NASWA Response to USDOL's RFI on the Confidentiality and Disclosure of State UC Information

Comments in Response to Request for Information on the Federal-State Unemployment Compensation (UC) Program; Confidentiality and Disclosure of State UC Information

Employment and Training Administration
U.S. Department of Labor
200 Constitution Avenue NW
Washington, DC 20210

Re: UI Confidentiality Regulations RFI (Docket No. ETA–2023–0002; RIN 1205–AC11)

On behalf of the National Association of State Workforce Agencies (NASWA), I am pleased to submit this response to the U.S. Department of Labor Employment and Training Administration’s (ETA) Request for Information (RFI) on the Confidentiality and Disclosure of State Unemployment Compensation (UC) Information.

As a non-profit and non-partisan organization, whose membership is comprised of workforce agencies in all fifty states, the District of Columbia, and U.S. territories, NASWA brings a unique and diverse perspective to the challenges facing our nation’s workforce. Our members are on the frontlines of policy development and service delivery for programs as varied as workforce development, unemployment insurance, and labor market information. Our NASWA Attorney Group and our Workforce Labor Market Information Committee contributed significantly to these comments. Please note that we chose to respond to a subset of all of the questions.

A. Part 603.2 Definitions

1. Are there any terms that should be added to § 603.2? If so, what is the recommended definition for any such new § 603.2 term? If you are recommending defining a new term, please provide the reason the term needs to be defined. If you are proposing a revised or new definition, please explain why you recommend this definition or changes.

Response: The following would be helpful guidance for state workforce agencies:

• Clarification that “elected official” includes the state auditor. § 603.2(d).
• Clarification that local workforce boards may have data for WIOA purposes (Q 9 to 15). Under WIOA, “public officials” are on the LWDB’s, and it appears they are entitled to the data, but clarification would be useful.
• Clarification that an employer’s information (i.e. financial documents submitted in response to an audit; number of employees) are confidential.
• Addition of "federally recognized Indian tribes" to the definition of "public official" because tribes are subject to state UI laws and are treated like state and local governmental units.

Claim Information (§ 603.2(a))

2. When State UC agencies receive requests for UC information disclosures, what types of specific claim information are State UC agencies being requested to disclose and for what purposes are the disclosures being requested? For example, are UC information disclosure requestors requesting all information regarding a claim, confirmation that a UC claim exists, all UC information associated with a specific employer, or all UC information associated with a specific time period? Are requestors requesting that State UC agencies provide names and Social Security numbers as part of the request?

Response: The following would be helpful guidance for state workforce agencies:

• Language making it clear that states are not required to disclose information about the reasons why a particular claim was flagged for a fraud investigation or an identity verification.
• Clarification as to whether a claimant is entitled to information submitted by the employer and vice versa, and whether it makes a difference if the request for information is made during the life of a claim or after the claim has ended.

Private Postsecondary Educational Institutions

16. Should private postsecondary educational institutions be given access to confidential UC information? Why or why not?

17. For what purpose would a private postsecondary educational institution request confidential UC information?

18. What types of private postsecondary educational institutions make disclosure requests?

19. Are private postsecondary educational institutions currently receiving confidential UC information? If so, under what conditions?

Response to questions 16 through 19: Many private postsecondary institutions request data. States generally are in favor of maintaining the discretion under the current 3 regulations giving states the ability to accept or decline any particular request from a private postsecondary institution. Private postsecondary educational institutions should not be treated the same as “public officials.”

B. Permissible Disclosures

28. Have State UC agencies received requests for disclosure of confidential UC information (including specific elements of UC data) that do not fall within the existing permissible disclosure requirements but for which State UC agencies or other stakeholders believe State UC agencies should be able to disclose? If so:

1. What are the nature of those disclosure requests and what entities are making the requests?
2. What is the need, benefit, and estimated cost that would be associated with disclosure of confidential UC information to those entities?

Response: It would be useful to allow disclosure to federal grantees, including those that are non-profit private organizations, which need wage records for federal reporting purposes.

Informed Consent Disclosures § 603.5(D)(2)

30. Do State UC agencies require updated informed consent from claimants after a certain period of time? If yes:

1. What is the period of time?
2. How do State UC agencies effectuate these updates?
3. Does the requirement to specify the period of time unnecessarily limit the utility of data obtained via disclosures by informed consent? If so, how?

Response: The current regulation does not specify whether there is a time limit for sharing data. Clarification, in the way of a specific time limit (such as 2 years), would be helpful.

Some states providing input ask that the "benefit to the individual" requirement in 20 CFR 603.5(d)(2)(ii)(A) be removed because it is administratively burdensome for states to make that determination while others would prefer to have the "benefit to the individual" language clarified to define what constitutes a "benefit to the individual" under that regulation." 4

Agents or Contractors of Public Officials (§ 603.5(f))

31. For purposes of permissible disclosures of confidential UC data to public officials for the performance of their official duties, what are the typical industries of the agents or contractors (including, but not limited to, IT) that public officials hire to assist them in the performance of such duties? Are the agents or contractors using subcontractors to perform work for public officials?

32. Are the agents or contractors of public officials redisclosing confidential UC information obtained on behalf of the public official in performance of the public official's duties? If so, under what circumstances and to what entities? Under what circumstances would public officials need to redisclose confidential UC information and to what entities?

33. Are there any differences in how State law defines the terms “agent” and “contractor”? If so, what are the differences?

Response to questions 31 to 33: It would be useful to have a defined standard for agents and contractors.

Bureau of Labor Statistics (BLS) Disclosures (§ 603.5(g))

34. Current § 603.5(g) specifies that permissible disclosures of confidential UC data to BLS for statistical purposes are not subject to the part 603 confidentiality regulations. Should information collected exclusively for statistical purposes under a cooperative agreement with BLS be subject to the requirements of 20 CFR part 603? Why or why not?

35. What safeguards and limits on redisclosure should be in place for disclosures to BLS for statistical purposes?

Response to questions 34 and 35: The states involved with this response agree that the current practice of sharing data with BLS without an MOU should be allowed to continue. It may help to clarify that BLS can re-disclose aggregate and statistical data.

Costs Associated with Permissible Disclosures Costs for Disclosure Recipients

36. What are the potential costs associated with an entity receiving confidential UC information under a new § 603.5 permissible disclosure if they have never received confidential UC information in the past (for example, costs of developing an agreement with the State UC agency, costs associated with ensuring required data security and safeguard requirements)? 5

Response: It may help to have more express language that the requester is responsible for all costs, including the cost of developing an agreement. It may be helpful to have a set cost for an MOU or for particular data points. There are also costs involved in reviewing requests, including requests that are denied.

Direct Access

39. Do State UC agencies permit ongoing or direct access to certain confidential UC data to certain entities outside of the State UC agency? If so:

1. Which entities are permitted ongoing or direct access?
2. How many direct access users have State UC agencies permitted?
3. For how long do State UC agencies grant ongoing or direct access?

40. What are the data risks associated with allowing continuous access to limited types of confidential UC data for certain permissible disclosures? What recommendations do you have for mitigating these data risks?

41. What are the safeguards and security requirements that State UC agencies currently require for disclosure recipients who access confidential UC data via ongoing or direct access? Are there other safeguards or security parameters that should be considered?

Response to questions 39 to 41: Practices vary as to different states.

C. Disclosures by the UC Agency for the Proper Administration of the State's UC Program

42. In the administration of the State's UC program, do State UC agencies disclose confidential UC information to anyone other than State employees (for example, vendors or non-merit staffed service providers) for the purpose of outsourcing activities such as collections, IT, and offsite data storage?

Response: NASWA suggests an addition to the federal regulations to include that states may disclose confidential UC information to the NASWA Integrity Data Hub, which may then share that information with other states. Although USDOL has interpreted current regulations to permit this sharing, having explicit permission for this in the regulations would be helpful for some states.

In addition, access is allowed to vendors for the proper administration. UIPL 12-01, Change 2 discusses confidentiality provisions for contractors. Some states include the 6 confidentiality provisions in their vending contract; other states have a separate confidentiality agreement. A flexible approach to 603.6 is helpful.

D. Required Disclosures

49. What are the potential impacts that would be associated with the Department specifying additional security, safeguards, or agreement requirements related to required disclosures or potential redisclosure to the entities for which disclosure is required under § 603.6(b)?

Response: States may need additional legislative action or rules to incorporate changes to specific requirements. On the other hand, specific security requirements become outdated.

50. Do State UC agencies currently implement additional security, safeguards, or agreement requirements related to required disclosures or potential redisclosure?

Response: Yes, for example, some states require notification of a breach.

51. Which, if any, of the current requirements are burdensome for State UC agencies?

52. What kind of inquiries do State UC agencies receive relating to required disclosures under § 603.6(b)? How often does the State UC agency receive such inquiries?

53. What clarifications could the Department make relating to § 603.6(b) required disclosures that could minimize State UC agency costs associated with fielding inquiries relating to required disclosures?

54. For programs related to the impacts of trade agreements on the workforce system, are there currently any barriers encountered with regard to receiving disclosures of confidential UC information for program operation and utilization?

Response to questions 51 to 54: The states normally have existing Memorandum of Agreements (MOA’s) and procedures for the required disclosures. Representatives from the states making these recommendations are not looking for changes on this.

55. Are the case management systems used by employees of States or local workforce development areas to administer the workforce-related programs provided by the State workforce agency? If not, are the workforce-related case management systems contracted individually by the local workforce development boards?

Response: Some states have overlapping programs between the UI and workforce programs. Things become complicated with the layers in WIOA, and non-profits seeking access. It might be helpful to have permissive disclosures for the WIOA-related organizations that are not public officials.

E. Costs

57. Are there any provisions in the current part 603 related to the payment of costs for which additional clarification or enumeration would be helpful?

Response: States should be allowed to recover costs for the development of a data sharing agreement, the monitoring of executed agreements for compliance, and the auditing of expired agreements. Each of these life-cycle phases requires appropriate levels of conformity with data stewardship requirements. It might be beneficial to clarify that a standard contract fee is permitted. Some, but not all states involved with this response thought it might also be useful to allow states to charge fees greater than actual costs, and to clarify the permissible use of such funds. There is some concern about states spending time responding to requests which are later withdrawn. Clarification about responding to requests (before data is disclosed) would be helpful.

63. Are there State laws (statute or regulations) that govern what State UC agencies must deem an “incidental amount of staff time” or “nominal processing costs” under § 603.8(b)? If so, please provide statutory or regulatory citations to such provisions.

Response: Some states define incidental staff time as less than 2 hours. Other states view incidental costs as a one-time review of a single claimant. The states note that it takes time and resources to bill for the time, and try to reach a balance. It might be useful to have clarification if USDOL views two hours as more than “incidental costs.”

69. The regulation at § 603.8(d) currently provides that “[t]he requirement of payment of costs is met when a State UC agency has in place a reciprocal cost agreement or arrangement with the recipient.” Would it be helpful if the Department clarified what constitutes a reciprocal benefit? If so, how and why?

Response: Yes, it may be useful to have clarification on what constitutes a reciprocal benefit. It would be useful to have a broad definition.

70. Are State UC agencies making disclosures of confidential UC information that they deem to have a reciprocal benefit with the recipient and thus the costs are incurred by the State's Federal UC administrative grant? If so, what is the nature of such disclosures?

Response: Reciprocal benefit usually means an exchange of data.

Safeguards Required of Recipients (§ 603.9(b))

74. Do State UC agencies currently require that recipients of confidential UC information store data in a specific way? If yes:

1. Are these requirements enumerated in State statute, regulations, or State policy? If so, please explain. 8
2. For what types of disclosures do State UC agencies impose requirements relating to storage of data by recipients of confidential UC information?
3. What requirements do you recommend the Department impose relating to data storage? For example, do you recommend requirements related to on-site data storage, cloud storage, centralized data storage with segregated confidential data, or some combination of these approaches?

Response: One requirement is that cloud storage must be in the US. There is a conflict between the language requiring an on-site audit and cloud storage. It might be useful to update the requirements surrounding cloud storage. Most states require some industry standard for storage of data; it might be useful to clarify the standard for security, i.e. FedRamp standards. It would be useful for the regulation to require notification of a data breach, as many states require this, and it would be easier to negotiate if required.

75. What is the maximum amount of time that State UC agencies allow recipients of confidential UC information to retain or store data? Should the Department specify a length of time that a recipient may retain confidential UC information? If yes, what is an appropriate length of time and why? Would this create additional burden for States or recipients of this data?

Response: Most states require destruction when the data is no longer being used. This requires an audit function and incurs costs. The time depends on the use of the data.

76. Should the Department restrict or limit whether or how a recipient of confidential UC information may use that information for a purpose other than those specifically outlined in the § 603.10 disclosure agreement? Why or why not?

Response: The use of the data should be limited to the purpose stated in the MOU. No change in the reg is being requested by those involved with this response.

79. Should the Department require State UC agencies to conduct audits or inspections of recipients of confidential UC information to ensure that the requirements of the State's law and the disclosure agreement are being met? If no, why not? If yes:

1. Should the Department specify how a State UC agency must audit or inspect recipients of confidential UC information to ensure that the requirements of the State's law and the disclosure agreement are being met?
2. What should be the frequency and conditions of such audits or inspections? 

Response: No, audits should not be required, as they are resource intensive. States should have the authority to conduct audits, but they should not be mandated. There should not be audit requirements for some data disclosures, but not other data disclosures.

G. Agreements

98. Do State UC agencies always require an agreement to be in place before disclosing confidential UC information? For what disclosures (if any) do State UC agencies not require an agreement?

Response: The states involved with this response require agreements where required in the current CFR. States have different interpretations as to whether a written memorandum of agreement is required to share data among units or divisions in the same state agency, and clarification would be useful. In many cases, such data sharing is required by WIOA.

99. Do States have standardized minimum requirements for all confidential UC information disclosure agreements (for example, a template is utilized as the starting point for all disclosure agreements)? If so, what language is included in the template? Would it be helpful if the Department provided such a template? Response: Most states have a template as a starting point. It would be useful for USDOL to have a template, to avoid disagreements about language. As states have existing agreements, it would be best for a USDOL template to be optional, not required.

100. For State UC agencies:

1. What is the process associated with executing a new confidential UC information disclosure agreement with disclosure recipients? For example, how much unique language must be developed?
2. What types of State agency staff (including State agency attorneys) are involved in the drafting, review, and approval processes?
3. What is the average time burden or cost associated with executing a new confidential UC information disclosure agreement with disclosure recipients?
4. What is the average time burden or cost associated with modifying an existing confidential UC information disclosure agreement?

Response: The time for developing an MOU varies. Most states have developed internal processes.

102. How are State UC agencies currently ensuring compliance with disclosure agreements? What proportion of confidential UC information disclosure agreements do State UC agencies actively monitor for compliance?

Response: Some states ensure compliance through audit questionnaires.

H. Notifications to Claimants and Employers

104. How do State UC agencies currently provide § 603.11 required notifications?

105. Do States or other stakeholders believe the notification requirements in § 603.11 are sufficient or burdensome, or should additional notifications to claimants and employers be required? If so, please describe.

106. Do States or other stakeholders believe that, to the extent notifications currently provided do not currently include references to data transfers or third-party storage, notifications should include references to data transfers and third-party storage? Why or why not?

107. How would any changes to § 603.11 notification requirements impact the time burden or costs to State UC agencies associated with notification requirements?

Responses to questions 104 to 107: Some states would prefer that the notification requirements be eliminated. All states involved with this response agree that current requirements are more than sufficient and additional references should not be added.

I. State Implementation of Part 603 Changes

108. What types of changes to part 603 would require a State to amend its existing State law (statutory or regulatory provisions)? What specific State laws or regulations might require changes if the Department revises part 603 requirements?

109. If the Department's part 603 regulatory changes would require a State to amend its existing State law (statutory or regulatory provisions), what is the timeline that the Department should consider for a State to make such changes?

Responses to questions 108 to 109: Some states would require as much as 2 years lead time for changes to state regulations. State agencies do not have control over state laws, and may need considerable lead time.

J. Federal UC Program Oversight and Audits

110. Are there currently any impediments to OIG getting access to confidential UC information for the purposes of UC program oversight and audits? This can include statutory, logistical, operational, financial, or any other impediments.

111. Should there be revisions to the regulation to explicitly address that written agreements are not required for disclosure to OIG, consistent with current guidance? If so, please explain why.

112. What, if any, safeguards should be in place for disclosures to OIG for purposes of UC program oversight and audits?

113. Under the current part 603, State UC agencies are permitted to disclose confidential UC information of the purposes of UC program oversight and audits. If State UC agencies were required to disclose confidential UC information to OIG for purposes of UC program oversight and audits, are there any considerations that the Department should be aware of? If so, please describe.

114. If the Department were to specify safeguards, security requirements, or agreement requirements associated with disclosure of confidential UC information to OIG for purposes of UC program oversight and audits, would there be any time burdens or other costs incurred by State UC agencies?

115. How often do States receive OIG requests for confidential UC information for purposes of UC program oversight and audits?

Responses to questions 110 to 115: It would be helpful for the states to be funded for OIG oversight activities. OIG has asked for data that was not readily available; the data needed to be pulled, with a vendor request. Responding to question 111, yes, such explicit language would be helpful.

K. Miscellaneous

121. If the Department revises part 603, what penalties might State UC agencies incur associated with existing contracts?

Response: The states request that the revised provisions should expressly impact contracts executed after the date the new regulations take effect. In other words, any revised provisions should not apply to previously signed contracts.

Thank you for your thoughtful consideration of our comments and know that we welcome the opportunity to engage on this important issue further.

Sincerely,

Julie Squire Vice-President of Policy and General Counsel
National Association of State Workforce Agencies
444 North Capitol St., NW
Suite 300
Washington, DC 20001