction of the Manager, Address
                   Management, located at the National Customer Support Center in
                   Memphis, TN. The Manager reports to the Vice President, Operations
                   Planning, at Service headquarters.

                   [3] A seed record is a record inserted into a file to detect the unauthorized
                   disclosure or inappropriate release of that record or file. The practice of
                   seeding is reportedly widely used in the mailing industry to control
                   proprietary information.

The NCOA program began in 1986 and extended the use of change-of-
address information submitted by postal customers to the Service by
providing that information to business mailers for updating their mailing
lists. This is important to the Service because sorting, transporting,
delivering, and, in some cases, disposing of improperly addressed mail
costs the Service money—estimated by the Service in 1996 at about $1.5
billion a year. The Service estimated that of the 191 billion pieces of mail it
processed in 1997, incomplete or inaccurate address elements adversely
affected the delivery of about one-third, or over 63 billion pieces.

NCOA change-of-address data are widely disseminated to business mailers
through a network of 21 private businesses licensed, for a fee, by the
Service. Licensees are responsible for maintaining a complete and current
NCOA master file. Every week, the NCOA program office is to provide
licensees a copy of the latest NCOA file update via computer tape.
Licensees are to use these tapes to update the NCOA files they maintain.
These tapes include address deletions, additions, and changes.

Licensees are to use their updated NCOA master files and the address-
matching logic designed into their computer software to update addresses
on their and their customers’ mailing lists. Each licensee’s address
matching software is to be tested and approved by the NCOA program
office. The Service requires the software to meet strict performance
standards as specified in the licensing agreement, and licensees are to use
only the approved software to provide the NCOA service. In providing this
service, licensees are to update an address on a mailing list only when a
name and address on that list match a name and old address in the NCOA
file.

Service authority to disclose address information about its customers is
limited by certain privacy guarantees in two federal laws. One of them,
Section 412 of the Postal Reorganization Act of 1970, as amended (39
U.S.C. 412), provides that no officer or employee of the Postal Service shall
make available to the public by any means or for any purpose any mailing
or other list of names or addresses of postal patrons or other persons,
except for census purposes or as otherwise specifically provided by law.




              The Privacy Act of 1974 (5 U.S.C. 552a) provides individuals broader
              protection from the unauthorized use of records that federal agencies
              maintain about them and gives them right of access to those records.
              Subsection (n) of the act specifically restricts certain uses of a name and
              address as follows: “An individual’s name and address may not be sold or
              rented by an agency unless such action is specifically authorized by law.”
              More generally, under the Privacy Act, agency records may be disclosed
              provided such disclosures are compatible with the purpose for which the
              records were collected. Under subsection (m)(1) of the act, NCOA
              licensees operate on behalf of the Service and are subject to the provisions
              of the act to the same extent that employees of the Service would be.

Scope and Methodology

              To determine the actions the Service has taken in response to our
              recommendations that it prepare and implement formal written
              procedures to strengthen its oversight of the NCOA program, we
              interviewed the Manager, Address Management and National Customer
              Support Center; technical managers who oversee certain Service-
              administered address management processes and programs, including the
              NCOA program; and the NCOA program manager. We obtained and
              reviewed the two procedures manuals the Service prepared in response to
              our earlier recommendations.

              The “NCOA Procedure Guide” was undated but, according to the program
              manager, became effective beginning in about September 1996. It
              prescribes oversight procedures and processes for (1) reviewing and
              documenting reviews of licensees’ proposed NCOA-related advertisements
              and sales methods; (2) receiving, responding to, and documenting Service
              responses to postal customer NCOA-related inquiries and complaints; and
              (3) scheduling, conducting, and managing the results of Service audits of
              NCOA program licensees. The second manual, the “NCOA Integrity
              Procedures Manual,” dated October 1998, describes seed records, their
              purposes, and the procedures and organizational responsibilities for
              carrying out the seeding process.

              To verify that written procedures were being followed and assess whether
              they responded to our recommendations, we (1) discussed the procedures
              with the NCOA program manager and other managers and staff
              responsible for program operations and oversight; and (2) reviewed
              records and files documenting the oversight processes of seeding,
              responding to and resolving postal customer inquiries and complaints,
              reviewing licensees’ proposed advertisements, and auditing licensees.
              Specifically, we discussed the seeding process with the program office’s
              project leader, who had primary responsibility for carrying out the
process. We reviewed reports and documentation related to the seeding
process, including tests of the process for alerting NCOA program officials
to the possible release of seed record addresses, during the January 1996
through March 1999 period.

We had discussions with the program manager responsible for handling
customer inquiries and complaints and reviewed program files and
records. We had no way to determine whether all inquiries and complaints
received at the program office were logged and responded to. However, we
randomly selected 18 of the 32 file drawers where inquiry and complaint
records were stored, and we reviewed the entire contents of each. We
discussed selected examples with the program office technical staff
responsible for researching and responding to customer concerns.

We examined documentation of licensees’ NCOA-related advertisements
that had been submitted to and reviewed and approved/disapproved by the
Service as required by the licensing agreement and specified in the NCOA
Procedure Guide. We reviewed all available documentation in the program
office’s official licensee files, and we discussed selected examples of
advertisements with the program office staff responsible for the review
and approval process.

For the licensee audit process, we reviewed the results of all audits
conducted from September 1995 through March 1999 that were
documented in the program office’s audit files. We discussed the audits
with the program manager and reviewed examples of audit results with
responsible program office staff.

To assess the Service’s response to our recommendation that the Privacy
Act-related restriction on the use of NCOA-linked data to create new-
movers lists be communicated explicitly to licensees’ customers, we
discussed the issue with the Service’s Chief Counsel, Consumer Protection
Law; a Service Senior Attorney in Washington, D.C.; and the Manager,
Address Management, in Memphis.

We conducted our review between September 1998 and May 1999 in
accordance with generally accepted government auditing standards. We
requested comments on a draft of this report from the Service and
received written comments from the Postmaster General, which we have
included in appendix I. His comments are discussed near the end of this
report.




Program Oversight Strengthened, but Seeding Process Weaknesses Still Exist

                         The Service has taken steps to strengthen its oversight of the NCOA
                         program and help ensure that the program operates in compliance with the
                         privacy provisions of federal laws. The Service has developed and
                         implemented written procedures formalizing its oversight processes and
                         responsibilities for (1) seeding NCOA address change updates released to
                         licensees, (2) addressing customer NCOA-related inquiries and complaints,
                         and (3) reviewing and approving licensees’ proposed advertisements
                         promoting NCOA-related services. However, our review revealed that the
                         procedures the Service developed to ensure that mail sent to seed record
                         addresses is appropriately identified, and the program office alerted to a
                         possible release of a seed record address by a licensee, were not working
                         as intended. As a result, the Service has no assurance that the seeding
                         process provided an effective oversight mechanism.

Use of Seed Records

                         In 1996, we found several weaknesses in the Service’s practice of using
                         seed records as an oversight measure to detect the improper release of
                         NCOA data by licensees. We recommended that the Service develop and
                         implement formal, written procedures that addressed the responsibilities
                         and timetables for using the seeding process as an oversight mechanism.
                         Our more recent work at the NCOA program office showed that, in
                         response to our recommendations, the Service prepared formal written
                         procedures that delineate program office responsibilities for carrying out
                         the seeding process. Further, our work showed that the written
                         procedures were generally being followed. However, we found another
                         problem—the program’s process for alerting program officials that mail
                         was sent to a seed record address (and therefore a licensee had possibly
                         released a seed record address) was not working as intended. As a result,
                         the Service had no assurance that the seeding process was providing the
                         program oversight intended.

                         According to NCOA program officials, the process of seeding NCOA files
                         provides program oversight by helping to detect and deter the improper
                         release of NCOA data by licensees. They said that NCOA file updates have
                         been seeded since the program began in 1986. Seed records are fictitious
                         name and address data that the program office periodically places in
                         NCOA file updates provided to licensees. These names and addresses are
                         designed uniquely and do not identify postal customers who have moved
                         and submitted mail-forwarding forms to the Service, or any other postal
                         customer. Therefore, licensees should not be able to match the seed
                         record names and addresses with names and addresses on their mailing
                         lists or their customers’ mailing lists when using the Service-approved
                         name and address-matching computer software.




Service procedures state that mail sent to a seed record address is to be
intercepted by the local post office and photocopied. The photocopy is to
be returned to the NCOA program office, thereby alerting program officials
of the possibility that a licensee has improperly released a seed record
address. Program officials could then identify the licensee that released
the seed record by tracing it back to the licensee that received (and
subsequently released) the seed record. According to program officials,
licensees are aware that NCOA file updates are seeded but are not able to
identify the seed records.

In our 1996 review, we found that the Service had informal, unwritten
procedures for seeding. Specific responsibilities and timetables for
carrying out the seeding process were not delineated. We found that,
because of inattention to program management, seed record addresses for
a 9-month period in 1993 and 1994 were inadvertently not included in
licensee file updates. Thus, the Service’s oversight of the program through
use of the seeding process was not in effect during this period.

Subsequent to our 1996 review, the Service developed written procedures
that describe seed records; their purpose; and the procedures,
responsibilities, and timetables for implementing and using the seeding
process as an oversight mechanism. The procedures include steps such as
developing the seed record addresses, placing them into the licensees’
NCOA file updates at specified times, and testing the retrieval process for
mail sent to seed record addresses. On the basis of our discussions with
NCOA officials and our review of seeding files and reports, it appears that
program office staff were following most of the written procedures. For
example, files we examined showed that 10,000 to 20,000 seed records
were implanted in licensees’ databases continuously throughout the period
January 1996 through March 1999. Also, as required by the procedures, the
Service annually added new seed records to the licensees’ master file
updates.

However, we found that Service “tests” of the seeding process revealed
that procedures for alerting program officials that mail had been sent to a
seed record address were not working as intended. Specifically, we found
that the NCOA program office was not always alerted by postal delivery
units when test mail was sent to seed record addresses. As a result, the
Service could not be assured that it would be appropriately alerted if
actual mail were to be sent to seed record addresses. In turn, the Service
could not be assured that it would always be made aware that a licensee
had released a seed record address, should this occur.




According to the Service, instructions for appropriately identifying and
notifying program officials of mail sent to seed record addresses are sent
by the program office to affected postal delivery units throughout the
postal system each year. Periodically, the program office sends mail to
seed record addresses to test whether the identification and notification
process for mail sent to seed record addresses is working properly. If it is
working properly, the applicable delivery units will identify mail sent to
seed record addresses and return a photocopy of it to the program office,
thereby alerting program officials that mail was sent to a seed record
address.

However, we found that local delivery units were not always appropriately
alerting program officials when test mail was sent to seed record
addresses. Data provided to us by the program office showed that program
officials were appropriately notified of only about 6 percent of nearly 1,000
test mailings sent out during the period October 1998 to February 1999.
The program office did not have complete records showing the results of
test mailings prior to this period.
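
The seeding and alerting process described above, sketched as an added example (not part of the GAO report and not the Service's own procedure): seed records are derived per licensee so that an intercepted mailpiece can be traced to the file that carried the address, and a round of test mail is scored to show whether the alert channel works. The record layout, licensee and delivery-unit names, the one-licensee-per-seed rule and the 95 percent threshold are assumptions.

```python
"""Seed-record (canary) sketch: issue, trace, and test the alert channel."""
import hashlib
import hmac
from collections import Counter

# Constructed vocabulary for fictitious names and addresses.
SURNAMES = ["Quillon", "Varrick", "Ostrand", "Belmere"]
STREETS = ["Alder", "Birch", "Cedar", "Dogwood", "Elm", "Fir"]
CITIES = ["Fairhaven", "Lakemont", "Ridgeway"]


def normalize(address):
    """Canonical form for matching: upper case, single spaces."""
    return " ".join(address.upper().split())


def make_seed(secret, licensee, n):
    """Derive the n-th fictitious record for one licensee from a keyed hash."""
    d = hmac.new(secret, f"{licensee}|{n}".encode(), hashlib.sha256).digest()
    number = 100 + int.from_bytes(d[0:2], "big") % 9000
    zip5 = int.from_bytes(d[4:7], "big") % 100000
    return {
        "name": f"{chr(65 + d[7] % 26)} {SURNAMES[d[3] % len(SURNAMES)]}",
        "address": f"{number} {STREETS[d[2] % len(STREETS)]} St, "
                   f"{CITIES[d[8] % len(CITIES)]} {zip5:05d}",
    }


def seed_update(secret, licensee, real_records, count, registry):
    """Return this licensee's file update with `count` seed records mixed in.

    registry maps normalized seed address -> licensee that received it
    (assumption: each seed goes to exactly one licensee).
    """
    real = {normalize(r["address"]) for r in real_records}
    seeds, n = [], 0
    while len(seeds) < count:
        seed = make_seed(secret, licensee, n)
        n += 1
        key = normalize(seed["address"])
        if key in real or key in registry:
            continue  # must not identify a real customer or repeat a seed
        registry[key] = licensee
        seeds.append(seed)
    # Order by keyed hash so position in the file does not reveal the seeds.
    return sorted(
        real_records + seeds,
        key=lambda r: hmac.new(secret, normalize(r["address"]).encode(),
                               hashlib.sha256).digest(),
    )


def trace(registry, mailpiece_address):
    """Map the address on an intercepted mailpiece to the receiving licensee."""
    return registry.get(normalize(mailpiece_address))


def alert_channel_report(test_mailings, photocopies_returned, min_rate=0.95):
    """Score a round of test mail sent to seed addresses.

    test_mailings: list of (mail_id, delivery_unit) sent by the program office.
    photocopies_returned: set of mail_id for which a photocopy came back.
    min_rate is an assumed threshold, not a figure from the report.
    """
    missed = Counter(u for m, u in test_mailings if m not in photocopies_returned)
    sent = len(test_mailings)
    returned = sent - sum(missed.values())
    rate = returned / sent if sent else 0.0
    return {"sent": sent, "returned": returned, "rate": rate,
            "effective": rate >= min_rate, "follow_up": sorted(missed)}


if __name__ == "__main__":
    secret = b"constructed-demo-key"          # constructed sample key
    registry = {}
    real = [{"name": "J DOE", "address": "12 Main St, Springfield 00001"}]
    for lic in ("LICENSEE-A", "LICENSEE-B"):  # constructed licensee names
        seed_update(secret, lic, real, 3, registry)
    leaked = next(a for a, lic in registry.items() if lic == "LICENSEE-B")
    print("mail to", leaked, "->", trace(registry, leaked))
    mailings = [(f"T{i:03d}", f"UNIT-{i % 5}") for i in range(50)]
    print(alert_channel_report(mailings, {"T000", "T001", "T002"}))
```

With 3 of 50 constructed test mailings returned, the report shows a 6 percent notification rate and lists every delivery unit for follow-up; at that rate a real release of a seed address would most likely go unnoticed however well the seeds were placed.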

Although the program office has procedures for following up with delivery
units when these units do not handle test mail appropriately, program
office reports on test mail results showed that these procedures were not
always followed. The program manager said that the process of sending
test mail to seed record addresses, and following up with the appropriate
delivery units when test mail was not returned, had been a manual
process; however, because the process was labor intensive, it was
automated in early 1999. The program manager said that, because the
process is automated, when program officials are not appropriately
notified that a delivery unit received test mail, the system will
automatically generate correspondence advising the delivery unit manager
that procedures were not followed for test mail sent to a seed record
address. According to program officials, the automated process was only
recently implemented. Therefore, its effectiveness in identifying and
correcting problems in handling test mail sent to seed record addresses
had not been determined at the time of our review.

Determining why delivery units did not always appropriately notify NCOA
program officials when test mail was received was not within the scope of
our review. Further, delivery units are in a different Service organizational
component and are not under the authority of NCOA program officials.
However, until the process for appropriately identifying test mail and
notifying program officials when test mail is sent to seed record addresses
is working completely as intended, the Service cannot be assured that
                            program officials would be appropriately notified if actual mail were sent
                            to seed record addresses. In turn, the Service cannot be assured that the
                            seeding process would detect an improper release of NCOA data by a
                            licensee.

Program-Related Inquiries and Complaints

                            In our 1996 review, we found that the NCOA program office’s complaint
                            investigation process was informal and lacked structure. We were
                            therefore unable to assess the effectiveness of the complaint process as a
                            program oversight mechanism. We recommended that the NCOA program
                            office develop and implement written oversight procedures providing for
                            the systematic recording of all NCOA-related complaints received,
                            including actions taken to resolve the complaints. On the basis of our
                            recent review, we believe that the actions taken by the Service provide the
                            formal structure needed to ensure that the complaint investigation process
                            could be an effective licensee oversight mechanism.

                            In our earlier review, NCOA program officials told us that they investigate
                            program-related inquiries and complaints from postal customers,
                            licensees, and the licensees’ customers to provide another program
                            oversight and control mechanism. They said that inquiries and complaints
                            were important because they can alert the Service to possible problems
                            involving the quality of NCOA program services that licensees are
                            providing, as well as to instances of licensees’ noncompliance with the
                            terms and provisions of the licensing agreement. However, the office could
                            not provide us with any evidence of a process for logging inquiries and
                            complaints received, investigating them, and reporting the results of the
                            investigations internally or to the inquirers or complainants.

                            In our most recent review, we found that the procedure guide contained
                            written procedures providing formal structure to the program’s process for
                            receiving, researching, and responding to customer inquiries and
                            complaints and documenting the results of these actions. Our examination
                            of the program office’s inquiry and complaint files, combined with our
                            discussions with program office managers and staff, showed that the
                            procedures had been implemented. Specifically, we found documentation
                            showing that (1) NCOA-related inquiries and complaints had been entered
                            into an electronic tracking system and (2) research and analysis needed to
                            respond to inquiries and complaints had been conducted and, where
                            appropriate, responses provided.

                            The NCOA program manager told us that since about September 1997,
                            over 38,000 inquiries and complaints had been logged into a database at
                            the program office. Documentation relating to these inquiries and
                  complaints was retained in 32 file drawers located in the program office.
                  Although we had no way to verify that all inquiries and complaints
                  received were logged in and responded to, we randomly selected 18 of
                  these drawers and reviewed the entire contents of each. On the basis of
                  this review and our discussions with program managers and staff, it
                  appears that the Service was following procedures and appropriately
                  utilizing inquiries and complaints as a program oversight mechanism.

Program-Related Advertising

                  We reported in 1996 that we had been unable to fully evaluate the
                  effectiveness of the NCOA program office’s oversight of licensees’
                  program-related proposed advertising as prescribed in the licensing
                  agreement because program officials had not documented their oversight
                  efforts. We recommended that the Service develop and implement written
                  oversight procedures for obtaining and reviewing licensees’ program-
                  related proposed advertisements, documenting the review, and notifying
                  licensees of the results within the time period prescribed in the licensing
                  agreement. On the basis of the results of our current review, we believe
                  that the Service has substantially complied with our recommendations and
                  has in place a formalized process for ensuring generally that licensees’
                  proposed advertising is in compliance with the provisions of the licensing
                  agreement.

                  The licensing agreement requires licensees to adhere to Service guidelines
                  relating to the wording, content, and design of proposed advertisements
                  that mention the NCOA program to ensure that the relationship between
                  licensees and the Service is correctly represented. In addition, the
                  licensing agreement requires that all licensee advertisements be pre-
                  approved by the NCOA program office prior to their use. According to the
                  agreement, the program office is to provide licensees a written notice of its
                  approval or disapproval of proposed advertisements within 20 days of
                  receipt of this material, or the licensees may consider the proposed
                  advertisement approved.

                  In our earlier review, however, we found little documentation of an
                  advertisement review process, and it appeared that NCOA program
                  officials did not always review licensees’ program-related advertisements.
                  For example, we found that at least two licensees had submitted proposed
                  advertisements for review that contained material promoting the
                  availability of new-movers lists linked to NCOA data, which was in
                  violation of the licensing agreement. Even though licensees were
                  precluded by the licensing agreement from advertising the availability of
                  new-movers lists based in any part on NCOA-related data, program
                  officials took no action to disapprove the advertisements.







                      In our most recent review, we found that the program office’s oversight of
                      NCOA-related proposed advertisements had improved, and licensees were
                      generally meeting the terms of the licensing agreement related to
                      advertising. Specifically, we found that licensee files in the program office
                      contained varying types and amounts of proposed advertisements. In
                      addition, most of the advertisements submitted for approval had a
                      document noting either the approval or disapproval of the advertisement
                      within the 20-day period prescribed. If the advertisement had been
                      disapproved, reasons for the disapproval and suggested changes were also
                      documented.

                      Although we reviewed all advertisements contained in the program office
                      files, we had no way to determine whether licensees had submitted all of
                      their advertisements for review. Program officials told us, however, that
                      office staff regularly review publications where licensees are known to
                      advertise frequently to help verify that the licensees are using only
                      approved advertisements. In addition, we found examples of
                      advertisements that had not been approved and the related follow-up
                      correspondence with the licensees. Program officials told us that when
                      these situations are discovered, they contact the licensee and require a
                      written explanation. In December 1998, the program office sent letters to
                      all of the licensees stating that effective January 1, 1999, if a licensee fails
                      three times within a 1-year period to obtain program office approval before
                      an NCOA-related advertisement is used, the licensee may be suspended
                      from the NCOA program.

Requirements for Licensee Audits and Suspensions Not Met

                      Our 1996 review disclosed that licensee audit files at the NCOA program
                      office were poorly maintained, and that the number of licensee audits
                      conducted by the program office was unclear. As a result, we could not
                      determine whether the Service’s licensee audits were providing effective
                      and meaningful oversight of licensees’ compliance with the licensing
                      agreement or the applicable privacy provisions of federal law. We
                      recommended that the Service enforce the provision of the licensing
                      agreement that licensees be audited a prescribed minimum number of
                      times each year and suspend or terminate, as appropriate, licensees that
                      fail consecutive audits.

                      Our follow-up review of licensee audit files at the program office revealed
                      that problems similar to what we found earlier still existed. Specifically,
                      we found that the program office had not (1) performed the required
                      minimum number of annual licensee audits, (2) performed the required
                      minimum number of on-site licensee audits every 24 months, (3)
                      performed timely licensee reaudits after a failed audit, and (4) always or
promptly suspended or terminated licensees that failed two consecutive
audits. Further, it appears that the licensee audit files at the program office
were still incomplete because program officials told us that they had
performed more on-site audits than could be verified by documentation in
the audit files. Nevertheless, even when these additional audits are taken
into consideration, we determined that the Service did not perform all
audits required.

The licensing agreement requires licensees to pass three audits each year,
and the Service’s procedure guide specifies that the program office is to
audit each licensee a minimum of three times per year. Also, at least one
on-site audit is to be conducted at the premises of each licensee every 24
months. On-site audits can be unannounced and include both tests of the
licensees’ NCOA software accuracy and verification of the licensees’
compliance with other provisions of the licensing agreement, such as the
provision that licensees prevent unauthorized access to the NCOA file.
Audits not conducted on-site are administered by the program office
through a test computer tape mailed to the licensees. According to
program officials, these audits focus on the comprehensive assessment of
the accuracy of the licensees’ NCOA name and address-matching software.

The licensing agreement sets a strict standard of 99-percent accuracy for
licensees’ name and address-matching software that is to be rigorously
tested in the audit process. Licensee software that does not meet the
standard is to fail the audit. NCOA program officials told us that when a
licensee fails an audit, they notify the licensee by telephone. Additionally,
the Service’s Contracting Officer, who is located at the Service’s
headquarters in Washington, D.C., officially notifies the licensee of the
audit failure by sending a written 30-day “Cure Notice” with a description
of the deficiencies identified in the audit. When the licensee notifies the
program office that the deficiencies have been corrected, or after the 30-
day period has expired, whichever comes first, the NCOA program office is
to reaudit the licensee.

Although in practice the Service does not suspend licensees that fail an
initial audit, its procedure guide states that the Service can suspend
licensees that fail audits and do not correct the deficiencies identified by
the end of the 30-day period. The suspension may continue until the
deficiencies have been corrected and confirmed by a reaudit. Further, the
license agreement provides that licensees that fail two consecutive audits
are to be suspended or terminated. Upon a third consecutive audit failure,
licensees are to be terminated. Because of the contractual relationship
between the Service and the licensees, only the Contracting Officer, who is
not under the authority of the NCOA program office, may suspend or
terminate licensees.

Service licensee audits are designed to check for both the failure of the
software to make correct name and address matches and for instances
where the software produces an incorrect match. The failure of a
licensee’s software to make appropriate matches can result in the licensee
not providing its customers all the address corrections that should be
provided through the NCOA program service. Incorrect matches, which
are more serious, can result in the licensee improperly releasing new
addresses from the NCOA database in violation of privacy law. The
procedure guide states that incorrect matches found during an initial audit
will result in an automatic audit failure, and that the licensee will be
required to immediately make the necessary software corrections and will
be reaudited.

According to the licensing agreement, Service licensee audits are an
important oversight measure for helping to ensure that the provisions and
performance standards of the licensing agreement are met, the integrity of
the address correction services licensees provide is maintained, and the
program operates in compliance with privacy guarantees of federal law.
Because licensees’ NCOA software that fails an audit is not performing to
the prescribed licensing standards, we believe that (1) performing the
required number of licensee audits, (2) promptly reauditing licensees that
fail audits, and (3) promptly suspending or terminating licensees that fail
successive audits are important features of the Service’s responsibility to
help ensure the integrity of the NCOA program.

However, according to the documentation in the licensee audit files at the
program office and other information provided by the Service indicating
that additional audits had been performed, the program office did not
perform the minimum number of annual licensee audits prescribed by its
procedure guide during fiscal years 1996 through 1998. Table 1 illustrates
that in fiscal year 1996, the Service did not audit 7 of 25 licensee systems
the required minimum number of 3 times; in fiscal year 1997, 10 of 25
licensee systems were not audited the required minimum number of 3
times; and in fiscal year 1998, 8 of 25 licensee systems were not audited the
required minimum number of 3 times.⁴

⁴ Licensees may have more than one NCOA software matching computer system. During the period of
our review, 17 licensees operated a single system, and 4 licensees each operated 2 separate systems,
for a total of 25 systems.








                                       Table 1: Summary of Number of Annual Audits Performed on 25 Licensee
                                       Systems for Fiscal Years 1996-1998

                                                               Systems receiving
                                       Fiscal year     3 audits     2 audits     1 audit
                                       1996            18 (72%)      7 (28%)           0
                                       1997            15 (60%)      9 (36%)      1 (4%)
                                       1998            17 (68%)      6 (24%)      2 (8%)

                                       Note: Total licensee systems include all 25 computer systems providing NCOA program services.
                                       Source: GAO analysis of licensee audit documentation in NCOA program office files and additional
                                       information provided by the Service.

                                       Moreover, because the program office did not always perform the
                                       minimum number of annual licensee systems’ audits prescribed by its
                                       procedure guide, licensees were not always required to prove the integrity
                                       of their systems by passing at least three audits each year, as specified in
                                       the licensing agreement. Specifically, documentation in the licensee audit
                                       files at the program office, combined with additional documentation
                                       provided to us by program officials, showed that in fiscal year 1996 only 12
                                       (48 percent) of 25 licensee systems passed the minimum of 3 audits; in
                                       fiscal year 1997, only 7 (28 percent) of 25 systems passed 3 audits; and in
                                       fiscal year 1998, only 9 (36 percent) of 25 systems passed 3 audits. Thus,
                                       the Service cannot be assured that licensees are consistently providing the
                                       address correction services intended by the program or consistently
                                       releasing only name and address data permitted by law.

                                       In addition, according to documentation in the audit files and additional
                                       information provided by program officials, the program office did not
                                       conduct at least one on-site audit of each licensee system every 24 months
                                       as prescribed by the procedure guide. Only 18 licensee systems received
                                       on-site audits during the 42-month period we reviewed; also, as of May
                                       1999, 14 licensee systems were overdue for an on-site audit.

                                       Further, according to documentation in the audit files and the additional
                                       information provided by program officials, the program office did not
                                       always do timely reaudits of licensees that failed initial audits. We believe
                                       that promptly reauditing licensees that fail initial audits is important to
                                       ensure program integrity because after failing an initial audit, licensees are
                                       permitted to continue providing NCOA program services with software
                                       that does not comply with performance standards specified in the
                                       licensing agreement. However, as table 2 shows, of 35 licensee system
                                       audit failures during the period we reviewed, 9 systems were not reaudited
                                       until 61 to 90 days after the initial audit failure; and 3 were not reaudited
                                       until over 90 days after the initial audit failure.








                                         Table 2: Number of Days Between NCOA Licensee’s Failed Audit and
                                         Subsequent Reaudit Between Fiscal Year 1996 and March 1999

                                         Days                         Total number of reaudits for timespan
                                         30 days or less                                                 10
                                         31 to 60 days                                                   13
                                         61 to 90 days                                                    9
                                         Over 90 days                                                     3
                                         Total number of reaudits                                        35

                                         Source: GAO analysis of licensee audit documentation in NCOA program office files and additional
                                         information provided by the Service.

                                         We noted that one licensee system reaudit in the “over 90 days” category
                                         was not completed until 210 days after the failed initial audit. Because this
                                         audit failure involved an incorrect name and address match—an automatic
                                         failure because of the possibility that the licensee was releasing name and
                                         address data in violation of privacy law—for this 210-day period, the
                                         licensee could have been inappropriately releasing NCOA-related data.

                                         Finally, we found three instances where licensees failed two consecutive
                                         audits yet were not promptly suspended, suspended at all, or terminated
                                         from the program. One licensee failed two successive audits and was not
                                         suspended until 17 days after the second audit. Another licensee failed two
                                         successive audits and was not suspended until 67 days after failing the
                                         second audit. A third licensee failed two successive audits and was never
                                         suspended. That licensee received a passing score on the third audit,
                                         which was conducted 147 days after the initial failed audit. According to
                                         the licensing agreement, licensees that fail two successive audits are to be
                                         either suspended or terminated from the program. By not promptly
                                         suspending or terminating these licensees, the Service allowed these
                                         licensees to continue providing NCOA program services for varying
                                         periods of time with software that was not in compliance with the
                                         performance standards specified in the licensing agreement.

                                         Program officials told us they had performed more on-site audits than
                                         could be verified by evidence in the audit files, but they were initially
                                         unable to provide us with supporting documentation. However, after we
                                         had completed our audit work at the program office, program officials sent
                                         us documentation indicating that 18 licensee systems had received on-site
                                         audits during the period we reviewed—10 more than indicated by
                                         documentation we had found in the program office audit files. The
                                         documentation the Service sent us consisted of recently signed statements
                                         from officials of some licensees indicating that these additional on-site
                                         audits had been performed.








                       Even after counting these additional audits reported by the Service, we
                       determined that it did not perform the minimum number of annual audits
                       or on-site audits required during the periods included in our review. This
                       deficiency in the number of audits performed, coupled with the lack of
                       documentation in the audit files evidencing all of the audits reported by
                       the Service, indicated that the NCOA program audit process was not a fully
                       effective oversight mechanism.

                       The NCOA program manager attributed these problems—not performing
                       the required minimum number of annual audits and on-site audits, not
                       performing timely reaudits, and not promptly suspending or terminating
                       licensees that failed successive audits—to (1) an insufficient number of
                       staff to handle the program office’s increasing workload; (2) high rates of
                       turnover among program audit staff during this period, which reduced the
                       number of experienced auditors; and (3) the need to assign program office
                       staff to respond to an unexpectedly high volume of customer calls to the
                       program office regarding the Service Move Update program implemented
                       in 1997.⁵

Service Believes Privacy Restrictions Do Not Apply to the Secondary Use of NCOA Data

                       Previously, we reported that the Service had not clearly communicated
                       through NCOA program licensees to the licensees’ customers the privacy
                       law-related restriction on the use of NCOA-linked data to create or
                       maintain new-movers lists. Specifically, the Service had not stated in the
                       NCOA Processing Acknowledgment Form that NCOA data are not to be
                       used to create or maintain new-movers lists. The licensing agreement
                       requires licensees to have their customers sign this form before receiving
                       NCOA-linked services.

                       The Service, however, had communicated this restriction to the licensees
                       in the licensing agreement. The licensing agreement stated, in part, that
                       “Information obtained or derived from the NCOA File or service shall not
                       be used by the Licensee, either on its own behalf or knowingly for its
                       customers, for the purpose of creating or maintaining new-movers lists.”
                       The Service stated that it placed this restriction on licensees as a “good
                       business practice” and to address concerns raised by Congress and the
                       public, not because use of the NCOA-linked data to create or maintain
                       new-movers lists was restricted under the Privacy Act.




                       ⁵ Move Update, implemented by the Service in July 1997, required First-Class presort and automation
                       rate customers to update mailing lists using Service-approved address-correction services within 6
                       months prior to the date of any mailing on which a postage discount would be claimed.








We disagreed with the Service’s assessment of the Privacy Act and
expressed our view that use of NCOA-linked data by a licensee to create a
new-movers list would not be consistent with the limitations imposed by
the act. We recommended that the Service use the acknowledgment form
that licensees’ customers are to sign to explicitly notify the customers that
the use of NCOA-linked data to create or maintain new-movers lists is not
permitted.

The Service disagreed with our recommendation in 1996 and stated that it
believed that (1) a restriction on the creation and maintenance of new-
movers lists from NCOA-linked data was not required by privacy law, (2)
enforcement of such a restriction on customers of licensees would be
impracticable, and (3) we had misinterpreted the purpose of the
acknowledgment form when we said that it was “to limit the use of NCOA-
linked data by the customers of licensees.”

Our recent review showed that the Service has not implemented our
recommendation that it amend or revise the acknowledgment form to
explicitly convey this restriction to the customers of licensees. Service
officials believe that the design and implementation of the NCOA program
fully complies with applicable federal privacy laws.

Service attorneys responsible for this issue told us that the Service
continues to believe that the use of NCOA-linked data to create or
maintain new-movers lists is not restricted by the Privacy Act. With regard
to licensees, the Service’s position stems from the view that a licensee
wears two hats—one when performing address correction services as an
agent of the Service and another as a private business. In the Service’s
view, after a licensee performs address correction services as an agent of
the Service, it is then free under the Privacy Act to use NCOA-linked data
to create or maintain new-movers lists. With regard to the licensees’
customers, the attorneys said that the Service has no responsibility to
attempt to restrict the use of NCOA-linked data by a private business with
which it has no legal relationship.

We disagree. The Service collects change-of-address information from
postal customers for the limited purposes of address list correction and
mail forwarding, not for the purpose of creating and maintaining new-
movers lists. Therefore, we continue to believe that use of NCOA-linked
data to create or maintain new-movers lists by licensees of the Service,
who are viewed under the Privacy Act as if they were employees of the
Service, would not be consistent with the limitations imposed by the
Privacy Act. Further, we continue to believe that more specific language in
              the acknowledgment form that licensees’ customers sign could help ensure
              that use of NCOA-linked data is limited to the purposes for which it was
              collected.

Conclusions

              Through the NCOA program, the Service has extended the use of address
              change information that its customers report for mail forwarding purposes
              to provide business mailers with current name and address and address-
              format information for customers on their mailing lists. This program helps
              ensure that postal customers’ mail is more accurately addressed and
              thereby reduces Service costs associated with additional handling of
              improperly and inaccurately addressed mail. However, by creating a postal
              customers’ change-of-address database, the Service is obligated to use and
              protect the data in compliance with the constraints of applicable federal
              privacy laws.

              The Service has been partially responsive to our previous
              recommendations to strengthen oversight of the NCOA program in that it
              developed and implemented written procedures for (1) seeding NCOA file
              updates released to licensees and (2) reviewing, responding to, and
              documenting customers’ NCOA-related inquiries and complaints and
              licensees’ NCOA-related advertising. However, the Service has not
              effectively implemented program procedures and requirements for (1)
              ensuring that it is appropriately alerted when mail is sent to seed record
              addresses, (2) auditing and reauditing licensees, and (3) suspending or
              terminating licensees that fail successive audits.

              Although in early 1999 the Service made procedural changes that it
              believes will help ensure that mail sent to seed record addresses is
              appropriately brought to its attention, it is too early to determine the
              effectiveness of those changes. In addition, the Service reported that it had
              performed more licensee on-site audits than were documented in licensee
              audit files at the NCOA program office. However, the effectiveness of the
              licensee audit process as a program oversight mechanism is diminished
              when the Service does not perform all required audits and does not
              document the audit results.

              Until these program oversight and enforcement procedures are effectively
              implemented and documented, the Service cannot be assured that (1) the
              process of seeding NCOA file updates provided to licensees will be
              effective in alerting the Service to licensees’ improper releases of NCOA
              data, (2) licensees are audited to ensure that they are in full compliance
              with federal privacy law and NCOA program requirements, and (3)
                licensees not in compliance are precluded from continuing to receive and
                disseminate program data.

                Although the NCOA program office is responsible for auditing and
                reauditing licensees, the problems we identified related to ensuring the
                effectiveness of seeding NCOA file updates as an oversight mechanism,
                and delays in suspending or terminating licensees that fail two consecutive
                audits do not appear to be completely under its control. Local postal
                delivery units that are in a different Service organizational component and
                are not under the authority of NCOA program officials appear to be
                involved in the former problem. Only the Contracting Officer, also in a
                different organizational component and not under the authority of NCOA
                program officials, has authority to suspend or terminate licensees from the
                NCOA program.

                Finally, in spite of the recommendation we made in our previous report,
                the Service has not changed the acknowledgment form to explicitly convey
                to licensees’ customers the restriction against using NCOA-linked data to
                create or maintain new-movers lists. The Service also has not changed its
                position that it has no responsibility to attempt to restrict the use of
                NCOA-linked data by licensees’ customers with whom it has no legal
                relationship. We disagree with the Service. We continue to believe that by
                including specific language in the acknowledgment form signed by
                licensees’ customers that they should not use NCOA-linked data to create
                or maintain new-movers lists, the Service would help to ensure that NCOA
                program data are used only for the purposes for which such data were
                collected.

Matter for Congressional Consideration

                If Congress is concerned about the failure of the Postal Service to
                implement the recommendation we made in our prior report concerning
                the creation and maintenance of new-movers lists by customers of its
                licensees, it may wish to amend the Postal Reorganization Act of 1970. An
                amendment could either (1) expressly prohibit the use of change-of-
                address data by licensees and their customers in the creation or
                maintenance of new-movers lists or (2) specifically require the Service to
                have its licensees and their customers acknowledge in writing that they
                have been informed and understand that change-of-address data may not
                be used for any purpose not authorized by law, including the creation or
                maintenance of new-movers lists.








Recommendations

                        To help ensure that the NCOA program operates in compliance with
                        applicable provisions of federal privacy law and NCOA program
                        requirements, we are making the following recommendations.

                      • The Postmaster General should ensure that NCOA program officials (1)
                        conduct the minimum number of annual and on-site audits, as well as
                        reaudits of licensees as required by the licensing agreement and the
                        program procedure guide and (2) document in the program office files
                        licensee audits performed, the results of those audits, and actions taken.

                      • The Postmaster General should also ensure that NCOA program officials
                        and other appropriate Service officials coordinate actions to

                           • identify and correct weaknesses in the process of alerting program
                             officials when mail is sent to seed record addresses so that the
                             process works as intended and

                           • ensure that licensees that fail successive audits are promptly
                             suspended or terminated, as appropriate, from the program or that
                             the licensing agreement is revised to reflect Service policy regarding
                             when licensees will be suspended or terminated.

Agency Comments and Our Evaluation

                        On July 19, 1999, we received written comments from the Postmaster
                        General on a draft of this report. Among other points he made about the
                        NCOA program, the Postmaster General stated that the Service believes
                        that the program is a valuable service that directly benefits ratepayers by
                        contributing to the stabilization of postage rates. Regarding the Matter for
                        Congressional Consideration and our position that the Service should
                        explicitly convey to licensees’ customers the restriction against using
                        NCOA-linked data to create or maintain new-movers lists, he stated that
                        the Service continued to believe that it has neither the legal responsibility
                        nor the practical ability to regulate how the owners of mailing lists may
                        use those lists once they have been matched against the NCOA database.
                        He said that without an effective way to enforce a prohibition on the
                        creation of new-movers lists, such as sending Postal Inspectors into
                        mailers’ plants, revising the acknowledgment form to explicitly prohibit
                        their use would be an empty gesture.

                        We recognize the Service’s view regarding the challenges associated with
                        enforcing a restriction on licensees’ customers with whom they have no
                        contractual relationship. Nevertheless, as discussed in this report, the
                        Service collects change-of-address information for the limited purposes of
                        address list correction and mail forwarding, not for the purposes of
creating and maintaining new-movers lists. Thus, in our view, the
challenges associated with enforcement should not preclude the Service
from notifying and receiving acknowledgment from licensees’ customers
that use of NCOA-linked data to create new-movers lists is not permitted.
Given that our views on this issue differ from the Service’s, we believe that
our suggestion that Congress consider the issue remains appropriate.

The Postmaster General generally agreed with our recommendations for
improving oversight of the NCOA program. Specifically, he stated that
regarding our recommendation concerning the periodic audits and
reaudits of licensees as required by the license agreement and the program
procedure guide, the Service understands the importance of licensee
oversight through regularly scheduled audits and has taken steps to ensure
that the required audits will be performed for each licensee each year. He
stated, however, that because these audits, particularly the on-site audits,
are labor intensive and can be performed only by technically
knowledgeable staff, on occasion it may be necessary to defer some audits
temporarily in order to have the resources available for other high-priority
tasks. He stated that, nevertheless, the Service would make every effort to
keep the licensee audit schedule current.

The Postmaster General stated that the Service also agreed with the
second part of our recommendation concerning the need for more
thorough documentation of licensee audits, the results of those audits, and
the actions taken. He stated that the NCOA program office has already
implemented the recommendation and developed a standardized
documentation process that accurately reports the results of audits.

Regarding our recommendation to strengthen the process for alerting
program officials when mail is sent to seed record addresses, the
Postmaster General stated that the Service believes that the improvements
currently being implemented will fully respond to the concerns we raised
and that these improvements should be implemented nationally by
September 1999. Regarding our proposed recommendation that the
Service comply with the provisions of the licensing agreement to suspend
or terminate licensees that fail successive audits, the Postmaster General
stated that while the Service agrees with the recommendation, it thinks it
is important to evaluate each audit failure on its own merits because it is in
the best interest of the Service to work with licensees in ensuring that their
systems work properly and are compatible with NCOA’s programs. He
further stated that, when warranted and appropriate, the Service would
invoke these provisions against licensees to preserve the integrity of the
program and to protect the privacy of customers’ change-of-address
information.

We believe that the actions taken or planned, as described by the Postmaster
General, are responsive to our recommendations to him. Furthermore, we
believe that the Postmaster General’s position that it is in the best interest
of the Service to work with licensees in ensuring that their systems work
properly and are compatible with the NCOA’s programs and that licensees
would be suspended or terminated when warranted and appropriate is
reasonable. However, we believe that the Service should change its
licensing agreement to reflect such a policy. Accordingly, we have revised
our recommendation to state that the Service should either suspend or
terminate licensees that fail successive audits in accordance with the
licensing agreement or change the licensing agreement to reflect the
Service policy that licensees will be suspended or terminated when the
Service believes that such actions are warranted.

We are sending copies of this report to Representative Chaka Fattah,
Ranking Minority Member of your Subcommittee; Senator Thad Cochran,
Chairman, and Senator Daniel Akaka, Ranking Minority Member,
Subcommittee on International Security, Proliferation, and Federal
Services, Senate Committee on Governmental Affairs; William J.
Henderson, Postmaster General; and Karla W. Corcoran, Postal Service
Inspector General. We will make copies available to others upon request.

Major contributors to this report are acknowledged in appendix II. If you
have any questions about this report, please call Bernard L. Ungar on (202)
512-8387 or Sherrill Johnson on (214) 777-5600.

Sincerely yours,




Nancy Kingsbury
Acting Assistant Comptroller General




Contents

Letter

Appendix I: Comments From the U.S. Postal Service

Appendix II: GAO Contacts and Staff Acknowledgments

Tables
                      Table 1: Summary of Number of Annual Audits Performed on 25
                        Licensee Systems for Fiscal Years 1996-1998
                      Table 2: Number of Days Between NCOA Licensee’s Failed Audit and
                        Subsequent Reaudit Between Fiscal Year 1996 and March 1999




                      Abbreviations

                      NCOA          National Change of Address (program)




Appendix I

Comments From the U.S. Postal Service




Appendix II

GAO Contacts and Staff Acknowledgments


GAO Contacts

                  Bernard L. Ungar, (202) 512-8387
                  Sherrill H. Johnson, (214) 777-5600

Acknowledgments

                  In addition to those named above, Robert T. Griffis, Dorothy M. Tejada,
                  Alan N. Belkin, and Jill P. Sayre made key contributions to this report.



