·
Name of
project.
Consent
Based Social Security Number Verification (CBSV) Process
·
Unique project
identifier.
TBD
·
Privacy Impact Assessment Contact.
Director
Division of Program Policy and Operations
Office of Public Service and
Operations Support
Social
Security Administration
·
Describe the
information to be collected, why the information is being collected, the
intended use of the information and with whom the information will be shared.
In recent years, entities other than government
agencies and employers reporting wages to the Social Security Administration (SSA)
have sought Social Security Number (SSN) verifications and other types of SSA
record data. SSA has honored these
requests based on the Number Holder’s written consent. The work associated with handling these
requests has grown and presented SSA with ongoing resource challenges in
responding to these requests. The CBSV
initiative is the first phase of the Agency’s long term strategy to satisfy these
high volume requests by offering a centralized process that is consent based
and charges applicable fees for providing this information. SSA is developing an Internet application, which
will be incorporated into its existing Business Services Online (BSO), to
automate the CBSV service for business-based, third party requesters. (BSO is a suite of Internet services for
businesses and employers who exchange information with SSA.)
For
individuals who register to use the system:
The Internet application for CBSV will automate
significant parts of the process. These
include the registration process, the file submittal of the SSNs to be verified,
and the retrieval of the verification results.
The registration portion of the process will first use manual
interactions between SSA Operations personnel and the prospective business
requester (also known as the “Requesting Party”) to execute manual submission
of the registration documents associated with the use of this service. These include the signed user agreement, the signed
reimbursable agreement, and a pre-approval document that authorizes the use of
the CBSV service by individuals representing the Requesting Party.
Once this step is complete, Operations personnel
will enter information from the pre-approval form into the registration
database and while on the telephone with the CBSV registrant, activate and inform
the registrant of his/her Personal Identification Number (PIN). To complete the registration process, the
newly registered CBSV participant must use the PIN to login to the BSO suite
and self-select a password. Once this
step is completed, the individual may use the CBSV application to begin
submitting files requesting SSN verifications.
SSA will collect and maintain personally identifying
information from each individual registering to use the CBSV application. This includes information such as: name, SSN, date of birth, and the associated
PIN and password used to access the application. This information will be part of a larger database
of registered users associated with the BSO suite of services and will be used
primarily for management and audit information purposes in order to effectively
administer the CBSV application and ensure the authorized and appropriate use
of the application. We generally will use this information only as
necessary for these administrative purposes or as authorized by routine uses or
other Privacy Act disclosure exceptions that allow the disclosure of the
information in the applicable Privacy Act system of records.
For individuals who authorize the
verification of their SSNs:
Individuals
authorizing the verification of their SSNs sign a standardized consent form
which requests name, SSN and date of birth.
SSA uses this information to verify for the Requesting Party whether the
data matches or does not match SSA’s records.
As specified in the language of the consent, the verified SSN
information is only used for the purpose delineated on the form. The user agreement also prohibits the Requesting
Party’s resale and/or redisclosure of the verified SSN information. The only
other use of the information is for audit review purposes to ensure the Requesting
Party’s compliance with SSA’s consent requirements and other obligations as
outlined in the user agreement.
·
Describe the
administrative and technological controls that are in place or that are planned
to secure the information being collected.
Only authorized SSA personnel who have a need for
the information in the performance of their official duties will be permitted
access to the information. We will
safeguard the security of the information by requiring the use of access codes
to enter the computer systems that will maintain the data and will store
computerized records in secured areas that are accessible only to employees who
require the information to perform their official duties. Any manually maintained records will be kept
in locked cabinets or in otherwise secure areas. Furthermore, SSA employees having access to
SSA databases maintaining personal information must sign a sanction document
annually, acknowledging their accountability for making unauthorized access to
or disclosure of such information.
The Requesting Party must protect the
confidentiality of the consent forms and the information contained on them and protect the associated record
of SSN verifications. This includes the requirement that the consent form be
retained either on paper or electronically for a period of six years from the
date of verification. The Requesting
Party is also required to protect the consent forms from loss or destruction by taking certain security measures
specified in the user agreement.
Additionally, as outlined in the user agreement, the
Requesting Party must comply with SSA’s system security guidelines to ensure
the technical security of the data being received. The Requesting Party will also be subject to
a periodic audit conducted by an independent private sector Certified Public
Accountant who will report findings to SSA.
Finally, SSA may make onsite inspections of the Requesting Party’s place
of business to ensure compliance with all of these requirements.
·
Describe the
impact on individuals’ privacy rights.
Are
individuals afforded an opportunity to decline to provide information?
For
individuals who register to use the system:
We collect information only where we have specific
legal authority to do so and this information is collected primarily to
administer our responsibilities under the Social Security Act. When we collect information from individuals,
we advise them of our legal authority for requesting the information and
explain the effect(s) on them if they choose not to provide the
information. The individual can then
make an informed decision as to whether to provide the information or not.
Individuals who elect not to provide this
information will not be able to register to use the CBSV application for their
respective companies since the system is designed in such a way to associate a
unique PIN and password to each registrant.
This notification concerning the voluntary nature of providing personal
information is provided on the online registration process and on the paper pre-approval
form.
For
individuals who authorize the verification of their SSNs:
Individuals may elect not to sign the consent
authorizing the verification of their SSNs.
Are
individuals afforded an opportunity to consent to only particular uses of the
information?
For
individuals who register to use the system:
When we collect information from individuals who
register to use the CBSV application, we advise them of the purposes for which
we will use the information. We further
advise them that we will disclose this information without their prior written
consent only when we have specific authority in Federal statute (e.g., the
Privacy Act) to do so.
For
individuals who authorize the verification of their SSNs:
As noted above, individuals whose SSNs are verified
must consent to the verification. The
use of this verified SSN information by the Requesting Party is limited to the
purpose specified on the consent form.
·
Does the
collection of this information require a new system of records under the
Privacy Act (5 U.S.C. § 552a) or an alteration to an existing system of
records?
Yes,
a new system of records is required for the Internet application which will
register CBSV users. Development of this system of records is underway.
A
new system of records is not required for those individuals authorizing the
verification of their SSNs since the information captured on the consent is
already covered by SSA’s system of records entitled, The Master Files of
Social Security Number (SSN) Holders and SSN Applications.
__/s/ Jonathan R. Cantor ___12/06/05___
SIGNATURE DATE
/s/ Thomas W. Crawley___ _ 12/06/05 __
SIGNATURE DATE