The Postal Service's national change of address program is intended to
improve the quality of addresses on mail by providing business mailers
with accurate, properly formatted change-of-address data that are
automation compatible. To do this, the Service collects
change-of-address information reported by postal customers nationwide
and sends corrected addresses through several private firms licensed to
provide address correction services. A recent audit found that the
program saved the Service nearly $1.2 billion in rehandling costs
associated with forwarding mail in fiscal year 1998. GAO pointed out in
a 1996 report that the program was operating without clearly delineated
procedures and sufficient management attention to always prevent,
detect, and correct the inappropriate release or use of
change-of-address data. (See GAO/GGD-96-119, Aug. 1996.) This report
discusses the steps that the Service has taken in response to the 1996
report and whether any additional actions are needed to strengthen the
Service's oversight of the program.
--------------------------- Indexing Terms -----------------------------
REPORTNUM: GGD-99-102
TITLE: U.S. Postal Service: Status of Efforts to Protect Privacy
of Address Changes
DATE: 07/30/1999
SUBJECT: Postal service
Postal law
Privacy law
Proprietary data
Mailing lists
Mail delivery problems
Data collection
IDENTIFIER: USPS National Change of Address Program
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO report. This text was extracted from a PDF file. **
** Delineations within the text indicating chapter titles, **
** headings, and bullets have not been preserved, and in some **
** cases heading text has been incorrectly merged into **
** body text in the adjacent column. Graphic images have **
** not been reproduced, but figure captions are included. **
** Tables are included, but column deliniations have not been **
** preserved. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
** A printed copy of this report may be obtained from the GAO **
** Document Distribution Center. For further details, please **
** send an e-mail message to: **
** **
** <info@www.gao.gov> **
** **
** with the message 'info' in the body. **
******************************************************************
United States General Accounting Office GAO Report
to the Chairman, Subcommittee on the Postal Service, Committee on
Government Reform, House of Representatives July 1999 U.S.
Postal Service Status of Efforts to Protect Privacy of Address
Changes GAO/GGD-99-102 United States General Accounting Office
General Government Division Washington, D.C. 20548 B-281674 July
30, 1999 The Honorable John M. McHugh Chairman, Subcommittee on
the Postal Service Committee on Government Reform House of
Representatives Dear Mr. Chairman: As you know, the Postal
Service's National Change of Address (NCOA) program is intended to
improve the quality of addresses on mail by providing business
mailers with accurate, properly formatted change-of- address data
that are automation compatible. To do this, the Service collects
change-of-address information reported by postal customers
nationally and disseminates corrected addresses through a number
of private firms licensed by the Service to provide address
correction services. A recently completed audit of the costs and
benefits of the NCOA program for the Service's Office of Inspector
General found that, through the program, the Service was able to
avoid nearly $1.2 billion in rehandling costs associated with
forwarding mail in fiscal year 1998.1 Accompanying the benefits
the Service derives from this program, however, is the
responsibility for oversight and control over postal customers'
change-of-address data, which are protected from inappropriate
release or use under applicable federal privacy laws. In our 1996
report, we pointed out that the NCOA program was operating without
clearly delineated procedures and sufficient management attention
to always prevent, detect, and correct the inappropriate release
or use of change-of-address data.2 We recommended specific actions
the Service should take to strengthen its oversight and control of
these data. This report responds to your November 19, 1998,
request that we determine what actions the Service has taken in
response to our 1996 report and whether any additional actions are
needed to strengthen the Service's oversight of the program.
1Performance Audit of the National Change of Address Program, DS-
AR-99-001, United States Postal Service Office of Inspector
General, Mar. 31, 1999. 2U.S. Postal Service: Improved Oversight
Needed to Protect Privacy of Address Changes (GAO/GGD-96- 119,
Aug. 13, 1996) Page 1
GAO/GGD-99-102 Address Change Privacy B-281674 As we recommended,
the Service has developed and implemented written Results in Brief
procedures that addressed its NCOA program oversight and control
responsibilities for (1) using seed records3 to help detect the
unauthorized disclosure of NCOA data by licensees, should it
occur; and (2) reviewing, responding to, and documenting NCOA-
related complaints and inquiries from postal customers and NCOA-
related proposed advertisements by licensees. However, procedures
designed by the Service to ensure that it is alerted when mail is
sent to seed record addresses were not working as intended; thus,
the Service lacked assurance that the seeding process provided an
effective program oversight mechanism. Further, even though
required to do so by the licensing agreement or by prescribed
program procedures, during the 1996 through 1998 period we
examined, the Service did not always (1) conduct the minimum
number of licensee audits, including on-site audits; (2) promptly
reaudit licensees that failed initial audits; or (3) promptly or
always suspend or terminate licensees that failed successive
audits. Also, the Service reported that it had performed more
licensee audits than were documented in its audit files; however,
even when we included these additional audits in our data, we
determined that the Service did not perform all audits required.
We make recommendations near the end of this report to address
these weaknesses. The Service has taken no action on our
recommendation that it explicitly state, in the acknowledgment
form signed by customers of licensees, that NCOA program-linked
data are not to be used to create or maintain new- movers lists (a
list of postal customers who have submitted address change orders
to the Service, usually created for marketing purposes). We
continue to believe that more specific language in the
acknowledgment form could help ensure that use of NCOA program-
linked data is limited to the purposes for which they were
collected. Congress may want to consider intervening if it
believes that the Service should act on our recommendation. The
automation of mail sorting and distribution activities with state-
of-the- Background art technology is a core component of
the Service's strategy to achieve its goals for efficiency,
effectiveness, and financial performance. According to the
Service, the success of this strategy relies, in considerable
part, on the Service's ability to provide address management
services that help mailers accurately address their mail and adopt
automation-compatible address standards. The NCOA program is one
of several Service address 3A seed record is a record inserted
into a file to detect the unauthorized disclosure or inappropriate
release of that record or file. The practice of seeding is
reportedly widely used in the mailing industry to control
proprietary information. Page 2
GAO/GGD-99-102 Address Change Privacy B-281674 management programs
under the direction of the Manager, Address Management, located at
the National Customer Support Center in Memphis, TN. The Manager
reports to the Vice President, Operations Planning, at Service
headquarters. The NCOA program began in 1986 and extended the use
of change-of- address information submitted by postal customers to
the Service by providing that information to business mailers for
updating their mailing lists. This is important to the Service
because sorting, transporting, delivering, and, in some cases,
disposing of improperly addressed mail costs the Service money-
estimated by the Service in 1996 at about $1.5 billion a year. The
Service estimated that of the 191 billion pieces of mail it
processed in 1997, incomplete or inaccurate address elements
adversely affected the delivery of about one-third, or over 63
billion pieces. NCOA change-of-address data are widely
disseminated to business mailers through a network of 21 private
businesses licensed, for a fee, by the Service. Licensees are
responsible for maintaining a complete and current NCOA master
file. Every week, the NCOA program office is to provide licensees
a copy of the latest NCOA file update via computer tape. Licensees
are to use these tapes to update the NCOA files they maintain.
These tapes include address deletions, additions, and changes.
Licensees are to use their updated NCOA master files and the
address- matching logic designed into their computer software to
update addresses on their and their customers' mailing lists. Each
licensee's address matching software is to be tested and approved
by the NCOA program office. The Service requires the software to
meet strict performance standards as specified in the licensing
agreement, and licensees are to use only the approved software to
provide the NCOA service. In providing this service, licensees are
to update an address on a mailing list only when a name and
address on that list match a name and old address in the NCOA
file. Service authority to disclose address information about its
customers is limited by certain privacy guarantees in two federal
laws. One of them, Section 412 of the Postal Reorganization Act of
1970, as amended (39 U.S.C. 412), provides that no officer or
employee of the Postal Service shall make available to the public
by any means or for any purpose any mailing or other list of names
or addresses of postal patrons or other persons, except for census
purposes or as otherwise specifically provided by law. Page 3
GAO/GGD-99-102 Address Change Privacy B-281674 The Privacy Act of
1974 (5 U.S.C. 552a) provides individuals broader protection from
the unauthorized use of records that federal agencies maintain
about them and gives them right of access to those records.
Subsection (n) of the act specifically restricts certain uses of a
name and address as follows: "An individual's name and address may
not be sold or rented by an agency unless such action is
specifically authorized by law." More generally, under the Privacy
Act, agency records may be disclosed provided such disclosures are
compatible with the purpose for which the records were collected.
Under subsection (m)(1) of the act, NCOA licensees operate on
behalf of the Service and are subject to the provisions of the act
to the same extent that employees of the Service would be. To
determine the actions the Service has taken in response to our
Scope and recommendations that it prepare and implement
formal written Methodology procedures to strengthen its
oversight of the NCOA program, we interviewed the Manager, Address
Management and National Customer Support Center; technical
managers who oversee certain Service- administered address
management processes and programs, including the NCOA program; and
the NCOA program manager. We obtained and reviewed the two
procedures manuals the Service prepared in response to our earlier
recommendations. The "NCOA Procedure Guide" was undated but,
according to the program manager, became effective beginning in
about September 1996. It prescribes oversight procedures and
processes for (1) reviewing and documenting reviews of licensees'
proposed NCOA-related advertisements and sales methods; (2)
receiving, responding to, and documenting Service responses to
postal customer NCOA-related inquiries and complaints; and (3)
scheduling, conducting, and managing the results of Service audits
of NCOA program licensees. The second manual, the "NCOA Integrity
Procedures Manual," dated October 1998, describes seed records,
their purposes, and the procedures and organizational
responsibilities for carrying out the seeding process. To verify
that written procedures were being followed and assess whether
they responded to our recommendations, we (1) discussed the
procedures with the NCOA program manager and other managers and
staff responsible for program operations and oversight; and (2)
reviewed records and files documenting the oversight processes of
seeding, responding to and resolving postal customer inquiries and
complaints, reviewing licensee's proposed advertisement, and
auditing licensees. Specifically, we discussed the seeding process
with the program office's project leader, who had primary
responsibility for carrying out the Page 4
GAO/GGD-99-102 Address Change Privacy B-281674 process. We
reviewed reports and documentation related to the seeding process,
including tests of the process for alerting NCOA program officials
to the possible release of seed record addresses, during the
January 1996 through March 1999 period. We had discussions with
the program manager responsible for handling customer inquiries
and complaints and reviewed program files and records. We had no
way to determine whether all inquiries and complaints received at
the program office were logged and responded to. However, we
randomly selected 18 of the 32 file drawers where inquiry and
complaint records were stored, and we reviewed the entire contents
of each. We discussed selected examples with the program office
technical staff responsible for researching and responding to
customer concerns. We examined documentation of licensees' NCOA-
related advertisements that had been submitted to and reviewed and
approved/disapproved by the Service as required by the licensing
agreement and specified in the NCOA Procedure Guide. We reviewed
all available documentation in the program office's official
licensee files, and we discussed selected examples of
advertisements with the program office staff responsible for the
review and approval process. For the licensee audit process, we
reviewed the results of all audits conducted from September 1995
through March 1999 that were documented in the program office's
audit files. We discussed the audits with the program manager and
reviewed examples of audit results with responsible program office
staff. To assess the Service's response to our recommendation that
the Privacy Act-related restriction on the use of NCOA-linked data
to create new- movers lists be communicated explicitly to
licensees' customers, we discussed the issue with the Service's
Chief Counsel, Consumer Protection Law; a Service Senior Attorney
in Washington, D.C.; and the Manager, Address Management, in
Memphis. We conducted our review between September 1998 and May
1999 in accordance with generally accepted government auditing
standards. We requested comments on a draft of this report from
the Service and received written comments from the Postmaster
General, which we have included in appendix I. His comments are
discussed near the end of this report. Page 5
GAO/GGD-99-102 Address Change Privacy B-281674 The Service has
taken steps to strengthen its oversight of the NCOA Program
Oversight program and help ensure that the program
operates in compliance with the Strengthened, but
privacy provisions of federal laws. The Service has developed and
implemented written procedures formalizing its oversight processes
and Seeding Process responsibilities for (1)
seeding NCOA address change updates released to Weaknesses Still
Exist licensees, (2) addressing customer NCOA-related inquiries
and complaints, and (3) reviewing and approving licensees'
proposed advertisements promoting NCOA-related services. However,
our review revealed that the procedures the Service developed to
ensure that mail sent to seed record addresses is appropriately
identified, and the program office alerted to a possible release
of a seed record address by a licensee, were not working as
intended. As a result, the Service has no assurance that the
seeding process provided an effective oversight mechanism. In
1996, we found several weaknesses in the Service's practice of
using Use of Seed Records seed records as an oversight
measure to detect the improper release of NCOA data by licensees.
We recommended that the Service develop and implement formal,
written procedures that addressed the responsibilities and
timetables for using the seeding process as an oversight
mechanism. Our more recent work at the NCOA program office showed
that, in response to our recommendations, the Service prepared
formal written procedures that delineate program office
responsibilities for carrying out the seeding process. Further,
our work showed that the written procedures were generally being
followed. However, we found another problem-the program's process
for alerting program officials that mail was sent to a seed record
address (and therefore a licensee had possibly released a seed
record address) was not working as intended. As a result, the
Service had no assurance that the seeding process was providing
the program oversight intended. According to NCOA program
officials, the process of seeding NCOA files provides program
oversight by helping to detect and deter the improper release of
NCOA data by licensees. They said that NCOA file updates have been
seeded since the program began in 1986. Seed records are
fictitious name and address data that the program office
periodically places in NCOA file updates provided to licensees.
These names and addresses are designed uniquely and do not
identify postal customers who have moved and submitted mail-
forwarding forms to the Service, or any other postal customer.
Therefore, licensees should not be able to match the seed record
names and addresses with names and addresses on their mailing
lists or their customer's mailing lists when using the Service-
approved name and address-matching computer software. Page 6
GAO/GGD-99-102 Address Change Privacy B-281674 Service procedures
state that mail sent to a seed record address is to be intercepted
by the local post office and photocopied. The photocopy is to be
returned to the NCOA program office, thereby alerting program
officials of the possibility that a licensee has improperly
released a seed record address. Program officials could then
identify the licensee that released the seed record by tracing it
back to the licensee that received (and subsequently released) the
seed record. According to program officials, licensees are aware
that NCOA file updates are seeded but are not able to identify the
seed records. In our 1996 review, we found that the Service had
informal, unwritten procedures for seeding. Specific
responsibilities and timetables for carrying out the seeding
process were not delineated. We found that, because of inattention
to program management, seed record addresses for a 9-month period
in 1993 and 1994 were inadvertently not included in licensee file
updates. Thus, the Service's oversight of the program through use
of the seeding process was not in effect during this period.
Subsequent to our 1996 review, the Service developed written
procedures that describe seed records; their purpose; and the
procedures, responsibilities, and timetables for implementing and
using the seeding process as an oversight mechanism. The
procedures include steps such as developing the seed record
addresses, placing them into the licensees' NCOA file updates at
specified times, and testing the retrieval process for mail sent
to seed record addresses. On the basis of our discussions with
NCOA officials and our review of seeding files and reports, it
appears that program office staff were following most of the
written procedures. For example, files we examined showed that
10,000 to 20,000 seed records were implanted in licensees'
databases continuously throughout the period January 1996 through
March 1999. Also, as required by the procedures, the Service
annually added new seed records to the licensees' master file
updates. However, we found that Service "tests" of the seeding
process revealed that procedures for alerting program officials
that mail had been sent to a seed record address were not working
as intended. Specifically, we found that the NCOA program office
was not always alerted by postal delivery units when test mail was
sent to seed record addresses. As a result, the Service could not
be assured that it would be appropriately alerted if actual mail
were to be sent to seed record addresses. In turn, the Service
could not be assured that it would always be made aware that a
licensee had released a seed record address, should this occur.
Page 7 GAO/GGD-99-102 Address
Change Privacy B-281674 According to the Service, instructions for
appropriately identifying and notifying program officials of mail
sent to seed record addresses are sent by the program office to
affected postal delivery units throughout the postal system each
year. Periodically, the program office sends mail to seed record
addresses to test whether the identification and notification
process for mail sent to seed record addresses is working
properly. If it is working properly, the applicable delivery units
will identify mail sent to seed record addresses and return a
photocopy of it to the program office, thereby alerting program
officials that mail was sent to a seed record address. However, we
found that local delivery units were not always appropriately
alerting program officials when test mail was sent to seed record
addresses. Data provided to us by the program office showed that
program officials were appropriately notified of only about 6
percent of nearly 1,000 test mailings sent out during the period
October 1998 to February 1999. The program office did not have
complete records showing the results of test mailings prior to
this period. Although the program office has procedures for
following up with delivery units when these units do not handle
test mail appropriately, program office reports on test mail
results showed that these procedures were not always followed. The
program manager said that the process of sending test mail to seed
record addresses, and following up with the appropriate delivery
units when test mail was not returned, had been a manual process;
however, because the process was labor intensive, it was automated
in early 1999. The program manager said that, because the process
is automated, when program officials are not appropriately
notified that a delivery unit received test mail, the system will
automatically generate correspondence advising the delivery unit
manager that procedures were not followed for test mail sent to a
seed record address. According to program officials, the automated
process was only recently implemented. Therefore, its
effectiveness in identifying and correcting problems in handling
test mail sent to seed record addresses had not been determined at
the time of our review. Determining why delivery units did not
always appropriately notify NCOA program officials when test mail
was received was not within the scope of our review. Further,
delivery units are in a different Service organizational component
and are not under the authority of NCOA program officials.
However, until the process for appropriately identifying test mail
and notifying program officials when test mail is sent to seed
record addresses is working completely as intended, the Service
cannot be assured that Page 8
GAO/GGD-99-102 Address Change Privacy B-281674 program officials
would be appropriately notified if actual mail were sent to seed
record addresses. In turn, the Service cannot be assured that the
seeding process would detect an improper release of NCOA data by a
licensee. In our 1996 review, we found that the NCOA program
office's complaint Program-Related Inquiries investigation
process was informal and lacked structure. We were and Complaints
therefore unable to assess the effectiveness of the complaint
process as a program oversight mechanism. We recommended that the
NCOA program office develop and implement written oversight
procedures providing for the systematic recording of all NCOA-
related complaints received, including actions taken to resolve
the complaints. On the basis of our recent review, we believe that
the actions taken by the Service provide the formal structure
needed to ensure that the complaint investigation process could be
an effective licensee oversight mechanism. In our earlier review,
NCOA program officials told us that they investigate program-
related inquiries and complaints from postal customers, licensees,
and the licensees' customers to provide another program oversight
and control mechanism. They said that inquiries and complaints
were important because they can alert the Service to possible
problems involving the quality of NCOA program services that
licensees are providing, as well as to instances of licensees'
noncompliance with the terms and provisions of the licensing
agreement. However, the office could not provide us with any
evidence of a process for logging inquiries and complaints
received, investigating them, and reporting the results of the
investigations internally or to the inquirers or complainants. In
our most recent review, we found that the procedure guide
contained written procedures providing formal structure to the
program's process for receiving, researching, and responding to
customer inquiries and complaints and documenting the results of
these actions. Our examination of the program office's inquiry and
complaint files, combined with our discussions with program office
managers and staff, showed that the procedures had been
implemented. Specifically, we found documentation showing that (1)
NCOA-related inquiries and complaints had been entered into an
electronic tracking system and (2) research and analysis needed to
respond to inquiries and complaints had been conducted and, where
appropriate, responses provided. The NCOA program manager told us
that since about September 1997, over 38,000 inquiries and
complaints had been logged into a database at the program office.
Documentation relating to these inquiries and Page 9
GAO/GGD-99-102 Address Change Privacy B-281674 complaints was
retained in 32 file drawers located in the program office.
Although we had no way to verify that all inquiries and complaints
received were logged in and responded to, we randomly selected 18
of these drawers and reviewed the entire contents of each. On the
basis of this review and our discussions with program managers and
staff, it appears that the Service was following procedures and
appropriately utilizing inquiries and complaints as a program
oversight mechanism. We reported in 1996 that we had been unable
to fully evaluate the ProgramRelated effectiveness of the NCOA
program office's oversight of licensees' Advertising
program-related proposed advertising as prescribed in the
licensing agreement because program officials had not documented
their oversight efforts. We recommended that the Service develop
and implement written oversight procedures for obtaining and
reviewing licensees' program- related proposed advertisements,
documenting the review, and notifying licensees of the results
within the time period prescribed in the licensing agreement. On
the basis of the results of our current review, we believe that
the Service has substantially complied with our recommendations
and has in place a formalized process for ensuring generally that
licensees' proposed advertising is in compliance with the
provisions of the licensing agreement. The licensing agreement
requires licensees to adhere to Service guidelines relating to the
wording, content, and design of proposed advertisements that
mention the NCOA program to ensure that the relationship between
licensees and the Service is correctly represented. In addition,
the licensing agreement requires that all licensee advertisements
be pre- approved by the NCOA program office prior to their use.
According to the agreement, the program office is to provide
licensees a written notice of its approval or disapproval of
proposed advertisements within 20 days of receipt of this
material, or the licensees may consider the proposed advertisement
approved. In our earlier review, however, we found little
documentation of an advertisement review process, and it appeared
that NCOA program officials did not always review licensees'
program-related advertisements. For example, we found that at
least two licensees had submitted proposed advertisements for
review that contained material promoting the availability of new-
movers lists linked to NCOA data, which was in violation of the
licensing agreement. Even though licensees were precluded by the
licensing agreement from advertising the availability of new-
movers lists based in any part on NCOA-related data, program
officials took no action to disapprove the advertisements. Page 10
GAO/GGD-99-102 Address Change Privacy B-281674 In our most recent
review, we found that the program office's oversight of NCOA-
related proposed advertisements had improved, and licensees were
generally meeting the terms of the licensing agreement related to
advertising. Specifically, we found that licensee files in the
program office contained varying types and amounts of proposed
advertisements. In addition, most of the advertisements submitted
for approval had a document noting either the approval or
disapproval of the advertisement within the 20-day period
prescribed. If the advertisement had been disapproved, reasons for
the disapproval and suggested changes were also documented.
Although we reviewed all advertisements contained in the program
office files, we had no way to determine whether licensees had
submitted all of their advertisements for review. Program
officials told us, however, that office staff regularly review
publications where licensees are known to advertise frequently to
help verify that the licensees are using only approved
advertisements. In addition, we found examples of advertisements
that had not been approved and the related follow-up
correspondence with the licensees. Program officials told us that
when these situations are discovered, they contact the licensee
and require a written explanation. In December 1998, the program
office sent letters to all of the licensees stating that effective
January 1, 1999, if a licensee fails three times within a 1-year
period to obtain program office approval before an NCOA-related
advertisement is used, the licensee may be suspended from the NCOA
program. Our 1996 review disclosed that licensee audit files at
the NCOA program Requirements for office were poorly
maintained, and that the number of licensee audits Licensee Audits
and conducted by the program office was unclear. As a result,
we could not determine whether the Service's licensee audits were
providing effective Suspensions Not Met and meaningful
oversight of licensees' compliance with the licensing agreement or
the applicable privacy provisions of federal law. We recommended
that the Service enforce the provision of the licensing agreement
that licensees be audited a prescribed minimum number of times
each year and suspend or terminate, as appropriate, licensees that
fail consecutive audits. Our follow-up review of licensee audit
files at the program office revealed that problems similar to what
we found earlier still existed. Specifically, we found that the
program office had not (1) performed the required minimum number
of annual licensee audits, (2) performed the required minimum
number of on-site licensee audits every 24 months, (3) performed
timely licensee reaudits after a failed audit, and (4) always or
Page 11 GAO/GGD-99-102 Address
Change Privacy B-281674 promptly suspended or terminated licensees
that failed two consecutive audits. Further, it appears that the
licensee audit files at the program office were still incomplete
because program officials told us that they had performed more on-
site audits than could be verified by documentation in the audit
files. Nevertheless, even when these additional audits are taken
into consideration, we determined that the Service did not perform
all audits required. The licensing agreement requires licensees to
pass three audits each year, and the Service's procedure guide
specifies that the program office is to audit each licensee a
minimum of three times per year. Also, at least one on-site audit
is to be conducted at the premises of each licensee every 24
months. On-site audits can be unannounced and include both tests
of the licensees' NCOA software accuracy and verification of the
licensees' compliance with other provisions of the licensing
agreement, such as the provision that licensees prevent
unauthorized access to the NCOA file. Audits not conducted on-site
are administered by the program office through a test computer
tape mailed to the licensees. According to program officials,
these audits focus on the comprehensive assessment of the accuracy
of the licensees' NCOA name and address-matching software. The
licensing agreement sets a strict standard of 99-percent accuracy
for licensees' name and address-matching software that is to be
rigorously tested in the audit process. Licensee software that
does not meet the standard is to fail the audit. NCOA program
officials told us that when a licensee fails an audit, they notify
the licensee by telephone. Additionally, the Service's Contracting
Officer, who is located at the Service's headquarters in
Washington, D.C., officially notifies the licensee of the audit
failure by sending a written 30-day "Cure Notice" with a
description of the deficiencies identified in the audit. When the
licensee notifies the program office that the deficiencies have
been corrected, or after the 30- day period has expired, whichever
comes first, the NCOA program office is to reaudit the licensee.
Although in practice the Service does not suspend licensees that
fail an initial audit, its procedure guide states that the Service
can suspend licensees that fail audits and do not correct the
deficiencies identified by the end of the 30-day period. The
suspension may continue until the deficiencies have been corrected
and confirmed by a reaudit. Further, the license agreement
provides that licensees that fail two consecutive audits are to be
suspended or terminated. Upon a third consecutive audit failure,
licensees are to be terminated. Because of the contractual
relationship between the Service and the licensees, only the
Contracting Officer, who is Page 12
GAO/GGD-99-102 Address Change Privacy B-281674 not under the
authority of the NCOA program office, may suspend or terminate
licensees. Service licensee audits are designed to check for both
the failure of the software to make correct name and address
matches and for instances where the software produces an incorrect
match. The failure of a licensee's software to make appropriate
matches can result in the licensee not providing its customers all
the address corrections that should be provided through the NCOA
program service. Incorrect matches, which are more serious, can
result in the licensee improperly releasing new addresses from the
NCOA database in violation of privacy law. The procedure guide
states that incorrect matches found during an initial audit will
result in an automatic audit failure, and that the licensee will
be required to immediately make the necessary software corrections
and will be reaudited. According to the licensing agreement,
Service licensee audits are an important oversight measure for
helping to ensure that the provisions and performance standards of
the licensing agreement are met, the integrity of the address
correction services licensees provide is maintained, and the
program operates in compliance with privacy guarantees of federal
law. Because licensees' NCOA software that fails an audit is not
performing to the prescribed licensing standards, we believe that
(1) performing the required number of licensee audits, (2)
promptly reauditing licensees that fail audits, and (3) promptly
suspending or terminating licensees that fail successive audits
are important features of the Service's responsibility to help
ensure the integrity of the NCOA program. However, according to
the documentation in the licensee audit files at the program
office and other information provided by the Service indicating
that additional audits had been performed, the program office did
not perform the minimum number of annual licensee audits
prescribed by its procedure guide during fiscal years 1996 through
1998. Table 1 illustrates that in fiscal year 1996, the Service
did not audit 7 of 25 licensee systems the required minimum number
of 3 times; in fiscal year 1997, 10 of 25 licensee systems were
not audited the required minimum number of 3 times; and in fiscal
year 1998, 8 of 25 licensee systems were not audited the required
minimum number of 3 times.4 4Licensees may have more than one NCOA
software matching computer system. During the period of our
review, 17 licensees operated a single system, and 4 licensees
each operated 2 separate systems, for a total of 25 systems. Page
13
GAO/GGD-99-102 Address Change Privacy B-281674 Table 1: Summary of
Number of Annual
Systems receiving Audits Performed on 25 Licensee Fiscal
year 3 audits 2 audits
1 audit Systems for Fiscal Years 1996-1998 1996
18 (72%) 7 (28%) 0 1997
15 (60%) 9 (36%) 1 (4%) 1998
17 (68%) 6 (24%) 2 (8%) Note:
Total licensee systems include all 25 computer systems providing
NCOA program services. Source: GAO analysis of licensee audit
documentation in NCOA program office files and additional
information provided by the Service. Moreover, because the program
office did not always perform the minimum number of annual
licensee systems' audits prescribed by its procedure guide,
licensees were not always required to prove the integrity of their
systems by passing at least three audits each year, as specified
in the licensing agreement. Specifically, documentation in the
licensee audit files at the program office, combined with
additional documentation provided to us by program officials,
showed that in fiscal year 1996 only 12 (48 percent) of 25
licensee systems passed the minimum of 3 audits; in fiscal year
1997, only 7 (28 percent) of 25 systems passed 3 audits; and in
fiscal year 1998, only 9 (36 percent) of 25 systems passed 3
audits. Thus, the Service cannot be assured that licensees are
consistently providing the address correction services intended by
the program or consistently releasing only name and address data
permitted by law. In addition, according to documentation in the
audit files and additional information provided by program
officials, the program office did not conduct at least one on-site
audit of each licensee system every 24 months as prescribed by the
procedure guide. Only 18 licensee systems received on-site audits
during the 42-month period we reviewed; also, as of May 1999, 14
licensee systems were overdue for an on-site audit. Further,
according to documentation in the audit files and the additional
information provided by program officials, the program office did
not always do timely reaudits of licensees that failed initial
audits. We believe that promptly reauditing licensees that fail
initial audits is important to ensure program integrity because
after failing an initial audit, licensees are permitted to
continue providing NCOA program services with software that does
not comply with performance standards specified in the licensing
agreement. However, as table 2 shows, of 35 licensee system audit
failures during the period we reviewed, 9 systems were not
reaudited until 61 to 90 days after the initial audit failure; and
3 were not reaudited until over 90 days after the initial audit
failure. Page 14
GAO/GGD-99-102 Address Change Privacy B-281674 Table 2: Number of
Days Between NCOA
Total number of reaudits Licensee's Failed Audit and Subsequent
Days
for timespan Reaudit Between Fiscal Year 1996 and 30 days or
less
10 March 1999 31 to 60 days
13 61 to 90 days
9 Over 90 days
3 Total number of reaudits
35 Source: GAO analysis of licensee audit documentation in NCOA
program office files and additional information provided by the
Service. We noted that one licensee system reaudit in the "over 90
days" category was not completed until 210 days after the failed
initial audit. Because this audit failure involved an incorrect
name and address match-an automatic failure because of the
possibility that the licensee was releasing name and address data
in violation of privacy law-for this 210-day period, the licensee
could have been inappropriately releasing NCOA-related data.
Finally, we found three instances where licensees failed two
consecutive audits yet were not promptly suspended, suspended at
all, or terminated from the program. One licensee failed two
successive audits and was not suspended until 17 days after the
second audit. Another licensee failed two successive audits and
was not suspended until 67 days after failing the second audit. A
third licensee failed two successive audits and was never
suspended. That licensee received a passing score on the third
audit, which was conducted 147 days after the initial failed
audit. According to the licensing agreement, licensees that fail
two successive audits are to be either suspended or terminated
from the program. By not promptly suspending or terminating these
licensees, the Service allowed these licensees to continue
providing NCOA program services for varying periods of time with
software that was not in compliance with the performance standards
specified in the licensing agreement. Program officials told us
they had performed more on-site audits than could be verified by
evidence in the audit files, but they were initially unable to
provide us with supporting documentation. However, after we had
completed our audit work at the program office, program officials
sent us documentation indicating that 18 licensee systems had
received on-site audits during the period we reviewed-10 more than
indicated by documentation we had found in the program office
audit files. The documentation the Service sent us consisted of
recently signed statements from officials of some licensees
indicating that these additional on-site audits had been
performed. Page 15
GAO/GGD-99-102 Address Change Privacy B-281674 Even after counting
these additional audits reported by the Service, we determined
that it did not perform the minimum number of annual audits or on-
site audits required during the periods included in our review.
This deficiency in the number of audits performed, coupled with
the lack of documentation in the audit files evidencing all of the
audits reported by the Service, indicated that the NCOA program
audit process was not a fully effective oversight mechanism. The
NCOA program manager attributed these problems-not performing the
required minimum number of annual audits and on-site audits, not
performing timely reaudits, and not promptly suspending or
terminating licensees that failed successive audits-to (1) an
insufficient number of staff to handle the program office's
increasing workload; (2) high rates of turnover among program
audit staff during this period, which reduced the number of
experienced auditors; and (3) the need to assign program office
staff to respond to an unexpectedly high volume of customer calls
to the program office regarding the Service Move Update program
implemented in 1997.5 Previously, we reported that the Service had
not clearly communicated Service Believes through NCOA
program licensees to the licensees' customers the privacy Privacy
Restrictions law-related restriction on the use of NCOA-linked
data to create or maintain new-movers lists. Specifically, the
Service had not stated in the Do Not Apply to the NCOA
Processing Acknowledgment Form that NCOA data are not to be
Secondary Use of used to create or maintain new-movers
lists. The licensing agreement NCOA Data requires
licensees to have their customers sign this form before receiving
NCOA-linked services. The Service, however, had communicated this
restriction to the licensees in the licensing agreement. The
licensing agreement stated, in part, that "Information obtained or
derived from the NCOA File or service shall not be used by the
Licensee, either on its own behalf or knowingly for its customers,
for the purpose of creating or maintaining new-movers lists." The
Service stated that it placed this restriction on licensees as a
"good business practice" and to address concerns raised by
Congress and the public, not because use of the NCOA-linked data
to create or maintain new-movers lists was restricted under the
Privacy Act. 5Move Update, implemented by the Service in July
1997, required First-Class presort and automation rate customers
to update mailing lists using Service-approved address-correction
services within 6 months prior to the date of any mailing on which
a postage discount would be claimed. Page 16
GAO/GGD-99-102 Address Change Privacy B-281674 We disagreed with
the Service's assessment of the Privacy Act and expressed our view
that use of NCOA-linked data by a licensee to create a new-movers
list would not be consistent with the limitations imposed by the
act. We recommended that the Service use the acknowledgment form
that licensees' customers are to sign to explicitly notify the
customers that the use of NCOA-linked data to create or maintain
new-movers lists is not permitted. The Service disagreed with our
recommendation in 1996 and stated that it believed that (1) a
restriction on the creation and maintenance of new- movers lists
from NCOA-linked data was not required by privacy law, (2)
enforcement of such a restriction on customers of licensees would
be impracticable, and (3) we had misinterpreted the purpose of the
acknowledgment form when we said that it was "to limit the use of
NCOA- linked data by the customers of licensees." Our recent
review showed that the Service has not implemented our
recommendation that it amend or revise the acknowledgment form to
explicitly convey this restriction to the customers of licensees.
Service officials believe that the design and implementation of
the NCOA program fully complies with applicable federal privacy
laws. Service attorneys responsible for this issue told us that
the Service continues to believe that the use of NCOA-linked data
to create or maintain new-movers lists is not restricted by the
Privacy Act. With regard to licensees, the Service's position
stems from the view that a licensee wears two hats-one when
performing address correction services as an agent of the Service
and another as a private business. In the Service's view, after a
licensee performs address correction services as an agent of the
Service, it is then free under the Privacy Act to use NCOA-linked
data to create or maintain new-movers lists. With regard to the
licensees' customers, the attorneys said that the Service has no
responsibility to attempt to restrict the use of NCOA-linked data
by a private business with which it has no legal relationship. We
disagree. The Service collects change-of-address information from
postal customers for the limited purposes of address list
correction and mail forwarding, not for the purpose of creating
and maintaining new- movers lists. Therefore, we continue to
believe that use of NCOA-linked data to create or maintain new-
movers lists by licensees of the Service, who are viewed under the
Privacy Act as if they were employees of the Service, would not be
consistent with the limitations imposed by the Privacy Act.
Further, we continue to believe that more specific language in
Page 17 GAO/GGD-99-102 Address
Change Privacy B-281674 the acknowledgment form that licensees'
customers sign could help ensure that use of NCOA-linked data is
limited to the purposes for which it was collected. Through the
NCOA program, the Service has extended the use of address
Conclusions change information that its customers report for
mail forwarding purposes to provide business mailers with current
name and address and address- format information for customers on
their mailing lists. This program helps ensure that postal
customers' mail is more accurately addressed and thereby reduces
Service costs associated with additional handling of improperly
and inaccurately addressed mail. However, by creating a postal
customers' change-of-address database, the Service is obligated to
use and protect the data in compliance with the constraints of
applicable federal privacy laws. The Service has been partially
responsive to our previous recommendations to strengthen oversight
of the NCOA program in that it developed and implemented written
procedures for (1) seeding NCOA file updates released to licensees
and (2) reviewing, responding to, and documenting customers' NCOA-
related inquiries and complaints and licensees' NCOA-related
advertising. However, the Service has not effectively implemented
program procedures and requirements for (1) ensuring that it is
appropriately alerted when mail is sent to seed record addresses,
(2) auditing and reauditing licensees, and (3) suspending or
terminating licensees that fail successive audits. Although in
early 1999 the Service made procedural changes that it believes
will help ensure that mail sent to seed record addresses is
appropriately brought to its attention, it is too early to
determine the effectiveness of those changes. In addition, the
Service reported that it had performed more licensee on-site
audits than were documented in licensee audit files at the NCOA
program office. However, the effectiveness of the licensee audit
process as a program oversight mechanism is diminished when the
Service does not perform all required audits and does not document
the audit results. Until these program oversight and enforcement
procedures are effectively implemented and documented, the Service
cannot be assured that (1) the process of seeding NCOA file
updates provided to licensees will be effective in alerting the
Service to licensees' improper releases of NCOA data, (2)
licensees are audited to ensure that they are in full compliance
with federal privacy law and NCOA program requirements, and (3)
Page 18 GAO/GGD-99-102 Address
Change Privacy B-281674 licensees not in compliance are precluded
from continuing to receive and disseminate program data. Although
the NCOA program office is responsible for auditing and reauditing
licensees, the problems we identified related to ensuring the
effectiveness of seeding NCOA file updates as an oversight
mechanism, and delays in suspending or terminating licensees that
fail two consecutive audits do not appear to be completely under
its control. Local postal delivery units that are in a different
Service organizational component and are not under the authority
of NCOA program officials appear to be involved in the former
problem. Only the Contracting Officer, also in a different
organizational component and not under the authority of NCOA
program officials, has authority to suspend or terminate licensees
from the NCOA program. Finally, in spite of the recommendation we
made in our previous report, the Service has not changed the
acknowledgment form to explicitly convey to licensees' customers
the restriction against using NCOA-linked data to create or
maintain new-movers lists. The Service also has not changed its
position that it has no responsibility to attempt to restrict the
use of NCOA -linked data by licensees' customers with whom it has
no legal relationship. We disagree with the Service. We continue
to believe that by including specific language in the
acknowledgment form signed by licensees' customers that they
should not use NCOA-linked data to create or maintain new-movers
lists, the Service would help to ensure that NCOA program data are
used only for the purposes for which such data were collected. If
Congress is concerned about the failure of the Postal Service to
Matter for implement the recommendation we made in our prior
report concerning Congressional the creation and maintenance of
new-movers lists by customers of its licensees, it may wish to
amend the Postal Reorganization Act of 1970. An Consideration
amendment could either (1) expressly prohibit the use of change-
of- address data by licensees and their customers in the creation
or maintenance of new-movers lists or (2) specifically require the
Service to have its licensees and their customers acknowledge in
writing that they have been informed and understand that change-
of-address data may not be used for any purpose not authorized by
law, including the creation or maintenance of new-movers lists.
Page 19 GAO/GGD-99-102 Address
Change Privacy B-281674 To help ensure that the NCOA program
operates in compliance with Recommendations
applicable provisions of federal privacy law and NCOA program
requirements, we are making the following recommendations. * The
Postmaster General should ensure that NCOA program officials (1)
conduct the minimum number of annual and on-site audits, as well
as reaudits of licensees as required by the licensing agreement
and the program procedure guide and (2) document in the program
office files licensee audits performed, the results of those
audits, and actions taken. * The Postmaster General should also
ensure that NCOA program officials and other appropriate Service
officials coordinate actions to * identify and correct weaknesses
in the process of alerting program officials when mail is sent to
seed record addresses so that the process works as intended and *
ensure that licensees that fail successive audits are promptly
suspended or terminated, as appropriate, from the program or that
the licensing agreement is revised to reflect Service policy
regarding when licensees will be suspended or terminated. On July
19, 1999, we received written comments from the Postmaster Agency
Comments and General on a draft of this report. Among other
points he made about the Our Evaluation NCOA
program, the Postmaster General stated that the Service believes
that the program is a valuable service that directly benefits
ratepayers by contributing to the stabilization of postage rates.
Regarding the Matter for Congressional Consideration and our
position that the Service should explicitly convey to licensees'
customers the restriction against using NCOA-linked data to create
or maintain new-movers lists, he stated that the Service continued
to believe that it has neither the legal responsibility nor the
practical ability to regulate how the owners of mailing lists may
use those lists once they have been matched against the NCOA
database. He said that without an effective way to enforce a
prohibition on the creation of new-movers lists, such as sending
Postal Inspectors into mailers' plants, revising the
acknowledgment form to explicitly prohibit their use would be an
empty gesture. We recognize the Service's view regarding the
challenges associated with enforcing a restriction on licensees'
customers with whom they have no contractual relationship.
Nevertheless, as discussed in this report, the Service collects
change-of-address information for the limited purposes of address
list correction and mail forwarding, not for the purposes of Page
20 GAO/GGD-99-102 Address Change
Privacy B-281674 creating and maintaining new-movers lists. Thus,
in our view, the challenges associated with enforcement should not
preclude the Service from notifying and receiving acknowledgment
from licensees' customers that use of NCOA-linked data to create
new-movers lists is not permitted. Given that our views on this
issue differ from the Service's, we believe that our suggestion
that Congress consider the issue remains appropriate. The
Postmaster General generally agreed with our recommendations for
improving oversight of the NCOA program. Specifically, he stated
that regarding our recommendation concerning the periodic audits
and reaudits of licensees as required by the license agreement and
the program procedure guide, the Service understands the
importance of licensee oversight through regularly scheduled
audits and has taken steps to ensure that the required audits will
be performed for each licensee each year. He stated, however,
that because these audits, particularly the on-site audits, are
labor intensive and can be performed only by technically
knowledgeable staff, on occasion it may be necessary to defer some
audits temporarily in order to have the resources available for
other high-priority tasks. He stated that, nevertheless, the
Service would make every effort to keep the licensee audit
schedule current. The Postmaster General stated that the Service
also agreed with the second part of our recommendation concerning
the need for more thorough documentation of licensee audits, the
results of those audits, and the actions taken. He stated that
the NCOA program office has already implemented the recommendation
and developed a standardized documentation process that accurately
reports the results of audits. Regarding our recommendation to
strengthen the process for alerting program officials when mail is
sent to seed record addresses, the Postmaster General stated that
the Service believes that the improvements currently being
implemented will fully respond to the concerns we raised and that
these improvements should be implemented nationally by September
1999. Regarding our proposed recommendation that the Service
comply with the provisions of the licensing agreement to suspend
or terminate licensees that fail successive audits, the Postmaster
General stated that while the Service agrees with the
recommendation, it thinks it is important to evaluate each audit
failure on its own merits because it is in the best interest of
the Service to work with licensees in ensuring that their systems
work properly and are compatible with NCOA's programs. He further
stated that, when warranted and appropriate, the Service would
invoke these provisions against licensees to preserve the
integrity of the Page 21
GAO/GGD-99-102 Address Change Privacy B-281674 program and to
protect the privacy of customers' change-of-address information.
We believe that the actions taken or planned described by the
Postmaster General are responsive to our recommendations to him.
Furthermore, we believe that the Postmaster General's position
that it is in the best interest of the Service to work with
licensees in ensuring that their systems work properly and are
compatible with the NCOA's programs and that licensees would be
suspended or terminated when warranted and appropriate is
reasonable. However, we believe that the Service should change its
licensing agreement to reflect such a policy. Accordingly, we have
revised our recommendation to state that the Service should either
suspend or terminate licensees that fail successive audits in
accordance with the licensing agreement or change the licensing
agreement to reflect the Service policy that licensees will be
suspended or terminated when the Service believes that such
actions are warranted. We are sending copies of this report to
Representative Chaka Fattah, Ranking Minority Member of your
Subcommittee; Senator Thad Cochran, Chairman, and Senator Daniel
Akaka, Ranking Minority Member, Subcommittee on International
Security, Proliferation, and Federal Services, Senate Committee on
Governmental Affairs; William J. Henderson, Postmaster General;
and Karla W. Corcoran, Postal Service Inspector General. We will
make copies available to others upon request. Major contributors
to this report are acknowledged in appendix II. If you have any
questions about this report, please call Bernard L. Ungar on (202)
512-8387 or Sherrill Johnson on (214) 777-5600. Sincerely yours,
Nancy Kingsbury Acting Assistant Comptroller General Page 22
GAO/GGD-99-102 Address Change Privacy Page 23 GAO/GGD-99-102
Address Change Privacy Contents 1 Letter 26 Appendix I Comments
From the U.S. Postal Service 28 Appendix II GAO Contacts and Staff
Acknowledgments Table 1: Summary of Number of Annual Audits
14 Tables Performed on 25 Licensee Systems for
Fiscal Years 1996-1998 Table 2: Number of Days Between NCOA
Licensee's 15 Failed Audit and Subsequent
Reaudit Between Fiscal Year 1996 and March 1999 Abbreviations NCOA
National Change of Address (program) Page 24
GAO/GGD-99-102 Address Change Privacy Page 25 GAO/GGD-99-102
Address Change Privacy Appendix I Comments From the U.S. Postal
Service Page 26 GAO/GGD-99-102 Address Change Privacy
Appendix I Comments From the U.S. Postal Service Page 27
GAO/GGD-99-102 Address Change Privacy Appendix II GAO Contacts and
Staff Acknowledgments Bernard L. Ungar, (202) 512-8387 GAO
Contacts Sherrill H. Johnson, (214) 777-5600 In addition to
those named above, Robert T. Griffis, Dorothy M. Tejada,
Acknowledgments Alan N. Belkin, and Jill P. Sayre made key
contributions to this report. Page 28
GAO/GGD-99-102 Address Change Privacy Ordering Information The
first copy of each GAO report and testimony is free. Additional
copies are $2 each. Orders should be sent to the following
address, accompanied by a check or money order made out to the
Superintendent of Documents, when necessary. VISA and MasterCard
credit cards are accepted, also. Orders for 100 or more copies to
be mailed to a single address are discounted 25 percent. Order by
mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC
20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts.
NW) U.S. General Accounting Office Washington, DC Orders may also
be placed by calling (202) 512-6000 or by using fax number (202)
512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of
newly available reports and testimony. To receive facsimile copies
of the daily list or any list from the past 30 days, please call
(202) 512-6000 using a touch-tone phone. A recorded menu will
provide information on how to obtain these lists. For information
on how to access GAO reports on the INTERNET, send e-mail message
with "info" in the body to: info@www.gao.gov or visit GAO's World
Wide Web Home Page at: http://www.gao.gov United States General
Accounting Office Bulk Rate Washington, D.C. 20548-0001
Postage & Fees Paid GAO Permit No. G100 Official Business Penalty
for Private Use $300 Address Correction Requested 240322
*** End of document. ***
|
