Privacy Impact Assessment for the NSLP Direct Certification Implementation Study
Version: DRAFT
Date: April 17, 2012
Prepared for:
Contact Point
Reviewing Official
This is a Privacy Impact Assessment (PIA) of the National School Lunch Program Direct Certification Improvement Study (NSLP), which builds on a previous study that was approved by OMB. On behalf of the Food and Nutrition Service (FNS), Mathematica Policy Research (Mathematica) is conducting a two-year study to update FNS’ understanding of the methods of directly certifying households with school-aged children for NSLP. This PIA is being conducted to identify risks and potential effects of collecting identifiable information for the NSLP project, and to demonstrate the FNS contractor's compliance with relevant privacy regulations.
The National School Lunch Program (NSLP), which has as its main goal the promotion of the health and well-being of the Nation’s children, is one of the largest food and nutrition assistance programs in the United States. It provides nutritionally balanced lunches to more than 30 million children each school day, with free or reduced-price meals provided to income-eligible children. As such, increasing the participation of eligible students through direct certification is likely to have a positive impact on the overall health of children across the country.
Direct certification was required of States and local education agencies (LEAs) in the Child Nutrition and WIC Reauthorization Act of 2004. Direct certification enables children in households that receive Supplemental Nutrition Assistance Program (SNAP) or other public assistance program benefits to be certified to receive school lunches without application. Currently, most States employ computer data-matching techniques to certify such students directly, but have varied levels of success (See “Direct Certification in the National School Lunch Program: State Implementation Progress, Report to Congress” [2008, 2009, 2010, and 2011]). The Food and Nutrition Service (FNS) has tasked Mathematica to conduct an NSLP direct certification improvement study in an effort to provide a comprehensive picture of the direct certification methods employed across the country. Such information will be useful in helping FNS, State child nutrition directors, and LEAs recognize promising trends, understand new approaches, and identify steps needed for continuous improvement of their direct certification efforts.
Mathematica will be conducting a two-year study to update FNS’ understanding of the methods of directly certifying households with school-aged children for NSLP. The primary data collection methods will be a web-based survey of direct certification practices, in-depth case studies of seven States, and an analysis of unmatched SNAP records and NSLP applications. The core aims of the study are to describe current direct certification processes and procedures employed by States and LEAs; to explore the relationship between these methods and overall direct certification performance measures; and to identify steps for continuous improvement in data-matching techniques and tools to increase matching rates, no matter the direct certification method employed by States and LEAs.
The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, rule, or technology being developed.
To answer the research questions and address the study objectives, Mathematica will integrate information from several data sources. Listed next are the three key data collection tasks to be performed in this study:
No PII - National survey of direct certification practices of all 50 States, the District of Columbia, five territories, and LEAs in district-level data matching States. The survey design tailors questions based on a State’s data-matching method (State- or district-level) and the level of respondent (State or LEA). In a State that is using district-level matching, a representative sample of LEAs will be asked to complete the survey, with remaining LEAs in those States being administered a shortened version. The survey is designed to gather detailed information on key areas of direct certification to fully address the study objectives and research questions.
No PII - In-depth case studies in seven States and selected LEAs. In each participating State, we will conduct site visits to interview program and technical staff involved in direct certification at the State and LEA levels. Mathematica will gather specific technical information about State and LEA data-matching system characteristics; probe the potential use of Medicaid data for direct certification; and explore the issues, challenges, and potential solutions to barriers that might impede States’ efforts to certify directly all eligible SNAP participants.
PII - Exploring 2,150 records of unmatched SNAP participants. Mathematica will collect SNAP participant data from the in-depth case study States and perform a descriptive analysis of the unmatched participant population. Mathematica will also collect NSLP applications from a sample of districts within those seven States and match them to the SNAP participant data that were used for direct certification. The collection of NSLP applications and SNAP participants will form the basis for the analysis of the accuracy of the matches and provide insight into how data matching could be improved.
1.2 What are the sources of the information in the system?
Sources of information for the study are:
Survey responses collected from NSLP administrators in all 50 states, the District of Columbia, five territories, and LEAs in district-level data matching States – no PII;
Site visit/case study data collected from NSLP administrators from seven States and selected LEAs – no PII;
SNAP participant data (administrative records) from the site visit/case study states - PII; and
NSLP applications (administrative records) from districts within the site visit/case study states – PII.
The primary purpose of the collection of this data is to fill critical data gaps (see 1.1 above) that are needed to address questions about direct certification practices (see Overview above).
National survey of direct certification practices - self-administered web survey of administrators.
In-depth case studies - site visits to interview program and technical staff responsible for direct certification.
Exploring the records of unmatched SNAP participants
SNAP participant data from the in-depth case study States and a sample of LEAs.
NSLP applications from a sample of districts.
State or district staff will collect the NSLP applications and transmit them to Mathematica in one of three ways. First, if the applications are available electronically, they can be sent via a secure transfer site. If applications are available only by hard copy, then State or district staff can either (1) deliver the necessary files in person to Mathematica staff during a site visit (who will use physical data security methods to maintain the confidentiality of the records) or (2) ship, track, and confirm receipt of the hard-copy applications via mail or trusted courier such as FedEx.
When received at Mathematica’s location, these files will be kept in a secure, locked location accessible only by authorized project staff. Upon completion of the study, the SNAP participant data and NSLP applications will be securely destroyed.
Mathematica has a long history of protecting the privacy of records and considers it a critical aspect of any study’s scientific integrity and legality. Mathematica’s policies, procedures, and technical safeguards are designed to efficiently protect confidential information and data from unauthorized disclosure, use, or alteration. Only authorized personnel with a need-to-know will have access to data containing personally identifiable information (PII). These measures are implemented companywide, and are consistent with the Federal Information Security Management Act of 2002 (FISMA), Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, the Privacy Act, and National Institute of Standards and Technology (NIST) computer security standards and guidance. In addition, Mathematica’s standard safeguards include Federal Information Processing Standard (FIPS) 140-2 compliant data encryption methods, removing identifiers from data as soon as practicable and controlling access to information on a need-to-know basis.
Mathematica pilot tested the national survey of direct certification practices in four States, two of which were identified as employing State-level matching—Idaho and New Jersey—and two of which were identified as employing district-level matching—Kansas and Wyoming. Mathematica sought input from a total of nine pretest respondents in these four States. There were four State-level respondents and, in the district-level matching States, three districts received the full survey and two districts received the brief survey. Each of these States, except New Jersey, has been a case study site for the best practices component of recent Reports to Congress. As such, we were able to assess the accuracy of the survey responses effectively to ensure the questions elicited true answers. Mathematica included New Jersey to ensure a fair balance of the early burden across FNS regions.
The pilot test followed the protocols developed for the survey instrument:
Sending each participant an email invitation along with a study description, the relevant survey instrument, and contact information
Calling participants to confirm participation and schedule a telephone debriefing interview
Providing technical assistance as needed
Conducting debriefing interview
After the pilot States returned the surveys, we conducted 30-minute interviews with each respondent to collect feedback on the survey. These debriefs followed a structured set of questions to ensure that we obtained comparable information from each of the pilot respondents on the flow of the survey and to collect any recommendations they might have. During the debriefing interview, we asked participants to identify any questions that they found difficult to answer or that seemed irrelevant, and any topics we may have missed. Mathematica also sought feedback on specific questions based on our own concerns about item difficulty or because participants’ responses required clarification.
Based on the findings from the debriefing, we have made minor revisions to the survey. In a number of questions, we are incorporating definitions and providing examples to minimize respondent confusion. Mathematica has added additional answer categories in some questions, as was suggested by pilot test respondents. Mathematica has also added soft and hard checks to particular questions to minimize the possibility of misclassification of States as either State- or district-level matching. Mathematica limited one question to State-level respondents only to minimize confusion, burden, and inaccurate data from districts. The pilot tests also showed that the burden estimates published in the Federal Register are largely accurate, except that State-level respondents did not take as long as expected. As such, we reduced the burden estimate for State-level respondents from 75 minutes to 65 minutes.
Mathematica will program the national survey of direct certification practices as a web survey. Prior to going into the field, we will make test case IDs available to project staff members, who will develop scenarios in order to check programming logic paths, edit checks, question wording, and formatting. Testers will also ensure that partially completed cases route to the next unanswered question upon reentry to the survey.
The interview guides for the data collected in the in-depth study States are semi-structured and, therefore, were not pilot tested. Mathematica will tailor the instruments to the specific direct certification practices and data matching techniques employed by each study State. As such, the specific questions asked of each respondent category will vary greatly from State to State. Before each site visit, project staff will create individualized protocols for each respondent that are tailored to the specific processes and procedures in place, which will be determined by the responses to the national survey.
FNS has authority to conduct this study under its responsibility for the development and implementation of national policy for the NSLP. This responsibility includes the promulgation of regulations, monitoring State operations, review and reimbursement of State and local expenditures, and program evaluations. States and districts, as well as schools and other institutions, participating in the NSLP are expected to cooperate with officials and contractors acting on behalf of FNS, in the conduct of evaluations and studies under the Richard B. Russell National School Lunch Act and the Child Nutrition Act of 1966.
No confidential personal data will be collected in the web survey or the in-depth interviews with State and local staff conducted during site visits.
The exploration of unmatched records of SNAP participants in seven in-depth study States will require the collection of up to 2,150 SNAP participant data and NSLP applications. Both the SNAP participant data and NSLP applications will contain private information, such as names, addresses, dates of birth, Social Security numbers, and program participation information.
To mitigate the privacy risks, electronic data will be encrypted in transmission and at rest. If hard copy data is required, it will be hand delivered to Mathematica during a site visit or shipped, tracked, and receipt confirmed by trusted courier, such as FedEx, as described in 1.4.3. Identifiers will be removed from the data as soon as practicably possible.
This data will reside on a study-specific network folder on a server in a locked data center located in Mathematica’s locked, access-controlled office suite. The data will be encrypted as it is stored on the server using AES 256-bit encryption, which is FIPS 140-2 compliant. The encryption will persist for the life of the volume. Mathematica uses identity-based policies and access control lists to control access to the folders that reside on the server. The study data will be accessible only by Mathematica staff who have a business need-to-know. The folder in which the data will reside is backed up onto encrypted disks. These backups are overwritten every two months by backups of newer encrypted data, a process that enables compliance with data destruction requirements.
All Mathematica employees receive Mathematica office security and awareness training as part of their new employee orientation. As part of this training, users are provided with information regarding their access rights, the system Rules of Behavior, and Mathematica’s security policies. In addition to the in-person training that all new Mathematica employees receive, all staff are obligated to complete online refresher training sessions annually. All Mathematica staff sign a confidentiality pledge that stipulates sanctions for non-compliance with security policies (see attached).
FNS will not have any connection to the personal data collected by Mathematica. The only information FNS will receive is the aggregated report which contains no personal information and will be publicly posted.
Upon completion of the project, Mathematica staff will securely destroy all data using Eraser, a DOD compliant file deletion utility, or equivalent software. Once data destruction is completed, the project staff will provide attestation of the destruction to FNS.
The following questions are intended to delineate clearly the use of information and the accuracy of the data being used.
On behalf of FNS, Mathematica will collect information for the National School Lunch Program Direct Certification Improvement Study. The project has 11 study objectives:
(1) update national information on current practices used by States and districts to conduct direct certification;
(2) describe State information systems (ISs) and databases that are used to conduct direct certification and what analyses are conducted to determine the efficiency of the data matching, and correlate State system and database characteristics with State performance measures, including those based on the agency’s direct certification reporting;
(3) develop a comprehensive, up-to-date reference library of data-matching algorithms and computer code used for NSLP direct certification at the State and local levels, including a library of the data elements, formats, and definitions for all variables used in the matching;
(4) examine relationships between direct certification implementation procedures, information systems and databases, and State performance measures of direct certification;
(5) determine what barriers exist in the use of data matching in direct certification in NSLP in different States and districts;
(6) determine what States have been doing with direct certification grants awarded by FNS, in terms of improvements made and their effects;
(7) identify best practices that could be used to provide technical assistance to those States developing continuous improvement plans to reach higher rates of data matching;
(8) examine the current plans for improvement of the direct certification process in the future and the capability to adopt any potential changes that might be required in the Child Nutrition and WIC Reauthorization;
(9) explore the records of unmatched SNAP households with school-aged children and of categorically eligible SNAP children (as determined by NSLP application) to determine how direct certification could be further improved;
(10) estimate the “national” direct certification matching rates under various scenarios (Optional Task); and
(11) develop model continuous improvement plans for States using State-level matching and for States using district-level matching (Optional Task).
Tools used to analyze data include SAS, Stata, and other statistical software.
Types of data to be produced include descriptive and statistical analysis for journal publications, FNS publications, posters, and conference presentations at FNS or other venues. No identifiable data will be released from this project. Anything published from this work will be an aggregated estimate based on regression analysis or cross-tabulated means.
The system does not use commercial or publicly available data.
Mathematica complies with FNS’ data security requirements through the implementation of security controls for processes and systems that Mathematica routinely uses in carrying out projects that use sensitive client data. These safeguards are consistent with the Privacy Act of 1974, the Computer Security Act of 1987, the Federal Information Security Management Act of 2002 (FISMA), Office of Management and Budget (OMB) Circular A-130, and National Institute of Standards and Technology (NIST) computer security standards. Mathematica secures individually identifiable and other sensitive project information and strictly controls access to sensitive information on a need-to-know basis. In addition, data is encrypted when in transit and at rest using Federal Information Processing Standard (FIPS) 140-2 compliant cryptographic modules. These practices are documented in the Mathematica Corporate Security Manual, which we will provide to FNS upon request.
To mitigate the privacy risks, electronic data will be encrypted in transmission and at rest. If hard copy data is required, it will be hand delivered to Mathematica during a site visit or shipped, tracked and receipt confirmed by trusted courier, such as FedEx, as described in 1.4.3. Identifiers will be removed from the data as soon as practicably possible.
This data will reside on a study-specific network folder on a server in a locked data center located in Mathematica’s locked, access-controlled office suite. The data will be encrypted as it is stored on the server using AES 256-bit encryption, which is FIPS 140-2 compliant. The encryption will persist for the life of the volume. Mathematica uses identity-based policies and access control lists to control access to the folders that reside on the server. The study data will be accessible only by Mathematica staff who have a business need-to-know. The folder in which the data will reside is backed up onto encrypted disks. These backups are overwritten every two months by backups of newer secure data, a process that enables compliance with data destruction requirements.
Upon completion of the project, project staff will securely destroy all data using Eraser, a DOD compliant file deletion utility, or equivalent software. Once data destruction is completed, the project staff will provide attestation of the destruction to FNS.
The following questions are intended to outline how long information will be retained after the initial collection.
Upon completion of the project, Mathematica will securely destroy all electronic data using Eraser, a DOD compliant file deletion utility, or equivalent software. Hard copy records, if any, will be cross-cut shredded. Once data destruction is completed, the project staff will provide attestation of the destruction to FNS.
N/A
Mathematica will retain the data for the duration of the project and no longer. This is the minimum time necessary for the retention of the data. While the data is in Mathematica’s possession, we will implement the necessary physical, technical, and administrative controls to ensure its confidentiality, integrity, and availability.
The following questions are intended to define the scope of sharing within the United States Department of Agriculture.
Mathematica will not share project PII with FNS. Therefore, there will be no USDA internal sharing or disclosure of PII.
The following questions are intended to define the content, scope, and authority for information sharing external to USDA which includes Federal, state and local government, and the private sector.
Mathematica will not disclose PII or other sensitive, confidential information to FNS or any unauthorized group or individual, except as may be required by law or by a court of competent jurisdiction. Mathematica will notify FNS if required either by law or by a court of competent jurisdiction to disclose the information and will cooperate with FNS in all lawful efforts to resist the ordered disclosure.
The following questions are directed at notice to the individual of the scope of information collected, the right to consent to uses of said information, and the right to decline to provide information.
Notice is provided to the participants in the national survey of direct certification practices and the in-depth case studies.
The 2,150 SNAP and NSLP participants whose administrative records will be analyzed are notified when they provide their information for application to SNAP and NSLP that the information may be used for program evaluation, such as this study.
Participants in the national survey of direct certification practices and the in-depth case studies have the opportunity and/or right to decline to provide information.
The 2,150 SNAP and NSLP participants whose administrative records will be analyzed are informed when they provide their information for application to SNAP and NSLP that the information may be used for program evaluation, such as this study.
Participants in the national survey of direct certification practices and the in-depth case studies do not have the right to consent to particular uses of the information. The data are collected for the sole purpose of conducting policy research at the national level. Respondents not willing to consent to this use will not be part of the sample.
The 2,150 SNAP and NSLP participants whose administrative records will be analyzed are informed when they provide their information for application to SNAP and NSLP that their information may be used for program evaluation, such as this study.
Notice is provided to participants in the national survey of direct certification practices and the in-depth case studies through introductory materials provided to respondents.
Risks associated with individuals being unaware of the collection of administrative data, most likely individuals whose data are among the data provided by the districts and states, are mitigated in four ways. First, the National School Lunch Program Act of 1966, and the Food and Nutrition Act of 2008, provide the authority for Mathematica, acting on behalf of FNS, to collect administrative data in order to support program evaluation. Second, the SNAP and NSLP participants are informed at the time of application that their data may be used to support program evaluation. Third, secure data handling methods will be employed: all electronic data will be encrypted during transmission and at rest, identifiers will be removed as soon as practicable, and appropriate management, operational and technical controls will be in place. Finally, all Mathematica staff sign a confidentiality pledge that stipulates sanctions for non-compliance with security policies as a condition of employment (see attached).
The following questions are directed at an individual’s ability to ensure the accuracy of the information collected about them.
No PII will be collected during the survey and site visits.
Individuals whose information is contained in district and state administrative records may gain access to their information through district, state and/or FNS guidelines.
No PII will be collected during the survey and site visits. However, the letter accompanying the survey will identify points-of-contact which the respondent may use to correct or modify their responses or information.
Individuals whose information is contained in district and state administrative records may correct inaccurate or erroneous information through district, state, and/or FNS guidelines.
Individuals whose information is contained in district and state administrative records are notified of the procedures for correcting inaccurate or erroneous information on the applications for NSLP and SNAP benefits.
Not Applicable
Privacy redress risks are minimal. If a participant cannot redress inaccurate or erroneous information related to this study, there is no impact to their privacy, their role in administering NSLP and SNAP benefits, nor to the benefits participants are entitled to. Survey and site visit participants are addressing programmatic questions about the direct certification program, as opposed to providing personal information about themselves; therefore, there is minimal privacy risk associated with redress. In addition, all project data will be secured through appropriate management, operational and technical controls, so that any information regarding redress will be communicated to Mathematica in a secure fashion.
The following questions are intended to describe technical safeguards and security measures.
Mathematica staff are granted access to the Mathematica network upon hire and after completing Corporate Security Awareness Training. Only Mathematica project staff with a business need-to-know are granted access to the secure network folders where project data resides, and only with the explicit permission of the Mathematica Project Director. The secure network folders reside on servers which are housed in a secure data center. Physical access is controlled and logged through proximity card. Logical access is controlled through unique ID and password for individuals. Audit records are maintained. These procedures are documented in the Mathematica Corporate Security Manual.
Only authorized Mathematica project staff access the system with approval granted based on the procedures outlined in section 8.1.
All Mathematica employees are required to take Corporate Security Awareness training annually which covers PII and protecting data.
An Authorization to Operate was granted to Mathematica by the Social Security Administration in December 2010.
All Mathematica employees read and sign a confidentiality pledge that stipulates sanctions for non-compliance with security policies (see attached). Physical access to Mathematica facilities, and logical access to project data at Mathematica, are tracked. FNS will review and approve any publications prior to release to assure acceptable use.
Privacy risks associated with technical access and security are minimal. There is no sharing of project PII between Mathematica and FNS. Project data will be secured through appropriate management, operational and technical controls,
The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware and other technology.
This is a data collection, analysis and reporting project, using Mathematica’s existing, secure infrastructure and secure data handling practices. There will be no use of a new program or system.
The project does not employ technology which may raise privacy concerns (e.g. social media).
Mathematica Project Director
________________________________
Food and Nutrition Service
United States Department of Agriculture
Author | Patricia Guroff |
File Created | 2021-02-01 |