U.S. Postal Service: Improved Oversight Needed to Protect Privacy of Address Changes GAO/GGD-96-119)
U.S. Postal Service: Improved Oversight Needed to Protect Privacy of Address Changes GAO/GGD-96-119)
Part 2
---------------------------------------------------------- Letter :5.1
Our review of files and discussion of the seeding process with NCOA
program officials disclosed certain management practices and
inattention to procedure that, we believe, have limited the value of
seeding as a control to ensure against the improper disclosure of
NCOA data. Seeding is commonly used in the mailing industry to
control proprietary records. The Postal Service periodically plants
"seed" records when updating licensees' NCOA files. A seed record is
any nonmatch data placed in the NCOA file by the Postal Service and
so designed that it will be released to mailing list holders only
through improper use of the NCOA file. Licensees are aware that the
NCOA files are seeded by the Postal Service, but according to NCOA
program officials, specific seeding data are guarded against
disclosure to licensees and the public.
Postal Service officials said they believe that, if a licensee
disclosed information from the NCOA file by any means other than
through the approved computer software, fictitious seed address
records would also be disclosed. Mail sent to seed record addresses
would then be retrieved by the NCOA program office, alerting it to a
possible improper disclosure of NCOA information. The NCOA program
office would then trace the seed record back to the licensee who
released it, and the Postal Service would take disciplinary and/or
corrective action. The NCOA program manager reported that he was not
aware that any seed mail had ever been received.
Program officials told us that they had seeded NCOA files since the
program began but had not retained historical records of seeding for
the complete period. Available documentation of seeding activities
began with the NCOA file update in July 1990. Our review of this
documentation and information provided by program officials disclosed
several weaknesses in the seeding process and documentation of the
process as an NCOA program control measure.
-- From July 1993 to April 1994, the NCOA files contained no seed
records because the program office neglected to replace those
records when they became 36 months old and were deleted. Seed
records loaded in July 1990 were deleted in July 1993, some 36
months later. Seed records were not replaced in licensees' NCOA
files until April 1994.
-- Program officials were not aware of this gap in seed coverage
until our review. They said the gap was a "technical" error
that was not particularly serious because the main value of
seeding as a control comes from the licensees' awareness that
the Postal Service seeds the NCOA files. Program officials said
they did not believe that licensees were aware that the gap in
seed coverage had occurred.
-- Program officials told us that before November 1994, the program
office used only seed records unique to each licensee. All name
and address updates to the licensees' NCOA files by the Postal
Service were identical, except for seed record names and
addresses unique to each licensee. Program officials said they
believed that this feature would enable them to trace any mail
received at seed addresses to the licensee who released the
record. However, it is possible that seed records could be
identified and neutralized by two or more licensees who agreed
to compare their NCOA files.
-- After we discussed our concerns with NCOA program officials, in
November 1994, the program office began using some "common" seed
records. Under this new feature, a quantity of identical seed
records are introduced into the NCOA files of all licensees,
along with some seed records that are unique to each licensee.
Although this procedure may help to identify any improper
disclosure of addresses by licensees, it will not allow the
Postal Service to identify which licensee was responsible for
the impropriety if licensees compared their NCOA files to
identify unique seed records because all licensees will have had
access to a common seed record.
-- The Postal Service process for seeding, identifying, and
responding to mail that might be sent to a seed address was
informal. There were no written procedures on the seeding
process, the process for retrieving mail sent to seed addresses,
or the process for investigating mail sent to seed addresses and
then reporting the results of the investigation internally.
-- The National Customer Support Center manager stated that the
informal mail retrieval process was tested in 1990 and again in
1992. He said that the test results showed that this process
worked in that test mail sent to the seed addresses through the
regular mail stream was properly forwarded back to the NCOA
program office. However, the manager told us that there was no
record of these tests and that the results were not reported
within the Postal Service. He said that procedures were revised
in January 1995 to specifically cover what postal field
personnel are required to do when they identify mail to be
delivered to seed addresses.
QUESTIONABLE EFFECTIVENESS
OF LICENSEE AUDITS
---------------------------------------------------------- Letter :5.2
On the basis of our examination of poorly maintained audit files and
subsequent discussions with NCOA program officials, we were unable to
(1) confirm that we had identified all Postal Service audits of
licensees or (2) fully assess the Postal Service's management of
audits. However, on the basis of our review of the records available
and on interviews with program officials and staff, we question
whether the licensee audits, as administered by the program office,
provided a meaningful oversight measure of compliance with the
applicable privacy provisions of federal law.
During most of the program's history, unannounced on-site audits were
to be conducted annually at the licensees' facilities. These audits
were to include tests of licensees' NCOA software accuracy and
verification of licensees' compliance with other licensing agreement
provisions, such as the provision to prevent unauthorized access to
the NCOA file. Under the licensing agreement, the Postal Service
allows a licensee that fails an audit 30 days to correct the problem
and be retested. This period is to begin when the Postal Service's
contracting officer notifies the licensee of the audit results.
In 1992, the program office introduced an "automated" audit
administered through a test tape mailed to each licensee. According
to the program manager, the automated audit focused on a more
comprehensive assessment of the accuracy of the licensees' NCOA
software. The audits are designed to detect both the failure of
licensees' NCOA software to make appropriate matches and instances of
incorrect matches. Matching of names and addresses results in the
release of new addresses to the mailing list holders and, eventually,
into the mail stream. Incorrect matches, therefore, are more serious
because they can result in the release of new addresses in violation
of federal privacy laws.
The Postal Service has set a high standard for the performance of
licensees' address-matching software. The licensing agreement
specifies that a licensee's address-matching software must achieve a
99-percent matching accuracy rate. That is, the software may produce
no more than one error per 100 name and address matches as analyzed
and scored by the program office.
In May 1994, the Postal Service significantly modified the licensing
agreement to, among other things, strengthen the Service's oversight
of licensees through audits. Before this modification, NCOA program
officials said that licensees were audited at least once a year and
that the only option available to the Postal Service under the
licensing agreement was to terminate the license of a licensee who
failed successive audits. The modification requires licensees to
pass at least three audits each contract year and provides the option
of either suspending or terminating licensees that fail two
consecutive process audits or that fail to comply with other terms or
conditions of the licensing agreement. Further, the modification
requires the Postal Service to terminate the license of any licensee
that fails three consecutive audits.
Since 1992, the NCOA program office has maintained a separate file on
each licensee containing various items of correspondence, internal
memorandums, notes, and other information relating to process audits
performed. We reviewed the files for details of process audits
conducted during 1992 and 1993. The files we reviewed, however,
generally did not contain complete records of the audits performed,
audit results, or resolution of audit findings.
We were able to ascertain from the files, however, that in 1992 at
least 65 automated audits were made of the 25 firms licensed at that
time to provide NCOA services. All but one licensee failed the
initial audit. Seven licensees passed the first follow-up audit.
Another seven licensees failed the first follow-up audit but passed a
second follow-up audit. However, 10 licensees failed all automated
process audits performed that year.
The Postal Service did not terminate the license of any of the 10
licensees who failed successive process audits during 1992. In fact,
these licensees continued to provide NCOA services with
address-matching software that had failed repeatedly to meet the
performance standards for accuracy required by the licensing
agreement. For example, four licensees failed an initial audit in
May 1992, and then failed two follow-up audits, before finally
passing an audit conducted in March 1993. However, these same
licensees were allowed to continue providing NCOA services during the
10-month period in which their software failed to meet the Service's
minimum standard for accuracy.
The NCOA program manager explained that the pattern of repeated audit
failures resulted from the increased thoroughness, coverage, and
focus on software accuracy of the new automated process audit as
compared with earlier process audits. He acknowledged that program
oversight had not been carried out as strictly as it could have been
because program officials did not want to terminate licensees from
the program, which was the only option available under the licensing
agreement at that time.
The program manager believed that the Postal Service correctly opted
to work with the licensees to resolve the software deficiencies
identified in the 1992 audits. He indicated that, among other
things, most of the software performance errors involved failures to
make any matches rather than making inappropriate matches. He also
said that the program office staff responded promptly to ensure that
licensees corrected software weaknesses identified in the audits,
which may have affected compliance with federal privacy laws.
During 1993, the Postal Service audited the 10 licensees who failed
all audits conducted during 1992. Each of these 10 licensees passed
the 1993 audit. The NCOA program manager explained that other
licensees were not audited during 1993 because, starting in about
March of that year, the entire master NCOA file was redesigned, and
licensees had to change their software to accommodate this redesign.
Further, the NCOA program office had a contract with one of its NCOA
licensees for computer support to build and maintain the master NCOA
file. The program office brought this function in-house in October
1993. Consequently, according to the program manager, all program
staff who would have done the licensee audits were instead used to
support this transition and maintain the NCOA file.
INADEQUATE INFORMATION TO
DETERMINE THE EFFECTIVENESS
OF ADVERTISING REVIEW
---------------------------------------------------------- Letter :5.3
We were unable to completely evaluate this oversight activity because
the NCOA program office did not have historical records of any
advertisements either submitted or reviewed. However, the
information that we were able to obtain indicated that the program
office was not effectively overseeing licensees' advertising
activities. Specifically, we found that although at least two
licensees had advertised NCOA-linked new-movers lists and had
submitted these advertisements to the Postal Service for review, no
action had been subsequently taken by the Postal Service to
disapprove the advertisements. The May 1994 modification stated that
a licensee's advertising will be disapproved if it includes any
reference to NCOA or the Postal Service.
The licensing agreement requires licensees to submit all proposed
advertising and methods of selling NCOA program-related services to
the NCOA program office for review and approval. The purpose of this
requirement is to ensure that licensees' customers are not misled by
the advertising or sales methods used, as well as to specifically
ensure that the relationship between the Postal Service and the
licensee is correctly represented. The licensing agreement states
that the Postal Service will provide the licensee with a written
response on the acceptability of proposed advertising within 20
working days of receipt of the material. However, if the licensee
does not receive a written response within this time, the agreement
states that the licensee may consider the proposed advertisements or
sales methods approved for use.
The program manager told us that licensees had regularly submitted
their proposed NCOA-related advertisements to the program office for
review. However, our review of licensee contract files and
discussions with a licensee disclosed that at least two licensees had
regularly submitted advertising materials for NCOA-linked new-movers
lists for Postal Service review and approval and that the program
office had not responded. For example, a May 19, 1994, letter from a
licensee stated that it had regularly submitted for review copies of
its advertisements promoting NCOA-linked new-movers lists since
inception of the NCOA program but that the Postal Service had never
responded.
As noted earlier, Postal Service officials said that the change to
the licensing agreement that specifically prohibited the creation of
NCOA-linked new-movers lists was to make more explicit the existing
restrictions on uses of NCOA data. Therefore, even before the
licensing agreement was modified in 1994, the exercise of effective
oversight should have dictated that the Service inform licensees who
proposed advertisements promoting NCOA-linked new-movers lists that
such advertisements were not permitted by the licensing agreement.
However, the Postal Service failed to respond to these proposed
advertisements.
In discussing this issue with the program manager, we were told that,
notwithstanding the advertisements submitted for review, the Postal
Service had not fully understood how licensees were using the NCOA
file--i.e., to create NCOA-linked new-movers lists. When it became
clear that licensees were creating such lists, the licensing
agreement was modified to specifically (1) preclude licensees from
creating and maintaining new-movers lists for either their own use or
the use of their customers and (2) state that a licensee's
advertising will be disapproved if it includes any reference to NCOA
or the Postal Service anywhere in any text or graphics that include a
reference to nonmailing products and services, such as new-movers
lists.
UNCERTAIN EFFECTIVENESS OF
COMPLAINT INVESTIGATIONS
---------------------------------------------------------- Letter :5.4
Another oversight or control mechanism over licensees that the Postal
Service reportedly uses is the investigation of NCOA-related
complaints emanating from the public, the licensees themselves, or
their customers. However, because the program office had no records
of complaints received or related investigations, we could not assess
the effectiveness of the complaint investigation process as a control
mechanism.
The NCOA program office's complaint investigation process was
informal and lacked structure. The office could provide us with no
record of complaints received. Further, we found no evidence of a
formal process for logging complaints, investigating complaints, and
reporting the results of investigations internally or to
complainants. According to the program manager, a few complaints had
been received, which were mainly related to customer
misunderstandings about the NCOA-related services that licensees
provide.
CONCLUSIONS
------------------------------------------------------------ Letter :6
In establishing the NCOA program, the Postal Service took a positive
step toward dealing with the inefficiencies of processing
misaddressed mail. In setting up and using a nationwide database of
postal customer names and addresses to provide this address
correction service, the Postal Service has tried, primarily through
changes to licensing agreements, to create controls that help ensure
that the release and use of NCOA information complies with the
provisions of federal privacy laws. The Postal Service said it
believes that it has met its legal responsibilities through program
design and oversight.
However, at the time of our review, the NCOA program was operating
without clearly delineated procedures and without sufficient
management attention to ensure that the program was operating in
compliance with the privacy provisions of federal laws.
Specifically, the Postal Service lacked adequate written procedures
and oversight processes regarding
-- seeding the NCOA files with fictitious records to discourage
unauthorized name and address disclosure by licensees;
-- obtaining and reviewing, in a timely manner, licensees' proposed
advertisements that mention the NCOA program, taking prompt
action to disapprove inappropriate advertisements, and
documenting the results; and
-- documenting all NCOA-related complaints received and actions
taken to address the complaints.
The NCOA program office's absence of written procedures and
inattention to processes allowed seeding control features to lapse
for a 9-month period before the condition was discovered and
corrected. Also, several licensees had advertised NCOA-linked
new-movers lists, submitted the advertisements to the Postal Service
for review, and yet the Postal Service had taken no action to
disapprove the advertisements. Further, with regard to complaints,
the NCOA program office had no records of complaints received or
related investigations, although officials said that complaints had
been received.
The NCOA program office had not implemented and enforced some
provisions of the licensing agreement, including those requiring a
minimum number of licensee audits each year and the termination of
licensees that failed to maintain address-matching software that
meets the performance standards prescribed in the license agreements.
Ten licensees failed successive audits of their software and
continued to provide NCOA services in 1992. When licensees' software
does not perform according to the standards, the Postal Service
cannot be sure that the NCOA program is operating in compliance with
federal privacy laws.
Finally, we found that the Postal Service had not clearly
communicated, through licensees, to licensees' customers, the
restrictions on the use of NCOA data to create or maintain new-movers
lists. That is, the Postal Service had not explicitly stated in the
acknowledgment form--to be signed by customers of licensees--that
NCOA data are not to be used to create or maintain new-movers lists,
a restriction that the Service has communicated to licensees.
RECOMMENDATIONS
------------------------------------------------------------ Letter :7
To strengthen oversight of the NCOA program, we recommend that the
Postmaster General require the NCOA program office to
-- develop and implement written oversight procedures, which should
include (1) the responsibilities and timetables for using seed
records to help verify that licensees release new addresses only
as a result of accurate name and address matching; (2)
requirements to obtain and review licensees' NCOA-related
proposed advertisements, document the review, and notify
licensees of the results within the time period prescribed in
the licensing agreement; and (3) requirements for systematically
recording all NCOA-related complaints received, including
actions taken to resolve complaints; and in addition,
-- enforce all provisions of the licensing agreement, including (1)
conducting at least the prescribed minimum number of licensee
audits, currently three per contract year; and (2) suspending or
terminating, as appropriate, licensees that fail two consecutive
audits or that are determined to be in noncompliance with other
terms or conditions of the licensing agreement. (As provided in
the agreement, licensees that fail three consecutive audits
should be terminated.)
We also recommend that the Postmaster General further restrict the
use of NCOA-linked data to create or maintain new-movers lists by
explicitly stating it on the acknowledgment form that is signed by
customers of NCOA licensees.
POSTAL SERVICE COMMENTS AND OUR
EVALUATION
------------------------------------------------------------ Letter :8
In a May 30, 1996, letter (see app. I) the Postmaster General
commented on a draft of this report. He said that the Postal Service
had implemented our recommendations to develop written oversight
procedures for conducting NCOA seeding operations, reviewing and
responding to NCOA-related advertisements, and investigating
complaints about the program. He said also that the Postal Service
was pleased that we did not question the lawfulness of licensing NCOA
data for the purpose of address-list correction. It is important to
note that, while we did not question the legality of the Postal
Service's arrangements with licensees to provide address list
correction services, we disagree with its view that the Privacy Act
allows licensees to use NCOA-linked data to create new-movers lists.
The Postal Service did not adopt our recommendation that restrictions
on the use of NCOA-linked data to create or maintain new-movers lists
be included in the acknowledgment form that is to be signed by NCOA
licensees' customers. The Postal Service primarily provided three
reasons for its decision to not adopt our recommendation, which are
summarized below along with our evaluation.
First, the Postal Service said it does not believe that a restriction
on the creation and maintenance of new-movers lists from NCOA-derived
data is required by privacy law. For the reasons stated earlier in
this report, we continue to believe that use of NCOA-linked data by a
licensee for creating a new-movers list would not be consistent with
the limitations imposed by the Privacy Act. The Postal Service did
not provide any new evidence or rationale for its view that the
Privacy Act permits licensees to use NCOA-derived data for purposes
other than address-list correction, which is the routine use or
purpose for which the Postal Service collected such information.
Second, the Postal Service said that effective enforcement of such a
restriction on customers of licensees would be impracticable. The
Postal Service said that the Privacy Act does not govern the private
sector and provides no basis for requiring the Service to control
what the private sector does with address corrections legitimately
obtained from the Postal Service. The Postal Service said it
believes that it would be inappropriate to place limitations on
licensees' customers, with whom the Service has no formal
relationship.
Regarding this second point, we recognize that enforcement of the
restrictions on third parties, i.e, licensees' customers, might be
difficult because the Postal Service has no contractual relationship
with licensees' customers. However, we do not believe that a
potential difficulty of enforcing such restrictions under
arrangements made with licensees means that the Postal Service should
not clearly communicate what those restrictions are. NCOA licensees
operate on behalf of the Postal Service and are subject to the same
provisions of the Privacy Act as the Service, which allows an agency
record to be disclosed provided the record is used for a purpose
compatible with that for which it was collected. These records were
collected by the Postal Service for address-list corrections, not to
create new-movers lists.
As a practical matter, it appears that the Postal Service could, at a
minimum, communicate through licensees to the licensees' customers
any restrictions on the use of NCOA data to create or maintain
new-movers lists. Acting on behalf of the Postal Service, licensees
could help ensure compliance with the restrictions by explaining to
their customers the limitations on the release and use of NCOA data
under the Privacy Act. Unless the Postal Service implements and
attempts to enforce these limitations, it cannot ensure that use of
NCOA-derived data is limited to the purpose for which it was
gathered.
Third, the Service said that we misinterpreted the purpose of the
acknowledgment form when we said that it was "to limit the use of
NCOA-linked data by the customers of licensees." The Service said
that the purpose of the form is to ensure that lists presented to
licensees for correction are really mailing lists. The
acknowledgment form states that the sole purpose of the NCOA service
is to provide a mailing-list correction service for lists that will
be used to prepare mailings. We believe that this language does
limit the use of NCOA-linked data. However, the Postal Service had
not explicitly stated in the acknowledgment form the specific
restriction that it communicated to licensees, namely, that NCOA data
are not to be used to create or maintain new-movers lists. We are
recommending that the Postmaster General explicitly state this
restriction on the acknowledgment form. Also, the Postal Service
said that it has never acknowledged that the creation of new-movers
lists by customers is prohibited. We clarified in our report that
the Postal Service had communicated the prohibition on the creation
of new-movers list to licensees--but not to their customers.
---------------------------------------------------------- Letter :8.1
We are sending copies of this report to the Ranking Minority Member
of this Subcommittee, the Postmaster General, and other interested
parties. Copies will also be made available to others upon request.
The major contributors to this report are listed in appendix III. If
you have any questions about the report, please call me on (202)
512-8387.
J. William Gadsby
Director, Government Business
Operations Issues
U.S. POSTAL SERVICE CHANGE OF
ADDRESS ORDER (POSTAL SERVICE FORM
3575, JULY 1995)
=========================================================== Appendix I
(See figure in printed
edition.)
(Front of form)
(See figure in printed
edition.)
(See figure in printed
edition.)
(Back of form)
(See figure in printed
edition.)
(See figure in printed edition.)Appendix II
COMMENTS FROM THE U.S. POSTAL
SERVICE
=========================================================== Appendix I
(See figure in printed edition.)
MAJOR CONTRIBUTORS TO THIS REPORT
========================================================= Appendix III
GENERAL GOVERNMENT DIVISION,
WASHINGTON, D.C.
Michael E. Motley, Associate Director, Government Business
Operations Issues
James T. Campbell, Assistant Director
OFFICE OF GENERAL COUNSEL,
WASHINGTON, D.C.
Alan N. Belkin, Assistant General Counsel
Robert J. Heitzman, Senior Attorney
DALLAS REGIONAL OFFICE
Sherrill H. Johnson, Core Group Leader
Robert T. Griffis, Evaluator-in-Charge
*** End of document. ***