Subpart B—The Privacy Act
§ 401.30. Privacy Act and other responsibilities.
(a) Policy. Our policy is to protect the privacy of individuals to the fullest extent possible while nonetheless permitting the exchange of records required to fulfill our administrative and program responsibilities, and responsibilities for disclosing records which the general public is entitled to have under the Freedom of Information Act, 5 U.S.C. 552, and 20 CFR part 402.
(b) Maintenance of records. We will maintain no record unless:
(1) It is relevant and necessary to accomplish an SSA function which is required to be accomplished by statute or Executive Order;
(2) We obtain the information in the record, as much as it is practicable, from the subject individual if we may use the record to determine an individual's rights, benefits or privileges under Federal programs;
(3) We inform the individual providing the record to us of the authority for our asking him or her to provide the record (including whether providing the record is mandatory or voluntary, the principal purpose for maintaining the record, the routine uses for the record, and what effect his or her refusal to provide the record may have on him or her). Further, the individual agrees to provide the record, if the individual is not required by statute or Executive Order to do so.
(c) First Amendment rights. We will keep no record which describes how an individual exercises rights guaranteed by the First Amendment unless we are expressly authorized:
(2) By the subject individual, or
(3) Unless pertinent to and within the scope of an authorized law enforcement activity.
(d) Privacy Officer. The Privacy Officer is an advisor to the Agency on all privacy policy and disclosure matters. The Privacy Officer coordinates the development and implementation of Agency privacy policies and related legal requirements to ensure Privacy Act compliance, and monitors the coordination, collection, maintenance, use and disclosure of personal information. The Privacy Officer also ensures the integration of privacy principles into information technology systems architecture and technical designs, and generally provides to Agency officials policy guidance and directives in carrying out the privacy and disclosure policy.
(e) Senior Agency Official for Privacy. The Senior Agency Official for Privacy assumes overall responsibility and accountability for ensuring the agency's implementation of information privacy protections as well as agency compliance with federal laws, regulations, and policies relating to the privacy of information, such as the Privacy Act. The compliance efforts also include reviewing information privacy procedures to ensure that they are comprehensive and up-to-date and, where additional or revised procedures may be called for, working with the relevant agency offices in the consideration, adoption, and implementation of such procedures. The official also ensures that agency employees and contractors receive appropriate training and education programs regarding the information privacy laws, regulations, polices and procedures governing the agency's handling of personal information. In addition to the compliance role, the official has a central policy-making role in the agency's development and evaluation of legislative, regulatory and other policy proposals which might implicate information privacy issues, including those relating to the collection, use, sharing, and disclosure of personal information.
(f) Privacy Impact Assessment. In our comprehensive Privacy Impact Assessment (PIA) review process, we incorporate the tenets of privacy law, SSA privacy regulations, and privacy policy directly into the development of certain Information Technology projects. Our review examines the risks and ramifications of collecting, maintaining and disseminating information in identifiable form in an electronic information system and identifies and evaluates protections and alternate processes to reduce the risk of unauthorized disclosures. As we accomplish the PIA review, we ask systems personnel and program personnel to resolve questions on data needs and data protection prior to the development of the electronic system.
[62 FR 4143, Jan. 29, 1997, as amended at 72 FR 20939, Apr. 27, 2007]