SOCIAL SECURITY ADMINISTRATION

PRIVACY IMPACT ASSESSMENT

·         Name of project.

Consent Based Social Security Number Verification System (CBSV)

·         Unique project identifier.

4294-R501

·         Contact name and telephone number.

CBSV Project Leader

Office of Public Service and Operations Support

Social Security Administration

6401 Security Blvd.

Baltimore, MD 21235

410-965-5969

·         Describe the information to be collected, why the information is being collected, the intended use of the information and with whom the information will be shared.

In recent years, entities other than government agencies and employers who report wages to us to whom we can disclose information without consent have requested record data such as Social Security Number (SSN) verifications.  In such cases, we have honored these requests based on the subject of the record’s written consent.  Due to the increasing demand for such services, the work associated with handling these requests has grown and presents us with ongoing resource challenges.  The CBSV initiative is one phase of our long term strategy to satisfy high volume requests by developing a centralized and automated process for providing SSN verifications. The process requires written consent of the number holder and we will charge applicable fees to the Requesting Party, whether a business or government agency, for providing this information.  We are developing two Internet application interfaces and a webservice interface to automate the CBSV service for third party requesters whether business-based or governmental.  We will provide access to CBSV through our Business Services Online (BSO) service.  BSO is a suite of Internet services for businesses and employers who exchange information with us.

For individuals who register to use the system and request verifications:

The Internet applications and webservice for CBSV will automate significant parts of the process.  We are automating the registration process, the data submittal of the SSNs to be verified, and the retrieval of the verification results.  Such a process requires a reliable registration and authentication protocol. 

To begin the CBSV registration process, the authorized employee users of the Requesting Party log into the BSO website and complete a registration screen with their personal information (specified below) and company affiliation.  After we verify this information with our records, we will assign each CBSV user a BSO User ID and the user will self-select a password.  SSA’s Office of Central Operations (OCO) personnel search the BSO Registration database for the User ID and match it to an already-submitted Form SSA-88.  The Form SSA-88 is a form completed and signed by a company official authorizing the specific employee to use CBSV. Once OCO personnel verify that the Requesting Party has completed the CBSV user agreement process with SSA, a unique activation code will be mailed to the designated company official to distribute to the authorized CBSV user.  After the company official provides the CBSV user the activation code, the users will return to BSO and enter their User IDs, passwords, and access codes to finalize the registration process.  Thereafter, each authorized CBSV Internet application user will enter the User ID and password to submit requests in either batch mode format or up to 10 requests for real-time response. Requesting Parties will also be given the option to build a compatible webservice platform for submitting requests to us that will return real-time responses.  The webservice platform will have equivalent authentication and security standards. 

We will collect and maintain personally identifying information (PII) from each authorized employee registering to use the CBSV application.  This information includes data such as name, SSN, date of birth, and the associated User ID and password used to access the CBSV application.  This information will be part of a larger database of registered employee users associated with the BSO suite of services and will be used primarily for management and audit information purposes in order to effectively administer the CBSV application and ensure the authorized and appropriate use of the application.   We generally will use this information only as necessary for these administrative purposes or as authorized by routine uses or other Privacy Act disclosure exceptions that allow the disclosure of the information in the applicable Privacy Act system of records.

For individuals who authorize the verification of their SSNs:

Individuals authorizing the verification of their SSNs sign a SSA-89 standardized consent form which requests name, SSN, and date of birth.  We use this information to verify for the Requesting Party whether the data matches or does not match our records.  As specified in the language of the consent, the verified SSN information may only be used for the purpose delineated on the form.  The CBSV user agreement also prohibits the Requesting Party’s resale and/or redisclosure of the verified SSN information. The only other authorized use of the information is for audit review purposes to ensure the Requesting Party’s compliance with our consent requirements and other obligations as outlined in the CBSV user agreement. 

·         Describe the administrative and technological controls that are in place or that are planned to secure the information being collected.

Reducing Potential Risks to Individuals’ Privacy and Protecting Information Being Collected

The Requesting Party must protect the confidentiality of the consent forms and the information contained on them and protect the associated record of SSN verifications. This mandate includes requiring the Requesting Party to retain the consent form either on paper or electronically for a period of seven years from the date of verification.  We also require the Requesting Party to protect the consent forms from loss or destruction by taking certain security measures specified in the user agreement.

CBSV users should only request data from us if the Requesting Party has authorized them to act on the Requesting Party’s behalf and the users have secured signed consent forms from the individuals whose SSNs are being submitted for verification.  There is the possibility that individuals who are not authorized to use the CBSV application might try to gain access to it to get SSN verifications under false pretenses.  It is also conceivable that someone having personal knowledge of the authorized CBSV user or someone attempting to steal his/her User ID and password could fraudulently obtain verifications of SSNs.  However, any effort to obtain personal information about another individual from us under false pretenses, or without the express consent of the subject of the record, is an unauthorized access and violates the criminal provisions of the Privacy Act of 1974. 

We make an earnest effort to protect access to, and prevent unauthorized disclosure of, records.  CBSV returns only the last four digits of the submitted SSN in the response to help mitigate these risks.  To further reduce those vulnerabilities and discourage individuals from getting an unauthorized disclosure from the CBSV application, (i.e., under false pretenses), the Requesting Party’s designated company official must sign an attestation statement indicating he/she understands the Privacy Act restrictions relating to the use of this service and must complete a pre-approval form providing the names and SSNs of any employees authorized to use the CBSV service.  Any individual who misuses the CBSV service could be punished by a fine, imprisonment, or both.

Administrative and Technological Controls that are in Place

As outlined in the CBSV user agreement, the Requesting Party must comply with our system security guidelines to ensure the technical security of the data being received.  The Requesting Party will also be subject to a periodic audit conducted by an independent private sector Certified Public Accountant who will report findings to us.  We may also make onsite inspections of the Requesting Party’s place of business to ensure compliance with all of these requirements.  

The CBSV application, and the BSO system in which it resides, have undergone authentication and security risk analyses.  The latter includes an evaluation of security and audit controls proven to be effective in protecting the information collected, stored, processed, and transmitted by Agency information systems.  These include technical, management, and operational controls that permit access to our information only to our employees with a “need to know,” and the minimum amount of access that allows them to perform their job functions.  Audit mechanisms are in place to record sensitive transactions as an additional measure to protect information from unauthorized disclosure or modification.

We will protect the information in the CBSV application by requiring our employees who are authorized to access the information system that produces the CBSV application to use a unique User ID.  In addition, we store the computerized records in secure areas that are accessible only to employees who require the information to perform their official duties.  Furthermore, all our employees who have access to our information systems that maintain personal information must sign a sanction document annually that acknowledges penalties for unauthorized access to, or disclosure of, such information.

·         Describe the impact on individuals’ privacy rights.

Are individuals afforded an opportunity to decline to provide information?

For individuals who register to use the system:

We collect information only when we have specific legal authority to do so to administer our responsibilities under the Social Security Act.  When we collect information from CBSV users, we advise them of our legal authority for requesting the information, the purpose(s) for which we will use and disclose the information, and the consequences to them of not providing any or all of the requested information.  The CBSV users can then make an informed decision whether or not to provide the information. 

CBSV users who elect not to provide this information will not be able to register to use the CBSV application for their respective companies because the system is designed in such a way to associate a unique PIN and password to each registrant.  This notification concerning the voluntary nature of providing personal information is provided during the online registration process.

For individuals who authorize the verification of their SSNs:

Individuals may elect not to sign the consent authorizing the verification of their SSNs.

Are individuals afforded an opportunity to consent to only particular uses of the information?

For individuals who register to use the system:

When we collect information from users who register for the CBSV application, we advise them of the purposes for which we will use the information.  We further advise them that we will disclose this information without their prior written consent only when we have specific authority in Federal statute (e.g., the Privacy Act) to do so.

For individuals who authorize the verification of their SSNs:

As noted above, individuals whose SSNs are verified must consent to the verification.  The use of this verified SSN information by the Requesting Party is limited to the purpose specified on the consent form.  The consent is only valid for ninety days, unless indicated otherwise by the authorizing individual.

·         Does the collection of this information require a new system of records under the Privacy Act (5 U.S.C. § 552a) or an alteration to an existing system of records?

Yes, a new system of records is required for the BSO system that will register CBSV users and maintain associated PII about them. Development of this system of records is underway. 

A new system of records is not required for those individuals authorizing the verification of their SSNs since the information captured on the consent is not maintained in a manner that constitutes a system of records under the Privacy Act. 

 

 

Privacy Officer SignaturePIA CONDUCTED BY PRIVACY OFFICER, SSA:

_______________________                                                                                      

_________________________                                                                      _______11/05/08_____      

SIGNATURE                                                                                                        DATE

 

 

 

PIA REVIEWED BY SENIOR AGENCY PRIVACY OFFICIAL, SSA:

       /s/ David Black                                                                                        _______11/05/08_____

SIGNATURE                                                                                                        DATE

 

 


Privacy Policy