Skip to content
https://rgearshop.com/

Resistance Kitty

The sassiest cat fighting fascism

  • Home
  • About
  • News
  • Comics
  • Survival Guides
  • EpsteinWiki
  • Resistance Directory
  • The Butterfly Bureau
  • Merch & Mayhem
  • Subscribe
  • Toggle search form

RSG #307: How To Trace Government Data Sharing Agreements

Posted on July 10, 2026July 10, 2026 Dr. Harmony By Dr. Harmony No Comments on RSG #307: How To Trace Government Data Sharing Agreements

Resistance Survival Guide #307

Government information does not always remain with the agency that originally collected it. A person may provide an address to receive health care, income information to pay taxes, identification records to obtain a license, or family details to apply for public assistance. That information may later be transferred, matched, searched, or accessed by another agency for an entirely different purpose.

Data sharing can happen through a formal memorandum, a vendor platform, a shared database, an automated programming connection, or a standing account that allows one agency to search another agency’s records. The arrangement may be legal and publicly disclosed. It may also be poorly documented, broader than officials admit, or implemented before meaningful public review.

In April 2025, the Electronic Frontier Foundation examined an information sharing agreement between the IRS and ICE. In February 2026, the Brennan Center for Justice published an analysis of confidential agreements connected to federal requests for state voter files. In January 2026, EFF also reported that an ICE targeting tool developed by Palantir was drawing from Medicaid and other government information, based on court testimony and reporting by independent technology outlet 404 Media. These cases demonstrate why the public must follow the records, not merely the official explanation.

This Resistance Survival Guide explains how to identify a suspected data exchange, locate the documents that authorize it, determine what information is moving, map every participating organization, and document whether the arrangement includes meaningful privacy protections.

Why Government Data Sharing Deserves Public Scrutiny

Information collected for one purpose can become more powerful when it is combined with information from another source. A database containing addresses may appear limited. When it is connected to employment records, vehicle information, health records, immigration files, utility accounts, voter records, or location data, it can produce a detailed profile of an individual or household.

The central question is not simply whether two agencies share information. Investigators must determine which data fields are shared, how often the exchange occurs, who can search the system, whether contractors have access, how long the information is retained, whether it can be passed to additional organizations, and what happens when the information is wrong.

Federal agencies are generally expected to conduct Privacy Impact Assessments when certain systems collect, maintain, or use personal information. These assessments are intended to explain how information is collected, stored, shared, and managed. Agencies that maintain qualifying systems of personal records may also publish System of Records Notices describing the categories of records, the people covered, the purposes of the system, and approved routine uses.

A published privacy document does not prove that the program is safe, lawful, accurate, or limited. It gives investigators a set of official claims that can be compared with agreements, contracts, technical documents, access logs, public statements, and actual practices.

Learn The Language Of Data Sharing

A memorandum of understanding often describes the broad relationship between participating organizations. A memorandum of agreement may contain more operational detail. A data use agreement can establish permitted uses, prohibited uses, security responsibilities, retention requirements, and procedures for reporting a breach.

An information sharing agreement may describe the legal authority for an exchange and the conditions under which records can be disclosed. An interconnection security agreement may explain how two computer systems connect. A service level agreement may describe system availability, maintenance, support, and performance obligations.

A Privacy Impact Assessment examines privacy risks associated with a program or system. A privacy threshold analysis is often used internally to determine whether a full assessment is necessary. A System of Records Notice describes a federal system containing records retrieved by a personal identifier. Its routine uses can reveal circumstances in which records may be disclosed outside the agency.

A records retention schedule states how long particular records should be preserved and when they may be destroyed. A data dictionary identifies the fields contained within a database. An access control policy explains which users may enter the system and what permissions they receive. An audit log records searches, downloads, account activity, or other system events.

Never assume that the agency uses the exact terminology you expect. Request memoranda, agreements, appendices, exhibits, amendments, policies, procedures, contracts, account forms, technical specifications, and records sufficient to explain the exchange.

Step by Step Guide

Step One: Define The Suspected Information Flow

Begin with a precise research question. Identify the agency that originally collected the information, the organization suspected of receiving it, the program involved, and the approximate period when the exchange may have started.

Write the suspected flow as one sentence. For example, a state health agency may be transferring applicant addresses to a federal enforcement agency through a contractor operated platform. This sentence is a working hypothesis, not a conclusion.

Record every known system name, program title, vendor, agency division, official, contract number, public statement, legislative reference, and date. Search for acronyms and alternate spellings. Government systems frequently have a public program name, an internal project name, and a separate contract title.

Step Two: Search Public Privacy Records Before Filing Requests

Search the agency website for Privacy Impact Assessments, privacy threshold analyses, System of Records Notices, data inventories, information sharing reports, records schedules, privacy policies, public notices, meeting materials, procurement files, and inspector general reports.

Search the Federal Register for the agency name, system name, program title, and phrases such as system of records, routine use, matching program, computer matching agreement, and modified system. System notices can identify data sources, recipient categories, disclosure purposes, retention rules, and contact information for the responsible office.

Recent Federal Register notices demonstrate that agencies continue to modify routine uses to permit new disclosures among government systems. A January 2026 notice, for example, described changes to general routine uses for certain CIA systems. A February 2026 Treasury notice described categories of users and purposes for external disclosure. These notices illustrate why investigators should search both current and superseded versions.

Save every relevant document immediately. Record the title, publication date, revision number, source address, and date accessed. Public pages and files can be replaced or removed.

Step Three: Identify Every Participating Organization

Do not limit the investigation to the two agencies named in a public announcement. Look for state agencies, county departments, city offices, federal components, contractors, subcontractors, cloud providers, data brokers, nonprofit partners, universities, fusion centers, task forces, and technology vendors.

A contractor may operate the platform even when the government owns the data. A local agency may contribute information to a state system that is searchable by federal users. A vendor may combine government records with commercially purchased data. Each participating organization creates another possible source of records.

Build a simple organization map. Place the source agency on one side and the apparent recipient on the other. Add every intermediary, platform, contractor, and oversight office between them.

Step Four: Locate The Claimed Legal Authority

Search laws, regulations, executive orders, agency policies, grant requirements, appropriations language, court orders, and program rules for the authority cited by officials.

Separate authority to collect information from authority to disclose it. An agency may have clear permission to collect data for administering benefits without having unlimited authority to transfer that data for enforcement, intelligence, election administration, or another unrelated purpose.

Look closely at phrases such as authorized by law, compatible purpose, routine use, program integrity, fraud prevention, national security, public safety, and administrative necessity. These phrases can conceal important disagreements about the limits of an agency’s authority.

Record the precise section of law cited in each agreement. Then read the actual provision instead of relying on the agency’s summary.

Step Five: Request The Agreement From Both Sides

Submit a public records request to every public organization that may possess the agreement. Requesting the same record from both the sender and recipient can produce different versions, attachments, redactions, emails, and processing notes.

Federal requests must be submitted to the agency or component likely to possess the records. A federal request must be in writing and reasonably describe the records sought. Federal FOIA does not require an agency to create a new record, answer questions, conduct research, or perform an analysis for the requester. Ask for existing records rather than explanations.

State and local requests must use the applicable state public records law. Requirements, response periods, exemptions, fees, and appeal procedures vary considerably. The nonprofit MuckRock public records guide provides state specific starting points and request tools without relying on a corporate news platform.

Step Six: Request The Full Agreement Family

Do not ask only for the memorandum of understanding. Request every related memorandum of agreement, data use agreement, computer matching agreement, interconnection security agreement, contract, purchase order, amendment, appendix, exhibit, statement of work, privacy review, security review, implementation plan, standard operating procedure, training document, and termination notice.

Agencies may produce a short agreement while withholding the attachment that contains the actual data fields and operational rules. Make clear that the request includes current, expired, superseded, draft, renewed, and amended versions.

Ask for records sufficient to identify the effective date, expiration date, renewal process, participating organizations, signatories, program managers, legal reviewers, privacy reviewers, security reviewers, and records officers.

Step Seven: Identify The Exact Data Fields

Request the data dictionary, database schema, file layout, field list, interface specification, query guide, user manual, sample report, template, and records sufficient to identify every category of data exchanged.

The difference between sharing a name and sharing a name, home address, Social Security number, medical identifier, vehicle plate, citizenship field, telephone number, family relationship, and geolocation history is enormous. Broad phrases such as identifying information or relevant records are not sufficient.

Determine whether the exchange includes complete records, selected fields, search results, confidence scores, alerts, links, images, documents, or derived assessments. Ask whether blank, unknown, disputed, or outdated values are included.

Step Eight: Determine How The Information Moves

Identify whether data is transferred through email, secure file transfer, a shared portal, a direct database connection, an automated programming interface, scheduled batch uploads, manual searches, or a contractor platform.

Request technical diagrams, interface descriptions, implementation guides, transmission schedules, connection approvals, account request forms, and records sufficient to show the frequency and method of transfer.

A system that provides occasional manual responses creates different risks from a system that allows thousands of automated searches. Record whether the exchange occurs in real time, daily, weekly, monthly, after a specific event, or whenever a user chooses to search.

Step Nine: Trace User Access And Search Authority

Request policies describing which employees, agencies, task forces, contractors, and external partners may receive accounts. Ask for records showing user roles, permission levels, approval requirements, training requirements, account reviews, suspension procedures, and rules governing bulk searches.

Request aggregate account totals by agency, division, contractor, and user category. Request records sufficient to show how many searches, matches, exports, alerts, downloads, and disclosures occurred during a defined period.

Detailed logs may contain private information or legitimate security material. Ask for segregable records and aggregate data that can be released without exposing personal information, passwords, credentials, or system vulnerabilities.

Step Ten: Follow The Contractors And Vendors

Search USAspending, SAM.gov, state procurement portals, local payment records, meeting agendas, contract registers, and vendor databases.

Request contracts, statements of work, invoices, payment records, performance reports, implementation schedules, subcontractor lists, licensing agreements, data processing terms, and vendor communications.

Determine whether the vendor can retain, analyze, combine, sell, reuse, or disclose government information. Look for language covering derivative data, analytics, artificial intelligence models, product improvement, aggregated information, subcontractors, and ownership.

EFF reported in January 2026 that ICE had expanded contracts involving location surveillance, social media surveillance, facial surveillance, spyware, and telephone surveillance. Its independent Homeland Security spending guide explains how to trace federal awards, solicitations, and vendors through public databases.

Step Eleven: Request The Communications That Created The Arrangement

Request communications among program officials, attorneys, privacy officers, records officers, contractors, agency leaders, and participating organizations.

Use a defined date range and identify likely custodians. Include email messages, attachments, calendar invitations, meeting agendas, notes, presentations, briefing papers, text messages on official systems, decision memoranda, approval records, and communications with vendors.

Search terms should include the system name, project name, vendor, agreement title, relevant acronym, contract number, and participating agency names. Avoid a request for every communication about data sharing. That language is likely to produce delays, high fees, or an objection that the request is too broad.

Step Twelve: Examine Retention, Deletion, And Correction Rules

Request records explaining how long transferred data remains available, when it is deleted, whether backups are included, and whether the recipient can create a permanent copy.

Determine what happens when the source agency corrects a record. Does the correction automatically reach the recipient? Can a person challenge inaccurate information? Is there an appeal process? Does the agency notify previous recipients that information was incorrect?

Request complaint records, correction requests, error reports, audit findings, compliance reviews, disciplinary records, and records showing unauthorized searches or disclosures. Ask for aggregate or redacted versions when individual privacy is involved.

Step Thirteen: Compare Official Claims With Operational Records

Create a verification table containing the official claim, the document supporting it, the document contradicting it, the date, the responsible organization, and the unresolved question.

A privacy assessment may claim that access is limited to trained users. Account records may show that outside contractors also received access. An agreement may prohibit downstream sharing. A routine use may permit broad disclosure. A public statement may describe occasional matching while a technical document describes daily automated transfers.

Treat each contradiction as a reporting lead. Do not assume that every inconsistency proves misconduct. It may reflect an outdated policy, poor record keeping, a program change, or different definitions used by separate offices. Seek another document before reaching a conclusion.

Step Fourteen: Appeal Incomplete Searches And Excessive Redactions

Read the agency response carefully. Check which offices were searched, which custodians were contacted, what date range was used, which search terms were applied, and whether attachments were included.

Appeal when the agency searched the wrong office, omitted obvious custodians, failed to include attachments, ignored part of the request, withheld entire documents without considering partial release, or cited an exemption without explaining how it applies.

Ask the agency to identify the volume of withheld material and release all reasonably segregable portions. Request a revised search when the response suggests that only one side of the agreement was examined.

For federal disputes, the Office of Government Information Services mediation program can help requesters and agencies address FOIA disagreements. An administrative appeal may still be necessary to preserve legal rights.

Step Fifteen: Publish The Data Flow, Not Just The Documents

A folder full of agreements is difficult for the public to understand. Convert the findings into a clear information flow map.

Show the source organization, recipient, intermediary, vendor, data categories, transfer method, frequency, access groups, legal authority, retention period, downstream recipients, oversight process, and correction procedure.

Distinguish documented facts from reasonable inferences. Link every major conclusion to the supporting record. Include unanswered questions and missing records.

Remove Social Security numbers, medical identifiers, home addresses, account credentials, information about minors, survivor information, and other sensitive personal details before publication. Accountability reporting should expose systems and decisions without exposing the people contained in the databases.

Public Records Request Template

Under the applicable public records law, I request electronic copies of all current, expired, superseded, proposed, and draft memoranda of understanding, memoranda of agreement, data use agreements, information sharing agreements, computer matching agreements, interconnection security agreements, contracts, appendices, exhibits, amendments, statements of work, and standard operating procedures governing the transfer, disclosure, query, matching, search, or access of records between [source organization] and [recipient organization] concerning [program or system] from [starting date] through the date this request is processed.

This request includes records sufficient to identify the categories and fields of information exchanged, the purpose of the exchange, the legal authority relied upon, the frequency and method of transfer, the organizations and user groups permitted to access the information, the approval process for access, the number of authorized accounts, the role of contractors or subcontractors, the retention period, deletion procedures, correction procedures, audit requirements, downstream sharing permissions, and procedures for reporting misuse or unauthorized disclosure.

This request also includes Privacy Impact Assessments, privacy threshold analyses, System of Records Notices, routine use notices, data dictionaries, database schemas, file layouts, technical diagrams, user guides, training materials, account request forms, access policies, aggregate search totals, compliance reviews, audit reports, complaint records, error reports, security incident summaries, and records management schedules associated with the program.

Please search the records of [identified offices and custodians]. Please include email messages and attachments, meeting invitations, agendas, notes, presentations, decision memoranda, legal reviews, privacy reviews, security reviews, approval records, and communications with participating agencies or contractors.

Please provide responsive records in their original electronic format when available. Spreadsheets and structured data should be provided in a machine readable format rather than converted to images. Please release all reasonably segregable portions of any partially exempt record. For each withholding or redaction, please identify the legal basis and explain how it applies.

I request a waiver of fees because disclosure will contribute to public understanding of government operations and is not primarily intended to further a commercial interest. I intend to analyze and publish the findings for public education. Please notify me before processing if anticipated fees will exceed [amount].

How To Read A Data Sharing Agreement

Begin with the definitions section. Agencies may define data, authorized user, recipient, program purpose, or confidential information more narrowly or broadly than ordinary readers would expect.

Read the permitted use language and compare it with the stated purpose of the original data collection. Then review every exception. Language allowing use for investigations, fraud prevention, public safety, legal compliance, program integrity, or any authorized governmental purpose may expand the arrangement far beyond its headline description.

Examine the access provisions. Identify who approves accounts, whether contractors qualify, whether shared credentials are prohibited, whether periodic account reviews are required, and whether users must document a reason for each search.

Read the retention and deletion provisions carefully. A rule requiring the source file to be deleted may not cover downloaded reports, screenshots, derived records, investigative files, backups, or data incorporated into another system.

Review the audit language. A promise that activity may be audited is weaker than a requirement for regular audits, written findings, corrective action, and suspension of organizations that misuse the system.

Finally, inspect the amendment and termination clauses. Agencies may be able to expand the program through an attachment or written approval without signing a completely new agreement.

Warning Signs That Require Deeper Investigation

  • A missing attachment is a major warning sign because operational details are often placed outside the main agreement.
  • An agreement signed after the program began may indicate that information was exchanged before the rules were finalized.
  • A Privacy Impact Assessment that predates a major program expansion may no longer describe the actual system.
  • A broad routine use may allow disclosure to more organizations than the named agreement suggests.
  • A contract that permits vendors to create analytics or derivative data may give the company rights not apparent in the agency’s public description.
  • An agency that claims it has no agreement may still provide access through a regional network, task force, shared vendor, statewide platform, grant condition, or informal account arrangement.
  • A system without a clear correction process can spread inaccurate information across multiple agencies without an effective way to repair the damage.

Independent Research Resources

MuckRock provides public records filing tools, state law guides, request examples, and a public archive of agency correspondence.

The Electronic Frontier Foundation publishes investigations, technical analysis, public records findings, and guides concerning surveillance, government technology, data brokers, and privacy.

The Electronic Privacy Information Center tracks privacy law, System of Records Notices, government databases, data broker practices, and agency compliance.

The Brennan Center for Justice publishes research on voter records, government databases, election administration, surveillance, and the use of personal information in election related programs.

The Federal Register provides official notices concerning federal systems, routine uses, computer matching programs, and proposed agency actions.

FOIA.gov provides federal request instructions, agency contacts, annual statistics, and information about appeals and fees.

Closing

Tracing a government data sharing agreement requires more than finding a single memorandum. The real investigation begins when the agreement is connected to the privacy notice, legal authority, data fields, technical connection, contractor records, user accounts, search logs, retention rules, correction procedures, and communications that created the program.

The objective is to reconstruct the complete life of the information. Determine where it originated, why it was collected, who received it, how it moved, what they did with it, how long they kept it, and whether the public was ever given a meaningful opportunity to object.

Government officials often describe data sharing as efficiency, modernization, fraud prevention, or improved coordination. Those goals do not eliminate the need for transparency. When government information systems can quietly combine the most sensitive details of a person’s life, public oversight must follow the data wherever it travels.

Source List

  • Freedom of Information Act: How To Make A Request
  • Freedom of Information Act Frequently Asked Questions
  • Office of Government Information Services Mediation Program
  • Government Accountability Office: Protecting Personal Privacy
  • Government Accountability Office: Privacy Leadership And Agency Programs
  • Electronic Privacy Information Center: The Privacy Act Of 1974
  • Electronic Frontier Foundation: IRS And ICE Data Sharing Agreement
  • Electronic Frontier Foundation: The Dangers Of Consolidating Government Information
  • Electronic Frontier Foundation: ICE Tool Using Medicaid Data
  • Electronic Frontier Foundation: Homeland Security Spending Guide
  • Brennan Center For Justice: Confidential Voter Data Agreements
  • MuckRock Public Records Law Guides
  • Federal Register System Of Records Search

Kitty’s Resistance Projects

  • Resistance Directory
  • EpsteinWiki
  • The Butterfly Bureau

Support Resistance Kitty’s Work

  • Merch & Mayhem
  • Buy Resistance Kitty a Treat

R – We Tread On Tyrants Light Style Unisex Long Sleeve Tee

Resistance Survival Guide Tags:agency data sharing, data use agreement, FOIA investigation, Government data sharing agreements, government databases, memorandum of understanding, Privacy Impact Assessment, public records investigation, System of Records Notice

Post navigation

Previous Post: Day 534 Resistance Update and Agenda
Next Post: Day 534 Branding

Related Posts

  • RSG #207 When NOT to Publish Information Resistance Survival Guide
  • #117 Paws Out, Claws In: How to Stay Safe and Peaceful at Protests Resistance Survival Guide
  • #191 How to Safely Help Someone During an ICE Stop or Detention Resistance Survival Guide
  • RSG#255: How to Prepare for Financial Disruption or Banking Instability Resistance Survival Guide
  • #76 Building a Protest Safety & Mutual Aid Squad Resistance Survival Guide
  • #33 How to Build a Safehouse Network (Without Screaming It’s a Safehouse) Resistance Survival Guide

More Related Articles

RSG #299: Using Court Dockets To Spot Political Pressure Campaigns Resistance Survival Guide
#98 Protecting Ourselves from the Loss of CDC Experts & the New Eugenics Program at HHS Resistance Survival Guide
#119 Holding the Line During a Shutdown Resistance Survival Guide
#27 How to Turn a Community Fridge into a Revolutionary Hub Resistance Survival Guide
RSG #268: How Journalists and Activists Track Private Jet Movements Resistance Survival Guide
#115 Fighting Shutdown Shenanigans Resistance Survival Guide

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

RSS FEED

Categories

  • Call to Action
  • Civic Mischief HQ
  • Executive Orders
  • Featured Resisters
  • Knives Out Activities
  • Resistance Kitty Comics
  • Resistance Survival Guide
  • Resistance Wins
Sign Up To Get Resistance Kitty in your inbox!

We don’t spam! Read our privacy policy for more info.

Check your inbox or spam folder to confirm your subscription.

Recent Posts

  • Day 535 Resistance Update and Agenda
  • Day 534 Branding
  • RSG #307: How To Trace Government Data Sharing Agreements
  • Day 534 Resistance Update and Agenda
  • Day 534 World Peace

Recent Comments

  1. Dr. Harmony on RSG#199 Creating a Personal Legal Emergency Card
  2. Dr. Harmony on RSG#199 Creating a Personal Legal Emergency Card
  3. Monica on RSG#199 Creating a Personal Legal Emergency Card
  4. Monica on How to Prepare for War-Related Disruption Without Panicking
  5. Dr. Harmony on Request for Emergency Medical and Constitutional Review of Presidential Fitness

Copyright © 2026 Resistance Kitty.