[Federal Register: December 10, 2007 (Volume 72, Number 236)]
[Notices]
[Page 69723-69725]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr10de07-114]
=======================================================================
-----------------------------------------------------------------------
SOCIAL SECURITY ADMINISTRATION
Privacy Act of 1974, as Amended; Alteration to Existing Systems
of Records
AGENCY: Social Security Administration (SSA).
ACTION: Proposed New Routine Use for Existing Systems of Records.
-----------------------------------------------------------------------
SUMMARY: As mandated by the Office of Management and Budget (OMB) in
Memorandum M-07-16, recommended by the President's Identity Theft Task
Force, and in accordance with the Privacy Act (5 U.S.C. 552a(e)(4) and
(11)), we are issuing public notice of our intent to establish a new
routine use disclosure applicable to SSA's systems of records listed
below under section I of the Supplementary Information section. The
proposed routine use specifically permits the disclosure of SSA
information in connection with response and remediation efforts in the
event of an unintentional release of Agency information, otherwise
known as a ``data security breach.'' Such a routine use would serve to
protect the interests of the people whose information is at risk by
allowing us to take appropriate steps to facilitate a timely and
effective response to a data breach. It would also help us to improve
our ability to prevent, minimize, or remedy any harm that may result
from a compromise of data maintained in our systems of records. We
invite public comment on this proposal.
DATES: We filed a report of the proposed new routine use disclosure
with the Chairman of the Senate Committee on Homeland Security and
Governmental Affairs, the Chairman of the House Committee on Oversight
and Government Reform, and the Director, Office of Information and
Regulatory Affairs, Office of Management and Budget (OMB) on November
19, 2007. The proposed routine use will become effective on December
24, 2007, unless we receive comments warranting it not to become
effective.
ADDRESSES: Interested individuals may comment on this publication by
writing to the Executive Director, Office of Public Disclosure, Office
of the General Counsel, Social Security Administration, Room 3-A-6
Operations Building, 6401 Security Boulevard, Baltimore, Maryland
21235-6401. All comments received will be available for public
inspection at the above address.
FOR FURTHER INFORMATION CONTACT: Ms. Margo Wagner, Social Insurance
Specialist, Disclosure Policy Development and Services Division 2,
Office of Public Disclosure, Office of the General Counsel, Social
Security Administration, Room 3-A-6 Operations Building, 6401 Security
Boulevard, Baltimore, Maryland 21235-6401, telephone: (410) 965-1482,
e-mail: margo.wagner@ssa.gov or Mr. Neil Etter, Social Insurance
Specialist, Disclosure Policy Development and Services Division 1,
Office of Public Disclosure, Office of the General Counsel, Social
Security Administration, Room 3-A-6 Operations Building, 6401 Security
Boulevard, Baltimore, Maryland 21235-6401, telephone: (410) 965-8028,
e-mail: neil.etter@ssa.gov.
SUPPLEMENTARY INFORMATION:
I. Discussion of the Proposed New Routine Use
OMB has mandated and the President's Identity Theft Task Force
recommended that Federal agencies develop and publish a routine use for
appropriate systems of records that allows for the disclosure of
information in connection with the response and remedial efforts in the
event of a data breach.
Subsection (b)(3) of the Privacy Act provides that information from
an agency's system of records may be disclosed without a subject
individual's consent if the disclosure is ``for a routine use as
defined in subsection (a)(7) of this section and described under
subsection (e)(4)(D) of this section.'' 5 U.S.C. 552a(b)(3). Subsection
(a)(7) of the Act states that ``the term `routine use' means, with
respect to the disclosure of a record, the use of such record for a
purpose which is compatible with the purpose for which it was
collected.'' 5 U.S.C. 552a(a)(7). Providing information to help respond
to and remediate a breach of Federal data qualifies as a necessary and
proper use of information. Such a use is in the best interest of both
the individual whose record is at issue and the public.
The Privacy Act requires that agencies publish notification in the
Federal Register of ``each routine use of the records contained in the
system, including the categories of users and the purpose of such
use.'' 5 U.S.C. 552a(e)(4)(D). Based on OMB's recommended language, we
have developed the following routine use that we will apply to nearly
all of our Privacy Act systems of records,\1\ and that will allow for
disclosure to appropriate agencies, entities, and persons under the
following circumstances:
---------------------------------------------------------------------------
\1\ Our Privacy Act systems of records that contain data
protected under the Internal Revenue Code (IRC) will not contain
this routine use as the IRC does not contain a provision that
permits disclosure for this purpose.
We may disclose information to appropriate Federal, State, and
local agencies, entities, and persons when (1) we suspect or confirm
that the security or confidentiality of information in this system
of records has been compromised; (2) we determine that as a result
of the suspected or confirmed compromise there is a risk of harm to
economic or property interests, identity theft or fraud, or harm to
the security or integrity of this system or other systems or
programs of SSA that rely upon the compromised information; and (3)
we determine that disclosing the information to such agencies,
entities, and persons is necessary to assist in our efforts to
respond to the suspected or confirmed compromise and prevent,
minimize, or remedy such harm. SSA will use this routine use to
respond only to those incidents involving an unintentional release
---------------------------------------------------------------------------
of its records.
In nearly all cases, we will immediately notify affected
individuals before informing any other entity. In the rare event that
law enforcement needs require us to delay consumer notification, this
delay will be limited to the minimum amount of time needed. Timely
notification allows individuals the opportunity to minimize or prevent
the occurrence of harm.
SSA will establish a new routine use to be included in the
following systems of records:
[[Page 69724]]
----------------------------------------------------------------------------------------------------------------
Federal Register publication date/
System No. and name New routine use citation No.
----------------------------------------------------------------------------------------------------------------
60-0001--Assignment and Correspondence No. 7...................... 71 FR 1800, 01/11/06.
Tracking Act (ACT).
60-0002--Optical System for No. 8...................... 71 FR 1802, 01/11/06.
Correspondence Analysis and Response.
60-0003--Attorney Fee File.............. No. 9...................... 71 FR 1803, 01/11/06.
60-0004--Working File of the Appeals No. 6...................... 70 FR 60383, 10/17/05.
Council.
60-0005--Administrative Law Judge No. 8...................... 70 FR 60383, 10/17/05.
Working File on Claimant Cases.
60-0006--Storage of Hearing Records: No. 8...................... 71 FR 1805, 01/11/06.
Tape Cassettes and Audiograph Discs.
60-0009--Hearings and Appeals Case No. 4...................... 65 FR 46997, 08/01/00.
Control System.
60-0010--Hearing Office Tracking System No. 6...................... 71 FR 1806, 01/11/06.
of Claimant Cases.
60-0012--Listing and Alphabetical Name No. 7...................... 71 FR 1807, 01/11/06.
File (Folder) of Vocational Experts,
Medical Experts, and Other Health Care/
Non-Health Care Professionals Experts
(Medicare).
60-0013--Records of Usage of Medical No.7....................... 71 FR 1809, 01/11/06.
Experts, Vocational Experts, and Other
Health Care/Non-Health Care
Professionals Experts (Medicare).
60-0014--Curriculum Vitae and No. 8...................... 59 FR 46439, 09/08/94.
Professional Qualifications of Medical
Advisors, and Resumes of Vocational
Experts.
60-0038--Employee Building Pass Files... No. 7...................... 59 FR 46439, 09/08/94.
60-0040--Quality Review System.......... No. 14..................... 65 FR 46997, 08/01/00.
60-0042--Quality Review Case Files...... No. 14..................... 65 FR 46997, 08/01/00.
60-0044--National Disability No. 11..................... 71 FR 11810, 01/11/06.
Determination Services.
60-0045--Black Lung Payment System...... No. 14..................... 68 FR 15784, 04/01/03.
60-0046--Disability Determination No. 7...................... 71 FR 1812, 01/11/06.
Service Consultant's File.
60-0050--Completed Determination Record-- No. 10..................... 71 FR 1814, 01/11/06.
Continuing Disability Determinations.
60-0057--Quality Evaluation Data Records No. 6...................... 65 FR 46997, 08/01/00.
60-0058--Master Files of Social Security No. 42..................... 71 FR 1818, 01/11/06.
Number Holders and SSN Applications.
60-0063--Resource Accounting System..... No. 6...................... 59 FR 46439, 09/08/94.
60-0077--Congressional Inquiry File..... No. 7...................... 71 FR 1823, 01/11/06.
60-0078--Public Inquiry Correspondence No. 8...................... 71 FR 1825, 01/11/06.
File.
60-0089--Claims Folders System.......... No. 36..................... 71 FR 1829, 01/11/06.
60-0090--Master Beneficiary Record...... No. 38..................... 71 FR 1829, 01/11/06.
60-0094--Recovery of Overpayments, No. 9...................... 70 FR 49354, 08/23/05.
Accounting and Reporting.
60-0103--Supplemental Security Income No. 37..................... 71 FR 1829, 01/11/06.
Record.
60-0118--Non-Contributory Military No. 6...................... 71 FR 18334, 01/11/06.
Service Reimbursement System.
60-0159--Continuous Work History Sample No. 5...................... 65 FR 46997, 08/01/00.
(Statistics).
60-0186--SSA Litigation Tracking System No. 6...................... 70 FR 60383, 10/17/05.
New Routine Use No..
60-0196--Disability Studies, Surveys, No. 4...................... 65 FR 46997, 08/01/00.
Records and Extracts (Statistics).
60-0199--Extramural Surveys (Statistics) No. 4...................... 71 FR 1835, 01/11/06.
60-0200--Retirement and Survivors No. 4...................... 65 FR 46997, 08/01/00.
Studies, Surveys, Records and Extracts
(Statistics).
60-0202--Old Age, Survivors and No. 5...................... 69 FR 11693, 03/11/04.
Disability Beneficiary and Worker
Records and Extracts (Statistics).
60-0203--Supplemental Security Income No. 5...................... 65 FR 46997, 08/01/00.
Studies, Surveys, Records and Extracts
(Statistics).
60-0210--Record of Individuals No. 7...................... 59 FR 46439, 09/08/94.
Authorized Entry to Secured Automated
Data Processing Area.
60-0211--Beneficiary, Family and No. 5...................... 69 FR 11693, 03/11/04.
Household Surveys, Records and Extracts
System (Statistics).
60-0213--Quality Review of Hearing/ No. 7...................... 65 FR 46997, 08/01/00.
Appellate Process.
60-0214--Personal Identification Number No. 5...................... 59 FR 46441, 09/08/94.
File (PINFile).
60-0218--Disability Insurance and No. 7...................... 71 FR 1837, 01/11/06.
Supplemental Security Income
Demonstration Projects and Experiments
System.
60-0219--Representative Disqualification/ No. 8...................... 71 FR 1839, 01/11/06.
Suspension Information System.
60-0220--Kentucky Birth Records System.. No. 5...................... 59 FR 46439, 09/08/94.
60-0221--Vocational Rehabilitation No. 10..................... 71 FR 1841, 01/11/06.
Reimbursement Case Processing System.
60-0222--Master Representative Payee No. 18..................... 71 FR 5399, 02/01/06.
File.
60-0224--SSA-Initiated Personal Earnings No. 7...................... 59 FR 54004, 10/27/94.
and Benefit Estimate Statement
(SIPEBES) History File.
60-0225--SSA Initiated Personal Earnings No. 6...................... 59 FR 54004, 10/27/94.
and Benefit Estimate Statement Address
System for Certain Territories.
60-0228--Safety Management Information No. 7...................... 71 FR 1844, 01/11/06.
System (SSA Accident, Injury and
Illness Reporting System).
60-0230--Social Security Administration No. 5...................... 71 FR 1846, 01/11/06.
Parking Management Record System.
60-0231--Financial Transactions of SSA No. 19..................... 71 FR 1847, 01/11/06.
Accounting and Finance Offices.
60-0232--Central Registry of Individuals No. 11..................... 71 FR 1849, 01/11/06.
Doing Business With SSA (Vendor File).
60-0234--Employee Assistance Program No. 7...................... 71 FR 1850, 01/11/06.
(EAP) Records.
60-0236--Employee Development Program No. 13..................... 71 FR 1853, 01/11/06.
Records.
60-0237--Employees' Medical Records..... No. 8...................... 71 FR 1854, 01/11/06.
60-0238--Pay, Leave and Attendance No. 25..................... 71 FR 1856, 01/11/06.
Records.
60-0239--Personnel Records in Operating No. 17..................... 71 FR 1859, 01/11/06.
Offices.
60-0241--Employee Suggestion Program No. 6...................... 71 FR 1861, 01/11/06.
Records New Routine Uses.
60-0244--Administrative Grievances Filed No. 19..................... 71 FR 1862, 01/11/06.
Under Part 771 of 5 CFR.
60-0245--Negotiated Grievance Procedure No. 21..................... 71 FR 1864, 01/11/06.
Records.
60-0250--Equal Employment Opportunity No. 13..................... 71 FR 1866, 01/11/06.
(EEO) Counselor and Investigator
Personnel Records.
60-0255--Plans for Achieving Self- No. 19..................... 71 FR 1867, 01/11/06.
Support (PASS) Management Information
System.
60-0259--Claims Under the Federal Tort No. 8...................... 71 FR 1869, 01/11/06.
Claims Act and Military Personnel and
Civilian Employees' Claim Act.
60-0262--Attorney Applicant Files....... No. 7...................... 71 FR 1871, 01/11/06.
60-0268--Medicare Part B Buy-In No. 9...................... 64 FR 10173, 03/02/99.
Information System.
60-0269--Prisoner Update Processing No. 12..................... 64 FR 11076, 03/08/99.
System (PUPS).
60-0270--Records of Individuals No. 5...................... 65 FR 77953, 12/13/00.
Authorized Entry into Secured Areas by
Digital Lock Systems, Electronic Key
Card Systems or Other Electronic Access
Devices.
[[Page 69725]]
60-0273--Social Security Title VIII No. 15..................... 65 FR 13803, 03/14/00.
Special Veterans Benefits Claims
Development and Management Information
System.
60-0274--Litigation Docket and Tracking No. 11..................... 71 FR 1872, 01/11/06.
System.
60-0275--Civil Rights Complaints Filed No. 9...................... 71 FR 1874, 01/11/06.
by Members of the Public.
60-0276--Social Security No. 6...................... 65 FR 48272, 08/07/00.
Administration's (SSA's) Talking and
Listening to Customers (TLC).
60-0279--Social Security No. 7...................... 65 FR 49047, 08/10/00.
Administration's (SSA's) Mandate
Against Red Tape (SMART).
60-0280--SSA Administrative Sanctions... No. 6...................... 65 FR 54595, 09/08/00.
60-0290--Social Security No. 7...................... 71 FR 1874, 01/11/06.
Administration's Customer PIN/Password
(PPW) Master File System.
60-0295--Ticket-to-Work and Self- No. 8...................... 66 FR 17985, 04/04/01.
Sufficiency Program Payment Database.
60-0300--Ticket-to-Work Program Manager No. 8...................... 66 FR 32656, 06/15/01.
(PM) Management Information System.
60-0305--SSA Mass Transportation Subsidy No. 12..................... 67 FR 44658, 07/03/02.
Program System.
60-0310--Medicare Savings Programs No. 8...................... 69 FR 17019, 03/31/04.
Information System.
60-0315--Reasonable Accommodation for No. 11..................... 70 FR 62157, 10/28/05.
Persons with Disabilities (RAPD).
60-0318--Representative Payee/Misuse No. 8...................... 70 FR 12774, 3/15/05.
Restitution Control System (RP/MRCS).
60-0320--Electronic Disability Claim No. 31..................... 68 FR 71210, 12/22/03.
File (eDib).
60-0321--Medicare Part D and Part D No. 17..................... 69 FR 77816, 12/28/04.
Subsidy File.
60-0328--National Docketing Management No. 16..................... 70 FR 34515, 06/14/05.
Information System (NDMIS).
60-0330--eWork.......................... No. 10..................... 68 FR 54037, 09/15/03.
60-0340--eFOIA.......................... No. 11..................... 70 FR 3571, 01/25/03.
60-0350--Visitor Intake Process/Customer No. 9...................... 70 FR 59795, 10/13/05.
Service Record (VIP/CSR) System.
60-0355--The Non-Attorney Representative No. 11..................... 69 FR 77823, 12/28/04.
Prerequisites Process File (NARPPF).
60-0361--Identity Management System No. 15..................... 71 FR 213, 11/03/06.
(IDMS).
60-0370--The Representative Payee and No. 6...................... 71 FR 16399, 3/31/06.
Beneficiary Survey Data System.
----------------------------------------------------------------------------------------------------------------
We are not republishing in their entirety the notices of the
systems of records to which we are adding the proposed new routine use
disclosures. Instead, we are republishing only the identification
number, the name of the system of record, the number of the new routine
use and the issue of the Federal Register in which the system notice
was last published, including the publication date and page number.
II. Compatibility of Proposed Routine Use
As mandated by OMB, as recommended by the President's Identity
Theft Task Force, and in accordance with the Privacy Act (5 U.S.C.
552a(a)(7) and (b)(3)) and our disclosure regulation (20 CFR part 401),
we are permitted to release information under a published routine use
for a purpose that is compatible with the purpose for which we
collected the information. Section 401.120 of our regulations provides
that we will disclose information required by law. Since OMB has
mandated the publication of this routine use, the proposed routine use
is appropriate and meets the relevant statutory and regulatory
criteria. In addition, disclosures to other agencies, entities and
persons when needed to respond to an unintentional release are
compatible with the reasons we collect the information, as helping to
prevent and minimize the potential for harm is consistent with taking
appropriate steps to protect information entrusted to us. See 5 U.S.C.
552a(e)(10).
III. Effect of the Proposed Routine Use Disclosure on the Rights of
Individuals
The proposed routine use would serve to protect the interests of
the people whose information is at risk. We would achieve this
protection by taking appropriate steps to facilitate a timely and
effective response to a security breach of our data, thereby improving
our ability to prevent, minimize, or remedy any harm that may result
from a compromise of data maintained in our systems of records. We do
not anticipate that the proposed new routine use will have any
unwarranted adverse effect on the rights of individuals about whom data
will be disclosed.
Dated: November 13, 2007.
Michael J. Astrue,
Commissioner.
[FR Doc. E7-23875 Filed 12-7-07; 8:45 am]
BILLING CODE 4191-02-P