United States General Accounting Office
GAO
Report to the Chairman, Subcommittee on the Postal Service, Committee on Government Reform, House of Representatives

July 1999

U.S. Postal Service
Status of Efforts to Protect Privacy of Address Changes

GAO/GGD-99-102

United States General Accounting Office
General Government Division
Washington, D.C. 20548

B-281674

July 30, 1999

The Honorable John M. McHugh
Chairman, Subcommittee on the Postal Service
Committee on Government Reform
House of Representatives

Dear Mr. Chairman:

As you know, the Postal Service’s National Change of Address (NCOA) program is intended to improve the quality of addresses on mail by providing business mailers with accurate, properly formatted change-of-address data that are automation compatible. To do this, the Service collects change-of-address information reported by postal customers nationally and disseminates corrected addresses through a number of private firms licensed by the Service to provide address correction services. A recently completed audit of the costs and benefits of the NCOA program for the Service’s Office of Inspector General found that, through the program, the Service was able to avoid nearly $1.2 billion in rehandling costs associated with forwarding mail in fiscal year 1998.¹

Accompanying the benefits the Service derives from this program, however, is the responsibility for oversight and control over postal customers’ change-of-address data, which are protected from inappropriate release or use under applicable federal privacy laws. In our 1996 report, we pointed out that the NCOA program was operating without clearly delineated procedures and sufficient management attention to always prevent, detect, and correct the inappropriate release or use of change-of-address data.² We recommended specific actions the Service should take to strengthen its oversight and control of these data.
This report responds to your November 19, 1998, request that we determine what actions the Service has taken in response to our 1996 report and whether any additional actions are needed to strengthen the Service’s oversight of the program.

¹ Performance Audit of the National Change of Address Program, DS-AR-99-001, United States Postal Service Office of Inspector General, Mar. 31, 1999.

² U.S. Postal Service: Improved Oversight Needed to Protect Privacy of Address Changes (GAO/GGD-96-119, Aug. 13, 1996)

Page 1 GAO/GGD-99-102 Address Change Privacy B-281674

Results in Brief

As we recommended, the Service has developed and implemented written procedures that addressed its NCOA program oversight and control responsibilities for (1) using seed records³ to help detect the unauthorized disclosure of NCOA data by licensees, should it occur; and (2) reviewing, responding to, and documenting NCOA-related complaints and inquiries from postal customers and NCOA-related proposed advertisements by licensees. However, procedures designed by the Service to ensure that it is alerted when mail is sent to seed record addresses were not working as intended; thus, the Service lacked assurance that the seeding process provided an effective program oversight mechanism.

Further, even though required to do so by the licensing agreement or by prescribed program procedures, during the 1996 through 1998 period we examined, the Service did not always (1) conduct the minimum number of licensee audits, including on-site audits; (2) promptly reaudit licensees that failed initial audits; or (3) promptly or always suspend or terminate licensees that failed successive audits. Also, the Service reported that it had performed more licensee audits than were documented in its audit files; however, even when we included these additional audits in our data, we determined that the Service did not perform all audits required.
We make recommendations near the end of this report to address these weaknesses.

The Service has taken no action on our recommendation that it explicitly state, in the acknowledgment form signed by customers of licensees, that NCOA program-linked data are not to be used to create or maintain new-movers lists (a list of postal customers who have submitted address change orders to the Service, usually created for marketing purposes). We continue to believe that more specific language in the acknowledgment form could help ensure that use of NCOA program-linked data is limited to the purposes for which they were collected. Congress may want to consider intervening if it believes that the Service should act on our recommendation.

Background

The automation of mail sorting and distribution activities with state-of-the-art technology is a core component of the Service’s strategy to achieve its goals for efficiency, effectiveness, and financial performance. According to the Service, the success of this strategy relies, in considerable part, on the Service’s ability to provide address management services that help mailers accurately address their mail and adopt automation-compatible address standards. The NCOA program is one of several Service address management programs under the direction of the Manager, Address Management, located at the National Customer Support Center in Memphis, TN. The Manager reports to the Vice President, Operations Planning, at Service headquarters.

³ A seed record is a record inserted into a file to detect the unauthorized disclosure or inappropriate release of that record or file. The practice of seeding is reportedly widely used in the mailing industry to control proprietary information.

The NCOA program began in 1986 and extended the use of change-of-address information submitted by postal customers to the Service by providing that information to business mailers for updating their mailing lists. This is important to the Service because sorting, transporting, delivering, and, in some cases, disposing of improperly addressed mail costs the Service money—estimated by the Service in 1996 at about $1.5 billion a year. The Service estimated that of the 191 billion pieces of mail it processed in 1997, incomplete or inaccurate address elements adversely affected the delivery of about one-third, or over 63 billion pieces.

NCOA change-of-address data are widely disseminated to business mailers through a network of 21 private businesses licensed, for a fee, by the Service. Licensees are responsible for maintaining a complete and current NCOA master file. Every week, the NCOA program office is to provide licensees a copy of the latest NCOA file update via computer tape. Licensees are to use these tapes to update the NCOA files they maintain. These tapes include address deletions, additions, and changes.

Licensees are to use their updated NCOA master files and the address-matching logic designed into their computer software to update addresses on their and their customers’ mailing lists. Each licensee’s address matching software is to be tested and approved by the NCOA program office. The Service requires the software to meet strict performance standards as specified in the licensing agreement, and licensees are to use only the approved software to provide the NCOA service. In providing this service, licensees are to update an address on a mailing list only when a name and address on that list match a name and old address in the NCOA file.

Service authority to disclose address information about its customers is limited by certain privacy guarantees in two federal laws. One of them, Section 412 of the Postal Reorganization Act of 1970, as amended (39 U.S.C.
412), provides that no officer or employee of the Postal Service shall make available to the public by any means or for any purpose any mailing or other list of names or addresses of postal patrons or other persons, except for census purposes or as otherwise specifically provided by law.

The Privacy Act of 1974 (5 U.S.C. 552a) provides individuals broader protection from the unauthorized use of records that federal agencies maintain about them and gives them right of access to those records. Subsection (n) of the act specifically restricts certain uses of a name and address as follows: “An individual’s name and address may not be sold or rented by an agency unless such action is specifically authorized by law.” More generally, under the Privacy Act, agency records may be disclosed provided such disclosures are compatible with the purpose for which the records were collected. Under subsection (m)(1) of the act, NCOA licensees operate on behalf of the Service and are subject to the provisions of the act to the same extent that employees of the Service would be.

Scope and Methodology

To determine the actions the Service has taken in response to our recommendations that it prepare and implement formal written procedures to strengthen its oversight of the NCOA program, we interviewed the Manager, Address Management and National Customer Support Center; technical managers who oversee certain Service-administered address management processes and programs, including the NCOA program; and the NCOA program manager.

We obtained and reviewed the two procedures manuals the Service prepared in response to our earlier recommendations. The “NCOA Procedure Guide” was undated but, according to the program manager, became effective beginning in about September 1996.
It prescribes oversight procedures and processes for (1) reviewing and documenting reviews of licensees’ proposed NCOA-related advertisements and sales methods; (2) receiving, responding to, and documenting Service responses to postal customer NCOA-related inquiries and complaints; and (3) scheduling, conducting, and managing the results of Service audits of NCOA program licensees. The second manual, the “NCOA Integrity Procedures Manual,” dated October 1998, describes seed records, their purposes, and the procedures and organizational responsibilities for carrying out the seeding process.

To verify that written procedures were being followed and assess whether they responded to our recommendations, we (1) discussed the procedures with the NCOA program manager and other managers and staff responsible for program operations and oversight; and (2) reviewed records and files documenting the oversight processes of seeding, responding to and resolving postal customer inquiries and complaints, reviewing licensee’s proposed advertisement, and auditing licensees.

Specifically, we discussed the seeding process with the program office’s project leader, who had primary responsibility for carrying out the process. We reviewed reports and documentation related to the seeding process, including tests of the process for alerting NCOA program officials to the possible release of seed record addresses, during the January 1996 through March 1999 period.

We had discussions with the program manager responsible for handling customer inquiries and complaints and reviewed program files and records. We had no way to determine whether all inquiries and complaints received at the program office were logged and responded to. However, we randomly selected 18 of the 32 file drawers where inquiry and complaint records were stored, and we reviewed the entire contents of each.
We discussed selected examples with the program office technical staff responsible for researching and responding to customer concerns.

We examined documentation of licensees’ NCOA-related advertisements that had been submitted to and reviewed and approved/disapproved by the Service as required by the licensing agreement and specified in the NCOA Procedure Guide. We reviewed all available documentation in the program office’s official licensee files, and we discussed selected examples of advertisements with the program office staff responsible for the review and approval process.

For the licensee audit process, we reviewed the results of all audits conducted from September 1995 through March 1999 that were documented in the program office’s audit files. We discussed the audits with the program manager and reviewed examples of audit results with responsible program office staff.

To assess the Service’s response to our recommendation that the Privacy Act-related restriction on the use of NCOA-linked data to create new-movers lists be communicated explicitly to licensees’ customers, we discussed the issue with the Service’s Chief Counsel, Consumer Protection Law; a Service Senior Attorney in Washington, D.C.; and the Manager, Address Management, in Memphis.

We conducted our review between September 1998 and May 1999 in accordance with generally accepted government auditing standards. We requested comments on a draft of this report from the Service and received written comments from the Postmaster General, which we have included in appendix I. His comments are discussed near the end of this report.

Program Oversight Strengthened, but Seeding Process Weaknesses Still Exist

The Service has taken steps to strengthen its oversight of the NCOA program and help ensure that the program operates in compliance with the privacy provisions of federal laws. The Service has developed and implemented written procedures formalizing its oversight processes and responsibilities for (1) seeding NCOA address change updates released to licensees, (2) addressing customer NCOA-related inquiries and complaints, and (3) reviewing and approving licensees’ proposed advertisements promoting NCOA-related services. However, our review revealed that the procedures the Service developed to ensure that mail sent to seed record addresses is appropriately identified, and the program office alerted to a possible release of a seed record address by a licensee, were not working as intended. As a result, the Service has no assurance that the seeding process provided an effective oversight mechanism.

Use of Seed Records

In 1996, we found several weaknesses in the Service’s practice of using seed records as an oversight measure to detect the improper release of NCOA data by licensees. We recommended that the Service develop and implement formal, written procedures that addressed the responsibilities and timetables for using the seeding process as an oversight mechanism. Our more recent work at the NCOA program office showed that, in response to our recommendations, the Service prepared formal written procedures that delineate program office responsibilities for carrying out the seeding process. Further, our work showed that the written procedures were generally being followed. However, we found another problem—the program’s process for alerting program officials that mail was sent to a seed record address (and therefore a licensee had possibly released a seed record address) was not working as intended. As a result, the Service had no assurance that the seeding process was providing the program oversight intended.

According to NCOA program officials, the process of seeding NCOA files provides program oversight by helping to detect and deter the improper release of NCOA data by licensees.
They said that NCOA file updates have been seeded since the program began in 1986. Seed records are fictitious name and address data that the program office periodically places in NCOA file updates provided to licensees. These names and addresses are designed uniquely and do not identify postal customers who have moved and submitted mail-forwarding forms to the Service, or any other postal customer. Therefore, licensees should not be able to match the seed record names and addresses with names and addresses on their mailing lists or their customer’s mailing lists when using the Service-approved name and address-matching computer software.

Service procedures state that mail sent to a seed record address is to be intercepted by the local post office and photocopied. The photocopy is to be returned to the NCOA program office, thereby alerting program officials of the possibility that a licensee has improperly released a seed record address. Program officials could then identify the licensee that released the seed record by tracing it back to the licensee that received (and subsequently released) the seed record. According to program officials, licensees are aware that NCOA file updates are seeded but are not able to identify the seed records.

In our 1996 review, we found that the Service had informal, unwritten procedures for seeding. Specific responsibilities and timetables for carrying out the seeding process were not delineated. We found that, because of inattention to program management, seed record addresses for a 9-month period in 1993 and 1994 were inadvertently not included in licensee file updates. Thus, the Service’s oversight of the program through use of the seeding process was not in effect during this period.

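The seeding and trace-back process described above can be sketched as follows. This is an added illustration, not part of the GAO report and not the Postal Service's system; the HMAC-based derivation of seed records, the licensee identifiers, the key, the sample addresses, and all function names are assumptions made for the example. It also covers the two failure modes the report names: updates released without seeds, and test mail for which no photocopy was returned.

```python
import hashlib
import hmac

# Everything below is constructed for illustration: key, licensee ids, addresses.
PROGRAM_KEY = b"constructed-demo-key"
LICENSEES = ["LIC-01", "LIC-02", "LIC-03"]
REAL_RECORDS = [("JANE DOE", "12 ELM ST"), ("JOHN ROE", "9 OAK AVE")]


def normalize(name, address):
    """Canonical matching key, so case and spacing differences do not matter."""
    return " ".join(f"{name} {address}".upper().split())


def make_seed(licensee, week, index):
    """Derive a fictitious name and address unique to one licensee's update."""
    msg = f"{licensee}|{week}|{index}".encode()
    tag = hmac.new(PROGRAM_KEY, msg, hashlib.sha256).hexdigest().upper()
    name = f"{tag[:6]} {tag[6:12]}"
    address = f"{int(tag[12:16], 16)} {tag[16:22]} RD"
    return name, address


def seed_update(real_records, licensee, week, count, registry):
    """Return one licensee's update file with `count` seed records mixed in."""
    real_keys = {normalize(n, a) for n, a in real_records}
    seeded = list(real_records)
    index = added = 0
    while added < count:
        name, address = make_seed(licensee, week, index)
        index += 1
        key = normalize(name, address)
        if key in real_keys or key in registry:
            continue  # a seed must never identify a real customer or repeat
        registry[key] = (licensee, week)
        seeded.append((name, address))
        added += 1
    # Sort so that position in the file does not give the seed records away.
    seeded.sort(key=lambda rec: normalize(*rec))
    return seeded


def trace(name, address, registry):
    """Map an intercepted mailpiece to the licensee that received that seed."""
    return registry.get(normalize(name, address))


def unseeded_updates(registry, licensees, weeks):
    """List (licensee, week) updates that were released with no seed record."""
    covered = set(registry.values())
    return [(l, w) for w in weeks for l in licensees if (l, w) not in covered]


def notification_rate(test_mailings, photocopies_returned):
    """Share of test mailpieces for which a photocopy reached the office."""
    sent = {normalize(n, a) for n, a in test_mailings}
    returned = {normalize(n, a) for n, a in photocopies_returned} & sent
    return len(returned) / len(sent) if sent else 0.0


def build_demo():
    """Seed four weekly updates for each licensee, with one simulated lapse."""
    registry, files = {}, {}
    for week in (1, 2, 3, 4):
        for lic in LICENSEES:
            count = 0 if (lic, week) == ("LIC-02", 3) else 2  # simulated lapse
            files[(lic, week)] = seed_update(REAL_RECORDS, lic, week, count, registry)
    return registry, files


if __name__ == "__main__":
    registry, files = build_demo()
    seeds = [r for r in files[("LIC-02", 1)] if r not in REAL_RECORDS]
    print("intercepted seed traces to:", trace(*seeds[0], registry))
    print("updates released without seeds:",
          unseeded_updates(registry, LICENSEES, (1, 2, 3, 4)))
    print("test mail notification rate:", notification_rate(seeds, seeds[:1]))
```
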
Subsequent to our 1996 review, the Service developed written procedures that describe seed records; their purpose; and the procedures, responsibilities, and timetables for implementing and using the seeding process as an oversight mechanism. The procedures include steps such as developing the seed record addresses, placing them into the licensees’ NCOA file updates at specified times, and testing the retrieval process for mail sent to seed record addresses.

On the basis of our discussions with NCOA officials and our review of seeding files and reports, it appears that program office staff were following most of the written procedures. For example, files we examined showed that 10,000 to 20,000 seed records were implanted in licensees’ databases continuously throughout the period January 1996 through March 1999. Also, as required by the procedures, the Service annually added new seed records to the licensees’ master file updates.

However, we found that Service “tests” of the seeding process revealed that procedures for alerting program officials that mail had been sent to a seed record address were not working as intended. Specifically, we found that the NCOA program office was not always alerted by postal delivery units when test mail was sent to seed record addresses. As a result, the Service could not be assured that it would be appropriately alerted if actual mail were to be sent to seed record addresses. In turn, the Service could not be assured that it would always be made aware that a licensee had released a seed record address, should this occur.

According to the Service, instructions for appropriately identifying and notifying program officials of mail sent to seed record addresses are sent by the program office to affected postal delivery units throughout the postal system each year.
Periodically, the program office sends mail to seed record addresses to test whether the identification and notification process for mail sent to seed record addresses is working properly. If it is working properly, the applicable delivery units will identify mail sent to seed record addresses and return a photocopy of it to the program office, thereby alerting program officials that mail was sent to a seed record address.

However, we found that local delivery units were not always appropriately alerting program officials when test mail was sent to seed record addresses. Data provided to us by the program office showed that program officials were appropriately notified of only about 6 percent of nearly 1,000 test mailings sent out during the period October 1998 to February 1999. The program office did not have complete records showing the results of test mailings prior to this period.

Although the program office has procedures for following up with delivery units when these units do not handle test mail appropriately, program office reports on test mail results showed that these procedures were not always followed. The program manager said that the process of sending test mail to seed record addresses, and following up with the appropriate delivery units when test mail was not returned, had been a manual process; however, because the process was labor intensive, it was automated in early 1999. The program manager said that, because the process is automated, when program officials are not appropriately notified that a delivery unit received test mail, the system will automatically generate correspondence advising the delivery unit manager that procedures were not followed for test mail sent to a seed record address. According to program officials, the automated process was only recently implemented.
Therefore, its effectiveness in identifying and correcting problems in handling test mail sent to seed record addresses had not been determined at the time of our review.

Determining why delivery units did not always appropriately notify NCOA program officials when test mail was received was not within the scope of our review. Further, delivery units are in a different Service organizational component and are not under the authority of NCOA program officials. However, until the process for appropriately identifying test mail and notifying program officials when test mail is sent to seed record addresses is working completely as intended, the Service cannot be assured that program officials would be appropriately notified if actual mail were sent to seed record addresses. In turn, the Service cannot be assured that the seeding process would detect an improper release of NCOA data by a licensee.

Program-Related Inquiries and Complaints

In our 1996 review, we found that the NCOA program office’s complaint investigation process was informal and lacked structure. We were therefore unable to assess the effectiveness of the complaint process as a program oversight mechanism. We recommended that the NCOA program office develop and implement written oversight procedures providing for the systematic recording of all NCOA-related complaints received, including actions taken to resolve the complaints. On the basis of our recent review, we believe that the actions taken by the Service provide the formal structure needed to ensure that the complaint investigation process could be an effective licensee oversight mechanism.

In our earlier review, NCOA program officials told us that they investigate program-related inquiries and complaints from postal customers, licensees, and the licensees’ customers to provide another program oversight and control mechanism.
They said that inquiries and complaints were important because they can alert the Service to possible problems involving the quality of NCOA program services that licensees are providing, as well as to instances of licensees’ noncompliance with the terms and provisions of the licensing agreement. However, the office could not provide us with any evidence of a process for logging inquiries and complaints received, investigating them, and reporting the results of the investigations internally or to the inquirers or complainants.

In our most recent review, we found that the procedure guide contained written procedures providing formal structure to the program’s process for receiving, researching, and responding to customer inquiries and complaints and documenting the results of these actions. Our examination of the program office’s inquiry and complaint files, combined with our discussions with program office managers and staff, showed that the procedures had been implemented. Specifically, we found documentation showing that (1) NCOA-related inquiries and complaints had been entered into an electronic tracking system and (2) research and analysis needed to respond to inquiries and complaints had been conducted and, where appropriate, responses provided.

The NCOA program manager told us that since about September 1997, over 38,000 inquiries and complaints had been logged into a database at the program office. Documentation relating to these inquiries and complaints was retained in 32 file drawers located in the program office. Although we had no way to verify that all inquiries and complaints received were logged in and responded to, we randomly selected 18 of these drawers and reviewed the entire contents of each.
On the basis of this review and our discussions with program managers and staff, it appears that the Service was following procedures and appropriately utilizing inquiries and complaints as a program oversight mechanism.

Program-Related Advertising

We reported in 1996 that we had been unable to fully evaluate the effectiveness of the NCOA program office’s oversight of licensees’ program-related proposed advertising as prescribed in the licensing agreement because program officials had not documented their oversight efforts. We recommended that the Service develop and implement written oversight procedures for obtaining and reviewing licensees’ program-related proposed advertisements, documenting the review, and notifying licensees of the results within the time period prescribed in the licensing agreement. On the basis of the results of our current review, we believe that the Service has substantially complied with our recommendations and has in place a formalized process for ensuring generally that licensees’ proposed advertising is in compliance with the provisions of the licensing agreement.

The licensing agreement requires licensees to adhere to Service guidelines relating to the wording, content, and design of proposed advertisements that mention the NCOA program to ensure that the relationship between licensees and the Service is correctly represented. In addition, the licensing agreement requires that all licensee advertisements be pre-approved by the NCOA program office prior to their use. According to the agreement, the program office is to provide licensees a written notice of its approval or disapproval of proposed advertisements within 20 days of receipt of this material, or the licensees may consider the proposed advertisement approved.

In our earlier review, however, we found little documentation of an advertisement review process, and it appeared that NCOA program officials did not always review licensees’ program-related advertisements.
For example, we found that at least two licensees had submitted proposed advertisements for review that contained material promoting the availability of new-movers lists linked to NCOA data, which was in violation of the licensing agreement. Even though licensees were precluded by the licensing agreement from advertising the availability of new-movers lists based in any part on NCOA-related data, program officials took no action to disapprove the advertisements.

In our most recent review, we found that the program office’s oversight of NCOA-related proposed advertisements had improved, and licensees were generally meeting the terms of the licensing agreement related to advertising. Specifically, we found that licensee files in the program office contained varying types and amounts of proposed advertisements. In addition, most of the advertisements submitted for approval had a document noting either the approval or disapproval of the advertisement within the 20-day period prescribed. If the advertisement had been disapproved, reasons for the disapproval and suggested changes were also documented.

Although we reviewed all advertisements contained in the program office files, we had no way to determine whether licensees had submitted all of their advertisements for review. Program officials told us, however, that office staff regularly review publications where licensees are known to advertise frequently to help verify that the licensees are using only approved advertisements. In addition, we found examples of advertisements that had not been approved and the related follow-up correspondence with the licensees. Program officials told us that when these situations are discovered, they contact the licensee and require a written explanation.
In December 1998, the program office sent letters to all of the licensees stating that effective January 1, 1999, if a licensee fails three times within a 1-year period to obtain program office approval before an NCOA-related advertisement is used, the licensee may be suspended from the NCOA program.

Requirements for Licensee Audits and Suspensions Not Met

Our 1996 review disclosed that licensee audit files at the NCOA program office were poorly maintained, and that the number of licensee audits conducted by the program office was unclear. As a result, we could not determine whether the Service’s licensee audits were providing effective and meaningful oversight of licensees’ compliance with the licensing agreement or the applicable privacy provisions of federal law. We recommended that the Service enforce the provision of the licensing agreement that licensees be audited a prescribed minimum number of times each year and suspend or terminate, as appropriate, licensees that fail consecutive audits.

Our follow-up review of licensee audit files at the program office revealed that problems similar to what we found earlier still existed. Specifically, we found that the program office had not (1) performed the required minimum number of annual licensee audits, (2) performed the required minimum number of on-site licensee audits every 24 months, (3) performed timely licensee reaudits after a failed audit, and (4) always or promptly suspended or terminated licensees that failed two consecutive audits. Further, it appears that the licensee audit files at the program office were still incomplete because program officials told us that they had performed more on-site audits than could be verified by documentation in the audit files. Nevertheless, even when these additional audits are taken into consideration, we determined that the Service did not perform all audits required.

The licensing agreement requires licensees to pass three audits each year, and the Service’s procedure guide specifies that the program office is to audit each licensee a minimum of three times per year. Also, at least one on-site audit is to be conducted at the premises of each licensee every 24 months. On-site audits can be unannounced and include both tests of the licensees’ NCOA software accuracy and verification of the licensees’ compliance with other provisions of the licensing agreement, such as the provision that licensees prevent unauthorized access to the NCOA file. Audits not conducted on-site are administered by the program office through a test computer tape mailed to the licensees. According to program officials, these audits focus on the comprehensive assessment of the accuracy of the licensees’ NCOA name and address-matching software.

The licensing agreement sets a strict standard of 99-percent accuracy for licensees’ name and address-matching software that is to be rigorously tested in the audit process. Licensee software that does not meet the standard is to fail the audit. NCOA program officials told us that when a licensee fails an audit, they notify the licensee by telephone. Additionally, the Service’s Contracting Officer, who is located at the Service’s headquarters in Washington, D.C., officially notifies the licensee of the audit failure by sending a written 30-day “Cure Notice” with a description of the deficiencies identified in the audit. When the licensee notifies the program office that the deficiencies have been corrected, or after the 30-day period has expired, whichever comes first, the NCOA program office is to reaudit the licensee.

Although in practice the Service does not suspend licensees that fail an initial audit, its procedure guide states that the Service can suspend licensees that fail audits and do not correct the deficiencies identified by the end of the 30-day period.
The suspension may continue until the deficiencies have been corrected and confirmed by a reaudit. Further, the license agreement provides that licensees that fail two consecutive audits are to be suspended or terminated. Upon a third consecutive audit failure, licensees are to be terminated. Because of the contractual relationship between the Service and the licensees, only the Contracting Officer, who is not under the authority of the NCOA program office, may suspend or terminate licensees.

Service licensee audits are designed to check for both the failure of the software to make correct name and address matches and for instances where the software produces an incorrect match. The failure of a licensee’s software to make appropriate matches can result in the licensee not providing its customers all the address corrections that should be provided through the NCOA program service. Incorrect matches, which are more serious, can result in the licensee improperly releasing new addresses from the NCOA database in violation of privacy law. The procedure guide states that incorrect matches found during an initial audit will result in an automatic audit failure, and that the licensee will be required to immediately make the necessary software corrections and will be reaudited.

According to the licensing agreement, Service licensee audits are an important oversight measure for helping to ensure that the provisions and performance standards of the licensing agreement are met, the integrity of the address correction services licensees provide is maintained, and the program operates in compliance with privacy guarantees of federal law.
Because licensees’ NCOA software that fails an audit is not performing to the prescribed licensing standards, we believe that (1) performing the required number of licensee audits, (2) promptly reauditing licensees that fail audits, and (3) promptly suspending or terminating licensees that fail successive audits are important features of the Service’s responsibility to help ensure the integrity of the NCOA program.

However, according to the documentation in the licensee audit files at the program office and other information provided by the Service indicating that additional audits had been performed, the program office did not perform the minimum number of annual licensee audits prescribed by its procedure guide during fiscal years 1996 through 1998. Table 1 illustrates that in fiscal year 1996, the Service did not audit 7 of 25 licensee systems the required minimum number of 3 times; in fiscal year 1997, 10 of 25 licensee systems were not audited the required minimum number of 3 times; and in fiscal year 1998, 8 of 25 licensee systems were not audited the required minimum number of 3 times.[4]

[4] Licensees may have more than one NCOA software matching computer system. During the period of our review, 17 licensees operated a single system, and 4 licensees each operated 2 separate systems, for a total of 25 systems.

Table 1: Summary of Number of Annual Audits Performed on 25 Licensee Systems for Fiscal Years 1996-1998

Fiscal year   Systems receiving 3 audits   Systems receiving 2 audits   Systems receiving 1 audit
1996          18 (72%)                     7 (28%)                      0
1997          15 (60%)                     9 (36%)                      1 (4%)
1998          17 (68%)                     6 (24%)                      2 (8%)

Note: Total licensee systems include all 25 computer systems providing NCOA program services.
Source: GAO analysis of licensee audit documentation in NCOA program office files and additional information provided by the Service.
Moreover, because the program office did not always perform the minimum number of annual licensee systems’ audits prescribed by its procedure guide, licensees were not always required to prove the integrity of their systems by passing at least three audits each year, as specified in the licensing agreement. Specifically, documentation in the licensee audit files at the program office, combined with additional documentation provided to us by program officials, showed that in fiscal year 1996 only 12 (48 percent) of 25 licensee systems passed the minimum of 3 audits; in fiscal year 1997, only 7 (28 percent) of 25 systems passed 3 audits; and in fiscal year 1998, only 9 (36 percent) of 25 systems passed 3 audits. Thus, the Service cannot be assured that licensees are consistently providing the address correction services intended by the program or consistently releasing only name and address data permitted by law. In addition, according to documentation in the audit files and additional information provided by program officials, the program office did not conduct at least one on-site audit of each licensee system every 24 months as prescribed by the procedure guide. Only 18 licensee systems received on-site audits during the 42-month period we reviewed; also, as of May 1999, 14 licensee systems were overdue for an on-site audit. Further, according to documentation in the audit files and the additional information provided by program officials, the program office did not always do timely reaudits of licensees that failed initial audits. We believe that promptly reauditing licensees that fail initial audits is important to ensure program integrity because after failing an initial audit, licensees are permitted to continue providing NCOA program services with software that does not comply with performance standards specified in the licensing agreement. 
However, as table 2 shows, of 35 licensee system audit failures during the period we reviewed, 9 systems were not reaudited until 61 to 90 days after the initial audit failure; and 3 were not reaudited until over 90 days after the initial audit failure.

Table 2: Number of Days Between NCOA Licensee’s Failed Audit and Subsequent Reaudit Between Fiscal Year 1996 and March 1999

Days for timespan          Total number of reaudits
30 days or less            10
31 to 60 days              13
61 to 90 days              9
Over 90 days               3
Total number of reaudits   35

Source: GAO analysis of licensee audit documentation in NCOA program office files and additional information provided by the Service.

We noted that one licensee system reaudit in the “over 90 days” category was not completed until 210 days after the failed initial audit. Because this audit failure involved an incorrect name and address match—an automatic failure because of the possibility that the licensee was releasing name and address data in violation of privacy law—for this 210-day period, the licensee could have been inappropriately releasing NCOA-related data.

Finally, we found three instances where licensees failed two consecutive audits yet were not promptly suspended, suspended at all, or terminated from the program. One licensee failed two successive audits and was not suspended until 17 days after the second audit. Another licensee failed two successive audits and was not suspended until 67 days after failing the second audit. A third licensee failed two successive audits and was never suspended. That licensee received a passing score on the third audit, which was conducted 147 days after the initial failed audit. According to the licensing agreement, licensees that fail two successive audits are to be either suspended or terminated from the program.
By not promptly suspending or terminating these licensees, the Service allowed these licensees to continue providing NCOA program services for varying periods of time with software that was not in compliance with the performance standards specified in the licensing agreement.

Program officials told us they had performed more on-site audits than could be verified by evidence in the audit files, but they were initially unable to provide us with supporting documentation. However, after we had completed our audit work at the program office, program officials sent us documentation indicating that 18 licensee systems had received on-site audits during the period we reviewed—10 more than indicated by documentation we had found in the program office audit files. The documentation the Service sent us consisted of recently signed statements from officials of some licensees indicating that these additional on-site audits had been performed.

Even after counting these additional audits reported by the Service, we determined that it did not perform the minimum number of annual audits or on-site audits required during the periods included in our review. This deficiency in the number of audits performed, coupled with the lack of documentation in the audit files evidencing all of the audits reported by the Service, indicated that the NCOA program audit process was not a fully effective oversight mechanism.
The NCOA program manager attributed these problems—not performing the required minimum number of annual audits and on-site audits, not performing timely reaudits, and not promptly suspending or terminating licensees that failed successive audits—to (1) an insufficient number of staff to handle the program office’s increasing workload; (2) high rates of turnover among program audit staff during this period, which reduced the number of experienced auditors; and (3) the need to assign program office staff to respond to an unexpectedly high volume of customer calls to the program office regarding the Service Move Update program implemented in 1997.[5]

Service Believes Privacy Restrictions Do Not Apply to the Secondary Use of NCOA Data

Previously, we reported that the Service had not clearly communicated through NCOA program licensees to the licensees’ customers the privacy law-related restriction on the use of NCOA-linked data to create or maintain new-movers lists. Specifically, the Service had not stated in the NCOA Processing Acknowledgment Form that NCOA data are not to be used to create or maintain new-movers lists. The licensing agreement requires licensees to have their customers sign this form before receiving NCOA-linked services.

The Service, however, had communicated this restriction to the licensees in the licensing agreement. The licensing agreement stated, in part, that “Information obtained or derived from the NCOA File or service shall not be used by the Licensee, either on its own behalf or knowingly for its customers, for the purpose of creating or maintaining new-movers lists.” The Service stated that it placed this restriction on licensees as a “good business practice” and to address concerns raised by Congress and the public, not because use of the NCOA-linked data to create or maintain new-movers lists was restricted under the Privacy Act.
[5] Move Update, implemented by the Service in July 1997, required First-Class presort and automation rate customers to update mailing lists using Service-approved address-correction services within 6 months prior to the date of any mailing on which a postage discount would be claimed.

We disagreed with the Service’s assessment of the Privacy Act and expressed our view that use of NCOA-linked data by a licensee to create a new-movers list would not be consistent with the limitations imposed by the act. We recommended that the Service use the acknowledgment form that licensees’ customers are to sign to explicitly notify the customers that the use of NCOA-linked data to create or maintain new-movers lists is not permitted.

The Service disagreed with our recommendation in 1996 and stated that it believed that (1) a restriction on the creation and maintenance of new-movers lists from NCOA-linked data was not required by privacy law, (2) enforcement of such a restriction on customers of licensees would be impracticable, and (3) we had misinterpreted the purpose of the acknowledgment form when we said that it was “to limit the use of NCOA-linked data by the customers of licensees.”

Our recent review showed that the Service has not implemented our recommendation that it amend or revise the acknowledgment form to explicitly convey this restriction to the customers of licensees. Service officials believe that the design and implementation of the NCOA program fully complies with applicable federal privacy laws. Service attorneys responsible for this issue told us that the Service continues to believe that the use of NCOA-linked data to create or maintain new-movers lists is not restricted by the Privacy Act. With regard to licensees, the Service’s position stems from the view that a licensee wears two hats—one when performing address correction services as an agent of the Service and another as a private business.
In the Service’s view, after a licensee performs address correction services as an agent of the Service, it is then free under the Privacy Act to use NCOA-linked data to create or maintain new-movers lists. With regard to the licensees’ customers, the attorneys said that the Service has no responsibility to attempt to restrict the use of NCOA-linked data by a private business with which it has no legal relationship.

We disagree. The Service collects change-of-address information from postal customers for the limited purposes of address list correction and mail forwarding, not for the purpose of creating and maintaining new-movers lists. Therefore, we continue to believe that use of NCOA-linked data to create or maintain new-movers lists by licensees of the Service, who are viewed under the Privacy Act as if they were employees of the Service, would not be consistent with the limitations imposed by the Privacy Act. Further, we continue to believe that more specific language in the acknowledgment form that licensees’ customers sign could help ensure that use of NCOA-linked data is limited to the purposes for which it was collected.

Conclusions

Through the NCOA program, the Service has extended the use of address change information that its customers report for mail forwarding purposes to provide business mailers with current name and address and address-format information for customers on their mailing lists. This program helps ensure that postal customers’ mail is more accurately addressed and thereby reduces Service costs associated with additional handling of improperly and inaccurately addressed mail. However, by creating a postal customers’ change-of-address database, the Service is obligated to use and protect the data in compliance with the constraints of applicable federal privacy laws.
The Service has been partially responsive to our previous recommendations to strengthen oversight of the NCOA program in that it developed and implemented written procedures for (1) seeding NCOA file updates released to licensees and (2) reviewing, responding to, and documenting customers’ NCOA-related inquiries and complaints and licensees’ NCOA-related advertising. However, the Service has not effectively implemented program procedures and requirements for (1) ensuring that it is appropriately alerted when mail is sent to seed record addresses, (2) auditing and reauditing licensees, and (3) suspending or terminating licensees that fail successive audits.

Although in early 1999 the Service made procedural changes that it believes will help ensure that mail sent to seed record addresses is appropriately brought to its attention, it is too early to determine the effectiveness of those changes. In addition, the Service reported that it had performed more licensee on-site audits than were documented in licensee audit files at the NCOA program office. However, the effectiveness of the licensee audit process as a program oversight mechanism is diminished when the Service does not perform all required audits and does not document the audit results.

Until these program oversight and enforcement procedures are effectively implemented and documented, the Service cannot be assured that (1) the process of seeding NCOA file updates provided to licensees will be effective in alerting the Service to licensees’ improper releases of NCOA data, (2) licensees are audited to ensure that they are in full compliance with federal privacy law and NCOA program requirements, and (3) licensees not in compliance are precluded from continuing to receive and disseminate program data.
Although the NCOA program office is responsible for auditing and reauditing licensees, the problems we identified related to ensuring the effectiveness of seeding NCOA file updates as an oversight mechanism, and delays in suspending or terminating licensees that fail two consecutive audits do not appear to be completely under its control. Local postal delivery units that are in a different Service organizational component and are not under the authority of NCOA program officials appear to be involved in the former problem. Only the Contracting Officer, also in a different organizational component and not under the authority of NCOA program officials, has authority to suspend or terminate licensees from the NCOA program.

Finally, in spite of the recommendation we made in our previous report, the Service has not changed the acknowledgment form to explicitly convey to licensees’ customers the restriction against using NCOA-linked data to create or maintain new-movers lists. The Service also has not changed its position that it has no responsibility to attempt to restrict the use of NCOA-linked data by licensees’ customers with whom it has no legal relationship. We disagree with the Service. We continue to believe that by including specific language in the acknowledgment form signed by licensees’ customers that they should not use NCOA-linked data to create or maintain new-movers lists, the Service would help to ensure that NCOA program data are used only for the purposes for which such data were collected.

Matter for Congressional Consideration

If Congress is concerned about the failure of the Postal Service to implement the recommendation we made in our prior report concerning the creation and maintenance of new-movers lists by customers of its licensees, it may wish to amend the Postal Reorganization Act of 1970.
An amendment could either (1) expressly prohibit the use of change-of-address data by licensees and their customers in the creation or maintenance of new-movers lists or (2) specifically require the Service to have its licensees and their customers acknowledge in writing that they have been informed and understand that change-of-address data may not be used for any purpose not authorized by law, including the creation or maintenance of new-movers lists.

Recommendations

To help ensure that the NCOA program operates in compliance with applicable provisions of federal privacy law and NCOA program requirements, we are making the following recommendations.

• The Postmaster General should ensure that NCOA program officials (1) conduct the minimum number of annual and on-site audits, as well as reaudits of licensees as required by the licensing agreement and the program procedure guide and (2) document in the program office files licensee audits performed, the results of those audits, and actions taken.
• The Postmaster General should also ensure that NCOA program officials and other appropriate Service officials coordinate actions to
  • identify and correct weaknesses in the process of alerting program officials when mail is sent to seed record addresses so that the process works as intended and
  • ensure that licensees that fail successive audits are promptly suspended or terminated, as appropriate, from the program or that the licensing agreement is revised to reflect Service policy regarding when licensees will be suspended or terminated.

Agency Comments and Our Evaluation

On July 19, 1999, we received written comments from the Postmaster General on a draft of this report. Among other points he made about the NCOA program, the Postmaster General stated that the Service believes that the program is a valuable service that directly benefits ratepayers by contributing to the stabilization of postage rates.
Regarding the Matter for Congressional Consideration and our position that the Service should explicitly convey to licensees’ customers the restriction against using NCOA-linked data to create or maintain new-movers lists, he stated that the Service continued to believe that it has neither the legal responsibility nor the practical ability to regulate how the owners of mailing lists may use those lists once they have been matched against the NCOA database. He said that without an effective way to enforce a prohibition on the creation of new-movers lists, such as sending Postal Inspectors into mailers’ plants, revising the acknowledgment form to explicitly prohibit their use would be an empty gesture.

We recognize the Service’s view regarding the challenges associated with enforcing a restriction on licensees’ customers with whom they have no contractual relationship. Nevertheless, as discussed in this report, the Service collects change-of-address information for the limited purposes of address list correction and mail forwarding, not for the purposes of creating and maintaining new-movers lists. Thus, in our view, the challenges associated with enforcement should not preclude the Service from notifying and receiving acknowledgment from licensees’ customers that use of NCOA-linked data to create new-movers lists is not permitted. Given that our views on this issue differ from the Service’s, we believe that our suggestion that Congress consider the issue remains appropriate.

The Postmaster General generally agreed with our recommendations for improving oversight of the NCOA program.
Specifically, he stated that regarding our recommendation concerning the periodic audits and reaudits of licensees as required by the license agreement and the program procedure guide, the Service understands the importance of licensee oversight through regularly scheduled audits and has taken steps to ensure that the required audits will be performed for each licensee each year. He stated, however, that because these audits, particularly the on-site audits, are labor intensive and can be performed only by technically knowledgeable staff, on occasion it may be necessary to defer some audits temporarily in order to have the resources available for other high-priority tasks. He stated that, nevertheless, the Service would make every effort to keep the licensee audit schedule current. The Postmaster General stated that the Service also agreed with the second part of our recommendation concerning the need for more thorough documentation of licensee audits, the results of those audits, and the actions taken. He stated that the NCOA program office has already implemented the recommendation and developed a standardized documentation process that accurately reports the results of audits. Regarding our recommendation to strengthen the process for alerting program officials when mail is sent to seed record addresses, the Postmaster General stated that the Service believes that the improvements currently being implemented will fully respond to the concerns we raised and that these improvements should be implemented nationally by September 1999. 
Regarding our proposed recommendation that the Service comply with the provisions of the licensing agreement to suspend or terminate licensees that fail successive audits, the Postmaster General stated that while the Service agrees with the recommendation, it thinks it is important to evaluate each audit failure on its own merits because it is in the best interest of the Service to work with licensees in ensuring that their systems work properly and are compatible with NCOA’s programs. He further stated that, when warranted and appropriate, the Service would invoke these provisions against licensees to preserve the integrity of the program and to protect the privacy of customers’ change-of-address information.

We believe that the actions taken or planned described by the Postmaster General are responsive to our recommendations to him. Furthermore, we believe that the Postmaster General’s position that it is in the best interest of the Service to work with licensees in ensuring that their systems work properly and are compatible with the NCOA’s programs and that licensees would be suspended or terminated when warranted and appropriate is reasonable. However, we believe that the Service should change its licensing agreement to reflect such a policy. Accordingly, we have revised our recommendation to state that the Service should either suspend or terminate licensees that fail successive audits in accordance with the licensing agreement or change the licensing agreement to reflect the Service policy that licensees will be suspended or terminated when the Service believes that such actions are warranted.
We are sending copies of this report to Representative Chaka Fattah, Ranking Minority Member of your Subcommittee; Senator Thad Cochran, Chairman, and Senator Daniel Akaka, Ranking Minority Member, Subcommittee on International Security, Proliferation, and Federal Services, Senate Committee on Governmental Affairs; William J. Henderson, Postmaster General; and Karla W. Corcoran, Postal Service Inspector General. We will make copies available to others upon request.

Major contributors to this report are acknowledged in appendix II. If you have any questions about this report, please call Bernard L. Ungar on (202) 512-8387 or Sherrill Johnson on (214) 777-5600.

Sincerely yours,

Nancy Kingsbury
Acting Assistant Comptroller General

Contents

Letter
Appendix I: Comments From the U.S. Postal Service
Appendix II: GAO Contacts and Staff Acknowledgments

Tables
Table 1: Summary of Number of Annual Audits Performed on 25 Licensee Systems for Fiscal Years 1996-1998
Table 2: Number of Days Between NCOA Licensee’s Failed Audit and Subsequent Reaudit Between Fiscal Year 1996 and March 1999

Abbreviations
NCOA   National Change of Address (program)

Appendix I
Comments From the U.S. Postal Service

Appendix II
GAO Contacts and Staff Acknowledgments

GAO Contacts
Bernard L. Ungar, (202) 512-8387
Sherrill H. Johnson, (214) 777-5600

Acknowledgments
In addition to those named above, Robert T. Griffis, Dorothy M. Tejada, Alan N. Belkin, and Jill P. Sayre made key contributions to this report.
U.S. Postal Service: Status of Efforts to Protect Privacy of Address Changes
Published by the Government Accountability Office on 1999-07-30.