SOCIAL SECURITY ADMINISTRATION
PRIVACY IMPACT ASSESSMENT
· Name of Project
My Social Security (My SSA)
· Unique Project Identifier
· Privacy Impact Assessment Contact
Office of Electronic Services
Social Security Administration
6401 Security Boulevard
Baltimore, MD 21235
The MySSA project will provide a single point of access to users of our electronic services. Users will sign on to MySSA via the Internet and may choose to access one or more of our available electronic services. These electronic services may include benefit verification (iBEVE), Post Entitlement applications (e.g., Change of Address, Direct Deposit, and Check Your Benefits) and other future electronic services involving the ability of the user to view, update, and correct the user’s existing Social Security records.
· Describe the information we plan to collect, why we will collect the information, how we intend to use the information, and with whom we will share the information.
We will collect and maintain the user’s information necessary for each electronic service application. The information might include the user’s name, address, date of birth, Social Security number, phone number, and other types of financial information. For example, if a user elects to change their address on our records, we will collect the new address information and make the necessary change to their existing record. The data we maintain also may include archived transaction data and historical data.
We will disclose information collected and maintained in this system only to our employees and contractors who require the information to perform their official duties; to the subject of the record; and to other persons pursuant to an applicable routine use provision as authorized by the Privacy Act or as otherwise permitted by Federal law. For example, under a routine use, we can disclose information to contractors, as necessary, to assist us in efficiently administering our programs.
We will not disclose any information defined as “return or return information” under 26 U.S.C. § 6103 of the Internal Revenue Code (IRC) unless authorized by statute, the IRC, the Internal Revenue Service (IRS), or IRS regulations.
· Describe the administrative and technological controls we have in place or that we plan to use to secure the information we will collect.
Our security includes technical, management, and operational controls that permit access to our information only to persons with an official “need to know.” We maintain electronic files with personal identifiers in secure storage areas. Security measures include the use of access codes (personal identification number and password) to enter our computer systems that house the data. Audit mechanisms are in place to record sensitive transactions as an additional measure to protect information from unauthorized disclosure or modification.
We annually provide appropriate security awareness training to all our employees and contractors that includes reminders about the need to protect personally identifiable information (PII) and the criminal penalties that apply to unauthorized access to, or disclosure of, PII. See 5 U.S.C. § 552a(i)(1). Furthermore, employees and contractors with access to databases maintaining PII must annually sign a sanction document that acknowledges their accountability for inappropriately accessing or disclosing such information.
· Describe the impact on persons’ privacy rights. Do we afford people an opportunity to decline to provide information?
Yes. We have legal authority to collect this information to administer our responsibilities under the Social Security Act. When we collect information from users wishing to do business with us through our electronic services, we use our Privacy Act Statement to advise them of our legal authority for requesting the information and explain the possible effects if they choose not to provide the information. Users can then make an informed decision whether or not to provide the information.
· Do we afford people an opportunity to consent to only particular uses of the information?
No. When we collect a person’s information, we advise that person of the purposes for which we will use the information. We further advise the person that we will disclose the information without written prior consent only when we have specific legal authority to do so (e.g., the Privacy Act of 1974). We do not otherwise offer persons an opportunity to determine how and with whom we share their information.
· Does the collection of this information require a new system of records under the Privacy Act (5 U.S.C. § 552a) or an alteration to an existing system of records?
No. The Supplemental Security Income Record and Special Veterans Benefits (60-0103), Master Beneficiary Record (60-0090), and the Central Repository of Electronic Authentication Data Master File (60-0373) systems of records cover the information we collect for our electronic services applications.
PIA CONDUCTED BY SSA PRIVACY OFFICER:
/s/ Dawn S. Wiggins May 26, 2011
PIA REVIEWED BY SSA SENIOR AGENCY PRIVACY OFFICIAL:
/s/ David F. Black June 2, 2011