APVOFM DRAFT

Mr. Philip M. Heneghan

Chief Privacy Officer
United States Agency for International Development
1300 Pennsylvania Avenue NW
Office 2.12-003
Washington, DC 20523-2120

BY ELECTONIC MAIL TO: privacy@usaid.gov

RE: Notice, Privacy Act system of Records, Federal Regster, Vol. 72, No 136, July 17, 2007, pages
39041-39044

Dear Mr. Heneghan:

This letter is in response to the announcement, published in the Federal Register of July 17, 2007
(pp.39042-4) proposing to establish a “Partner Vetting System” which would collect and maintain
information related to individuals and organizations applying for USAID assistance or acquisition awards.

The Association of Private Voluntary Organization Financial Managers (APVOFM), a membership

organization that represents the chief financial officers and other administrative professionals from more
than 180 organizations that receive grants, cooperative agreements and contracts from USAID, expresses
strong opposition to this effort.

For the reasons listed below, APVOFM, on behalf of our members, urges USAID to withdraw the subject
proposal and reconsider its necessity. If USAID determines that a system of this type is needed, USAID
should only implement it after full due process, consultation with affected organizations, and after taking
all of the procedural steps that are required by federal law and regulation. USAID should agree to follow
the negotiated rule-making process under the Administrative Procedures Act, for this, and we would add,
all other proposals to ensure better systems and implementation. Such a process would allow for the
practical, programmatic implications of such a system to emerge; such an analysis is absent in the notices.

The July 17 notice, and the two related Federal Register notices published shortly thereafter, allow barely
six weeks for comment, and offer little information about the system itself. Moreover, to request
comments during the height of summer vacation, and to have the system take effect the date that
comments are due, indicates no real desire to consider the comments submitted.

Some of our specific concerns include:

1. Absence of Underlying Programmatic Necessity—There is no evidence that USAID funding

has been flowing to terrorist organizations. In fact, the agency’s Office of Inspector General
submitted this conclusion to Congress in its most recent required Semi-annual Report covering the
period October 1, 2006 through March 31, 2007. On page 18 of the subject report, the OIG stated,
“OIG oversight activities during this period did not identify any instances where terrorist
organizations received USAID funds.
Mr. Philip M. Heneghan
August 16, 2007
Page 2

2. Absence of Underlying Legal Justification—USAID’s regulation implementing Office of

Management and Budget Circular A-110 governing administration of grants and cooperative
agreements to U.S. non-governmental organizations and commercial entities states clearly and
explicitly in 22 CFR 226.1 that “USAID shall not (emphasis added) impose additional or
inconsistent requirements except as provided in Sections 226.4 and 226.14, or unless specifically
(emphasis added) required by Federal statute or executive order.” Collecting extensive personal
information about individuals who work for grant applicants or recipients is not authorized by
existing requirements of 22 CFR 226, which is quite explicit about information collection
requirements as it relates to both applications (22 CFR 226.12) and post award performance and
financial reports (22 CFR 226.51-52).

We find that there is no requirement to make this departure. There is no specific statutory
requirement to take this comprehensive action in law that affects USAID exclusively. Neither is
there such a requirement in law that is more broadly based, such as the USA PATRIOT Act.
Further, Executive Order 13324 does not explicitly require such a step. If such a requirement were
present in the latter two sources, “Partner Vetting” would be an activity that every federal award
making agency would be taking.

3. Absence of Office of Management and Budget Clearances—The USAID assistance

administration regulation cited above also contains several provisions that require USAID to
obtain Office of Management and Budget permission or clearance before adding more stringent or
burdensome requirements on grantees than those that are authorized by OMB Circular A-110. We
see no evidence that any of these clearances have either been considered or obtained. They
include:

--Class Deviations (22 CFR 226.4)—The relevant section of the regulation states, “The
Office of Management and Budget (OMB) may grant exceptions for classes of grants or
recipients subject to the requirements of this part when exceptions are not prohibited by
statute. However, in the interest of maximum uniformity, exceptions from the requirements
of this part shall be permitted only in unusual circumstances. USAID may apply more
restrictive requirements to a class of recipients when approved by OMB (emphasis
added). Such approval is to be obtained from OMB’s Office of Federal Financial
Management (OFFM).

--Forms for Applying for Federal Assistance (22 CFR 226.12)—USAID is required to
comply with the applicable report clearance requirements of 5 CFR 1320, entitled
“Controlling Paperwork Burdens on the Public” when it imposes information collection
requirements on ten or more organizations or individuals in the general
public that go beyond those authorized in OMB Circular A-110. These regulations were
issued pursuant to the Paperwork Reduction Act (as amended). The Standard Form 424
series contains no information collection requirements related to data about individual staff
members. We strongly assert that to require such submission in the level of detail (e.g.,
individual social security numbers, etc.) outlined in the July 17 proposal requires a
clearance by the OMB’s Office of Information and Regulatory Affairs (OIRA) that has not
been obtained.
Mr. Philip M. Heneghan
August 16, 2007
Page 3

--Performance and Financial Reporting Requirements (22 CFR 226.51-2)—These

regulatory sections, which impose requirements for assistance recipients to submit periodic
reports to USAID, mirror the application requirements cited above with their specific
reference to the Paperwork Reduction Act regulations. Accordingly, any effort to collect
such information from recipients in a post-award setting, such as those related to prior
issued awards or where updating of information submitted at the application stage is
deemed necessary would require a similar OIRA clearance, which has not been obtained.

4. Absence of GAO Recommendations Concerning Expansion of Vetting Beyond the West

Bank and Gaza—The announcement concerning the proposed Vetting System makes reference to
the statutory requirement for extraordinary procedures that applies to the West Bank and Gaza. In
so doing, it mentions a report issued by the Government Accountability Office (GAO) concerning
its review of that activity. The announcement states that GAO “identified processes and
procedures that could be improved and streamlined with the use of additional information
technology.” We believe USAID mentioned this as a means of suggesting that GAO was
recommending the development of similar procedures and systems worldwide. A complete review
of the GAO report (GAO-06-1062R, September 29, 2006) shows that GAO confined its work and
its recommendations exclusively to the West Bank and Gaza and made no comments on the need
for vetting elsewhere.

5. Adequacy of Governmentwide Certification Systems related to Employer Identification,

Central Contractor Registration, Suspension and Debarment and Terrorist Financing—The
systems maintained by the General Services Administration, related to suspension and debarment,
and the Treasury Department’s Office of Foreign Assets Control, regarding terrorist financing,
appear to have been fully adequate for pre-award screening as demonstrated by such conclusions
as those of the USAID inspector general cited above. Also, information required to be submitted
by grantees and contractors who are individuals, through use of the DUNS number and the Central
Contractor Registration (CCR) process does not need to be duplicated in this proposed system of
records. The current procedures related to terrorist financing have been in place government-wide
for over five years with no apparent need for expansion or modification.

6 Data Security Under the proposed system, paper records would be generated and maintained at
USAID regional locations. It has not been demonstrated that data security at these locations has
been considered and can be maintained. GAO was critical of this aspect of the operation of the
program in West Bank and Gaza and while improvements have apparently been instituted, follow-
up assessment of their adequacy has not occurred.

Another potentially faulty security feature of the system is that “authorized USAID contractors”
would have access to the data involving other contractors and all grantees. That raises a question
as to whether a function that should be performed only by federal employees is being delegated to
certain contractors. The adequacy of the controls instituted over their activities (use of security
clearances and certifications) is also subject to question. Highly publicized breaches in data
security in agencies that have considerably more experience than USAID in collecting personal
Mr. Philip M. Heneghan
August 16, 2007
Page 4

information about those with government business (for example, the Departments of Veterans
Affairs and Education) suggest that any system used in a highly decentralized environment like
that involving USAID must do more than is apparently contemplated to protect personal
information.

7 Chilling Effect---Knowing that sensitive personal information as that proposed will be stored
within a system that is decentralized and to which unknown contractors and agencies will have
access, could well have a chilling effect on individuals choosing to be on NGO Boards of
Directors, individuals choosing to work in the NGO sector, and companies wanting to do business
with the NGO community.

Since NGOs are the most effective way USAID has to implement its foreign policy agenda, it is
especially disconcerting to see it propose processes and systems that can well discourage NGOs,
universities and colleges and for-profit firms from engaging in international work.

8 Lack of due process—The system proposed is one in which neither employers nor employees
would know their status. That USAID would not “confirm or deny that an individual ‘passed’ or
’failed’ screening” (Federal Register July 20, 2007 (pp. 39769-10) puts applicants in an untenable
position. NGOs can expend upwards of $100,000 to respond to RFAs or RFPs. To incur such an
expense for a process in which the organization may not even qualify is wasteful, unfair, and
prone to abuse without any means for accountability.

9 Flow-through—Current clearance procedures related to suspension and debarment and terrorist

financing are imposed by prime grantees and contractors on subgrantees and subcontractors. Many
programs administered by organizations at the first tier involve partnering with such lower tier
organizations. The degree to which information collection related to the employees of these
organizations should have to be effectuated by prime grantees and contractors for inclusion in a
federal government developed and maintained data base raises numerous operational questions
that have clearly not been considered or addressed. It raises a further major legal question, under
the Federal Reports Act and the Paperwork Reduction Act, as to whether federal assistance
recipients can be required to do so as a condition for applying for federal funds.

10 Burden—Organizations receiving or applying for funding from USAID would find providing
information such as that indicated in the notice extremely burdensome. The number of hours
required to compile and keep up to date such information would require an enormous amount of
effort as that information is not currently compiled. In an era when USAID and other funders are
wanting organizations to reduce non programmatic expenses, the Partner Vetting System as
currently described would add significantly to such costs both within the government and at the
implementing agencies. The proposed vetting system, as currently conceived, has not adequately
assessed the cost of collecting and maintaining the information or the benefit of doing so.

Further, organization policies at many agencies expressly prohibit their organization from
providing personal information to outside parties. Laws in countries in which our members and
employees work may also prohibit the giving out of such information.
Mr. Philip M. Heneghan
August 16, 2007
Page 5

11 Lack of consultation--We find it especially troublesome that USAID would collect and maintain
information about individuals from the USAID Partner community without full consultation with
those Partners, or follow the appropriate rule-making process that would allow for such
consultation. This approach directly contradicts commitments voiced by the Administrator-
designate Henrietta H. Fore in her June 12, 2007 testimony to the Senate foreign Relations
Committee, to consult with the affected community on matters of importance.

Further, USAID established a Partners Day Forum four years ago during which USAID meets
with its partners to update and discuss issues of importance. At no time during any of our past
meetings, including one on June 6, did the mention of a partner vetting system get raised or
discussed. It was only by reading the Federal Register Notice that our community learned of this
proposal. No effort was made to alert the Partner community about the notice.

We strongly urge USAID to withdraw the Partner Vetting System proposal. This Association will closely
monitor all aspects of policymaking and implementation and will, at every juncture, do everything we can
to pursue privacy protection, burden reduction, and administrative realism.

Sincerely,
Alison N. Smith
Executive Director