AGENCY:
Social Security Administration (SSA).
ACTION:
Proposed New Routine Use for Existing Systems of Records.
SUMMARY:
As mandated by the Office of Management and Budget (OMB) in Memorandum M-07-16, recommended by the President's Identity Theft Task Force, and in accordance with the Privacy Act (5 U.S.C. 552a(e)(4) and (11)), we are issuing public notice of our intent to establish a new routine use disclosure applicable to SSA's systems of records listed below under section I of the Supplementary Information section. The proposed routine use specifically permits the disclosure of SSA information in connection with response and remediation efforts in the event of an unintentional release of Agency information, otherwise known as a “data security breach.” Such a routine use would serve to protect the interests of the people whose information is at risk by allowing us to take appropriate steps to facilitate a timely and effective response to a data breach. It would also help us to improve our ability to prevent, minimize, or remedy any harm that may result from a compromise of data maintained in our systems of records. We invite public comment on this proposal.
DATES:
We filed a report of the proposed new routine use disclosure with the Chairman of the Senate Committee on Homeland Security and Governmental Affairs, the Chairman of the House Committee on Oversight and Government Reform, and the Director, Office of Information and Regulatory Affairs, Office of Management and Budget (OMB) on November 19, 2007. The proposed routine use will become effective on December 24, 2007, unless we receive comments warranting it not to become effective.
ADDRESSES:
Interested individuals may comment on this publication by writing to the Executive Director, Office of Public Disclosure, Office of the General Counsel, Social Security Administration, Room 3-A-6 Operations Building, 6401 Security Boulevard, Baltimore, Maryland 21235-6401. All comments received will be available for public inspection at the above address.
FOR FURTHER INFORMATION CONTACT:
Ms. Margo Wagner, Social Insurance Specialist, Disclosure Policy Development and Services Division 2, Office of Public Disclosure, Office of the General Counsel, Social Security Administration, Room 3-A-6 Operations Building, 6401 Security Boulevard, Baltimore, Maryland 21235-6401, telephone: (410) 965-1482, e-mail: margo.wagner@ssa.gov or Mr. Neil Etter, Social Insurance Specialist, Disclosure Policy Development and Services Division 1, Office of Public Disclosure, Office of the General Counsel, Social Security Administration, Room 3-A-6 Operations Building, 6401 Security Boulevard, Baltimore, Maryland 21235-6401, telephone: (410) 965-8028, e-mail: neil.etter@ssa.gov.
SUPPLEMENTARY INFORMATION:
I. Discussion of the Proposed New Routine Use
OMB has mandated and the President's Identity Theft Task Force recommended that Federal agencies develop and publish a routine use for appropriate systems of records that allows for the disclosure of information in connection with the response and remedial efforts in the event of a data breach.
Subsection (b)(3) of the Privacy Act provides that information from an agency's system of records may be disclosed without a subject individual's consent if the disclosure is “for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section.” 5 U.S.C. 552a(b)(3). Subsection (a)(7) of the Act states that “the term `routine use' means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. 552a(a)(7). Providing information to help respond to and remediate a breach of Federal data qualifies as a necessary and proper use of information. Such a use is in the best interest of both the individual whose record is at issue and the public.
The Privacy Act requires that agencies publish notification in the Federal Register of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.” 5 U.S.C. 552a(e)(4)(D). Based on OMB's recommended language, we have developed the following routine use that we will apply to nearly all of our Privacy Act systems of records, and that will allow for disclosure to appropriate agencies, entities, and persons under the following circumstances:
Our Privacy Act systems of records that contain data protected under the Internal Revenue Code (IRC) will not contain this routine use as the IRC does not contain a provision that permits disclosure for this purpose.
We may disclose information to appropriate Federal, State, and local agencies, entities, and persons when (1) we suspect or confirm that the security or confidentiality of information in this system of records has been compromised; (2) we determine that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs of SSA that rely upon the compromised information; and (3) we determine that disclosing the information to such agencies, entities, and persons is necessary to assist in our efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. SSA will use this routine use to respond only to those incidents involving an unintentional release of its records.
In nearly all cases, we will immediately notify affected individuals before informing any other entity. In the rare event that law enforcement needs require us to delay consumer notification, this delay will be limited to the minimum amount of time needed. Timely notification allows individuals the opportunity to minimize or prevent the occurrence of harm.
SSA will establish a new routine use to be included in the following systems of records:
| System No. and name | New routine use | Federal Register publication date/citation No. |
|---|---|---|
| 60-0001—Assignment and Correspondence Tracking Act (ACT) | No. 7 | 71 FR 1800, 01/11/06. |
| 60-0002—Optical System for Correspondence Analysis and Response | No. 8 | 71 FR 1802, 01/11/06. |
| 60-0003—Attorney Fee File | No. 9 | 71 FR 1803, 01/11/06. |
| 60-0004—Working File of the Appeals Council | No. 6 | 70 FR 60383, 10/17/05. |
| 60-0005—Administrative Law Judge Working File on Claimant Cases | No. 8 | 70 FR 60383, 10/17/05. |
| 60-0006—Storage of Hearing Records: Tape Cassettes and Audiograph Discs | No. 8 | 71 FR 1805, 01/11/06. |
| 60-0009—Hearings and Appeals Case Control System | No. 4 | 65 FR 46997, 08/01/00. |
| 60-0010—Hearing Office Tracking System of Claimant Cases | No. 6 | 71 FR 1806, 01/11/06. |
| 60-0012—Listing and Alphabetical Name File (Folder) of Vocational Experts, Medical Experts, and Other Health Care/Non-Health Care Professionals Experts (Medicare) | No. 7 | 71 FR 1807, 01/11/06. |
| 60-0013—Records of Usage of Medical Experts, Vocational Experts, and Other Health Care/Non-Health Care Professionals Experts (Medicare) | No.7 | 71 FR 1809, 01/11/06. |
| 60-0014—Curriculum Vitae and Professional Qualifications of Medical Advisors, and Resumes of Vocational Experts | No. 8 | 59 FR 46439, 09/08/94. |
| 60-0038—Employee Building Pass Files | No. 7 | 59 FR 46439, 09/08/94. |
| 60-0040—Quality Review System | No. 14 | 65 FR 46997, 08/01/00. |
| 60-0042—Quality Review Case Files | No. 14 | 65 FR 46997, 08/01/00. |
| 60-0044—National Disability Determination Services | No. 11 | 71 FR 11810, 01/11/06. |
| 60-0045—Black Lung Payment System | No. 14 | 68 FR 15784, 04/01/03. |
| 60-0046—Disability Determination Service Consultant's File | No. 7 | 71 FR 1812, 01/11/06. |
| 60-0050—Completed Determination Record—Continuing Disability Determinations | No. 10 | 71 FR 1814, 01/11/06. |
| 60-0057—Quality Evaluation Data Records | No. 6 | 65 FR 46997, 08/01/00. |
| 60-0058—Master Files of Social Security Number Holders and SSN Applications | No. 42 | 71 FR 1818, 01/11/06. |
| 60-0063—Resource Accounting System | No. 6 | 59 FR 46439, 09/08/94. |
| 60-0077—Congressional Inquiry File | No. 7 | 71 FR 1823, 01/11/06. |
| 60-0078—Public Inquiry Correspondence File | No. 8 | 71 FR 1825, 01/11/06. |
| 60-0089—Claims Folders System | No. 36 | 71 FR 1829, 01/11/06. |
| 60-0090—Master Beneficiary Record | No. 38 | 71 FR 1829, 01/11/06. |
| 60-0094—Recovery of Overpayments, Accounting and Reporting | No. 9 | 70 FR 49354, 08/23/05. |
| 60-0103—Supplemental Security Income Record | No. 37 | 71 FR 1829, 01/11/06. |
| 60-0118—Non-Contributory Military Service Reimbursement System | No. 6 | 71 FR 18334, 01/11/06. |
| 60-0159—Continuous Work History Sample (Statistics) | No. 5 | 65 FR 46997, 08/01/00. |
| 60-0186—SSA Litigation Tracking System New Routine Use No. | No. 6 | 70 FR 60383, 10/17/05. |
| 60-0196—Disability Studies, Surveys, Records and Extracts (Statistics) | No. 4 | 65 FR 46997, 08/01/00. |
| 60-0199—Extramural Surveys (Statistics) | No. 4 | 71 FR 1835, 01/11/06. |
| 60-0200—Retirement and Survivors Studies, Surveys, Records and Extracts (Statistics) | No. 4 | 65 FR 46997, 08/01/00. |
| 60-0202—Old Age, Survivors and Disability Beneficiary and Worker Records and Extracts (Statistics) | No. 5 | 69 FR 11693, 03/11/04. |
| 60-0203—Supplemental Security Income Studies, Surveys, Records and Extracts (Statistics) | No. 5 | 65 FR 46997, 08/01/00. |
| 60-0210—Record of Individuals Authorized Entry to Secured Automated Data Processing Area | No. 7 | 59 FR 46439, 09/08/94. |
| 60-0211—Beneficiary, Family and Household Surveys, Records and Extracts System (Statistics) | No. 5 | 69 FR 11693, 03/11/04. |
| 60-0213—Quality Review of Hearing/Appellate Process | No. 7 | 65 FR 46997, 08/01/00. |
| 60-0214—Personal Identification Number File (PINFile) | No. 5 | 59 FR 46441, 09/08/94. |
| 60-0218—Disability Insurance and Supplemental Security Income Demonstration Projects and Experiments System | No. 7 | 71 FR 1837, 01/11/06. |
| 60-0219—Representative Disqualification/Suspension Information System | No. 8 | 71 FR 1839, 01/11/06. |
| 60-0220—Kentucky Birth Records System | No. 5 | 59 FR 46439, 09/08/94. |
| 60-0221—Vocational Rehabilitation Reimbursement Case Processing System | No. 10 | 71 FR 1841, 01/11/06. |
| 60-0222—Master Representative Payee File | No. 18 | 71 FR 5399, 02/01/06. |
| 60-0224—SSA-Initiated Personal Earnings and Benefit Estimate Statement (SIPEBES) History File | No. 7 | 59 FR 54004, 10/27/94. |
| 60-0225—SSA Initiated Personal Earnings and Benefit Estimate Statement Address System for Certain Territories | No. 6 | 59 FR 54004, 10/27/94. |
| 60-0228—Safety Management Information System (SSA Accident, Injury and Illness Reporting System) | No. 7 | 71 FR 1844, 01/11/06. |
| 60-0230—Social Security Administration Parking Management Record System | No. 5 | 71 FR 1846, 01/11/06. |
| 60-0231—Financial Transactions of SSA Accounting and Finance Offices | No. 19 | 71 FR 1847, 01/11/06. |
| 60-0232—Central Registry of Individuals Doing Business With SSA (Vendor File) | No. 11 | 71 FR 1849, 01/11/06. |
| 60-0234—Employee Assistance Program (EAP) Records | No. 7 | 71 FR 1850, 01/11/06. |
| 60-0236—Employee Development Program Records | No. 13 | 71 FR 1853, 01/11/06. |
| 60-0237—Employees' Medical Records | No. 8 | 71 FR 1854, 01/11/06. |
| 60-0238—Pay, Leave and Attendance Records | No. 25 | 71 FR 1856, 01/11/06. |
| 60-0239—Personnel Records in Operating Offices | No. 17 | 71 FR 1859, 01/11/06. |
| 60-0241—Employee Suggestion Program Records New Routine Uses | No. 6 | 71 FR 1861, 01/11/06. |
| 60-0244—Administrative Grievances Filed Under Part 771 of 5 CFR | No. 19 | 71 FR 1862, 01/11/06. |
| 60-0245—Negotiated Grievance Procedure Records | No. 21 | 71 FR 1864, 01/11/06. |
| 60-0250—Equal Employment Opportunity (EEO) Counselor and Investigator Personnel Records | No. 13 | 71 FR 1866, 01/11/06. |
| 60-0255—Plans for Achieving Self-Support (PASS) Management Information System | No. 19 | 71 FR 1867, 01/11/06. |
| 60-0259—Claims Under the Federal Tort Claims Act and Military Personnel and Civilian Employees' Claim Act | No. 8 | 71 FR 1869, 01/11/06. |
| 60-0262—Attorney Applicant Files | No. 7 | 71 FR 1871, 01/11/06. |
| 60-0268—Medicare Part B Buy-In Information System | No. 9 | 64 FR 10173, 03/02/99. |
| 60-0269—Prisoner Update Processing System (PUPS) | No. 12 | 64 FR 11076, 03/08/99. |
| 60-0270—Records of Individuals Authorized Entry into Secured Areas by Digital Lock Systems, Electronic Key Card Systems or Other Electronic Access Devices | No. 5 | 65 FR 77953, 12/13/00. |
| 60-0273—Social Security Title VIII Special Veterans Benefits Claims Development and Management Information System | No. 15 | 65 FR 13803, 03/14/00. |
| 60-0274—Litigation Docket and Tracking System | No. 11 | 71 FR 1872, 01/11/06. |
| 60-0275—Civil Rights Complaints Filed by Members of the Public | No. 9 | 71 FR 1874, 01/11/06. |
| 60-0276—Social Security Administration's (SSA's) Talking and Listening to Customers (TLC) | No. 6 | 65 FR 48272, 08/07/00. |
| 60-0279—Social Security Administration's (SSA's) Mandate Against Red Tape (SMART) | No. 7 | 65 FR 49047, 08/10/00. |
| 60-0280—SSA Administrative Sanctions | No. 6 | 65 FR 54595, 09/08/00. |
| 60-0290—Social Security Administration's Customer PIN/Password (PPW) Master File System | No. 7 | 71 FR 1874, 01/11/06. |
| 60-0295—Ticket-to-Work and Self-Sufficiency Program Payment Database | No. 8 | 66 FR 17985, 04/04/01. |
| 60-0300—Ticket-to-Work Program Manager (PM) Management Information System | No. 8 | 66 FR 32656, 06/15/01. |
| 60-0305—SSA Mass Transportation Subsidy Program System | No. 12 | 67 FR 44658, 07/03/02. |
| 60-0310—Medicare Savings Programs Information System | No. 8 | 69 FR 17019, 03/31/04. |
| 60-0315—Reasonable Accommodation for Persons with Disabilities (RAPD) | No. 11 | 70 FR 62157, 10/28/05. |
| 60-0318—Representative Payee/Misuse Restitution Control System (RP/MRCS) | No. 8 | 70 FR 12774, 3/15/05. |
| 60-0320—Electronic Disability Claim File (eDib) | No. 31 | 68 FR 71210, 12/22/03. |
| 60-0321—Medicare Part D and Part D Subsidy File | No. 17 | 69 FR 77816, 12/28/04. |
| 60-0328—National Docketing Management Information System (NDMIS) | No. 16 | 70 FR 34515, 06/14/05. |
| 60-0330—eWork | No. 10 | 68 FR 54037, 09/15/03. |
| 60-0340—eFOIA | No. 11 | 70 FR 3571, 01/25/03. |
| 60-0350—Visitor Intake Process/Customer Service Record (VIP/CSR) System | No. 9 | 70 FR 59795, 10/13/05. |
| 60-0355—The Non-Attorney Representative Prerequisites Process File (NARPPF) | No. 11 | 69 FR 77823, 12/28/04. |
| 60-0361—Identity Management System (IDMS) | No. 15 | 71 FR 213, 11/03/06. |
| 60-0370—The Representative Payee and Beneficiary Survey Data System | No. 6 | 71 FR 16399, 3/31/06. |
We are not republishing in their entirety the notices of the systems of records to which we are adding the proposed new routine use disclosures. Instead, we are republishing only the identification number, the name of the system of record, the number of the new routine use and the issue of the Federal Register in which the system notice was last published, including the publication date and page number.
II. Compatibility of Proposed Routine Use
As mandated by OMB, as recommended by the President's Identity Theft Task Force, and in accordance with the Privacy Act (5 U.S.C. 552a(a)(7) and (b)(3)) and our disclosure regulation (20 CFR part 401), we are permitted to release information under a published routine use for a purpose that is compatible with the purpose for which we collected the information. Section 401.120 of our regulations provides that we will disclose information required by law. Since OMB has mandated the publication of this routine use, the proposed routine use is appropriate and meets the relevant statutory and regulatory criteria. In addition, disclosures to other agencies, entities and persons when needed to respond to an unintentional release are compatible with the reasons we collect the information, as helping to prevent and minimize the potential for harm is consistent with taking appropriate steps to protect information entrusted to us. See 5 U.S.C. 552a(e)(10).
III. Effect of the Proposed Routine Use Disclosure on the Rights of Individuals
The proposed routine use would serve to protect the interests of the people whose information is at risk. We would achieve this protection by taking appropriate steps to facilitate a timely and effective response to a security breach of our data, thereby improving our ability to prevent, minimize, or remedy any harm that may result from a compromise of data maintained in our systems of records. We do not anticipate that the proposed new routine use will have any unwarranted adverse effect on the rights of individuals about whom data will be disclosed.
Dated: November 13, 2007.
Michael J. Astrue,
Commissioner.
[FR Doc. E7-23875 Filed 12-7-07; 8:45 am]
BILLING CODE 4191-02-P