There’s a continuous stream of headlines about global regulations aimed at protecting data privacy for individuals, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Clearly, people are becoming aware of the impacts of government regulations and policies. But it’s a bit ingenuous to think that the scope of regulations affecting data management policies and procedures is limited to privacy protection laws. Numerous legislative actions can affect an organization’s data management protocols. In many cases, legislators aren’t fully aware of the scope of those impacts.
Double-dipping: A case in point
Let’s look at an example. In 2015, "The Social Security Disability Insurance and Unemployment Benefits Double Dip Elimination Act of 2015" bill was introduced in the US House of Representatives and the Senate. Without providing the full historical context, the US government provides certain types of benefits to individuals under certain circumstances. Generally:
- Individuals with disabilities – those who can’t work due to a medical condition expected to last over a year – are entitled to certain benefits.
- Alternatively, individuals who have been laid off from a job are entitled to unemployment insurance benefits. This is temporary financial assistance until the individual finds a new job.
You might immediately see the issue. A person collecting disability benefits (because he/she is unable to work) should not also collect benefits intended for someone who has been laid off from a job! The idea behind the proposed bill was to identify people receiving Social Security Disability and unemployment benefits at the same time. This is called "double dipping" because such individuals are receiving benefits from two programs presumed to be mutually exclusive. This article provides a good explanation of the motivation for the proposal.
You can read the full text of the Senate bill. It was intended to amend the text in Title II of the Social Security Act to state that an individual receiving one of these two benefits is ineligible to receive the other. But the most interesting part comes when you try to assess the impact on a company’s data management practices. This text is located near the end of the bill, in a line that says:
"(c) Data Matching. The Commissioner of Social Security shall implement the amendments made by this section using appropriate electronic data."
Data matching – The key to enforcement
In very broad terms, this punts the actual enforcement of the rule against double dipping over the wall to the data team. Indeed, this simple sentence hides a relatively complex data management issue. It implies that there must be some method for periodically (at least monthly) matching the list of disability insurance beneficiaries against the list of unemployment insurance beneficiaries to determine if any individual appears to be “double dipping.”
Fundamentally there are two cases where this might happen. The first is inadvertent – where individuals don't know about the restriction and mistakenly apply for both benefits at the same time. The second case is purposeful – where individuals are aware of the restriction and make a fraudulent attempt to receive both benefits.
Whether purposeful or not, the enforcement process has significant data management dependencies, such as:
- The availability of a system or data set containing identifying information (e.g., name, SSN, residential address) associated with unemployment insurance beneficiaries.
- The availability of a system or data set containing identifying information (e.g., name, SSN, residential address) associated with disability insurance beneficiaries.
- The ability to make a “time-synchronized” version of both of those data sets available.
- A system for identity resolution (matching entities in one data set against entities in the other data set) to identify individuals receiving both benefits at the same time.
- A reporting mechanism to alert a compliance official about individuals who appear on both lists.
Fraudulent behavior complicates data management efforts
With these capabilities, you could certainly identify double-dippers. But it’s complicated to implement the mechanism. Consider how hard it is to coordinate data management tasks across different groups, or different agencies – particularly in the context of government IT. And when fraudulent behavior is involved, people who are deliberately trying to get both benefits may tweak some of their identifying data. For example, people attempting to hide what they’re doing could use a nickname or a middle initial in one application but not in the other.
With fraudsters at work, the underlying data management challenge spirals. It means you'll need technical support for a record matching process. It also requires using approximate matching (fuzzy matching) to identify deliberate obfuscation.
Reflecting on this example, it’s clear that meeting the objectives of public policy is not always so straightforward. Directives in legislative proceedings can have a significant impact on data management practices. Training data management professionals to be aware of public policy procedures can help to streamline development and implementation of compliance processes.Learn about personal data protection from SAS