March 27, 1998
MEMORANDUM FOR:
RAYMOND J. UHALDE
Acting Assistant Secretary for Employment
and Training
/ s /
FROM:
JOHN J. GETEK
Assistant Inspector General
for Audit
SUBJECT:
Iowa Workforce Development
Final Audit Report No. 05-98-003-03-315
The attached subject final report is submitted for your resolution action. We request a response to this report within 60 days.
You are responsible for transmitting a copy of this report to the Iowa Workforce Development.
If you have any questions regarding this report, contact Preston Firmin, Regional Inspector General in Chicago at (312) 353-2416.
Attachment
Background 1Chapter 2 -- Informed Consent
Principal Criteria 1
Objective, Scope, and Methodology 2
Is IWD in compliance with the UIPL and applicable State laws governingChapter 3 -- Safeguards
confidentiality and disclosure? 4
Are adequate controls in place to ensure that privacy is adequately protectedChapter 4 -- Income and Costs
once the data are in the hands of private interests? 6
Is the State's accounting for costs and revenues applicable to the VIEAppendix A
Agreement adequate? 15Did VIE pay for all additional equipment and system design changes
necessary to provide the services? 18
Excerpts from Iowa Code 19Appendix B
Analysis of Audits Performed 22Appendix C
Iowa Workforce Development Response to Draft Report 25
AE Auditing Entity
Agreement
The Agreement between IWD and VIE dated
September 22, 1995
DOL U.S. Department of Labor
FCRA Fair Credit Reporting Act
IWD Iowa Workforce Development
OIG Office of Inspector General
SESA State Employment Security Agency
UI Unemployment Insurance
UIPL Unemployment Insurance Program Letter
UIS Unemployment Insurance Service (DOL)
VIE
Verification of Income and Employment, Inc. (A division of Norwest Mortgage,
Inc.)
The DOL Office of Inspector General (OIG) has completed a program audit of the first State Agreement subject to the UIPL. We audited the procedures associated with the Agreement between Iowa Workforce Development (IWD) and Verification of Income and Employment, Inc. (VIE) for the period August 1, 1995 through May 19, 1997.
The audit objective was to answer the following questions regarding IWD's compliance with UIPL No. 23-96:
1. Is IWD in compliance with the UIPL and applicable State laws governing confidentiality and disclosure?To answer the audit objective, we interviewed key IWD and VIE staff, audited receipts and disbursements of IWD fund ledgers for the VIE project, reviewed IWD internal controls, and tested compliance with the provisions of UIPL No. 23-96.
2. Are adequate controls in place to ensure that privacy is adequately protected once the data are in the hands of private interests?
3. Accounting:
a. Is the State's accounting for costs and revenues applicable to the VIE Agreement adequate?
b. Did VIE pay for all additional equipment and system design changes necessary to provide the services?
Our audit disclosed that:
1. require IWD to develop written policies and procedures for conducting periodic audits of VIE's audit process to assure that each subscriber has on file a written release authorizing each access;IWD officials generally concurred with our audit findings. (See IWD's complete response in Appendix C.)
2. require IWD to develop written policies and procedures for conducting periodic audits to assure that the information is not being misused; and
3. direct the Unemployment Insurance Service to monitor VIE project revenues received by IWD to ensure that excess revenues are used only for UI purposes, in accordance with UIPL No. 23-96.
In September 1995, Iowa Department of Employment Services, now known as Iowa Workforce Development (IWD) entered into an Agreement with Verification of Income and Employment, Inc. (VIE), a wholly owned subsidiary of Norwest Mortgage, Inc. The Agreement allows VIE to obtain electronic access to state unemployment insurance (UI) wage reporting records for the purpose of consumer credit verification. VIE, in turn, has Agreements with subscribers who can access the wage records through VIE. The purpose of the Agreements is to provide consumers with a vehicle to expedite the loan approval process by furnishing their wage record information to third party lending institutions. Access is based upon the consent of the individual consumer whose wage record is the subject of the inquiry.
On May 31, 1996, the Unemployment Insurance Service (UIS) issued Unemployment Insurance Program Letter (UIPL) No. 23-96 to clarify the Department of Labor's position regarding disclosure. In summary, the Department permits the disclosure of wage records if state law permits such disclosure and if certain conditions related to informed consent, safeguards, and income and costs are satisfied.
Principal Criteria:
Objective
The audit objective was to answer the following questions regarding IWD's compliance with UIPL No. 23-96:
1. Is IWD in compliance with the UIPL and applicable State laws governing confidentiality and disclosure?Scope2. Are adequate controls in place to ensure that privacy is adequately protected once the data are in the hands of private interests?
3. Accounting:
a. Is the State's accounting for costs and revenues applicable to the VIE Agreement adequate?b. Did VIE pay for all additional equipment and system design changes necessary to provide the services?
IWD entered into an Agreement with VIE on September 22, 1995. We audited
the IWD fund ledgers and procedures associated with the Agreement from
project startup on
August 1, 1995 through February 28, 1997. We performed a reconciliation
of IWD and VIE inquiry files for the period January 20 through April 19,
1997. We then selected a sample of 141 IWD transactions during the period
April 20 through May 19, 1997, to determine if there was a written release
authorizing each access and if it contained the required language. Fieldwork
was conducted from March 18, 1997 through
January 22, 1998.
Methodology
To answer the audit objective, we interviewed key IWD and VIE staff, audited receipts and disbursements of IWD fund ledgers for the VIE project, reviewed IWD internal controls, and tested compliance with the provisions of UIPL No. 23-96. Work was performed at IWD offices in Des Moines, Iowa; VIE headquarters in West Des Moines, Iowa; and selected subscribers in the Des Moines metropolitan area.
The audit was performed in accordance with Government Auditing Standards as issued by the Comptroller General of the United States.
This report addresses IWD's compliance with the requirements of UIPL No. 23-96 as follows:
Is IWD in compliance with the UIPL and applicable State laws governing
confidentiality and disclosure?
We focused our review on:
a. determining if the State statutes permit disclosure, anda. State Law Regarding Disclosureb. ensuring that the individual signed a release form, and that it contained a clear statement informing the individual that the credit company may use information from State government files.
Section 303 (a) (1) of the Social Security Act has long been interpreted to prohibit disclosure of claimant and employer UI information. The UIPL No. 23-96 was issued to clarify the Department of Labor's position regarding disclosure, which is summarized in the statement:
. . . provided certain conditions are met, no issues are raised with respect to Federal UI law requirements when State law permits the information to be released.We reviewed the following provisions of Iowa Code (included in Appendix A) in an attempt to determine if State law permits the information to be released:
The UIPL No. 23-96 further stipulates:
States must assure that all statements or forms provided under the terms of any Agreements require the informed consent of the individual to use the State's records.From the very beginning, the IWD Agreement with VIE required that a release be obtained from the individual prior to requesting wage records. The VIE Subscriber Agreement likewise required the same and provided a sample consent form.
To satisfy the requirements of UIPL No. 23-96, an Addendum to the Agreement, dated February 4, 1997, revised the sample consent form to include language that the applicant authorizes the lender to verify employment and income history from such sources as Federal or state records, including State Employment Security Agency (SESA) records.
We selected a random sample of 141 IWD transactions during the period April 20 through May 19, 1997, to determine if there was a written release authorizing each access and if it contained the required language. Our testing disclosed five errors.
We believe IWD has complied with the informed consent provision to include a written release authorizing each access and that it contain the required language.
IWD Response:
IWD officials concurred with our conclusions.
Are adequate controls in place to ensure that privacy is adequately
protected once the data are in the hands of private interests?
For purposes of discussion, we divided the UIPL No. 23-96 Safeguard
provision into four parts:
A. Written assurancesA. Written assurances:
B. Audit requirements
C. Termination provisions
D. Criminal penalties
States must safeguard the confidentiality of the UI information once a private entity has been granted access to it. In cases where the private entity is acting as a gateway and passes the information along to a subscriber or client, States must obtain written assurances from the private entity that such subscribers will also safeguard the confidentiality of the information and that the information may be used only for the specific credit transaction authorized by the individual's release.To safeguard the UI data, IWD included controls in the Agreement with VIE. Per the Agreement, VIE must "take reasonable steps to assure that such information is not misused by the parties or any other person." In addition, "VIE agrees to take precautions to secure any access devices which allow access to Department's (IWD) wage record information."
VIE implemented safeguards to: 1) restrict access of the password to
only supervisory personnel, 2) restrict access to the system to key personnel,
3) require the operator's initials on each inquiry, and 4) secure the access
system within the facility. The Agreement also requires VIE to retain the
wage record information for 24 months. In addition, VIE must "hold the
wage record information confidential and shall not use it for any purpose
other than as required by FCRA [Fair Credit Reporting Act] Section 609,
including but not limited to preparation of any future reports on that
individual."
Only companies who are approved members of our service, certify that they have a permissible purpose for obtaining credit reports and obtain prior, written consent from the consumer, are permitted access to the credit information in our database.The Subscriber Agreement also contains the following requirements:
- Your VIE subscriber number and password must be protected . . . known only to key personnel.
- Any system access software . . . must have your VIE subscriber password "hidden" or embedded so that the password is known only to supervisory personnel. Each user . . .must then be assigned unique logon passwords.
- Your VIE subscriber number and password are not to be released by telephone. . . .
- The ability to obtain credit information from VIE must be restricted to a few key personnel.
- Any terminal devices . . . should be placed in a secure location within your facility. Access . . . should be difficult for unauthorized persons.
- Operator's initials or user ID are to be included on each inquiry made to VIE.
- Any devices/systems . . . should be turned off and locked . . .when unattended by your key personnel.
- Hard copy VIE consumer reports are to be secured . . .and protected against release or disclosure to unauthorized persons.
- Hard copy VIE consumer reports are to be shredded when they are no longer needed. . . .In summary, IWD has obtained reasonable written assurances from VIE that subscribers will also safeguard the confidentiality of the information and that the information may be used only for the specific credit transaction authorized by the individual's release.
The UIPL No. 23-96 stipulates the following audit requirements:
States must periodically audit a sample of transactions accessing the wage records to assure that the private entity has on file a written release authorizing each access and that the information is not being misused or stored in a database for resale or other unauthorized purpose to assure that no access is made to the wage records without authorization. If the private entity acts as a gateway and audits its subscribers, it will be sufficient for the State to periodically audit the gateway's audit process. . . . System security through increased audits and other means must be such that any breach will be easily detected.This provision requires that audits meet two criteria: 1) that the private entity has on file a written release authorizing each access; and 2) that the information is not being misused.
1. Audit to Assure a Written Release Authorizing Each Access:
IWD has not developed written policies and procedures for conducting periodic audits of the gateway's (VIE) audit process to assure that a written release is obtained authorizing each access.
The gateway (VIE) has been auditing the subscribers monthly since the inception of the Agreement with IWD. VIE's audits historically have determined if 1) there is a consent form signed by the consumer, and 2) the consent form advises the consumer that the subscriber may use information from SESA records. The results are reported to IWD in VIE's monthly billing reports. We believe that the VIE audit meets the gateway's UIPL No. 23-96 requirement for sampling transactions to assure a written release authorizing each access.
The UIPL also requires the State to audit VIE's audit process periodically. During the 19-month period we reviewed, the IWD Investigations and Recovery Bureau conducted one internal audit of VIE. However, the audit did not determine if the subscriber has on file a written release authorizing each access, and if it contained the required language, as required by UIPL No. 23-96. Instead, the audit focused on surveying consumers to determine if they applied for credit and signed a release. Furthermore, IWD did not audit VIE's audit process. (See Appendix B.)
Therefore, we believe IWD needs to develop written policies and procedures
for conducting periodic audits of the gateway's (VIE) audit process for
compliance with the UIPL No. 23-96 requirement that each subscriber has
on file a written release authorizing each access.
IWD has not developed written policies and procedures for conducting periodic audits to assure that the information is not misused.
This provision may be met in two ways: the State may conduct the audit to assure the information is not misused, or the gateway may conduct the audit, providing the State periodically audits the gateway's audit process. While the UIPL recognizes that no system is foolproof, system security through increased audits and other means must be such that any breach will be easily detected.
VIE, as the gateway, has not performed any procedures to assure the information is not misused. Furthermore, during the 19-month period we reviewed, the IWD auditors conducted one review of security procedures at VIE and visited two subscribers to review safeguards. (See Appendix B.) At the time of the review, there were approximately 100 subscribers. We do not consider this one-time, limited review of two subscribers adequate assurance that the information is not misused, as required by UIPL No. 23-96.
To illustrate the effect of not auditing to assure that the information is not misused, we noted the following examples of unauthorized access during our review:
C. Termination provisions:
The UIPL No. 23-96 stipulates the following termination provisions:
The State must be able to terminate the Agreement if it determines that the confidentiality provisions are not adhered to. The Department also recommends that the Agreement should contain a definite expiration date so that the State is assured an opportunity to periodically evaluate such disclosure.The original Agreement was to continue until terminated by either party, by providing the other party 180 days notice of such termination. The Addendum adds that the Agreement "may be terminated by the SESA upon written notification to VIE, should VIE violate any term, condition, duty or requirement imposed by this Agreement. . . . In the event that the violation of this Agreement consists of a serious and flagrant breach of the requirements for prior written consent or the confidentiality or security of information pursuant to this Agreement and VIE has demonstrated a lack of control over its subscribers with continuation of the breach being probable, the SESA may terminate access within 24 hours after providing written notice of the breach via fax communication." The paragraph goes on to provide cure provisions.
IWD has provided for adequate termination provisions in the Agreement with VIE. However, neither the Agreement nor the Addendum contain a provision for a definite expiration date as recommended in the UIPL No. 23-96. The Assistant Secretary for Employment and Training may deem it appropriate to suggest to the Iowa Workforce Development to consider adding a definite expiration date to the Agreement with VIE.
D. Criminal penalties:
The UIPL No. 23-96 stipulates the following regarding criminal penalties:
All employees of private entities must be subject to the same confidentiality requirements -- and State Criminal penalties for violation of those requirements -- as are employees of the State UI agency.VIE and its subscribers are bound by the confidentiality requirements of the Fair Credit Reporting Act (FCRA), because they meet the definition of a credit reporting agency in Section 603(f) of the Act.
Any person who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses shall be fined not more than $5,000 or imprisoned not more than one year, or both.The Agreement states:
VIE agrees that it will comply with the FCRA with respect to the wage records both as a Credit Reporting Agency and as a User, and that its Agreements with its subscribers will require the subscriber to comply with the FCRA as a User.The Agreement includes Exhibit 1C, FCRA Acknowledgment, which is required to be signed by each subscriber. Exhibit 1C refers to Section 619 of the FCRA.
Attached to the Subscriber Agreement is a document entitled, "Access Security Requirements," which also includes this FCRA provision.
The Iowa Code also provides criminal penalties. Section 96.11(6)(f) provides for violations of the confidentiality requirements:
An employee of the division, an administrative law judge, or a member of the appeal board who violates this subsection is guilty, upon conviction, of a serious misdemeanor.We found no other relevant State statutes concerning violations of confidentiality requirements. However, the FCRA penalties adopted in the Agreements are more severe than the State Statutes penalty. Therefore, we believe IWD is in compliance with this provision of the UIPL No. 23-96.
We recommend that the Assistant Secretary for Employment and Training require that the Iowa Workforce Development comply with UIPL No. 23-96 by:
a. developing written policies and procedures for conducting periodic audits of VIE's audit process to assure that each subscriber has on file a written release authorizing each access; andIWD Response:b developing written policies and procedures for conducting periodic audits to assure that the information is not being misused.
IWD officials concurred with all our conclusions in chapter 3, except those relating to audit requirements. The response indicates they have drafted and implemented written audit standards.
The response goes on to cite recent audits which IWD officials believe demonstrate compliance with the UIPL No. 23-96 requirement that the State audit the gateway periodically. It details audits conducted by the IWD Investigations and Recovery Bureau, the OIG, and KPMG Peat Marwick LLP. The response indicates IWD officials also believe the monthly VIE audit process ensures security and assures that the information is not being misused.
Auditor's Conclusion:
We analyzed the audits conducted by the IWD Investigations and Recovery Bureau and KPMG Peat Marwick LLP and concluded that neither met the UIPL requirement that the State, at a minimum, audit the gateway's audit process to assure the subscriber has on file a written release authorizing each access and that the information is not being misused. See Appendix B for our analysis.
We also reviewed the document entitled "IWD Audit Procedures and Policies
for VIE," which was recently drafted to address our audit recommendations.
Our analysis on the adequacy of these procedures in meeting the two audit
criteria stipulated in the UIPL
No. 23-96 is as follows:
Audit to Assure a Written Release Authorizing Each Access:
In the Procedures and Policies, IWD has delegated to VIE the responsibility
for assuring there is a consent form signed by the consumer and the consent
form advises the consumer that the subscriber may use information from
SESA records. We believe these
IWD intends to use an independent auditing entity (AE) to:
-review each of VIE's randomly selected audited transactions to ensure VIE has completed its procedures for auditing the transaction; andWe believe these AE procedures, when implemented, will meet the State's UIPL-select a sample of VIE's audited transactions and send the consumers a copy of the consent form to confirm that the signature on the form is theirs.
We consider Recommendation No. 1 resolved, but not closed, until the policies and procedures have been implemented.
Audit to Assure Information is Not Misused:
IWD has delegated to VIE the responsibility for assuring that information is requested only for a permissible purpose. VIE will use its monthly audit process to validate that the user has a permissible purpose (as demonstrated by a copy of the consumer's credit application) for access to IWD wage records.
IWD intends to use the AE procedures to ensure that VIE is performing its duties to assure that the information is not being misused.
However, the Procedures and Policies are silent about ensuring that the following safeguards in the Subscriber Agreement are met:
- Your VIE subscriber number and password must be protected . . . known only to key personnel.
- Any system access software . . . must have your VIE subscriber password "hidden" or embedded so that the password is known only to supervisory personnel. Each user . . . must then be assigned unique logon passwords.
- Your VIE subscriber number and password are not to be released by telephone. . . .
- The ability to obtain credit information from VIE must be restricted to a few key personnel.Therefore, there is little assurance that the wage data is not being misused or stored in a data base for resale or other unauthorized purpose after the initial credit application is processed.- Any terminal devices...should be placed in a secure location within your facility. Access . . . should be difficult for unauthorized persons.
- Operator's initials or user ID are to be included on each inquiry made to VIE.
- Any devices/systems . . . should be turned off and locked . . . when unattended by your key personnel.
- Hard copy VIE consumer reports are to be secured...and protected against release or disclosure to unauthorized persons.
- Hard copy VIE consumer reports are to be shredded when they are no longer needed. . . .
We consider Recommendation No. 2 unresolved.
Is the State's accounting for costs and revenues applicable to
the VIE Agreement adequate?
For purposes of discussion, we divided the UIPL No. 23-96 Income and
Costs provision into three parts:
A. UI allowable costsA. UI unallowable costs:B. State protection for claims
C. Use of revenue
The UIPL No. 23-96 stipulates the following regarding unallowable costs:
Under both the SSA [Social Security Act] and the OMB Circular No. A-87, costs of disclosing information for non-UI purposes are not allowable because such cost items are not necessary or reasonable for proper and efficient performance and administration of the Federal award allocated to carry out the State's UI program.Section 303(a)(8) of the Social Security Act requires, as a condition for a state to receive administrative grants, that the State law provide for:
. . . the expenditure of all moneys received...solely for the purposes and in the amounts found necessary by the Secretary of Labor for the proper and efficient administration of such State law. . . .Departmental regulations at 29 CFR 97.22 (Allowable Costs), state in part:
(b) Applicable cost principles. For each kind of organization, there is a set of Federal principles for determining allowable costs. Allowable costs will be determined in accordance with cost principles applicable to the organization incurring the costs. The following chart lists the kinds of organizations and the applicable cost principles.OMB Circular No. A-87, Cost Principles for State, Local and Indian Tribal Governments, Part C. Basic Guidelines states:For the costs of a--State, local or Indian tribal government, Use the principles in--OMB Circular A-87. . . .
1. Factors affecting allowability of costs. To be allowable under Federal awards, costs must meet the following general criteria:According to the IWD records, the VIE project had a cash balance of $18,410 as of February 28, 1997. However, the VIE project fund ledgers showed a negative cash balance each month from inception until an adjustment for staff salaries was made in June 1996. During the period July 1996 through February 1997, the VIE project had a negative cash flow in 5 of the 8 months.a. Be necessary and reasonable for proper and efficient performance and administration of Federal awards.
We recalculated the staff salaries and related costs for each month of the VIE project through February 1997. We found that by allocating the adjustment monthly, there was only a negative cash balance in the months when startup costs were incurred, prior to the VIE reimbursement.
IWD officials have informed us that future staff salaries will be allocated in the month in which they occur.
B. State protection for claims:
The UIPL No. 23-96 stipulates the following state protection for claims that may arise:
The Department recommends that any Agreement with a private entity should provide protection to the State for claims that may arise from any unauthorized use of UI records obtained under the Agreement.OMB Circular No. A-87, Attachment B - Selected Items of Cost, states in part:
20. Fines and penalties. Fines, penalties, damages, and other settlements resulting from violations (or alleged violations) of, or failure of the governmental unit to comply with, Federal, State, local, or Indian tribal laws and regulations are unallowable except when incurred as a result of compliance with specific provisions of the Federal award or written instructions by the awarding agency authorizing in advance such payments.In the Agreement with IWD ("the Department"), "VIE agrees to hold the Department harmless from any and all claims . . . made by anyone resulting from the release of wage records by the Department to VIE. . . . VIE will maintain a bond in the amount of $25,000 in favor of the Department at all times to secure this hold harmless obligation."
We reviewed VIE's surety bond, bond rider and certificate of insurance, and found them in compliance with OMB Circular A-87, the UIPL, the Agreement and the Addendum.
C. Use of revenue:
Departmental regulations at 29 CFR 97.25, Program Income, state in part:
(g) Use of program income.The UIPL No. 23-96 authorizes the states to add the revenue generated by the disclosure of UI wage records to the UI program funds:(2) Addition. When authorized, program income may be added to the funds committed to the grant Agreement by the Federal agency and the grantee. The program income shall be used for the purposes and under the conditions of the grant Agreement.
It is the Department's position that income generated by a State UI agency from the sale of its wage records must be used only as necessary for the proper and efficient administration of the UI program pursuant to administrative requirements for grants to the States. (See 29 C.F.R. 97.25 (g)(2) and ET Handbook No. 336, the "Program and Budget Plan.") Therefore, States may not use any money generated by the disclosure authorized under this UIPL for any non-UI purposes. For example, income from sales may not benefit a State's general fund or another program.We found that VIE project revenue exceeded costs by $18,410 at February 28, 1997. However, no steps have been taken to apply the excess revenues to UI operations. IWD officials have provided the OIG with written assurance that any and all excess revenue from the VIE project will be used solely to fund unemployment compensation programs in the State of Iowa.
The Agreement between IWD ("the Department") and VIE provides:
VIE shall reimburse the Department for pre-approved costs incurred by the Department for system modifications necessary to the initial establishment of the services herein described; such costs may include, but are not limited to, application program and system conversion, file or database conversion, hardware acquisition, software acquisition, and security system enhancements.As part of our review of the VIE project fund ledgers, we reviewed the separate fund ledger IWD established to track startup costs. We reviewed the costs of system design changes and additional equipment, totaling $39,586. We found them to be complete. IWD was reimbursed $40,760 in December 1995, which covered all these costs. In addition, in accordance with the Addendum, an additional $25,000 was received in February 1997 "to cover data processing and related additional start-up costs."
Recommendation:
We recommend that the Assistant Secretary for Employment and Training direct the Unemployment Insurance Service to monitor VIE project revenues received by IWD to ensure that excess revenues are used only for UI purposes, in accordance with UIPL No. 23-96.
IWD Response:
IWD officials concurred with our conclusions on Income and Costs.
Auditor's Conclusion:
Our finding and recommendation remains unresolved until ETA monitors
the VIE project revenues for compliance with UIPL No. 23-96.
Section 22.11 - Fair Information Practices:
Each state agency as defined in chapter 17A shall adopt rules which provide for the following:
...d. The procedures for allowing a person to review a government record about that person and have additions, dissents, or objections entered in that record unless the review is prohibited by statute.Section 17A.2 - Definitions:e. The procedures by which the subject of a confidential record may have a copy of that record released to a named third party.
As used in this chapter:
1. "Agency" means each board, commission, department, officer or other administrative office or unit of the state. . . .Section 96.11 - Iowa Employment Security Law, Duties, powers, rules--privilege:
6. Records, reports and confidentiality. . . .
b. (1) . . . The department shall not disclose or open this information for public inspection in a manner that reveals the identity of the employing unit or the individual, except as provided in subparagraph (3) or paragraph "c."(3) . . . Information in the department's possession that may affect a claim for benefits or a change in an employer's rating account shall be made available to the interested parties. The information may be used by the interested parties in a proceeding under this chapter to the extent necessary for the proper presentation or defense of a claim.
c. Subject to conditions as the department by rule prescribes, information obtained from an employing unit or individual in the course of administering this
chapter and an initial determination made by a representative of the department under section 96.6, subsection 2, as to benefit rights of an individual may be made available for purposes consistent with the purposes of this chapter to any of the following:Uniform Rules Chapter X - Fair Information Practices:(1) An agency of this or any other state or a federal agency responsible for the administration of an unemployment compensation law or the maintenance of a system of public employment offices. . . .
Agency No. -- X.7(17A,22) Consent to disclosure by the subject of a confidential record. To the extent permitted by any applicable provision of law, a person who is the subject of a confidential record may have a copy of the portion of that record concerning the subject disclosed to a third party. A request for such a disclosure must be in writing and must identify the particular record or records that may be disclosed, and the particular person or class of persons to whom the record may be disclosed (and, where applicable, the time period during which the record may be disclosed). . . .
871 (Workforce Development) Chapter 42 - Public Records and Fair Information Practices:
The department of workforce development hereby adopts the rules of the Governor's Task Force on Uniform Rules of Agency Procedure relating to public records and fair information practices which are printed in the first Volume of the Iowa Administrative Code with the following exceptions and amendments:
...871 -- 42.7(22,84A) Consent to disclosure by the subject of a confidential record. Remove the parentheses around "(and, where applicable, the time period during which the record may be disclosed)". . . .
871 -- 42.11(22.84A) Release to a subject. 42.11(1) The subject of a confidential record may file a written request to review a confidential record about that person as provided in rule 42.6(22,84A). However, the agency shall not release the following records to the subject:
. . . d. As otherwise authorized by law.
The division of job service of the department of employment services hereby adopts the rules of the Governor's Task Force on Uniform Rules of Agency Procedure relating to public records and fair information practices which are printed in Volume I of the Iowa Administrative Code with the following exceptions and amendments:
. . . 345 -- 8.7(22,96) Consent to disclosure by the subject of a confidential record. Remove the brackets around "(and, where applicable, the time period during which the record may be disclosed)". Also, in lieu of the words "(Additional requirements may be necessary for special classes or records)", insert "If the agency is required to obtain from a third party a confidential record about the subject to establish eligibility under a program administered by the agency, the agency has the authority under Iowa Code subsection 96.11(8) to obtain a confidential record deemed necessary for the administration of Iowa Code chapter 96.
Audit to Assure a Written Release Authorizing Each Access:
The IWD Investigations and Recovery Bureau conducted one internal audit of VIE in January 1997. The auditors reviewed procedures at VIE, but failed to address the UIPL No. 23-96 requirements that the subscriber has on file a written release authorizing each access, and that it contain the required language. The auditors reported that this was too difficult to perform in a limited time.
Instead, the auditors randomly selected 50 transactions from the IWD
log of VIE inquiries. They sent a questionnaire to the 50 consumers associated
with transactions. The questionnaire asked the consumer if he/she (a) applied
for credit in the past 90 days and (b) signed a release so the IWD wage
records could be accessed. The IWD Investigations and Recovery Bureau
reported the following results from the sample:
Description | Number of Responses | Percentage |
Consumer did not respond | 33 | 66% |
Consumer responded that he/she applied for credit: | ||
|
11 | 22% |
|
2 | 4% |
|
4 | 8% |
Total sample | 50 | 100% |
Nevertheless, this limited sample of the consumers did not accomplish the objectives required in the UIPL No. 23-96 (the subscriber has on file a written release authorizing each access and that it contain the required language).
VIE engaged KPMG Peat Marwick LLP to review VIE's processes and records to validate compliance with VIE's Agreements to the SESAs, including the State of Iowa. The Agreed-Upon Procedures Audit selected a sample of 50 of VIE's audited transactions and agreed the social security number on the VIE log to the consent form obtained from the subscriber. The report does not address whether the consent forms contained the required language. VIE, on behalf of the auditors, also sent copies of the consent forms to the 50 consumers for verification, requesting only negative confirmations and that they be sent to KPMG Peat Marwick LLP. The report states that no exceptions were noted, but does not disclose the response rate.
Neither of the audits described above met the UIPL No. 23-96 requirement that the State at a minimum audit the gateway's audit process to ensure the subscriber has on file a written release authorizing each access and that it contain the required language.
The OIG subscriber audit was not performed under the auspices of IWD. We selected a random sample of 141 IWD transactions during the period April 20 through May 19, 1997, to determine if there was a written release authorizing each access and if it contained the required language. Our testing disclosed five errors.
Audit to Assure Information Is Not Misused:
As part of the IWD Investigations and Recovery Bureau internal audit
of VIE in
January 1997, the auditors:
found no cases of unauthorized access in our limited review, the opportunity for abuse still exists.
The response concludes that VIE's monthly audit ensures detection of
any lending institution which would use wage record access as a locator
tool. Although the audit ensures detection of any subscriber in VIE's audit
sample which would use the wage record access as a locator tool, it does
not prevent any subscriber from using the system as a locator tool, as
noted in the preceding paragraph. In addition, the subscriber in this example
was not terminated until the practice was reported by the OIG.
[ Return
to Audit Reports ]
[ Return to Audit Reports (Text Only)
]
[ Return
to OA Home Page ]
[ Return to OA
Home Page (Text Only) ]