Privacy and Disclosure of Official Records and Information, 20935-20942 [E7-7940]

Federal Register / Vol. 72, No. 81 / Friday April 27, 2007 / Rules and Regulations

general applicability and affects only the applicant which applied to the FAA for approval of these design features on the airplane.

The substance of the special conditions for these airplanes has been subjected to the notice and comment procedure in several prior instances and has been derived without substantive change from those previously issued. Because a delay would significantly affect the certification of the airplane, which is imminent, the FAA has determined that prior public notice and comment are unnecessary and impracticable, and good cause exists for adopting these special conditions immediately. The FAA is requesting comments to allow interested people to submit views that may not have been submitted in response to the prior opportunities for comment.

List of Subjects in 14 CFR Part 25

Aircraft, Aviation safety, Reporting and recordkeeping requirements.

The authority citation for these special conditions is as follows:

Authority: 49 U.S.C. 106(g), 40113, 44701, 44702, 44704.

The Special Conditions

Accordingly, pursuant to the authority delegated to me by the Administrator, the following special conditions are issued as part of the supplemental type certification basis for the Dassault Falcon Fan Jet, Fan Jet Series D, Series E, Series F, Mystere-Falcon 20–C5, 20–D5, 20–E5, 20–F5, and Mystere-Falcon 200 airplanes modified by 3S Certification, LLC.

1. Protection From Unwanted Effects of High-Intensity Radiated Fields (HIRF). Each electrical and electronic system that performs critical functions must be designed and installed to ensure that the operation and operational capability of these systems to perform critical functions are not adversely affected when the airplane is exposed to high-intensity radiated fields.

2. For the purpose of these special conditions, the following definition applies: Critical Functions: Functions whose failure would contribute to or cause a failure condition that would prevent continued safe flight and landing of the airplane.

Issued in Renton, Washington, on April 20, 2007.
Ali Bahrami, Manager, Transport Airplane Directorate, Aircraft Certification Service.
[FR Doc. E7–8112 Filed 4–26–07; 8:45 am]
BILLING CODE 4910–13–P

SOCIAL SECURITY ADMINISTRATION

20 CFR Part 401

[Docket No. SSA 2006–0074]

RIN 0960–AE88

Privacy and Disclosure of Official Records and Information

AGENCY: Social Security Administration.

ACTION: Final rules.

SUMMARY: These final rules revise our privacy and disclosure rules to clarify certain provisions and to provide expanded regulatory support for new and existing responsibilities and functions. These changes in the regulations will increase Agency efficiency and ensure consistency in the implementation of the Social Security Administration’s (SSA) policies and responsibilities under the Privacy Act and the Social Security Act.

DATES: These rules are effective May 29, 2007.

FOR FURTHER INFORMATION CONTACT: Christine W. Johnson, Office of Public Disclosure, 3–A–6 Operations Building, 6401 Security Boulevard, Baltimore, MD 21235–6401, (410) 965–8563 or TTY (410) 965–5609. For information on eligibility or filing for benefits, call our national toll-free numbers, 1–800–772–1213 or TTY 1–800–325–0778, or visit our Internet Web site, Social Security Online, at http://www.socialsecurity.gov.

SUPPLEMENTARY INFORMATION:

Electronic Version

The electronic file of this document is available on the date of publication in the Federal Register at http://www.gpoaccess.gov/FR/index.html.
Background

We last revised the privacy and disclosure regulations in 1980 when the Social Security Administration (SSA) was a part of the Department of Health and Human Services (DHHS) (formerly the Department of Health, Education and Welfare) and subject to DHHS’ disclosure policy oversight. Since 1980, significant changes have occurred in the procedures. We are codifying these changes in the procedures governing access to, and disclosure of, personally identifiable information. We are also making minor housekeeping changes to further clarify our procedures. In general, these final rules reflect SSA’s compliance with technological, legal and legislative changes that have occurred since 1980.

We are clarifying the provisions regarding requests for access to information developed by medical sources for Social Security programs, fully describing the existing responsibilities and functions of the Privacy Officer position, establishing the new senior agency official for privacy as required by the Office of Management and Budget (OMB) and explaining the related responsibilities, and implementing SSA’s new Privacy Impact Assessment process in accordance with the E-Government Act of 2002, Pub. L. 107–347. As required by OMB, we are requiring adequate safeguards against inappropriate disclosure of personal information by electronic means, e.g., over the Internet, and revising our procedures on notification of, or access to, medical records on behalf of another person, e.g., an adult or child.
These final rules also clarify SSA policy concerning an individual’s access to, or notification of, program records, amend the language concerning appeal requests under the Privacy Act to include denial of access to the record, and amend the language to insert the word “written” prior to “consent” to clarify that the requirement means disclosure with written consent and expands the language to more clearly define what information we will disclose with written consent. We are revising the language to show that SSA also has physical custody of personnel records, and revising the language under disclosure of personal information in nonprogram records to show the new name of the former General Accounting Office.

These final rules amend the language under disclosure of personal information in program records to make clear that we disclose information from program records only when there is a legitimate need for the information, and revise the language under disclosures required by law to show the current name for Aid to Families with Dependent Children. We are amending the language under compatible purposes to clearly state how we implement the routine use provision of the Privacy Act (5 U.S.C. 552a(b)(3)) and what we mean by routine use in terms of the information we can disclose, and amending the language under law enforcement purposes to clarify that disclosures under 5 U.S.C. 552a(b)(7) also require a written request. We are amending the language under statistical and research activities to reflect the language in the new routine use of data for research purposes, amending the language in the General Accounting Office section to correctly reflect the new name of the agency, and clarifying certain matters related to our rules on disclosure under court order and other legal process.
Comments on the Notice of Proposed Rulemaking

We published the Notice of Proposed Rulemaking (NPRM) in the Federal Register on September 13, 2006 (71 FR at 53994). The 60-day comment period ended on November 13, 2006. We received no public comments on the proposed rule. Accordingly, we are adopting the proposed rules as final rules. However, we made one substantive change to proposed § 401.180, which we discuss below in connection with the explanation of how these final rules change the current rules. We also made a few minor revisions to the text of the proposed rules for clarity. The changes are all non-substantive.

Explanation of Changes

Section 401.20 Scope

We are amending the section heading in § 401.20(a) to read “Access” and amending paragraph (a) to clarify the rules regarding the access provision as it pertains to information developed by medical sources that perform consultative examinations for us. We are amending the heading in § 401.20(b)(1)(iii) to read “Records kept by medical sources,” and amending the language in that paragraph.

Section 401.30 Privacy Act and Other Responsibilities

We are adding new paragraphs (d), (e) and (f) to § 401.30.

Privacy Officer

New paragraph § 401.30(d) fully describes the position of the SSA Privacy Officer and the responsibilities and functions of that position. SSA has always had a designated Privacy Officer since the enactment of the Privacy Act in 1974. Since that time, the Privacy Officer has overall responsibility for coordination of SSA privacy matters within the Agency. As such, the Privacy Officer advises the Agency on privacy policy matters and is responsible for developing and implementing privacy policies and related requirements, ensures compliance with the Privacy Act, and provides general oversight of privacy and disclosure policy involving privacy and disclosure matters.
The Privacy Officer has other responsibilities including evaluating legislative proposals and other initiatives proposed by Congress, other agencies and the public, and reviewing multifunctional projects, studies and research activities involving personal information. The responsibilities also include facilitating the incorporation of privacy principles into information technology systems architectures and technical designs to ensure that privacy policies and practices are properly reflected in our business requirements. We are providing an explanation of the Privacy Officer’s responsibilities to emphasize SSA’s long-standing commitment to the public that personal information maintained in SSA’s Privacy Act systems of records is handled in full compliance with the law.

Senior Agency Official for Privacy

To help protect the privacy rights of Americans and to ensure that agencies continue to have effective information privacy management programs in place to carry out this important responsibility, OMB requires that each agency designate a senior agency official to serve as the person in charge of privacy issues. The Senior Agency Official for Privacy will have overall responsibility and accountability for privacy issues at the national and agency-wide levels. The official will also have a central role in overseeing agency compliance efforts in privacy policy procedures as well as a key role in policy-making as it pertains to the development and evaluation of legislative, regulatory and other policy proposals that might implicate privacy issues. New paragraph § 401.30(e) establishes SSA’s Senior Agency Official for Privacy and fully describes the responsibilities of that position as prescribed by OMB. (See OMB Memorandum M–08–05, dated February 11, 2005).

Privacy Impact Assessments

In accordance with Section 208 of the E–Government Act of 2002 (Pub. L. 107–347, 44 U.S.C. 3501 note), the Office of Management and Budget now requires that certain Information Technology (IT) projects receive a special privacy review called a Privacy Impact Assessment (PIA). The PIA review is in addition to the current SSA requirement that SSA’s Privacy Officer certify Agency procurement requests for automated data processing resources and proposed contracts. The PIA review will strengthen the existing process by incorporating privacy involvement directly into the development of the IT system lifecycle and establishing a process that the entire Agency can understand in terms of privacy involvement in IT system development efforts.

New paragraph § 401.30(f) describes the PIA requirements for ensuring that privacy considerations receive a standardized review. We will determine if adequate measures have been taken to protect the privacy of the personally identifiable information the IT project will affect and if the requirements of the Privacy Act and applicable SSA regulations and policy are properly addressed.

Section 401.45 Verifying Your Identity

We are adding to § 401.45 new paragraphs (b)(3) and (b)(4) to emphasize that when SSA provides convenient service to you over open computer networks such as the Internet, we will adequately protect against improper disclosure of records. We are redesignating present paragraphs (b)(3), (b)(4) and (b)(5) as (b)(5), (b)(6) and (b)(7), respectively. We are also revising the language in redesignated (b)(5).

Increasingly, computer technology enables us to transact business with you as a taxpayer, Social Security beneficiary, employer or third-party organization. We are moving cautiously to allow you to communicate with us securely over open networks such as the Internet.
Such expanded services are dependent on our development of practices and mechanisms to ensure identity confirmation to protect you against improper disclosure of the personal information we maintain in our records, and to improve privacy protections.

Section 401.55 Special Procedures for Notification of or Access to Medical Records

We are revising the section heading to read “Access to medical records.” We are revising the procedures for access to medical records to conform to the practices and systems of records that set out special procedures under which individuals may have direct access to their medical records.

Currently, when you request your medical records, § 401.55(b)(1)(ii) requires you to designate a representative to receive the records for you and gives the representative the discretion to inform you about the contents of your record. We are modifying the special procedures in that paragraph to require the representative to release your record to you after the discussion of its contents. The representative no longer has the discretion to withhold any part of your record.

Section 401.55(c)(2)(iii) currently gives a designated representative (e.g., family physician or other health care professional) discretion about making the contents of a minor’s medical record available to the parent or legal guardian. These final rules modify this provision to require the representative to release the minor’s records to the parent or legal guardian following the discussion of its contents. Additionally, we are redesignating present paragraph (d) concerning requests on behalf of incapacitated adults as paragraph (c)(3).
Section 401.60 Access or Notification of Program Records About Two or More Individuals

Currently, § 401.60 is entitled “Access or notification of program records about two or more individuals.” The first sentence in the section reads “When information about two or more individuals is in one record filed under your social security number, you may receive the information about you and the fact of entitlement and the amount of benefits payable to other persons based on your record.” We are amending § 401.60 by inserting the word “to” after the word “Access” in the heading and revising the language in both the heading and first sentence to read “about more than one individual.”

Section 401.70 Appeals of Refusals To Correct or Amend Records

Currently, § 401.70 is entitled “Appeals of refusals to correct or amend records.” We are amending the section heading to include appeals after denial of access. We are clarifying the policy in the section by revising the language in existing paragraphs (a), (b) and (c). We are adding a new paragraph (d) to clearly explain the process after you file your appeal.

Section 401.100 Disclosure of Records With the Consent of the Subject of the Record

We are amending the language in the section heading under § 401.100 to insert the word “written” before “consent.” We are revising the language in paragraph (a) to clarify that the consent must be in writing and define what information we will disclose with written consent. To present the information in a more reader-friendly format, the second and third sentences of paragraph (a) are designated as new paragraphs (b) “Disclosure with written consent”, and (c) “Disclosure of the entire record,” respectively. We are making conforming changes to existing paragraph (b) and redesignating it as paragraph (d).
Section 401.105 Disclosure of Personal Information Without the Consent of the Subject of the Record

We are revising the second sentence of paragraph (b) into two sentences to clarify that SSA also has physical custody of personnel records maintained as part of the Office of Personnel Management’s (OPM) Privacy Act government-wide systems of records and that these records are subject to OPM’s rules on access and disclosure at 5 CFR parts 293 and 297.

Section 401.110 Disclosure of Personal Information in Nonprogram Records Without the Consent of the Subject of the Record

We are amending the language in § 401.110(j) to show the new name for the former General Accounting Office.

Section 401.115 Disclosure of Personal Information in Program Records Without the Consent of the Subject of the Record

We are amending the introductory language in § 401.115 to make clear that the information in program records will be disclosed only on a need-to-know basis.

Section 401.120 Disclosure Required by Law

Currently, the last sentence in § 401.120 reads “* * * and to Federal, State and local agencies administering Aid to Families with Dependent Children, Medicaid, unemployment compensation, food stamps, and other programs.” We are amending the language to reflect the current name of the AFDC program. The new name will read “* * * Temporary Assistance for Needy Families * * *”

Section 401.150 Compatible Purposes

We are amending § 401.150 to clearly state how we implement the routine use provision. More specifically, the language in paragraphs (a) and (b) is expanded to include what we mean by “routine use” in terms of the information we can disclose and how we give notice of routine use disclosures, respectively. We are amending paragraph (c) by adding new paragraphs (c)(1) and (c)(2) to clearly show the distinctions between disclosure in SSA programs and programs similar to SSA programs, for compatibility purposes.
Section 401.155 Law Enforcement Purposes

We are amending § 401.155 to make clear that the Privacy Act requires a written request for information from the head of the law enforcement agency in situations involving both serious crimes and criminal activity involving Social Security programs or other programs with the same purpose.

Section 401.165 Statistical and Research Activities

We are amending § 401.165 to make it consistent with the recently published new routine use of data for research purposes.

Section 401.175 General Accounting Office

We are amending the section heading in § 401.175 to reflect a name change. The new heading will read “Government Accountability Office.” We are also revising the language in the paragraph to read “* * * to the Government Accountability Office when that agency needs the information to carry out its duties.”

Section 401.180 Courts

We are revising the entire section of § 401.180 to clarify our policy on disclosure when we receive an order from a court of competent jurisdiction. In 1980, when § 401.180 was initially published as a final rule, the status of subpoenas and other legal process under paragraph (b)(11) of the statute was unclear. Since then, SSA has not treated a subpoena or similar legal process as a court order unless a judge signs it. We believe that this position is now established as law as it is consistent with court decisions and OMB guidance interpreting the Privacy Act. See, e.g., Doe v. DiGenova, 779 F.2d 74 (D.C. Cir. 1985); Stiles v. Atlanta Gas Light Co., 453 F.Supp. 798 (N.D. Ga. 1978).

The Privacy Act (5 U.S.C. 552a(b)(11)) permits disclosure by an agency pursuant to the order of a court of competent jurisdiction. Under this provision, we consider only a Federal court of the United States to be a court of competent jurisdiction.
However, the proposed rules provided that we may disclose information in compliance with a state court order if the disclosure was necessary to preserve the rights of an accused to due process in a criminal proceeding (71 FR at 54000). This provision of the proposed rules could have been misconstrued to be inconsistent with the Privacy Act and proposed (and final) § 401.180(d). Final § 401.180(d) states our view that, under the Privacy Act, the Federal Government has not waived its sovereign immunity, which would preclude state court jurisdiction over a Federal agency or official. Since a state court does not have jurisdiction over a Federal agency or official in the absence of a waiver of the Federal Government’s sovereign immunity, we have deleted the exception for certain state court orders set out in proposed § 401.180(g).

The final rules are consistent with our position that state court orders do not provide an independent basis for disclosure. Consequently, under the final rules, we may disclose information in response to a state court order only if another provision of this part permits disclosure (such as law enforcement or consent). If we find an independent basis for disclosure, we may honor the request for information sought in the state court order under the authority of the other provision. As a result, in these final rules, we revised the second sentence of proposed § 401.180(d) to state that “* * * state court orders will be treated in accordance with other provisions of this part.” We also amended the language as appropriate to make clear that, for purposes of this section, a court is a judicial branch of the Federal government. In a conforming change, we redesignated proposed § 401.180(h) as final § 401.180(g).
In paragraph 401.180(a) we make clear that when information disclosed from SSA records is used in court proceedings, it usually becomes part of the public record of the proceedings and its confidentiality often cannot be protected. Accordingly, we will follow the rules in new paragraph (d) of this section in deciding whether an order is from a court of competent jurisdiction.

We are changing the heading in paragraph (b) to read “Court” and amending the language in the paragraph to state SSA’s position that a court, for purposes of 5 U.S.C. 552a(b)(11), is an institution of a judicial branch of the Federal government consisting of one or more judges who seek to adjudicate disputes and administer justice. The definition clarifies that other entities in other branches of the Federal government or not in the United States are not courts for purposes of the Privacy Act.

We are adding a new paragraph (c) to explain that only a legal process, such as a summons or warrant, that is signed by a judge and that commands the disclosure of information by SSA will be considered to be a court order for purposes of the statutory exception in 5 U.S.C. 552a(b)(11). References to subpoenas have been removed from this regulation. When we receive legal process that is not an order of a court of competent jurisdiction (such as a grand jury subpoena, a subpoena signed by the clerk of the court or the attorney representing a party to the proceeding), we may decide to disclose information if the conditions described in any other provision of this regulation would permit the disclosure (for example, for a compatible purpose under § 401.150). However, we will not disclose without an order from a court of competent jurisdiction if the Privacy Act or any other law would prohibit the disclosure without such an order.

We are adding a new paragraph (d) to explain our view on court of competent jurisdiction.
In new paragraph (e) of this section we describe the conditions for disclosure under court order and clarify the rules on disclosure when a court order is involved.

We are adding a new paragraph (f) to explain that in other circumstances we may attempt to satisfy the needs of a court of competent jurisdiction when the circumstances in paragraph (e) are not met. We will make these determinations in accordance with 401.140.

We are removing existing paragraph (g) and redesignating paragraph (h) as paragraph (g). New paragraph (g) provides a cross-reference to additional regulations contained in 20 CFR part 403 concerning testimony and production of records in legal proceedings.

Regulatory Procedures

Executive Order 12866

The Office of Management and Budget has reviewed these final rules in accordance with Executive Order 12866, as amended by Executive Order 13258.

Regulatory Flexibility Act

We certify that these final rules would not have a significant economic impact on a substantial number of small entities because they affect only individuals or entities acting on their behalf. Thus, a regulatory flexibility analysis as provided in the Regulatory Flexibility Act, as amended, is not required.

Paperwork Reduction Act

These final rules contain reporting requirements as shown in the table below. Where the public reporting burden is accounted for in Information Collection Requests for the various forms that the public uses to submit the information to SSA, a 1-hour placeholder burden is being assigned to the specific reporting requirement(s) contained in these rules.

| Section      | Annual number of responses | Frequency of response | Average burden per response (min.) | Estimated annual burden (hours) |
|--------------|----------------------------|-----------------------|------------------------------------|---------------------------------|
| 401.45(b)    | 20,000                     | 1                     | 10                                 | 3333                            |
| 401.70(a)(b) |                            |                       |                                    | 1                               |
| 401.100(b)   |                            |                       |                                    | 1                               |
| Total        | 20,000                     | 1                     | 10                                 | 3335                            |

An Information Collection Request has been submitted to OMB for clearance. To receive a copy of the OMB clearance package, you may call the SSA Reports Clearance Officer on 410–965–0454.

(Catalog of Federal Domestic Assistance Program Nos. 96.001 Social Security—Disability Insurance; 96.002 Social Security—Retirement Insurance; 96.004 Social Security—Survivors Insurance; 96.006 Supplemental Security Income).

List of Subjects in 20 CFR Part 401

Information, Records, Administrative practice and procedure, Archives and records.

Dated: January 17, 2007.
Jo Anne B. Barnhart, Commissioner of Social Security.

Editorial Note: This document was received at the Office of the Federal Register on April 20, 2007.

For the reasons set out in the preamble, we are amending subparts A, B and C of part 401 of chapter III of title 20 of the Code of Federal Regulations as set forth below:

PART 401—PRIVACY AND DISCLOSURE OF OFFICIAL RECORDS AND INFORMATION

1. The authority citation for part 401 continues to read as follows:

Authority: Secs. 205, 702(a)(5), 1106, and 1141 of the Social Security Act (42 U.S.C. 405, 902(a)(5), 1306, and 1320b–11); 5 U.S.C. 552 and 552a; 8 U.S.C. 1360; 26 U.S.C. 6103; 30 U.S.C. 923.

2. Section 401.20 is amended by revising paragraphs (a) and (b)(1)(iii) to read as follows:

§ 401.20 Scope.

(a) Access. Sections 401.30 through 401.95, which set out SSA’s rules for implementing the Privacy Act, apply to records retrieved by an individual’s name or personal identifier subject to the Privacy Act. The rules in §§ 401.30 through 401.95 also apply to information developed by medical sources for the Social Security program and shall not be accessed except as permitted by this part.

(b) * * *

(1) * * *

(iii) Information retained by medical sources pertaining to a consultative examination performed for the Social Security program shall not be disclosed except as permitted by this part.

* * * * *

3. Section 401.30 is amended by revising the heading and adding paragraphs (d), (e) and (f) to read as follows:

§ 401.30 Privacy Act and other responsibilities.

* * * * *

(d) Privacy Officer. The Privacy Officer is an advisor to the Agency on all privacy policy and disclosure matters. The Privacy Officer coordinates the development and implementation of Agency privacy policies and related legal requirements to ensure Privacy Act compliance, and monitors the coordination, collection, maintenance, use and disclosure of personal information. The Privacy Officer also ensures the integration of privacy principles into information technology systems architecture and technical designs, and generally provides to Agency officials policy guidance and directives in carrying out the privacy and disclosure policy.

(e) Senior Agency Official for Privacy. The Senior Agency Official for Privacy assumes overall responsibility and accountability for ensuring the agency’s implementation of information privacy protections as well as agency compliance with federal laws, regulations, and policies relating to the privacy of information, such as the Privacy Act.
The compliance efforts also include reviewing information privacy procedures to ensure that they are comprehensive and up-to-date and, where additional or revised procedures may be called for, working with the relevant agency offices in the consideration, adoption, and implementation of such procedures. The official also ensures that agency employees and contractors receive appropriate training and education programs regarding the information privacy laws, regulations, policies and procedures governing the agency’s handling of personal information. In addition to the compliance role, the official has a central policy-making role in the agency’s development and evaluation of legislative, regulatory and other policy proposals which might implicate information privacy issues, including those relating to the collection, use, sharing, and disclosure of personal information.

(f) Privacy Impact Assessment. In our comprehensive Privacy Impact Assessment (PIA) review process, we incorporate the tenets of privacy law, SSA privacy regulations, and privacy policy directly into the development of certain Information Technology projects. Our review examines the risks and ramifications of collecting, maintaining and disseminating information in identifiable form in an electronic information system and identifies and evaluates protections and alternate processes to reduce the risk of unauthorized disclosures. As we accomplish the PIA review, we ask systems personnel and program personnel to resolve questions on data needs and data protection prior to the development of the electronic system.

4. Section 401.45 is amended by redesignating paragraphs (b)(3), (b)(4) and (b)(5) as (b)(5), (b)(6) and (b)(7), respectively, adding new paragraphs (b)(3) and (b)(4) and revising redesignated paragraph (b)(5) to read as follows:

§ 401.45 Verifying your identity.

* * * * *

(b) * * *

(3) Electronic requests.
If you make a request by computer or other electronic means, e.g., over the Internet, we require you to verify your identity by using identity confirmation procedures that are commensurate with the sensitivity of the information that you are requesting. If we cannot confirm your identity using our identity confirmation procedures, we will not process the electronic request. When you cannot verify your identity through our procedures, we will require you to submit your request in writing.

(4) Electronic disclosures. When we collect or provide personally identifiable information over open networks such as the Internet, we use encryption in all of our automated online transaction systems to protect the confidentiality of the information. When we provide an online access option, such as a standard e-mail comment form on our Web site, and encryption is not being used, we alert you that personally identifiable information (such as your social security number) should not be included in your message.

(5) Requests not made in person. Except as provided in paragraphs (b)(2) of this section, if you do not make a request in person, you must submit a written request to SSA to verify your identity or you must certify in your request that you are the individual you claim to be. You must also sign a statement that you understand that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense.

* * * * *

5. Section 401.55 is amended by revising the heading and paragraphs (a), (b)(1)(ii), (c)(1) and (c)(2)(iii) and by redesignating paragraph (d) as paragraph (c)(3) to read as follows:

§ 401.55 Access to medical records.

(a) General. You have a right to access your medical records, including any psychological information that we maintain.

(b) * * *

(1) * * *

(ii) When you request medical information about yourself, you must also name a representative in writing.
The representative may be a physician, other health professional, or other responsible individual who will be willing to review the record and inform you of its contents. Following the discussion, you are entitled to your records. The representative does not have the discretion to withhold any part of your record. If you do not designate a representative, we may decline to release the requested information. In some cases, it may be possible to release medical information directly to you rather than to your representative.

* * * * *

(c) Medical records of minors. (1) Request by the minor. You may request access to your own medical records in accordance with paragraph (b) of this section.

(2) Request on a minor’s behalf. * * *

(iii) Where a medical record on the minor exists, we will in all cases send it to the physician or health professional designated by the parent or guardian. The representative will review the record, discuss its contents with the parent or legal guardian, then release the entire record to the parent or legal guardian. The representative does not have the discretion to withhold any part of the minor’s record. We will respond in the following similar manner to the parent or guardian making the request: “We have completed processing your request for notification of or access to _____’s (Name of minor) medical records. Please be informed that if any medical record was found pertaining to that individual, it has been sent to your designated physician or health professional.”

* * * * *

6. Section 401.60 is amended by revising the section heading and first sentence of the paragraph to read as follows:

§ 401.60 Access to or notification of program records about more than one individual.
When information about more than one individual is in one record filed under your social security number, you may receive the information about you and the fact of entitlement and the amount of benefits payable to other persons based on your record. * * *

7. Section 401.70 is revised to read as follows:

§ 401.70 Appeals of refusals to correct records or refusals to allow access to records.

(a) General. This section describes how to appeal decisions made by SSA under the Privacy Act concerning your request for correction of or access to your records, those of your minor child, or those of a person for whom you are the legal guardian. We generally handle a denial of your request for information about another person under the provisions of the Freedom of Information Act (see part 402 of this chapter). To appeal a decision under this section, your request must be in writing.

(b) Appeal of refusal to correct or amend records. If we deny your request to correct an SSA record, you may request a review of that decision. As discussed in § 401.65(e), our letter denying your request will tell you to whom to write.

(1) We will review your request within 30 working days from the date of the receipt. However, for a good reason and with the approval of the Executive Director for the Office of Public Disclosure, this time limit may be extended up to an additional 30 days. In that case, we will notify you about the delay, the reason for it and the date when the review is expected to be completed.

(2) If, after review, we determine that the record should be corrected, we will do so. However, if we refuse to amend the record as you requested, we will inform you that—

(i) Your request has been refused and the reason for refusing;

(ii) The refusal is SSA’s final decision; and

(iii) You have a right to seek court review of SSA’s final decision.
(3) We will also inform you that you have a right to file a statement of disagreement with the decision. Your statement should include the reason you disagree. We will make your statement available to anyone to whom the record is subsequently disclosed, together with a statement of our reasons for refusing to amend the record. Also, we will provide a copy of your statement to individuals whom we are aware received the record previously.

(c) Appeals after denial of access. If, under the Privacy Act, we deny your request for access to your own record, those of your minor child or those of a person to whom you are the legal guardian, we will advise you in writing of the reason for that denial, the name and title or position of the person responsible for the decision and your right to appeal that decision. You may appeal the denial decision to the Executive Director for the Office of Public Disclosure, 6401 Security Boulevard, Baltimore, MD 21235–6401, within 30 days after you receive notice denying all or part of your request, or, if later, within 30 days after you receive materials sent to you in partial compliance with your request.

(d) Filing your appeal. If you file an appeal, the Executive Director or his or her designee will review your request and any supporting information submitted and then send you a notice explaining the decision on your appeal. The time limit for making our decision after we receive your appeal is 30 working days. The Executive Director or his or her designee may extend this time limit up to 30 additional working days if one of the circumstances in 20 CFR 402.140 is met. We will notify you in writing of any extension, the reason for the extension and the date by which we will decide your appeal. The notice of the decision on your appeal will explain your right to have the matter reviewed in a Federal district court if you disagree with all or part of our decision.

8.
Section 401.100 is revised to read as follows:

§ 401.100 Disclosure of records with the written consent of the subject of the record.

(a) General. Except as permitted by the Privacy Act and the regulations in this part, or when required by the FOIA, we will not disclose your records without your written consent.

(b) Disclosure with written consent. The written consent must clearly specify to whom the information may be disclosed, the information you want us to disclose (e.g., social security number, date and place of birth, monthly Social Security benefit amount, date of entitlement), and, where applicable, during which timeframe the information may be disclosed (e.g., during the school year, while the subject individual is out of the country, whenever the subject individual is receiving specific services).

(c) Disclosure of the entire record. We will not disclose your entire record. For example, we will not honor a blanket consent for all information in a system of records or any other record consisting of a variety of data elements. We will disclose only the information you specify in the consent. We will verify your identity and where applicable (e.g., where you consent to disclosure of a record to a specific individual), the identity of the individual to whom the record is to be disclosed.

(d) A parent or guardian of a minor is not authorized to give written consent to a disclosure of a minor’s medical record. See § 401.55(c)(2) for the procedures for disclosure of or access to medical records of minors.

9. Section 401.105 is amended by revising the second sentence of paragraph (b) to read as follows:

§ 401.105 Disclosure of personal information without the consent of the subject of the record.

* * * * *

(b) * * * For administrative and personnel records, the Privacy Act applies.
To the extent that SSA has physical custody of personnel records maintained as part of the Office of Personnel Management’s (OPM) Privacy Act government-wide systems of records, these records are subject to OPM’s rules on access and disclosure at 5 CFR parts 293 and 297. * * *

10. Paragraph (j) of § 401.110 is revised to read as follows:

§ 401.110 Disclosure of personal information in nonprogram records without the consent of the subject of the record.

* * * * *

(j) To the Comptroller General, or any of his authorized representatives, in the course of the performance of duties of the Government Accountability Office.

* * * * *

11. Section 401.115 is amended by revising the introductory text to read as follows:

§ 401.115 Disclosure of personal information in program records without the consent of the subject of the record.

This section describes how various laws control the disclosure of personal information that we keep. We disclose information in the program records only when a legitimate need exists. For example, we disclose information to officers and employees of SSA who have a need for the record in the performance of their duties. We also must consider the laws identified below in the respective order when we disclose program information:

* * * * *

12. Section 401.120 is amended by revising the last sentence in the paragraph to read as follows:

§ 401.120 Disclosures required by law.

* * * These agencies include the Department of Veterans Affairs for its benefit programs, U.S. Citizenship and Immigration Services to carry out its duties regarding aliens, the Railroad Retirement Board for its benefit programs, and to Federal, State and local agencies administering Temporary Assistance for Needy Families, Medicaid, unemployment compensation, food stamps, and other programs.

13.
Section 401.150 is revised to read as follows:

§ 401.150 Compatible purposes.

(a) General. The Privacy Act allows us to disclose information maintained in a system of records without your consent to any other party if such disclosure is pursuant to a routine use published in the system’s notice of system of records. A “Routine use” must be compatible with the purpose for which SSA collected the information.

(b) Notice of routine use disclosures. A list of permissible routine use disclosures is included in every system of records notice published in the Federal Register.

(c) Determining compatibility. (1) Disclosure to carry out SSA programs. We disclose information for published routine uses necessary to carry out SSA’s programs.

(2) Disclosure to carry out programs similar to SSA programs. We may disclose information for the administration of other government programs. These disclosures are pursuant to published routine uses where the use is compatible with the purpose for which the information was collected. These programs generally meet the following conditions:

(i) The program is clearly identifiable as a Federal, State, or local government program.

(ii) The information requested concerns eligibility, benefit amounts, or other matters of benefit status in a Social Security program and is relevant to determining the same matters in the other program. For example, we disclose information to the Railroad Retirement Board for pension and unemployment compensation programs, to the Department of Veterans Affairs for its benefit programs, to worker’s compensation programs, to State general assistance programs and to other income maintenance programs at all levels of government. We also disclose for health maintenance programs like Medicaid and Medicare.

(iii) The information will be used for appropriate epidemiological or similar research purposes.

14.
Section 401.155 is amended by adding the following language between the fourth and fifth sentences in paragraph (a) and by removing the last sentence of paragraph (b).

§ 401.155 Law enforcement purposes.

(a) General. * * * The Privacy Act allows us to disclose information if the head of the law enforcement agency makes a written request giving enough information to show that the conditions in paragraphs (b) or (c) of this section are met, what information is needed, and why it is needed. * * *

* * * * *

15. Section 401.165 is amended by revising paragraph (b)(2) to read as follows:

§ 401.165 Statistical and research activities.

* * * * *

(b) * * *

(2) The activity is designed to increase knowledge about present or alternative Social Security programs or other Federal or State income-maintenance or health-maintenance programs; or is used for research that is of importance to the Social Security program or the Social Security beneficiaries; or an epidemiological research project that relates to the Social Security program or beneficiaries; and

* * * * *

16. Section 401.175 is revised to read as follows:

§ 401.175 Government Accountability Office.

We disclose information to the Government Accountability Office when that agency needs the information to carry out its duties.

17. Section 401.180 is revised to read as follows:

§ 401.180 Disclosure under court order or other legal process.

(a) General. The Privacy Act permits us to disclose information when we are ordered to do so by a court of competent jurisdiction. When information is used in a court proceeding, it usually becomes part of the public record of the proceeding and its confidentiality often cannot be protected in that record. Much of the information that we collect and maintain in our records on individuals is especially sensitive.
Therefore, we follow the rules in paragraph (d) of this section in deciding whether we may disclose information in response to an order from a court of competent jurisdiction. When we disclose pursuant to an order from a court of competent jurisdiction, and the order is a matter of public record, the Privacy Act requires us to send a notice of the disclosure to the last known address of the person whose record was disclosed.

(b) Court. For purposes of this section, a court is an institution of the judicial branch of the U.S. Federal government consisting of one or more judges who seek to adjudicate disputes and administer justice. (See 404.2(c)(6) of this chapter). Entities not in the judicial branch of the Federal government are not courts for purposes of this section.

(c) Court order. For purposes of this section, a court order is any legal process which satisfies all of the following conditions:

(1) It is issued under the authority of a Federal court;

(2) A judge or a magistrate judge of that court signs it;

(3) It commands SSA to disclose information; and

(4) The court is a court of competent jurisdiction.

(d) Court of competent jurisdiction. It is the view of SSA that under the Privacy Act the Federal Government has not waived sovereign immunity, which precludes state court jurisdiction over a Federal agency or official. Therefore, SSA will not honor state court orders as a basis for disclosure. State court orders will be treated in accordance with the other provisions of this part.

(e) Conditions for disclosure under a court order of competent jurisdiction.
We disclose information in compliance with an order of a court of competent jurisdiction if—

(1) another section of this part specifically allows such disclosure, or

(2) SSA, the Commissioner of Social Security, or any officer or employee of SSA in his or her official capacity is properly a party in the proceeding, or

(3) disclosure of the information is necessary to ensure that an individual who is accused of criminal activity receives due process of law in a criminal proceeding under the jurisdiction of the judicial branch of the Federal government.

(f) In other circumstances. We may disclose information to a court of competent jurisdiction in circumstances other than those stated in paragraph (e) of this section. We will make our decision regarding disclosure by balancing the needs of a court while preserving the confidentiality of information. For example, we may disclose information under a court order that restricts the use and redisclosure of the information by the participants in the proceeding; we may offer the information for inspection by the court in camera and under seal; or we may arrange for the court to exclude information identifying individuals from that portion of the record of the proceedings that is available to the public. We will make these determinations in accordance with § 401.140.

(g) Other regulations on request for testimony, subpoenas and production of records in legal proceedings. See 20 CFR part 403 of this chapter for additional rules covering disclosure of information and records governed by this part and requested in connection with legal proceedings.

[FR Doc. E7–7940 Filed 4–26–07; 8:45 am]
BILLING CODE 4191–02–P

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Food and Drug Administration

21 CFR Part 2

[Docket No.
2006N–0416]

Use of Ozone-Depleting Substances; Removal of Essential Use Designations; Confirmation of Effective Date

AGENCY: Food and Drug Administration, HHS.

ACTION: Direct final rule; confirmation of effective date.

SUMMARY: The Food and Drug Administration (FDA) is confirming the effective date of April 23, 2007, for the direct final rule that appeared in the Federal Register of December 7, 2006 (71 FR 70870). The direct final rule amends the regulation to remove beclomethasone, dexamethasone, fluticasone, bitolterol, salmeterol, ergotamine tartrate, and ipratropium bromide, used in oral pressurized metered-dose inhalers, from the list of essential uses of ozone-depleting substances. None of these products is currently being marketed. This document confirms the effective date of the direct final rule.

DATES: Effective date confirmed: April 23, 2007, except for the removal of § 2.125(e)(4)(v) (21 CFR 2.125(e)(4)(v)), which is effective August 1, 2007.

FOR FURTHER INFORMATION CONTACT: Martha Nguyen or Wayne H. Mitchell, Center for Drug Evaluation and Research (HFD–7), Food and Drug Administration, 5600 Fishers Lane, Rockville, MD 20857, 301–594–2041.

SUPPLEMENTARY INFORMATION: In the Federal Register of December 7, 2006 (71 FR 70870), FDA solicited comments concerning the direct final rule for a 75-day period ending February 20, 2007. FDA stated that the effective date of the direct final rule would be on April 23, 2007, 60 days after the end of the comment period, unless any significant adverse comment was submitted to FDA during the comment period. FDA received no significant adverse comments within the comment period.

Therefore, under the Federal Food, Drug, and Cosmetic Act, the Clean Air Act, and under authority delegated to the Commissioner of Food and Drugs, after consultation with the Administrator of the Environmental Protection Agency, notice is given that no objections or requests for a hearing were filed in response to the December 7, 2006, direct final rule. Accordingly, FDA is confirming that the amendment issued thereby is effective April 23, 2007, except for the removal of § 2.125(e)(4)(v), which is effective August 1, 2007.

Dated: April 17, 2007.
Jeffrey Shuren,
Assistant Commissioner for Policy.

[FR Doc. E7–8043 Filed 4–26–07; 8:45 am]
BILLING CODE 4160–01–S

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Food and Drug Administration

21 CFR Part 520

Oral Dosage Form New Animal Drugs; Diclazuril

AGENCY: Food and Drug Administration, HHS.

ACTION: Final rule.

SUMMARY: The Food and Drug Administration (FDA) is amending the animal drug regulations to reflect approval of a new animal drug application (NADA) filed by Schering-Plough Animal Health Corp. The NADA provides for the veterinary prescription use of diclazuril oral pellets in horses for the treatment of equine protozoal myeloencephalitis.

DATES: This rule is effective April 27, 2007.

FOR FURTHER INFORMATION CONTACT: Melanie R. Berson, Center for Veterinary Medicine (HFV–110), Food and Drug Administration, 7500 Standish Pl., Rockville, MD 20855, 301–827–7540, email: melanie.berson@fda.hhs.gov.

SUPPLEMENTARY INFORMATION: Schering-Plough Animal Health Corp., 556 Morris Ave., Summit, NJ 07901, filed NADA 141–268 for the veterinary prescription use of PROTAZIL (1.56% diclazuril) Antiprotozoal Pellets in horses for the treatment of equine protozoal myeloencephalitis (EPM) caused by Sarcocystis neurona. The NADA is approved as of March 29, 2007, and the regulations in 21 CFR part 520 are amended by adding new § 520.606 to reflect the approval.

In accordance with the freedom of information provisions of 21 CFR part 20 and 21 CFR 514.11(e)(2)(ii), a summary of safety and effectiveness data and information submitted to support approval of this application may be seen in the Division of Dockets Management (HFA–305), Food and Drug Administration, 5630 Fishers Lane, rm. 1061, Rockville, MD 20852, between 9 a.m. and 4 p.m., Monday through Friday.

Under section 512(c)(2)(F)(ii) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 360b(c)(2)(F)(ii)), this approval qualifies for 3 years of marketing exclusivity beginning March 29, 2007.

The agency has determined under 21 CFR 25.33(d)(1) that this action is of a type that does not individually or cumulatively have a significant effect on the human environment. Therefore, neither an environmental assessment nor an environmental impact statement is required.

This rule does not meet the definition of “rule” in 5 U.S.C. 804(3)(A) because it is a rule of “particular applicability.” Therefore, it is not subject to the congressional review requirements in 5 U.S.C. 801–808.

List of Subjects in 21 CFR Part 520

Animal drugs.

Therefore, under the Federal Food, Drug, and Cosmetic Act and under authority delegated to the Commissioner of Food and Drugs and redelegated to


[Federal Register Volume 72, Number 81 (Friday, April 27, 2007)]
[Rules and Regulations]
[Pages 20935-20942]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E7-7940]


=======================================================================
-----------------------------------------------------------------------

SOCIAL SECURITY ADMINISTRATION

20 CFR Part 401

[Docket No. SSA 2006-0074]
RIN 0960-AE88


Privacy and Disclosure of Official Records and Information

AGENCY: Social Security Administration.

ACTION: Final rules.

-----------------------------------------------------------------------

SUMMARY: These final rules revise our privacy and disclosure rules to 
clarify certain provisions and to provide expanded regulatory support 
for new and existing responsibilities and functions. These changes in 
the regulations will increase Agency efficiency and ensure consistency 
in the implementation of the Social Security Administration's (SSA) 
policies and responsibilities under the Privacy Act and the Social 
Security Act.

DATES: These rules are effective May 29, 2007.

FOR FURTHER INFORMATION CONTACT: Christine W. Johnson, Office of Public 
Disclosure, 3-A-6 Operations Building, 6401 Security Boulevard, 
Baltimore, MD 21235-6401, (410) 965-8563 or TTY (410) 965-5609. For 
information on eligibility or filing for benefits, call our national 
toll-free numbers, 1-800-772-1213 or TTY 1-800-325-0778, or visit our 
Internet Web site, Social Security Online, at 
http://www.socialsecurity.gov.

SUPPLEMENTARY INFORMATION:

Electronic Version

    The electronic file of this document is available on the date of 
publication in the Federal Register at 
http://www.gpoaccess.gov/FR/index.html.

Background

    We last revised the privacy and disclosure regulations in 1980 when 
the Social Security Administration (SSA) was a part of the Department 
of Health and Human Services (DHHS) (formerly the Department of Health, 
Education and Welfare) and subject to DHHS' disclosure policy 
oversight. Since 1980, significant changes have occurred in the 
procedures. We are codifying these changes in the procedures governing 
access to, and disclosure of, personally identifiable information. We 
are also making minor housekeeping changes to further clarify our 
procedures. In general, these final rules reflect SSA's compliance with 
technological, legal and legislative changes that have occurred since 
1980.
    We are clarifying the provisions regarding requests for access to 
information developed by medical sources for Social Security programs, 
fully describing the existing responsibilities and functions of the 
Privacy Officer position, establishing the new senior agency official 
for privacy as required by the Office of Management and Budget (OMB) 
and explaining the related responsibilities, and implementing SSA's new 
Privacy Impact Assessment process in accordance with the E-Government 
Act of 2002, Pub. L. 107-347. As required by OMB, we are requiring 
adequate safeguards against inappropriate disclosure of personal 
information by electronic means, e.g., over the Internet, and revising 
our procedures on notification of, or access to, medical records on 
behalf of another person, e.g., an adult or child.
    These final rules also clarify SSA policy concerning an 
individual's access to, or notification of, program records, amend the 
language concerning appeal requests under the Privacy Act to include 
denial of access to the record, and amend the language to insert the 
word ``written'' prior to ``consent'' to clarify that the requirement 
means disclosure with written consent and expand the language to more 
clearly define what information we will disclose with written consent. 
We are revising the language to show that SSA also has physical custody 
of personnel records, and revising the language under disclosure of 
personal information in nonprogram records to show the new name of the 
former General Accounting Office.
    These final rules amend the language under disclosure of personal 
information in program records to make clear that we disclose 
information from program records only when there is a legitimate need 
for the information, and revise the language under disclosures required 
by law to show the current name for Aid to Families with Dependent 
Children. We are amending the language under compatible purposes to 
clearly state how we implement the routine use provision of the Privacy 
Act (5 U.S.C. 552a(b)(3)) and what we mean by routine use in terms of 
the information we can disclose, and amending the language under law 
enforcement purposes to clarify that disclosures under 5 U.S.C. 
552a(b)(7) also require a written request. We are amending the language 
under statistical and research activities to reflect the language in 
the new routine use of data for research purposes, amending the 
language in the General Accounting Office section to correctly reflect 
the new name of the agency, and clarifying certain matters related to 
our rules on disclosure under court order and other legal process.

Comments on the Notice of Proposed Rulemaking

    We published the Notice of Proposed Rulemaking (NPRM) in the 
Federal Register on September 13, 2006 (71 FR at 53994). The 60-day 
comment period ended on November 13, 2006. We received no public 
comments on the proposed rule. Accordingly, we are adopting the 
proposed rules as final rules. However, we made one substantive change 
to proposed Sec.  401.180, which we discuss below in connection with 
the explanation of how these final rules change the current rules. We 
also made a few minor revisions to the text of the proposed rules for 
clarity. The changes are all non-substantive.

Explanation of Changes

Section 401.20 Scope

    We are amending the section heading in Sec.  401.20(a) to read 
``Access'' and amending paragraph (a) to clarify the rules regarding 
the access provision as it pertains to information developed by medical 
sources that perform consultative examinations for us. We are amending 
the heading in Sec.  401.20(b)(1)(iii) to read ``Records kept by 
medical sources,'' and amending the language in that paragraph.

Section 401.30 Privacy Act and Other Responsibilities

    We are adding new paragraphs (d), (e) and (f) to Sec.  401.30.

Privacy Officer

    New paragraph Sec.  401.30(d) fully describes the position of the 
SSA Privacy Officer and the responsibilities and functions of that 
position. SSA has always had a designated Privacy Officer since the 
enactment of the Privacy Act in 1974. Since that time, the Privacy 
Officer has overall responsibility for coordination of SSA privacy 
matters within the Agency. As such, the Privacy Officer advises the 
Agency on privacy policy matters and is responsible for developing and 
implementing privacy policies and related requirements, ensures 
compliance with the Privacy Act, and provides general oversight of 
privacy and disclosure policy involving privacy and disclosure matters. 
The Privacy Officer has other responsibilities including evaluating 
legislative proposals and other initiatives proposed by Congress, other 
agencies and the public, and reviewing multifunctional projects, 
studies and research activities involving personal information. The 
responsibilities also include facilitating the incorporation of privacy 
principles into information technology systems architectures and 
technical designs to ensure that privacy policies and practices are 
properly reflected in our business requirements.
    We are providing an explanation of the Privacy Officer's 
responsibilities to emphasize SSA's long-standing commitment to the 
public that personal information maintained in SSA's Privacy Act 
systems of records is handled in full compliance with the law.

Senior Agency Official for Privacy

    To help protect the privacy rights of Americans and to ensure that 
agencies continue to have effective information privacy management 
programs in place to carry out this important responsibility, OMB 
requires that each agency designate a senior agency official to serve 
as the person in charge of privacy issues.
    The Senior Agency Official for Privacy will have overall 
responsibility and accountability for privacy issues at the national 
and agency-wide levels. The official will also have a central role in 
overseeing agency compliance efforts in privacy policy procedures as 
well as a key role in policy-making as it pertains to the development 
and evaluation of legislative, regulatory and other policy proposals 
that might implicate privacy issues.
    New paragraph Sec.  401.30(e) establishes SSA's Senior Agency 
Official for Privacy and fully describes the responsibilities of that 
position as prescribed by OMB. (See OMB Memorandum M-08-05, dated 
February 11, 2005).

Privacy Impact Assessments

    In accordance with Section 208 of the E-Government Act of 2002 
(Pub. L. 107-347, 44 U.S.C. 3501 note), the Office of Management and 
Budget now requires that certain Information Technology (IT) projects 
receive a special privacy review called a Privacy Impact Assessment 
(PIA). The PIA review is in addition to the current SSA requirement 
that SSA's Privacy Officer certify Agency procurement requests for 
automated data processing resources and proposed contracts. The PIA 
review will strengthen the existing process by incorporating privacy 
involvement directly into the development of the IT system lifecycle 
and establishing a process that the entire Agency can understand in 
terms of privacy involvement in IT system development efforts.
    New paragraph Sec.  401.30(f) describes the PIA requirements for 
ensuring that privacy considerations receive a standardized review. We 
will determine if adequate measures have been taken to protect the 
privacy of the personally identifiable information the IT project will 
affect and if the requirements of the Privacy Act and applicable SSA 
regulations and policy are properly addressed.

Section 401.45 Verifying Your Identity

    We are adding to Sec.  401.45 new paragraphs (b)(3) and (b)(4) to 
emphasize that when SSA provides convenient service to you over open 
computer networks such as the Internet, we will adequately protect 
against improper disclosure of records. We are redesignating present 
paragraphs (b)(3), (b)(4) and (b)(5) as (b)(5), (b)(6) and (b)(7), 
respectively. We are also revising the language in redesignated (b)(5).
    Increasingly, computer technology enables us to transact business 
with you as a taxpayer, Social Security beneficiary, employer or 
third-party organization. We are moving cautiously to allow you to 
communicate with us securely over open networks such as the Internet. 
Such expanded services are dependent on our development of practices 
and mechanisms to ensure identity confirmation to protect you against 
improper disclosure of the personal information we maintain in our 
records, and to improve privacy protections.

Section 401.55 Special Procedures for Notification of or Access to 
Medical Records

    We are revising the section heading to read ``Access to medical 
records.'' We are revising the procedures for access to medical records 
to conform to the practices and systems of records that set out special 
procedures under which individuals may have direct access to their 
medical records.
    Currently, when you request your medical records, Sec.  
401.55(b)(1)(ii) requires you to designate a representative to receive 
the records for you and gives the representative the discretion to 
inform you about the contents of your record. We are modifying the 
special procedures in that paragraph to require the representative to 
release your record to you after the discussion of its contents. The 
representative no longer has the discretion to withhold any part of 
your record.
    Section 401.55(c)(2)(iii) currently gives a designated 
representative (e.g., family physician or other health care 
professional) discretion about making the contents of a minor's medical 
record available to the parent or legal guardian. 
These final rules modify this provision to require the representative 
to release the minor's records to the parent or legal guardian 
following the discussion of its contents. Additionally, we are 
redesignating present paragraph (d) concerning requests on behalf of 
incapacitated adults as paragraph (c)(3).

Section 401.60 Access or Notification of Program Records About Two or 
More Individuals

    Currently, Sec.  401.60 is entitled ``Access or notification of 
program records about two or more individuals.'' The first sentence in 
the section reads ``When information about two or more individuals is 
in one record filed under your social security number, you may receive 
the information about you and the fact of entitlement and the amount of 
benefits payable to other persons based on your record.'' We are 
amending Sec.  401.60 by inserting the word ``to'' after the word 
``Access'' in the heading and revising the language in both the heading 
and first sentence to read ``about more than one individual.''

Section 401.70 Appeals of Refusals To Correct or Amend Records

    Currently, Sec.  401.70 is entitled ``Appeals of refusals to 
correct or amend records.'' We are amending the section heading to 
include appeals after denial of access. We are clarifying the policy in 
the section by revising the language in existing paragraphs (a), (b) 
and (c). We are adding a new paragraph (d) to clearly explain the 
process after you file your appeal.

Section 401.100 Disclosure of Records With the Consent of the Subject 
of the Record

    We are amending the language in the section heading under Sec.  
401.100 to insert the word ``written'' before ``consent.'' We are 
revising the language in paragraph (a) to clarify that the consent must 
be in writing and define what information we will disclose with written 
consent. To present the information in a more reader-friendly format, 
the second and third sentences of paragraph (a) are designated as new 
paragraphs (b) ``Disclosure with written consent'', and (c) 
``Disclosure of the entire record,'' respectively. We are making 
conforming changes to existing paragraph (b) and redesignating it as 
paragraph (d).

Section 401.105 Disclosure of Personal Information Without the Consent 
of the Subject of the Record

    We are revising the second sentence of paragraph (b) into two 
sentences to clarify that SSA also has physical custody of personnel 
records maintained as part of the Office of Personnel Management's 
(OPM) Privacy Act government-wide systems of records and that these 
records are subject to OPM's rules on access and disclosure at 5 CFR 
parts 293 and 297.

Section 401.110 Disclosure of Personal Information in Nonprogram 
Records Without the Consent of the Subject of the Record

    We are amending the language in Sec.  401.110(j) to show the new 
name for the former General Accounting Office.

Section 401.115 Disclosure of Personal Information in Program Records 
Without the Consent of the Subject of the Record

    We are amending the introductory language in Sec.  401.115 to make 
clear that the information in program records will be disclosed only on 
a need-to-know basis.

Section 401.120 Disclosure Required by Law

    Currently, the last sentence in Sec.  401.120 reads ``* * * and to 
Federal, State and local agencies administering Aid to Families with 
Dependent Children, Medicaid, unemployment compensation, food stamps, 
and other programs.'' We are amending the language to reflect the 
current name of the AFDC program. The new name will read ``* * * 
Temporary Assistance for Needy Families * * *''

Section 401.150 Compatible Purposes

    We are amending Sec.  401.150 to clearly state how we implement the 
routine use provision. More specifically, the language in paragraphs 
(a) and (b) is expanded to include what we mean by ``routine use'' in 
terms of the information we can disclose and how we give notice of 
routine use disclosures, respectively. We are amending paragraph (c) by 
adding new paragraphs (c)(1) and (c)(2) to clearly show the 
distinctions between disclosure in SSA programs and programs similar to 
SSA programs, for compatibility purposes.

Section 401.155 Law Enforcement Purposes

    We are amending Sec.  401.155 to make clear that the Privacy Act 
requires a written request for information from the head of the law 
enforcement agency in situations involving both serious crimes and 
criminal activity involving Social Security programs or other programs 
with the same purpose.

Section 401.165 Statistical and Research Activities

    We are amending Sec.  401.165 to make it consistent with the 
recently published new routine use of data for research purposes.

Section 401.175 General Accounting Office

    We are amending the section heading in Sec.  401.175 to reflect a 
name change. The new heading will read ``Government Accountability 
Office.'' We are also revising the language in the paragraph to read 
``* * * to the Government Accountability Office when that agency needs 
the information to carry out its duties.''

Section 401.180 Courts

    We are revising the entire section of Sec.  401.180 to clarify our 
policy on disclosure when we receive an order from a court of competent 
jurisdiction.
    In 1980, when Sec.  401.180 was initially published as a final 
rule, the status of subpoenas and other legal process under paragraph 
(b)(11) of the statute was unclear. Since then, SSA has not treated a 
subpoena or similar legal process as a court order unless a judge signs 
it. We believe that this position is now established as law as it is 
consistent with court decisions and OMB guidance interpreting the 
Privacy Act. See, e.g., Doe v. DiGenova, 779 F.2d 74 (D.C. Cir. 1985); 
Stiles v. Atlanta Gas Light Co., 453 F.Supp. 798 (N.D. Ga. 1978).
    The Privacy Act (5 U.S.C. 552a(b)(11)) permits disclosure by an 
agency pursuant to the order of a court of competent jurisdiction. 
Under this provision, we consider only a Federal court of the United 
States to be a court of competent jurisdiction. However, the proposed 
rules provided that we may disclose information in compliance with a 
state court order if the disclosure was necessary to preserve the 
rights of an accused to due process in a criminal proceeding (71 FR at 
54000). This provision of the proposed rules could have been 
misconstrued to be inconsistent with the Privacy Act and proposed (and 
final) Sec.  401.180(d). Final Sec.  401.180(d) states our view that, 
under the Privacy Act, the Federal Government has not waived its 
sovereign immunity, which would preclude state court jurisdiction over 
a Federal agency or official. Since a state court does not have 
jurisdiction over a Federal agency or official in the absence of a 
waiver of the Federal Government's sovereign immunity, we have deleted 
the exception for certain state court orders set out in proposed Sec.  
401.180(g).
    The final rules are consistent with our position that state court 
orders do not provide an independent basis for disclosure. Consequently, under the 
final rules, we may disclose information in response to a state court 
order only if another provision of this part permits disclosure (such 
as law enforcement or consent). If we find an independent basis for 
disclosure, we may honor the request for information sought in the 
state court order under the authority of the other provision. As a 
result, in these final rules, we revised the second sentence of 
proposed Sec.  401.180(d) to state that ``* * * state court orders will 
be treated in accordance with other provisions of this part.''
    We also amended the language as appropriate to make clear that, for 
purposes of this section, a court is a judicial branch of the Federal 
government. In a conforming change, we redesignated proposed Sec.  
401.180(h) as final Sec.  401.180(g).
    In paragraph 401.180(a) we make clear that when information 
disclosed from SSA records is used in court proceedings, it usually 
becomes part of the public record of the proceedings and its 
confidentiality often cannot be protected. Accordingly, we will follow 
the rules in new paragraph (d) of this section in deciding whether an 
order is from a court of competent jurisdiction.
    We are changing the heading in paragraph (b) to read ``Court'' and 
amending the language in the paragraph to state SSA's position that a 
court, for purposes of 5 U.S.C. 552a(b)(11), is an institution of a 
judicial branch of the Federal government consisting of one or more 
judges who seek to adjudicate disputes and administer justice. The 
definition clarifies that other entities in other branches of the 
Federal government or not in the United States are not courts for 
purposes of the Privacy Act.
    We are adding a new paragraph (c) to explain that only a legal 
process, such as a summons or warrant, that is signed by a judge and 
that commands the disclosure of information by SSA will be considered 
to be a court order for purposes of the statutory exception in 5 U.S.C. 
552a(b)(11). References to subpoenas have been removed from this 
regulation.
    When we receive legal process that is not an order of a court of 
competent jurisdiction (such as a grand jury subpoena, a subpoena 
signed by the clerk of the court or the attorney representing a party 
to the proceeding), we may decide to disclose information if the 
conditions described in any other provision of this regulation would 
permit the disclosure (for example, for a compatible purpose under 
Sec.  401.150). However, we will not disclose without an order from a 
court of competent jurisdiction if the Privacy Act or any other law 
would prohibit the disclosure without such an order. We are adding a 
new paragraph (d) to explain our view on court of competent 
jurisdiction.
    In new paragraph (e) of this section we describe the conditions for 
disclosure under court order and clarify the rules on disclosure when a 
court order is involved.
    We are adding a new paragraph (f) to explain that in other 
circumstances we may attempt to satisfy the needs of a court of 
competent jurisdiction when the circumstances in paragraph (e) are not 
met. We will make these determinations in accordance with 401.140.
    We are removing existing paragraph (g) and redesignating paragraph 
(h) as paragraph (g). New paragraph (g) provides a cross-reference to 
additional regulations contained in 20 CFR part 403 concerning 
testimony and production of records in legal proceedings.

Regulatory Procedures

Executive Order 12866

    The Office of Management and Budget has reviewed these final rules 
in accordance with Executive Order 12866, as amended by Executive Order 
13258.

Regulatory Flexibility Act

    We certify that these final rules would not have a significant 
economic impact on a substantial number of small entities because they 
affect only individuals or entities acting on their behalf. Thus, a 
regulatory flexibility analysis as provided in the Regulatory 
Flexibility Act, as amended, is not required.

Paperwork Reduction Act

    These final rules contain reporting requirements as shown in the 
table below. Where the public reporting burden is accounted for in 
Information Collection Requests for the various forms that the public 
uses to submit the information to SSA, a 1-hour placeholder burden is 
being assigned to the specific reporting requirement(s) contained in 
these rules.

----------------------------------------------------------------------------------------------------------------
                                                                                      Average
                                                  Annual  number   Frequency of     burden per       Estimated
                     Section                       of  responses     response        response      annual burden
                                                                                      (min.)          (hours)
----------------------------------------------------------------------------------------------------------------
401.45(b).......................................          20,000               1              10            3333
401.70(a)(b)....................................  ..............  ..............  ..............               1
401.100(b)......................................  ..............  ..............  ..............               1
                                                 ---------------------------------------------------------------
    Total.......................................          20,000               1              10            3335
----------------------------------------------------------------------------------------------------------------

    An Information Collection Request has been submitted to OMB for 
clearance. To receive a copy of the OMB clearance package, you may call 
the SSA Reports Clearance Officer on 410-965-0454.

(Catalog of Federal Domestic Assistance Program Nos. 96.001 Social 
Security--Disability Insurance; 96.002 Social Security--Retirement 
Insurance; 96.004 Social Security--Survivors Insurance; 96.006 
Supplemental Security Income).

List of Subjects in 20 CFR Part 401

    Information, Records, Administrative practice and procedure, 
Archives and records.

    Dated: January 17, 2007.
Jo Anne B. Barnhart,
Commissioner of Social Security.

    Editorial Note: This document was received at the Office of the 
Federal Register on April 20, 2007.

For the reasons set out in the preamble, we are amending subparts A, B 
and C of part 401 of chapter III of title 20 of the Code of Federal 
Regulations as set forth below:

PART 401--PRIVACY AND DISCLOSURE OF OFFICIAL RECORDS AND 
INFORMATION

1. The authority citation for part 401 continues to read as follows:

    Authority: Secs. 205, 702(a)(5), 1106, and 1141 of the Social 
Security Act (42 U.S.C. 405, 902(a)(5), 1306, and 1320b-11); 5 
U.S.C. 552 and 552a; 8 U.S.C. 1360; 26 U.S.C. 6103; 30 U.S.C. 923.

2. Section 401.20 is amended by revising paragraphs (a) and (b)(1)(iii) 
to read as follows:


Sec.  401.20  Scope.

    (a) Access. Sections 401.30 through 401.95, which set out SSA's 
rules for implementing the Privacy Act, apply to records retrieved by 
an individual's name or personal identifier subject to the Privacy Act. 
The rules in Sec. Sec.  401.30 through 401.95 also apply to information 
developed by medical sources for the Social Security program and shall 
not be accessed except as permitted by this part.
    (b) * * *
    (1) * * *
    (iii) Information retained by medical sources pertaining to a 
consultative examination performed for the Social Security program 
shall not be disclosed except as permitted by this part.
* * * * *

3. Section 401.30 is amended by revising the heading and adding 
paragraphs (d), (e) and (f) to read as follows:


Sec.  401.30  Privacy Act and other responsibilities.

* * * * *
    (d) Privacy Officer. The Privacy Officer is an advisor to the 
Agency on all privacy policy and disclosure matters. The Privacy 
Officer coordinates the development and implementation of Agency 
privacy policies and related legal requirements to ensure Privacy Act 
compliance, and monitors the coordination, collection, maintenance, use 
and disclosure of personal information. The Privacy Officer also 
ensures the integration of privacy principles into information 
technology systems architecture and technical designs, and generally 
provides to Agency officials policy guidance and directives in carrying 
out the privacy and disclosure policy.
    (e) Senior Agency Official for Privacy. The Senior Agency Official 
for Privacy assumes overall responsibility and accountability for 
ensuring the agency's implementation of information privacy protections 
as well as agency compliance with federal laws, regulations, and 
policies relating to the privacy of information, such as the Privacy 
Act. The compliance efforts also include reviewing information privacy 
procedures to ensure that they are comprehensive and up-to-date and, 
where additional or revised procedures may be called for, working with 
the relevant agency offices in the consideration, adoption, and 
implementation of such procedures. The official also ensures that 
agency employees and contractors receive appropriate training and 
education programs regarding the information privacy laws, regulations, 
policies and procedures governing the agency's handling of personal 
information. In addition to the compliance role, the official has a 
central policy-making role in the agency's development and evaluation 
of legislative, regulatory and other policy proposals which might 
implicate information privacy issues, including those relating to the 
collection, use, sharing, and disclosure of personal information.
    (f) Privacy Impact Assessment. In our comprehensive Privacy Impact 
Assessment (PIA) review process, we incorporate the tenets of privacy 
law, SSA privacy regulations, and privacy policy directly into the 
development of certain Information Technology projects. Our review 
examines the risks and ramifications of collecting, maintaining and 
disseminating information in identifiable form in an electronic 
information system and identifies and evaluates protections and 
alternate processes to reduce the risk of unauthorized disclosures. As 
we accomplish the PIA review, we ask systems personnel and program 
personnel to resolve questions on data needs and data protection prior 
to the development of the electronic system.

4. Section 401.45 is amended by redesignating paragraphs (b)(3), (b)(4) 
and (b)(5) as (b)(5), (b)(6) and (b)(7), respectively, adding new 
paragraphs (b)(3) and (b)(4) and revising redesignated paragraph (b)(5) 
to read as follows:


Sec.  401.45  Verifying your identity.

* * * * *
    (b) * * *
    (3) Electronic requests. If you make a request by computer or other 
electronic means, e.g., over the Internet, we require you to verify 
your identity by using identity confirmation procedures that are 
commensurate with the sensitivity of the information that you are 
requesting. If we cannot confirm your identity using our identity 
confirmation procedures, we will not process the electronic request. 
When you cannot verify your identity through our procedures, we will 
require you to submit your request in writing.
    (4) Electronic disclosures. When we collect or provide personally 
identifiable information over open networks such as the Internet, we 
use encryption in all of our automated online transaction systems to 
protect the confidentiality of the information. When we provide an 
online access option, such as a standard e-mail comment form on our Web 
site, and encryption is not being used, we alert you that personally 
identifiable information (such as your social security number) should 
not be included in your message.
    (5) Requests not made in person. Except as provided in paragraph 
(b)(2) of this section, if you do not make a request in person, you 
must submit a written request to SSA to verify your identity or you 
must certify in your request that you are the individual you claim to 
be. You must also sign a statement that you understand that the knowing 
and willful request for or acquisition of a record pertaining to an 
individual under false pretenses is a criminal offense.
* * * * *

5. Section 401.55 is amended by revising the heading and paragraphs 
(a), (b)(1)(ii), (c)(1) and (c)(2)(iii) and by redesignating paragraph 
(d) as paragraph (c)(3) to read as follows:


Sec.  401.55  Access to medical records.

    (a) General. You have a right to access your medical records, 
including any psychological information that we maintain.
    (b) * * *
    (1) * * *
    (ii) When you request medical information about yourself, you must 
also name a representative in writing. The representative may be a 
physician, other health professional, or other responsible individual 
who will be willing to review the record and inform you of its 
contents. Following the discussion, you are entitled to your records. 
The representative does not have the discretion to withhold any part of 
your record. If you do not designate a representative, we may decline 
to release the requested information. In some cases, it may be possible 
to release medical information directly to you rather than to your 
representative.
* * * * *
    (c) Medical records of minors.
    (1) Request by the minor. You may request access to your own 
medical records in accordance with paragraph (b) of this section.
    (2) Request on a minor's behalf. * * *
    (iii) Where a medical record on the minor exists, we will in all 
cases send it to the physician or health professional designated by the 
parent or guardian. The representative will review the record, discuss 
its contents with the parent or legal guardian, then release the entire 
record to the parent or legal guardian. The representative does not 
have the discretion to withhold any part of the minor's record. We will 
respond in the following similar manner to the parent or guardian making 
the request: ``We have completed processing 
your request for notification of or access to ----------'s (Name of 
minor) medical records. Please be informed that if any medical record 
was found pertaining to that individual, it has been sent to your 
designated physician or health professional.''
* * * * *

6. Section 401.60 is amended by revising the section heading and first 
sentence of the paragraph to read as follows:


Sec.  401.60  Access to or notification of program records about more 
than one individual.

    When information about more than one individual is in one record 
filed under your social security number, you may receive the 
information about you and the fact of entitlement and the amount of 
benefits payable to other persons based on your record. * * *

7. Section 401.70 is revised to read as follows:


Sec.  401.70  Appeals of refusals to correct records or refusals to 
allow access to records.

    (a) General. This section describes how to appeal decisions made by 
SSA under the Privacy Act concerning your request for correction of or 
access to your records, those of your minor child, or those of a person 
for whom you are the legal guardian. We generally handle a denial of 
your request for information about another person under the provisions 
of the Freedom of Information Act (see part 402 of this chapter). To 
appeal a decision under this section, your request must be in writing.
    (b) Appeal of refusal to correct or amend records. If we deny your 
request to correct an SSA record, you may request a review of that 
decision. As discussed in Sec.  401.65(e), our letter denying your 
request will tell you to whom to write.
    (1) We will review your request within 30 working days from the 
date of the receipt. However, for a good reason and with the approval 
of the Executive Director for the Office of Public Disclosure, this 
time limit may be extended up to an additional 30 days. In that case, 
we will notify you about the delay, the reason for it and the date when 
the review is expected to be completed.
    (2) If, after review, we determine that the record should be 
corrected, we will do so. However, if we refuse to amend the record as 
you requested, we will inform you that--
    (i) Your request has been refused and the reason for refusing;
    (ii) The refusal is SSA's final decision; and
    (iii) You have a right to seek court review of SSA's final 
decision.
    (3) We will also inform you that you have a right to file a 
statement of disagreement with the decision. Your statement should 
include the reason you disagree. We will make your statement available 
to anyone to whom the record is subsequently disclosed, together with a 
statement of our reasons for refusing to amend the record. Also, we 
will provide a copy of your statement to individuals who we are aware 
received the record previously.
    (c) Appeals after denial of access. If, under the Privacy Act, we 
deny your request for access to your own record, those of your minor 
child or those of a person for whom you are the legal guardian, we will 
advise you in writing of the reason for that denial, the name and title 
or position of the person responsible for the decision and your right 
to appeal that decision. You may appeal the denial decision to the 
Executive Director for the Office of Public Disclosure, 6401 Security 
Boulevard, Baltimore, MD 21235-6401, within 30 days after you receive 
notice denying all or part of your request, or, if later, within 30 
days after you receive materials sent to you in partial compliance with 
your request.
    (d) Filing your appeal. If you file an appeal, the Executive 
Director or his or her designee will review your request and any 
supporting information submitted and then send you a notice explaining 
the decision on your appeal. The time limit for making our decision 
after we receive your appeal is 30 working days. The Executive Director 
or his or her designee may extend this time limit up to 30 additional 
working days if one of the circumstances in 20 CFR 402.140 is met. We 
will notify you in writing of any extension, the reason for the 
extension and the date by which we will decide your appeal. The notice 
of the decision on your appeal will explain your right to have the 
matter reviewed in a Federal district court if you disagree with all or 
part of our decision.

8. Section 401.100 is revised to read as follows:


Sec.  401.100  Disclosure of records with the written consent of the 
subject of the record.

    (a) General. Except as permitted by the Privacy Act and the 
regulations in this part, or when required by the FOIA, we will not 
disclose your records without your written consent.
    (b) Disclosure with written consent. The written consent must 
clearly specify to whom the information may be disclosed, the 
information you want us to disclose (e.g., social security number, date 
and place of birth, monthly Social Security benefit amount, date of 
entitlement), and, where applicable, during which timeframe the 
information may be disclosed (e.g., during the school year, while the 
subject individual is out of the country, whenever the subject 
individual is receiving specific services).
    (c) Disclosure of the entire record. We will not disclose your 
entire record. For example, we will not honor a blanket consent for all 
information in a system of records or any other record consisting of a 
variety of data elements. We will disclose only the information you 
specify in the consent. We will verify your identity and where 
applicable (e.g., where you consent to disclosure of a record to a 
specific individual), the identity of the individual to whom the record 
is to be disclosed.
    (d) A parent or guardian of a minor is not authorized to give 
written consent to a disclosure of a minor's medical record. See Sec.  
401.55(c)(2) for the procedures for disclosure of or access to medical 
records of minors.

9. Section 401.105 is amended by revising the second sentence of 
paragraph (b) to read as follows:


Sec.  401.105  Disclosure of personal information without the consent 
of the subject of the record.

* * * * *
    (b) * * * For administrative and personnel records, the Privacy Act 
applies. To the extent that SSA has physical custody of personnel 
records maintained as part of the Office of Personnel Management's 
(OPM) Privacy Act government-wide systems of records, these records are 
subject to OPM's rules on access and disclosure at 5 CFR parts 293 and 
297. * * *

10. Paragraph (j) of Sec.  401.110 is revised to read as follows:


Sec.  401.110  Disclosure of personal information in nonprogram records 
without the consent of the subject of the record.

* * * * *
    (j) To the Comptroller General, or any of his authorized 
representatives, in the course of the performance of duties of the 
Government Accountability Office.
* * * * *

11. Section 401.115 is amended by revising the introductory text to 
read as follows:

Sec.  401.115  Disclosure of personal information in program records 
without the consent of the subject of the record.

    This section describes how various laws control the disclosure of 
personal information that we keep. We disclose information in the 
program records only when a legitimate need exists. For example, we 
disclose information to officers and employees of SSA who have a need 
for the record in the performance of their duties. We also must 
consider the laws identified below in the respective order when we 
disclose program information:
* * * * *

12. Section 401.120 is amended by revising the last sentence in the 
paragraph to read as follows:


Sec.  401.120  Disclosures required by law.

    * * * These agencies include the Department of Veterans Affairs for 
its benefit programs, U.S. Citizenship and Immigration Services to 
carry out its duties regarding aliens, the Railroad Retirement Board 
for its benefit programs, and to Federal, State and local agencies 
administering Temporary Assistance for Needy Families, Medicaid, 
unemployment compensation, food stamps, and other programs.

13. Section 401.150 is revised to read as follows:


Sec.  401.150  Compatible purposes.

    (a) General. The Privacy Act allows us to disclose information 
maintained in a system of records without your consent to any other 
party if such disclosure is pursuant to a routine use published in the 
system's notice of system of records. A ``Routine use'' must be 
compatible with the purpose for which SSA collected the information.
    (b) Notice of routine use disclosures. A list of permissible 
routine use disclosures is included in every system of records notice 
published in the Federal Register.
    (c) Determining compatibility.
    (1) Disclosure to carry out SSA programs. We disclose information 
for published routine uses necessary to carry out SSA's programs.
    (2) Disclosure to carry out programs similar to SSA programs. We 
may disclose information for the administration of other government 
programs. These disclosures are pursuant to published routine uses 
where the use is compatible with the purpose for which the information 
was collected. These programs generally meet the following conditions:
    (i) The program is clearly identifiable as a Federal, State, or 
local government program.
    (ii) The information requested concerns eligibility, benefit 
amounts, or other matters of benefit status in a Social Security 
program and is relevant to determining the same matters in the other 
program. For example, we disclose information to the Railroad 
Retirement Board for pension and unemployment compensation programs, to 
the Department of Veterans Affairs for its benefit programs, to 
worker's compensation programs, to State general assistance programs 
and to other income maintenance programs at all levels of government. 
We also disclose for health maintenance programs like Medicaid and 
Medicare.
    (iii) The information will be used for appropriate epidemiological 
or similar research purposes.

14. Section 401.155 is amended by adding the following language between 
the fourth and fifth sentences in paragraph (a) and by removing the 
last sentence of paragraph (b).


Sec.  401.155  Law enforcement purposes.

    (a) General. * * * The Privacy Act allows us to disclose 
information if the head of the law enforcement agency makes a written 
request giving enough information to show that the conditions in 
paragraphs (b) or (c) of this section are met, what information is 
needed, and why it is needed. * * *
* * * * *

15. Section 401.165 is amended by revising paragraph (b)(2) to read as 
follows:


Sec.  401.165  Statistical and research activities.

* * * * *
    (b) * * *
    (2) The activity is designed to increase knowledge about present or 
alternative Social Security programs or other Federal or State income-
maintenance or health-maintenance programs; or is used for research 
that is of importance to the Social Security program or the Social 
Security beneficiaries; or an epidemiological research project that 
relates to the Social Security program or beneficiaries; and
* * * * *

16. Section 401.175 is revised to read as follows:


Sec.  401.175  Government Accountability Office.

    We disclose information to the Government Accountability Office 
when that agency needs the information to carry out its duties.

17. Section 401.180 is revised to read as follows:


Sec.  401.180  Disclosure under court order or other legal process.

    (a) General. The Privacy Act permits us to disclose information 
when we are ordered to do so by a court of competent jurisdiction. When 
information is used in a court proceeding, it usually becomes part of 
the public record of the proceeding and its confidentiality often 
cannot be protected in that record. Much of the information that we 
collect and maintain in our records on individuals is especially 
sensitive. Therefore, we follow the rules in paragraph (d) of this 
section in deciding whether we may disclose information in response to 
an order from a court of competent jurisdiction. When we disclose 
pursuant to an order from a court of competent jurisdiction, and the 
order is a matter of public record, the Privacy Act requires us to send 
a notice of the disclosure to the last known address of the person 
whose record was disclosed.
    (b) Court. For purposes of this section, a court is an institution 
of the judicial branch of the U.S. Federal government consisting of one 
or more judges who seek to adjudicate disputes and administer justice. 
(See 404.2(c)(6) of this chapter). Entities not in the judicial branch 
of the Federal government are not courts for purposes of this section.
    (c) Court order. For purposes of this section, a court order is any 
legal process which satisfies all of the following conditions:
    (1) It is issued under the authority of a Federal court;
    (2) A judge or a magistrate judge of that court signs it;
    (3) It commands SSA to disclose information; and
    (4) The court is a court of competent jurisdiction.
    (d) Court of competent jurisdiction. It is the view of SSA that 
under the Privacy Act the Federal Government has not waived sovereign 
immunity, which precludes state court jurisdiction over a Federal 
agency or official. Therefore, SSA will not honor state court orders as 
a basis for disclosure. State court orders will be treated in 
accordance with the other provisions of this part.
    (e) Conditions for disclosure under a court order of competent 
jurisdiction. We disclose information in compliance with an order of a 
court of competent jurisdiction if--
    (1) another section of this part specifically allows such 
disclosure, or
    (2) SSA, the Commissioner of Social Security, or any officer or 
employee of SSA in his or her official capacity is properly a party in 
the proceeding, or
    (3) disclosure of the information is necessary to ensure that an 
individual who is accused of criminal activity receives due process of 
law in a criminal proceeding under the jurisdiction of the judicial 
branch of the Federal government.
    (f) In other circumstances. We may disclose information to a court 
of competent jurisdiction in circumstances other than those stated in 
paragraph (e) of this section. We will make our decision regarding 
disclosure by balancing the needs of a court while preserving the 
confidentiality of information. For example, we may disclose 
information under a court order that restricts the use and redisclosure 
of the information by the participants in the proceeding; we may offer 
the information for inspection by the court in camera and under seal; 
or we may arrange for the court to exclude information identifying 
individuals from that portion of the record of the proceedings that is 
available to the public. We will make these determinations in 
accordance with Sec.  401.140.
    (g) Other regulations on request for testimony, subpoenas and 
production of records in legal proceedings. See 20 CFR part 403 of this 
chapter for additional rules covering disclosure of information and 
records governed by this part and requested in connection with legal 
proceedings.

[FR Doc. E7-7940 Filed 4-26-07; 8:45 am]