TN 6 (11-23)

DX 00101.020 Data Exchange Agreement Types

A. Data exchange agreements

The Social Security Administration (SSA) uses data exchange agreements to govern its data exchange activities. A data exchange agreement establishes and outlines the terms and conditions that SSA and the data exchange partner agree to adhere to in order to exchange legally permissible information. The agreement may also include the costs of the exchange, when applicable. The terms of a data exchange agreement depend on the factors surrounding the exchange, such as how the partner will use the data and the frequency of the exchange. The signatory for an agreement depends on the type of agreement, and whether the agreement is reimbursable.

This section of policy provides a general overview of the types of data exchange agreements under the purview of the Office of Data Exchange, Policy Publications, and International Negotiations (ODEPPIN) and is not meant to be an all-inclusive list of all agency-related data exchange agreements.

B. Associated definitions

The following definitions are associated with SSA’s data exchange program.

  1. 1. 

    Computer matching (matching program) is defined as any computerized comparison of

    1. a. 

      two or more automated systems of records or a system of records with non-Federal records for the purpose of establishing or verifying the eligibility of, or continuing compliance with statutory and regulatory requirements by, applicants for, recipients or beneficiaries of, participants in, or providers of services with respect to, cash or in-kind assistance or payments under Federal benefit programs, or recouping payments or delinquent debts under such federal benefit programs, or

    2. b. 

      two or more automated Federal personnel or payroll systems of records or a system of Federal personnel or payroll records with non-Federal records.

  2. 2. 

    Computer Matching and Privacy Protection Act (CMPPA) of 1988 (Pub. L. 100-503) - The CMPPA amended the Privacy Act of 1974 (5 U.S.C. 552a) to add procedural requirements for agencies to follow when engaging in computer matching activities.

  3. 3. 

    Federally-administered – Managed by a United States (U.S.) agency.

  4. 4. 

    Federally-funded - Funded by the U.S. Government.

  5. 5. 

    Federal Register - Published by the Office of the Federal Register, National Archives and Records Administration (NARA), the Federal Register is the official daily publication for rules, proposed rules, and notices of Federal agencies and organizations, as well as executive orders and other presidential documents.

  6. 6. 

    Office of Management and Budget (OMB) Circular No. A-108 - OMB circular titled Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act. This circular provides information on Federal Register requirements for matching programs.

  7. 7. 

    Recipient agency - Any agency, or contractor thereof, receiving records contained in a system of records from a source agency for use in a matching program.

  8. 8. 

    Non-Federal agency - Any State or local government, or agency thereof, which receives records contained in a system of records from a source agency for use in a matching program.

  9. 9. 

    Source agency - Any agency which discloses records contained in a system of records to be used in a matching program, or any State or local government, or agency thereof, which discloses records to be used in a matching program.

  10. 10. 

    Federal benefit program - Any program administered or funded by the Federal Government, or by any agent or State on behalf of the Federal Government, providing cash or in-kind assistance in the form of payments, grants, loans, or loan guarantees to individuals.

  11. 11. 

    State-administered – Managed by a State agency.

  12. 12. 

    12. State-funded – Funded by a State government.

Note: 

Refer to OMB Circular No. A-108 Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act for more information on Federal Register requirements for matching programs.

C. Data exchange agreement categories

SSA governs a data exchange by one or more of the following types of agreements:

Type of Agreement

Elements Included in the Agreement

Administrative (or Legal) Agreement
  • purpose

  • legal authority

  • data definitions (optional)

  • scope of work or responsibilities of parties

  • description of records to be exchanged

  • procedures for retention/destruction

  • data security and safeguards

  • reimbursement information

  • duration, modifications, and terminations

  • dispute resolution or correction

  • integration clause

  • disclaimer

  • persons to contact

  • authorization and signatures

Financial Agreement
  • financial responsibilities

  • general itemization of cost for work performed

  • frequencies associated with the data exchange

  • yearly estimated volumes or actual volumes when possible

  • financial contacts

  • duration, modifications, and termination

  • integration clause

  • disclaimer

  • authorization and

    signatures

Security Agreement
  • software and hardware requirements to assure the security of the exchange of SSA’s data

  • other requirements that the Federal Information Security Management Act (FISMA) outlines as necessary considerations

  • security contacts

  • authorization and

    signatures

D. Administrative agreements

The Office of the General Counsel (OGC) plays an important role in drafting administrative data exchange agreements and providing legal counsel for the exchange process. They evaluate new data exchange requests and provide disclosure policy and legal guidance on lawfully sharing data with other Federal, State, local, and private entities.

1. Types of administrative agreements

An administrative agreement outlines the legal terms and conditions for a particular data exchange. SSA uses four types of administrative agreements:

a. Matching Agreement or Computer Matching Agreement (CMA)

A CMA is a written agreement between a recipient agency and a source agency that is required by the CMPPA for parties engaging in computer matching to make eligibility or entitlement determinations for a federal benefit program. A CMA is also required if the purpose of the matching program is to recoup payments or delinquent debts in a federal benefit program. A CMA must include the terms and conditions governing that data exchange, which includes: the legal authority that permits that data exchange, the parties involved, and other requirements set forth in the CMPPA. CMAs are effective for 18 months, but can be renewed for an additional 12 months.

When implementing a CMA, SSA must:

  • Obtain comments and clearance from OGC,

  • Obtain comments and clearance from the Data Integrity Board (DIB),

  • Obtain the appropriate signatures from both agencies, including from the DIB Chair,

  • Report the matching program to OMB and Congress when SSA is the recipient agency, and

  • Publish the CMA in the Federal Register when SSA is the recipient agency.

    NOTE: A cost benefit analysis (CBA) is required for all CMAs, unless an exception applies.

b. Information Exchange Agreement (IEA)

An IEA is a written agreement that outlines the terms, conditions, and safeguards under which SSA exchanges information. We may cover a data exchange by an IEA if the data exchange does not meet the technical definition of a “matching program” in accordance with the CMPPA. IEAs do not require DIB clearance, OMB or Congressional notification, Federal Register publication, or a CBA. SSA uses IEAs to cover certain data exchanges with both Federal and State agencies.

When implementing an IEA, the agency must:

  • Obtain comments and clearance from stakeholders,

  • Obtain comments and clearance from OGC,

  • Obtain approval for the IEA from the Office of Finance OF), as applicable, and

  • Acquire the appropriate signatures from both agencies.

There are several types of IEAs used to document and facilitate agency data exchanges:

103A of Strengthening Protections for Social Security Beneficiaries Act of 2018 IEA

This agreement forth the terms, conditions, and safeguards under which the State’s foster care agency will disclose information regarding children in foster care to SSA. SSA will use the data to: (1) determine the appropriate representative payee (payee) for represented minor beneficiaries who have entered or exited foster care or changed foster care placement location; (2) determine whether a payee is appropriate for unrepresented minor beneficiaries who have entered foster care; and (3) identify when the State is responsible for an overpayment issued to a minor beneficiary. Each party is responsible for its own costs or expenditures incurred in performing its responsibilities under this agreement.

Achieving a Better Life Experience (ABLE) IEA

This agreement sets forth the terms, conditions, and safeguards under which the State or State Agency will disclose ABLE account statements on distributions and account balances of all ABLE accounts to SSA. SSA uses the data to verify the accuracy of information applicants and recipients furnish concerning eligibility for the Supplemental Security Income (SSI) program. Each party is responsible for its own costs or expenditures incurred in implementing this agreement.

Help America Vote Act (HAVA) IEA

Help America Vote Act (HAVA) IEA HAVA of 2002, P.L. 107-252 requires States to verify the information of newly registered voters for Federal elections. Each state must establish a computerized state-wide voter registration list and verify new voter information with the State’s Motor Vehicle Administration (MVA) or verify the last four digits of the Social Security number (SSN).

The purpose of this agreement is to establish the terms, conditions, and safeguards under which SSA provides verification of the name, date of birth, and last four digits of the submitting SSN for new voter registration applicants, who do not have a driver’s license, to State and Territory MVAs. SSA also sends an indication of whether our records show that the applicant is deceased.

Interstate Benefit Inquiry (IBIQ) IEA

This agreement establishes the terms, conditions, and safeguards under which SSA accesses, via a single electronic query, wage and unemployment information of the State agency through the Interstate Connection Network (ICON). SSA uses the information to establish and verify eligibility and payment amounts under certain benefit programs administered by SSA. There is no cost to SSA for access to this information.

IEA-F – Federally-funded programs

This is an agreement between SSA and the State or State agency that accompanies the state level or agency level CMPPA agreement, i.e., the CMPPA agreement is an attachment to the IEA-F. The IEA-F describes in additional detail the type of data SSA discloses for the program(s) specified in the agreement, as well as the authorized data exchange system(s), data delivery method, and additional security requirements. The IEA- F covers Federally-funded, State-administered programs.

Note: 

SSA waives CBAs for CMPPA agreements between SSA and the State.

IEA-S – State-funded, State-administered programs

This is a stand-alone agreement between SSA and the State or State agency that contains the same detailed information in the IEA/F, with the exception that this agreement covers State-funded, State-administered programs. SSA may not charge the State or State agency for the data SSA provides under its established IEA/S as determined by the Commissioner of SSA. Any new, approved requests for SSA data for a State or State agency’s administration of a State-funded benefit programs are provided at cost to the State agency and typically documented via the Reimbursable IEA (R-IEA).

Motor Vehicle Administration (MVA) IEA

This agreement establishes the terms, conditions, and safeguards under which SSA will provide Social Security number (SSN) verifications via an overnight batch to the MVA. The MVA uses the SSN verifications for the purposes of administering its drivers’ licenses and identification card programs.

Reimbursable Information Exchange Agreement (R-IEA)

This is an agreement between SSA and the State agency for the State agency’s administration of State-funded programs (as identified in the agreement). There is a charge to the State agency for the SSA data provided under this agreement; SSA must seek reimbursement for the costs of performing data exchanges for the State agency’s administration of State-funded programs.

SSA Access to State Records Online (SASRO) IEA

This agreement establishes the terms, conditions, and safeguards under which SSA accesses, via a single electronic query, certain information from the State Agency. SSA uses the information to update SSA files of individuals, to assign SSNs, and to establish and verify eligibility and payment amounts under certain benefit programs administered by SSA, as required under Titles II and XVI of the Act. There is no cost to SSA for access to this information.

Social Security Online Verification (SSOLV) IEA

The purpose of this agreement is to establish the terms, conditions, and safeguards under which the American Association of Motor Vehicle Administrators (AAMVA) will provide connectivity, billing services, and staff a help desk for State Motor Vehicle Administrations and other state agencies charged with administering identification card programs (collectively, MVAs) for SSA. SSA will provide SSN verifications through AAMVA’s network to assist MVAs in administering their driver’s license and identification card programs.

State Transmission or Transfer Component (STC) IEA

SSA uses STC agreements to outline the terms, conditions, and safeguards of the data exchange. The STC must define the State agency who receives SSA data through the STC. An STC serves as a conduit between SSA and the specified State agency or agencies that receive SSA data under the conditions of separate agreements with SSA.

The role of the STC under this agreement is limited to that of a conduit, responsible for transmitting or transferring only the authorized data files between SSA and the applicable State agency for the administration of their approved program(s). The STC is not responsible for the Federal agency’s use, access, or disclosure of the authorized data once the STC transmits or transfers the authorized data. An STC requires the Office of Information Security (OIS) to perform an on-site Security Compliance Review every three years.

c. Memorandum of Understanding (MOU)/Memorandum of Agreement (MOA)

An MOU and an MOA is a formal written administrative agreement that details the responsibilities of each party to the agreement and the terms and conditions under which each party will operate. SSA uses an MOU or an MOA for a data exchange when the direct results of the data sharing does not adversely affect an individual’s cash benefits, for research and statistical purposes, or in cases where the data we are sharing is not a result of a computerized match of two federal systems.

When implementing a data exchange agreement that is an MOU or an MOA, the agency must:

  • Send the data exchange agreement for review by all stakeholders of the agreement,

  • Send the data exchange request to OGC and OF for review and approval, and

  • Acquire the appropriate signatures from both agencies, if approved.

d. Model Agreements

A model agreement is a standard agreement template that SSA creates to use when a data exchange will occur with several states or private entities involving the same type of data for the same purpose and use. We call them model agreements, because these agreements are not unique in nature and usually have identical agreement terms. Since the agreement terms are identical, it is more efficient for the agency to create the same agreement for these data exchange partners and distribute, as the agency deems appropriate and necessary. A model agreement for a state exchange is generally an IEA or CMA, but can be an MOU.

Once SSA Headquarters-level components approve and sign a model agreement, other AC-level components and Regions become the signing authorities for each data exchange established under the model agreements under their purview.

2. Administrative Data Exchange Agreements Comparison Chart

Type of Agreement/Topic

CMA

IEA

MOU/MOA

Governing Law Computer Matching and Privacy Protection Act (CMPPA) of 1988 Privacy Act of 1974 Privacy Act of 1974
Type of Exchange

Computer Matching Program

Non-matching Data Exchanges Covers all other exchanges that do not meet the CMA and IEA requirements, such as research agreements.
What is it?

A computerized comparison of records for the purpose of:

  • Establishing or verifying eligibility for a Federal benefit program, and

  • Recouping payments or delinquent debts under such programs.

 

An electronic comparison of data for the purpose of establishing eligibility for a Federal benefit program or verifying information on individuals that is not a matching program as defined in the CMPPA .

An electronic comparison of data for the purpose of:

  • Gathering aggregated data for statistical purposes, or

  • Obtaining data used for research or collecting information as a lead.

Lifecycle

30 months

(18 months + 12 month re-establishment)

The Privacy Act does not specify a maximum time-frame for IEAs Note: The IEAs/F and IEAs/S require signature on a Certification of Compliance Document every 30 months The Privacy Act does not specify a maximum time-frame for MOU/MOAs
Examples

Administration of Federally- funded benefit programs such as:

  • Temporary Assistance for Needy Families (TANF)

  • The Department of Labor's Unemployment Insurance (UI) programs

  • Supplemental Nutrition Assistance Program (SNAP)

  • Data exchange for verifying eligibility for Medicare where the State administers the benefit on behalf of the Federal government

  • Verifying and updating individual records

  • Non-programmatic exchanges between SSA and other government and private entities.

 

  • Social Security Number Verification Service data exchange

  • Data exchanges for research and statistical data between SSA and other government and private entities, such as universities

NOTE: The Office of General Law, Division 1, advises on the type of agreement to use to establish a data exchange.

E. Financial Agreements

A financial agreement is a written document that details the cost of services that SSA provides or that another agency provides to SSA. OMB Circular A-25 establishes Federal policy regarding the fees assessed for government services. You can also refer to 31 U.S.C. § 1535, Economy Act, which requires that all Federal agencies recover full cost of direct and indirect cost of goods and services.

SSA has the authority to charge for a data exchange as well as pay other agencies that provide data to SSA. SSA uses two types of financial agreements for data exchanges: Interagency Agreements (IAA) and Reimbursable Agreements (RA).

1. IAA

An IAA is established when a Federal agency agrees to perform work for SSA and SSA reimburses the agency for that work. The agency receives payment for the work regardless of whether the agency’s employees or contractors working for the agency performs the work. The IAA package includes an Interagency Agreement Data Sheet (Form SSA-429), an MOU or an MOA identifying the provisions of the agreement, and a clearance memorandum from OGC.

2. RA

An RA is established when an agency or entity (Federal or non-Federal) requests SSA to perform non-programmatic related work and the agency or entity reimburses SSA for that work. The RA obligates SSA to commit resources to perform work at a mutually agreed upon price and must be cleared by SSA’s OGC and the Office of Budget, Finance, and Management (DCBFM). RAs set forth each party's responsibilities and the terms and conditions under which SSA will provide information or services to the requesting agency or entity, as well as each party's legal and financial obligations. The term "Reimbursable Agreement" includes both an administrative agreement and the appropriate financial form. NOTE: An RA is not required for data exchanges if legislation requires SSA to enter into a data exchange at no cost to the other agencies or if SSA establishes a mutual benefit for both agencies.

F. Interconnection Security Agreement (ISA)

Data exchanges require secure connections to exchange the data over a network. Therefore, the Office of Information Security (OIS) evaluates all data exchanges to determine the level of interconnection security needed to assure that any data SSA shares is secure. An ISA is a security agreement that specifies the technical and security requirements for planning, establishing, and maintaining an interconnection between SSA’s information systems and the information systems of external entities. SSA mandates that any Federal system, contractor, or agency that interacts directly with SSA’s network must have an ISA. Although SSA only enters into ISAs with Federal entities, SSA is responsible for ensuring the FISMA requirements are applied by stewards of the data with whom we share information. As such, the applicable data exchange agreement or contract must appropriately address the US Government information security requirements. The Office of Data Exchange and International Agreements (ODXIA) should ensure that all necessary data exchange agreements are valid for each data exchange under ODXIA’s purview.

G. References

DX 00101.001 Overview of the Data Exchange Program

GN 03301.000 Law and Regulations - Disclosure/Confidentiality

GN 03313.000 Disclosure to Federal Agencies and Officials

GN 03314.000 Disclosure to State and Local Agencies and Tribal Authorities


To Link to this section - Use this URL:
http://policy.ssa.gov/poms.nsf/lnx/2400101020
DX 00101.020 - Data Exchange Agreement Types - 11/17/2023
Batch run: 11/17/2023
Rev:11/17/2023