SOCIAL SECURITY ADMINISTRATION

PRIVACY IMPACT ASSESSMENT

 

·         Name of project.

National 800 Number Employer Verification Automated Telephone Application

·         Unique project identifier.

Project #2093NEMP

·         Privacy Impact Assessment Contact

Center Director, Field Network and Planning

Office of Telephone Services

Social Security Administration

6401 Security Boulevard

Baltimore, MD 21235

·         Describe the information to be collected, why the information is being collected, the intended use of the information and with whom the information will be shared.

National 800 Number Employer Verification (TNEV) Automated Application

The TNEV automated telephone application will allow employers or authorized third-party submitters (e.g., a payroll provider) to verify employee Social Security numbers (SSN) using the automated telephone portion of the Social Security Administration’s (SSA) National 800 Number Network (N8NN).  Only users who have successfully registered to use the SSA’s Social Security Number Verification Service (SSNVS) online application will be able to use the automated TNEV application.  Additional information about SSNVS may be found at www.socialsecurity.gov/employer/ssnv.htm.  Employers and third-party submitters will be able to verify up to 10 employee SSNs using speech recognition technology through this automated telephone application. 

Collection of Information

The TNEV application requires the use of the user ID and self-selected password acquired at the time of registration with SSA’s Integrated Registration Services (IRES) Access Control Utility.  The IRES user ID and password will be used to authenticate the identity of a user who chooses to verify employee SSNs using the TNEV application.    

Users will be prompted to speak their user ID and password and will only have a single attempt to pass authentication.  If we successfully authenticate the user’s credential in our records, the user will be prompted to speak the Employer Identification Number (EIN) of the company for which the names and SSNs are being verified.  If the correct EIN is provided, the user will then be prompted to speak the employee’s data elements (SSN, first and last name, date of birth (optional) and gender (optional)). 

SSA’s telecommunications vendor will match the user’s spoken user ID against a standard alpha/numeric 2.8 trillion grammar database.  The vendor will subsequently collect and transmit the user’s information (user ID and self-selected password) and the employees’ data elements to our computer systems to provide the appropriate response code for each SSN verification request. 

We will match the data elements of the employees for which the names and SSNs are being verified with information in our Privacy Act system of records entitled, Master Files of Social Security Number (SSN) Holders and SSN Applications, (60-0058).  We will match the EIN of the company of the employees for which the names and SSNs are being verified with information in our Privacy Act system of records entitled, Earnings Recording and Self-Employment Income System, (60-0059).  If the information provided by the user matches information in our records, the user will be provided the SSN verification.  If the information provided by the user fails to match information in our records, the user will be advised to contact our Employer Reporting Service Center or the call will be transferred to a N8NN agent, as appropriate. 

The information provided by TNEV will be shared only with users of the application.  The TNEV application will not retain any of the information spoken by the user.  All of the information collected by the telecommunications vendor and transmitted to and used by the TNEV application will be dropped at the end of the call. 

·         Describe the administrative and technological controls that are in place or that are planned to secure the information being collected.

Reducing Potential Risks to Individuals’ Privacy and Protecting Information Being Collected

In order to mitigate risks, users of the TNEV application may only verify SSNs of current employees or individuals they have made a commitment to hire.  Current or former employers and third-party submitters who wish to verify between 11-49 SSNs will be directed to either the SSNVS internet site or the automated field office (FO) locator application to contact a local FO for assistance.  Users who fail authentication after one attempt, or who fail authorization after being authenticated (employer has not approved their use of the application), or whose requests are improperly translated or are made while the application is unavailable will be offered the option to use the SSNVS internet site, or to contact their employers, or the appropriate Operations personnel (i.e., N8NN agent or Employer Reporting Technician) for assistance.

SSA also has trust agreements with the telecommunications vendor to ensure that all communications between the vendor and SSA will be transferred within a secure, virus worm-free environment.    

Administrative and Technological Controls that are in Place

The automated telephone system that houses the TNEV application has undergone authentication and security risk analyses.  The latter includes an evaluation of security and audit controls proven to be effective in protecting the information collected, stored, processed, and transmitted by our information systems.  These include technical, management, and operational controls that permit access only to those users who have an official “need to know.”  Audit mechanisms are in place to record sensitive transactions as an additional measure to protect information from unauthorized disclosure or modification.

We protect the information in the TNEV by requiring authorized employees to use a unique user ID to access the information system that houses the application.  In addition, we store the computerized records in secure areas accessible only to users who require the information to perform their official duties.  Also, all employees having access to information systems that maintain personal information must sign a sanction document annually acknowledging penalties for unauthorized access to, or disclosure of, such information.  At no time does the TNEV application repeat personally identifiable information.   

·         Describe the impact on individuals’ privacy rights.

Are individuals afforded an opportunity to decline to provide information? 

We collect information only where we have specific legal authority to do so to administer our responsibilities under the Social Security Act.  When we collect telephone information from users, we advise them of our legal authority for requesting the information, the purpose(s) for which we will use and disclose the information, and the consequences for him or her of not providing any or all of the requested information.  The users can then make an informed decision whether or not to provide the information.

Use of the TNEV automated application is voluntary.  Users who choose to use this service must provide all the requested data elements necessary to authenticate their identity in order to verify employee SSNs.  Employers may choose not to use the application or authorize employee use.

Are individuals afforded an opportunity to consent only to particular uses of the information?

When we collect information from users, we advise them of the purposes for which we will use the information.  We further advise them that we will disclose this information without their prior written consent only when we have specific authority in Federal statute (e.g., the Privacy Act) to do so. 

The personally identifiable information that we will request from TNEV users will be verified against corresponding information already maintained in our records that was collected at the time the user registered to use our SSN verification services.  We will not use the information provided by the users of this automated application for any other purpose, or retain any of the information once the call is ended.

·         Does the collection of this information require a new system of records under the Privacy Act (5 U.S.C. § 552a) or an alteration to an existing system of records?

The TNEV automated application does not require a new Privacy Act system of records or an alteration to an existing system of records because there is no new and permanent collection of identifiable data in this application process.  The TNEV application uses information that is collected and maintained for purposes related to other business processes for which there are currently Privacy Act systems of records (60-0058 and 60-0059).  The authentication information that the user will provide in order to use the TNEV automated application will not be retained by the application.

Privacy Officer Vince Dormarunno SignaturePIA CONDUCTED BY PRIVACY OFFICER, SSA:

 

______________________________            June 2, 2008 ___

SIGNATURE                                                            DATE

PIA REVIEWED BY SENIOR AGENCY PRIVACY OFFICIAL, SSA:

_/s/ David F. Black______________             June 9, 2008_____

SIGNATURE                                                             DATE


Privacy Policy