[Federal Register: January 18, 2008 (Volume 73, Number 13)]
[Proposed Rules]
[Page 3410-3411]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr18ja08-11]
========================================================================
Proposed Rules
Federal Register
________________________________________________________________________
This section of the FEDERAL REGISTER contains notices to the public of
the proposed issuance of rules and regulations. The purpose of these
notices is to give interested persons an opportunity to participate in
the rule making prior to the adoption of the final rules.
========================================================================
[[Page 3410]]
OFFICE OF PERSONNEL MANAGEMENT
5 CFR Part 293
RIN 3260-AL24
Personnel Records
AGENCY: Office of Personnel Management.
ACTION: Proposed rule with request for comments.
-----------------------------------------------------------------------
SUMMARY: The Office of Personnel Management is issuing proposed
regulations to achieve a consistent and effective policy for the use of
Social Security Numbers by Federal agencies to combat fraud and
identity theft. Federal agencies must reduce the threat of identity
theft by eliminating the unnecessary use and collection of Social
Security Numbers. This proposed regulation imposes significant
restrictions on the use of Social Security Numbers throughout the
Federal Government and is consistent with the recommendations made by
the President's Identity Theft Task Force.
DATES: Comments must be received on or before March 18, 2008.
ADDRESSES: Send or deliver written comments to the Deputy Associate
Director for Workforce Information and System Requirements, Strategic
Human Resources Policy Division, Office of Personnel Management, Room
7439, 1900 E Street, NW., Washington, DC 20415-8200; by fax at (202)
606-4891.
FOR FURTHER INFORMATION CONTACT: Leroy McKnight, by telephone at (202)
606-4054; by fax at (202) 606-1719; or by e-mail at
Leroy.Mcknight@opm.gov.
SUPPLEMENTARY INFORMATION: In an effort to better protect sensitive
personal information, particularly Social Security Numbers (SSNs),
Federal agencies must take immediate action to restrict the unnecessary
use of this important personal identifier. Continued exposure of
individuals' SSNs increases their vulnerability to identity theft and
other harmful situations. While some Federal agencies have taken steps
to reduce the use of SSNs in certain functions, inconsistencies in
approaches and standards for protecting the SSN creates a risk that can
lead to misuse. The Office of Personnel Management (OPM) has been
working with the President's Identity Theft Task Force and the agencies
on a number of identity theft protection initiatives, and was tasked
with issuing formal guidance to the agencies on the appropriate ways to
restrict the use, and conceal the SSNs in employee records and human
resources information systems. OPM issued formal guidance to the
Federal Chief Human Capital Officers on June 18, 2007, to help agencies
achieve a consistent and effective policy for safeguarding the Social
Security Numbers of Federal employees. A copy of the guidance package
can be obtained by going to http://www.chcoc.gov. These proposed
regulations are intended to update OPM's regulations governing
personnel records so they are consistent with that guidance. These
proposed regulations impose significant restrictions on the use of
SSNs, leading to enhanced protection of sensitive personal information.
Applying the guidance and regulations is a first step in protecting the
personal identity of Federal employees.
Efforts are underway to develop requirements for a new Government-
wide employee identifier which will replace the Social Security Number
as the primary employee identifier. Once this new employee identifier
is established, Federal agencies will have a viable alternative to the
use of SSNs in their business activities. The use of this new employee
identifier as a substitute for the SSN would diminish the risk of
identity theft by eliminating the unnecessary use of the SSN as an
employee identifier in many situations.
OPM is proposing the following specific changes, which we believe
will assist Federal agencies in their efforts to combat fraud and
identity theft:
In Sec. 293.102 we are proposing to add definitions of Exposure,
and Primary Key, which are new terms used in the proposed regulations.
In Sec. 293.105, which addresses restrictions on collection and
use of information, we propose to add paragraphs (b)(3) through (13).
These new paragraphs provide agencies with specific information on the
appropriate and inappropriate use of employee Social Security Numbers
in employee records and human resources information systems.
OPM also proposes to add paragraphs (a)(8) through (10) to Sec.
293.107, which requires special safeguards for automated records. The
additional paragraphs will ensure that agencies know what they must do
to improve their data security measures. These safeguards pertain
specifically to improving the protection of employee Social Security
Numbers.
E.O. 12866, Regulatory Review
This rule has been reviewed by the Office of Management and Budget
in accordance with E.O. 12866.
Regulatory Flexibility Act
I certify that these regulations would not have a significant
economic impact on a substantial number of small entities because they
would apply only to Federal agencies and employees.
List of Subjects in 5 CFR Part 293
Government employees, Privacy, Records.
Office of Personnel Management.
Linda M. Springer,
Director.
Accordingly, OPM proposes to amend 5 CFR part 293 as follows:
PART 293--PERSONNEL RECORDS
1. The authority citation for part 293 is revised to read as
follows:
Authority: 5 U.S.C. 552, 552a, 1103, 1104, 1302, 2951(2), 3301,
and 4315; E.O. 12107 (December 28, 1978), 3 CFR 1954-1958 Comp.; 5
CFR 7.2; E.O. 9830; 3 CFR 1943-1948 Comp.
Subpart A--Basic Policies on Maintenance of Personnel Records
2. In Sec. 293.102 the definitions of Exposure and Primary Key are
added in alphabetical order as follows:
Sec. 293.102 Definitions.
* * * * *
Exposure means the unprotected display, storage, and transmission
of personally identifiable information (PII), e.g., Social Security
Numbers;
* * * * *
Primary Key means a particular item chosen to uniquely identify a
specific individual or to associate information
[[Page 3411]]
with a specific individual in an automated environment;
* * * * *
3. In Sec. 293.105, paragraphs (b)(3) through (13) are added to
read as follows:
Sec. 293.105 Restrictions on collection and use of information.
* * * * *
(b) * * *
(3) If Social Security Numbers are collected, they will be
collected only at the time of the employee's appointment to be entered
into the human resources and payroll systems. The collection tool (if
paper-based) will be stored in a protected location to guard against
exposure until it is no longer required. The Guide to Personnel
Recordkeeping will be used to determine retention requirements for
certain paper-based collection tools. Disposal of all paper-based
collection tools (i.e., forms, letters, and other correspondence) will
be in accordance with the General Record Schedule issued by the
National Archives and Records Administration.
(4) Agencies may not use the Social Security Number as an
employee's primary key, i.e., unique identifier, in internal or
external data processing activities.
(5) Agencies must ensure that Social Security Numbers are not
printed, e.g., on forms, or reports, or displayed on computer display
screens.
(6) Access to Social Security Numbers must be restricted to those
individuals whose official duties require such access. A listing of all
individuals with access authorization based on legitimate business
needs must be maintained and reviewed for continued applicability.
(7) Agencies must ensure, through appropriate annual training and
educational programs, including training on Privacy Act and Freedom of
Information Act requirements, that those individuals who are authorized
to access Social Security Numbers understand their responsibility to
protect sensitive and personal information. This responsibility
includes securing this information when working from home or another
remote location.
(8) Agencies must use privacy and confidentiality statements that
describe accountability clearly and warn of possible disciplinary
action for unauthorized release of the Social Security Number and other
personally identifiable information. These statements must be signed by
all individuals who have access to Social Security Numbers.
(9) Agencies must ensure their telework policies and written
agreements are in compliance with Federal privacy protection policies,
including policies governing protection of personally identifiable
information, e.g., Social Security Numbers.
(10) Agencies must require supervisory approval before authorized
individuals may access, transport, or transmit information containing a
Social Security Number outside of the agencies' facilities. Electronic
records containing Social Security Numbers must be transported or
transmitted in an encrypted or protected format as prescribed in all
established guidance regarding the protection of sensitive agency
information. Paper-based records containing Social Security Numbers
must be transported in wheeled containers, portfolios, briefcases, or
similar devices that can be locked when not in use. In addition, these
containers must be identifiable by tag or decal with contact and
mailing address information.
(11) Agencies must ensure access to Social Security Numbers,
including access involving data entry, printing, and screen displays,
occurs in a protected location to guard against exposure.
(12) Agencies must ensure all security incidents involving
personally identifiable information, especially Social Security
Numbers, are reported in accordance with all established guidance
regarding the reporting of incidents involving personally identifiable
information. In addition, agencies must inform all employees of all
established incident reporting requirements annually.
(13) Agencies must ensure all authorized disclosures of information
containing Social Security Numbers and other personally identifiable
data are made in accordance with established regulations and
procedures.
4. In Sec. 293.107, paragraphs (a)(8) through (10) are added to
read as follows:
Sec. 293.107 Special safeguards for automated records.
(a) * * *
(8) Minimize the risk of unauthorized disclosure of Social Security
Numbers during data entry activities by concealing the Social Security
Number on the screens.
(9) Assure adequate internal control procedures to properly monitor
authorized and unauthorized access to Social Security Numbers and other
personally identifiable data.
(10) Assure all Social Security Number safeguards and protection
rules are enforced in both test and production environments.
* * * * *
[FR Doc. E8-858 Filed 1-17-08; 8:45 am]
BILLING CODE 6325-39-P