SOCIAL SECURITY ADMINISTRATION
PRIVACY IMPACT ASSESSMENT
· Name of Project
Personal Identity Verification/Homeland Security Presidential Directive 12
· Unique Project Identifier
016-00-SSA/PSS-G-003
· Privacy Impact Assessment Contact
Office of Physical Security Services
Office of Facilities Management
Office of Budget, Finance, and Management
Social Security Administration
6401 Security Boulevard
Baltimore, MD 21235
· Background
Homeland Security Presidential Directive 12 (HSPD-12) requires us to establish a common identification standard for Federal employees and contractors. HSPD-12 directs the use of a mandatory common Federal identification credential for access to all federally controlled facilities and information systems.
HSPD-12 requires us to establish a Federal credential that is secure and reliable and that meets the following criteria:
o Is issued based on sound criteria for verifying an individual's identity;
o Is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation;
o Can be rapidly authenticated electronically; and
o Is issued only by providers whose reliability has been established by an official accreditation process.
In response to HSPD-12, the National Institute of Standards and Technology (NIST) created the Federal Information Processing Standard (FIPS) 201, entitled, Personal Identity Verification of Federal Employees and Contractors. FIPS 201 satisfies the requirements of HSPD-12 by improving the identification and authentication of Federal employees and contractors for access to federally controlled facilities and information systems.
The FIPS 201 Personal Identity Verification (PIV) credential is for both physical (e.g., entry into building) and logical access (e.g., interconnecting networks known as Virtual Private Networks), and other applications as determined by the individual agencies. Our Office of Facilities Management/Office of Protective Security Services handles identity management pursuant to HSPD-12 and FIPS 201 and issues our PIV cards.
We issue the PIV identification cards to the following persons:
o Employees who work in any Agency facilities;
o Contractors requiring access to Agency facilities and systems;
o Volunteers and temporary employees; and
o Other persons who are visiting Agency facilities who possess PIV cards issued from other Federal agencies.
We do not issue the PIV identification cards to occasional visitors or short-term guests.
· Describe the information we plan to collect, why we will collect the information, how we intend to use the information, and with whom we will share the information.
We will collect and maintain the following personally identifiable information (PII), as required by FIPS 201, Form I-9 (OMB No. 115-0316, Employment Eligibility Verification http://www.uscis.gov/files/form/i-9.pdf), and for completing the PIV card registration and issuance process that is necessary for obtaining a PIV card:
o Name (Last, First, and middle initial)
o Date of birth
o Social Security Number
o Place of birth
o Organizational affiliation
o Employee affiliation (e.g., Contractor, Active Duty, Civilian)
o Biometric identifiers (e.g., fingerprint, voiceprint)
o Electronic signature
o Digital photograph
o Personal Identification Number
o PIV authentication key
o Cardholder unique identifier
o Signed PIV requests
o Signed Standard Form 86a (or equivalent) http://www.fbijobs.gov/employment/SF86A.pdf
o Results of background check
o PIV Registrar approval (digital signature)
o PIV card expiration date
o Agency card serial number
o Copies of identity source documents
We will disclose information that we collect and maintain relating to the registration and issuance of PIV cards only to our employees and contractors who require the information to perform their official duties; to the subject of the record; and to other persons pursuant to an applicable routine use provision as authorized by the Privacy Act of 1974, or as otherwise permitted by Federal law. For example, under a routine use, we can disclose information to contractors, as necessary, to assist us in efficiently administering our programs.
We will not disclose any information defined as “return or return information” under 26 U.S.C. § 6103 of the Internal Revenue Code (IRC) unless authorized by statute, the IRC, the Internal Revenue Service (IRS), or IRS regulations.
· Describe the administrative and technological controls we have in place or that we plan to use to secure the information we will collect.
Our security includes technical, management, and operational controls that permit access to our information only to persons with an official “need to know.” For example, we enforce the use of access codes (personal identification number and password) to enter our computer systems that house the data. We maintain electronic files with personal identifiers in secure storage areas. We utilize audit mechanisms to record sensitive transactions as an additional measure to protect information from unauthorized disclosure or modification.
We annually provide appropriate security awareness training to all our employees and contractors that includes reminders about the need to protect PII and the criminal penalties that apply to unauthorized access to, or disclosure of, PII. See 5 U.S.C. § 552a(i)(1). Furthermore, employees and contractors with access to databases maintaining PII must annually sign a sanction document that acknowledges their accountability for inappropriately accessing or disclosing such information.
· Describe the impact on persons’ privacy rights. Do we afford people an opportunity to decline to provide information?
Yes. We have legal authority to collect this information to administer our responsibilities under the Social Security Act. When we collect information from users wishing to conduct business with us through our electronic services, we use our Privacy Act Statement to advise them of our legal authority for requesting the information and explain the possible effects if they choose not to provide the information. Users can then make an informed decision whether or not to provide the information.
· Do we afford people an opportunity to consent to only particular uses of the information?
No. When we collect a person’s information, we advise that person of the purposes for which we will use the information. We further advise the person that we will disclose the information without written prior consent only when we have specific legal authority to do so (e.g., the Privacy Act of 1974). We do not otherwise offer persons an opportunity to determine how and with whom we share their information.
· Does the collection of this information require a new system of records under the Privacy Act (5 U.S.C. § 552a) or an alteration to an existing system of records?
No. We have an established Privacy Act system of records entitled, the Identity Management System (60-0361), that explains how we store, manage, and maintain information related to issuing and maintaining PIV credentials to Federal employees and contractors, and to verify and authenticate their access to Federal resources.
PIA CONDUCTED BY ACTING SSA PRIVACY OFFICER:
/S/ Mary Ann Zimmerman 7/31/2012
SIGNATURE DATE
PIA REVIEWED BY
SSA SENIOR AGENCY PRIVACY OFFICIAL:
/S/ David F. Black 8/01/2012
SIGNATURE DATE