Last week, the Office of Management and Budget (OMB) issued supplementary guidance on how federal agencies should protect privacy rights when using the “Do Not Pay” (DNP) list of government contractors.

In a memo issued by OMB Director Sylvia Burwell, the new guidance will “help agencies protect privacy while reducing improper payments under the DNP Initiative.”

Contractors on the DNP list have been declared ineligible for government work because of past actions that resulted in sanctions by a federal agency. The list is comprised of the Social Security Administration’s Death Master File, GSA’s Excluded Parties List System, Treasury’s Debt Check Database, HUD’s Credit Alert System and Credit Alert Interactive Voice Response System, HHS IG’s List of Excluded Individuals/Entities, and other databases designed specially by OMB. Additional information is available on the Treasury Department’s Do Not Pay website.

A presidential memorandum in 2010 initiated the DNP initiative to comply with the Improper Payments Elimination and Recovery Improvement Act of 2102 (IMPERIA), which directed federal agencies to share information to “improve eligibility verification and pre-payment eligibility.”

The Administration launched a special DNP tool last year to help agencies implement the DNP solution. The tool provides agencies with a single port of entry for accessing databases to match and analyze payment files directly against available data sources and checking for payment file irregularities.

The new memorandum (and accompanying guidance) creates new policies to protect privacy while reducing improper payment through the DNP initiative, but does not, OMB emphasized, change the definitions in the Privacy Act.

Under the OMB guidance, only data relevant and necessary to meet the legal requirements of Section 5 of IMPERIA will be included in the DNP list. Agencies must have legal authority to disclose records before they can be shared (such authority is not provided in this guidance). Source agencies must confirm that Treasury (host of the list) provides security controls comparable to those of the source agency.

Records included in the DNP list can only be used, maintained, duplicated, or redisclosed for purposes described in Section 5 of IMPERIA, according to the guidance. Agencies will follow applicable record retention requirements and Treasury will agree to abide by these rules. Treasury take necessary steps to ensure that records are accurate, complete, and up-to-date. Any corrections to data in the list will be made in compliance with the Privacy Act.