Privacy Act of 1974, as Amended; Proposed System of Records and Routine Use Disclosures, 79065-79068 [2010-31700]
Federal Register / Vol. 75, No. 242 / Friday, December 17, 2010 / Notices
SMALL BUSINESS ADMINISTRATION
Emergence Capital Partners SBIC, L.P.
License No. 09/79–0454; Notice
Seeking Exemption Under Section 312
of the Small Business Investment Act,
Conflicts of Interest
Notice is hereby given that Emergence
Capital Partners SBIC, L.P., 160 Bovet
Road, Suite 300, San Mateo, CA 94402,
a Federal Licensee under the Small
Business Investment Act of 1958, as
amended (‘‘the Act’’), in connection with
the financing of a small concern, has
sought an exemption under Section 312
of the Act and Section 107.730,
Financings which Constitute Conflicts
of Interest of the Small Business
Administration (‘‘SBA’’) Rules and
Regulations (13 CFR 107.730).
Emergence Capital Partners SBIC, L.P.
proposes to provide equity financing to
Intacct Corporation, 125 S. Market
Street, Suite 600, San Jose, California
95113. The financing is contemplated
for working capital and general
operating purposes.
The financing is brought within the
purview of § 107.730(a)(1) of the
Regulations because Emergence Capital
Partners, L.P. and Emergence Capital
Associates, L.P., Associates of
Emergence Capital Partners SBIC, L.P.,
own more than ten percent of Intacct
Corporation. Therefore, Intacct
Corporation is considered an Associate
of Emergence Capital Partners SBIC, L.P.
and this transaction is considered
Financing an Associate, requiring prior
SBA approval.
Notice is hereby given that any
interested person may submit written
comments on the transaction within 15
days of the date of this publication to
the Associate Administrator for
Investment, U.S. Small Business
Administration, 409 Third Street, SW.,
Washington, DC 20416.
Dated: December 3, 2010.
Sean J. Greene,
Associate Administrator for Investment.
[FR Doc. 2010–31675 Filed 12–16–10; 8:45 am]
BILLING CODE 8025–01–M
SOCIAL SECURITY ADMINISTRATION
Privacy Act of 1974, as Amended;
Proposed System of Records and
Routine Use Disclosures
AGENCY: Social Security Administration
(SSA).
ACTION: Proposed system of records and
routine uses.
SUMMARY: In accordance with the
Privacy Act (5 U.S.C. 552a(e)(4) and
(e)(11)), we are issuing public notice of
our intent to establish a system of
records, the Central Repository of
Electronic Authentication Data Master
File (hereinafter referred to as the
e-Authentication File) and its applicable
routine uses. The e-Authentication File
will maintain personally identifiable
information (PII) we collect and use to
verify the identity of persons using our
electronic services. We discuss the
e-Authentication File and its routine use
disclosures in the Supplementary
Information section below. We invite
public comments on the
e-Authentication File.
DATES: We filed a report of the
e-Authentication File and its applicable
routine use disclosures with the
Chairman of the Senate Committee on
Homeland Security and Governmental
Affairs, the Chairman of the House
Committee on Oversight and
Government Reform, and the
Administrator, Office of Information
and Regulatory Affairs, Office of
Management and Budget (OMB) on
December 8, 2010. The e-Authentication
File and applicable routine uses will
become effective on January 13, 2010,
unless we receive comments before that
date that require further consideration.
ADDRESSES: Interested persons may
comment on this publication by writing
to the Executive Director, Office of
Privacy and Disclosure, Office of the
General Counsel, Social Security
Administration, 3–A–6 Operations
Building, 6401 Security Boulevard,
Baltimore, Maryland 21235–6401 or
through the Federal e-Rulemaking Portal
at https://www.regulations.gov. All
comments we receive will be available
for public inspection at the above
address, and we will post them to
https://www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: Neil
Etter, Social Insurance Specialist,
Disclosure Policy Development and
Services Division I, Office of Privacy
and Disclosure, Office of the General
Counsel, Social Security
Administration, 3–A–6 Operations
Building, 6401 Security Boulevard,
Baltimore, Maryland 21235–6401,
telephone: (410) 965–8028, e-mail:
neil.etter@ssa.gov.
SUPPLEMENTARY INFORMATION:
I. Background and Purpose of the e-Authentication File
A. General Background
We provide electronic services, such
as our automated telephone and Internet
applications, for persons doing business
with us. When users choose our
electronic services, they must provide
their PII. We use their PII to verify their
identities. Upon successful verification,
we are able to recognize the users’
identities and authorize them to
conduct business with us electronically.
The e-Authentication File supports
our agency’s objectives to expand
electronic services and to provide strong
and secure authentication procedures.
For security reasons, we must be able to
determine, with confidence, persons are
who they claim to be each time they
choose our electronic services. The e-Authentication File will capture the
data we need to verify users’ identities.
B. Collection and Maintenance of the
Data Covered by the e-Authentication
File
We will collect and maintain the
users’ PII in the e-Authentication File.
The PII may include the users’ name,
address, date of birth, Social Security
number (SSN), phone number, and
other types of identity information (e.g.,
address information of persons from the
W–2 and Schedule Self Employed (SE)
forms we receive electronically for our
programmatic purposes as permitted by
26 U.S.C. 6103(l)(1)(A)). We may also
collect knowledge-based authentication
data, which is information users
establish with us or that we already
maintain in existing Privacy Act
systems of records.
We will maintain the data necessary
to administer and maintain our e-Authentication infrastructure. This
includes management and profile
information, such as blocked accounts,
failed access data, effective date of
passwords, and other data that allows us
to evaluate the system’s effectiveness.
The data we maintain also may include
archived transaction data and historical
data.
II. Routine Use Disclosures of Data
Covered by the e-Authentication File
A. Routine Use Disclosures
We propose to establish the following
routine use disclosures of information
from the e-Authentication File:
1. To the Office of the President in
response to a request the Office of the
President made at the request of the
subject of a record or a third party acting
on the subject’s behalf.
We will disclose information under
this routine use only when the Office of
the President indicates it is requesting
the record on behalf of the subject of the
record or a third party acting on the
subject’s behalf.
2. To a congressional office in
response to a request from that office
made at the request of the subject of the
record or a third party acting on the
subject’s behalf.
We will disclose information under
this routine use only when a member of
Congress, or member of his or her staff
indicates he or she is requesting the
record on behalf of the subject of the
record or a third party acting on the
subject’s behalf.
3. To the Department of Justice (DOJ),
a court or other tribunal, or another
party before such a court or other
tribunal when:
(a) SSA or any of our components; or
(b) Any SSA employee in his or her
official capacity; or
(c) Any SSA employee in his or her
individual capacity when DOJ (or SSA)
has agreed to represent the employee; or
(d) The United States or any agency
thereof when we determine that the
litigation is likely to affect the
operations of SSA or any of our
components,
is a party to litigation or has an interest
in such litigation, and we determine
that the use of such records by DOJ, a
court, other tribunal, or another party
before such tribunal is relevant and
necessary to the litigation. In each case,
however, we must determine that such
disclosure is compatible with the
purpose for which we collected the
records.
We will disclose information under
this routine use as necessary to enable
the DOJ to defend us, our components,
or our employees in litigation, when we
determine use of information covered by
the e-Authentication File is relevant and
necessary to the litigation and
compatible with the purpose for which
we collected the information. We will
also disclose information to ensure that
courts, other tribunals, and parties
before such courts or tribunals, have
appropriate information that we
determine is relevant and necessary.
4. To other Federal agencies and our
contractors, including external data
sources, to assist us in efficiently
administering our programs.
We will disclose information under
this routine use only in situations where
we have a contractual agreement or
similar agreement with a third party to
assist in accomplishing our work
relating to information covered by the e-Authentication File. Under this routine
use, we may disclose information to a
contractor to assist us in advancing,
testing, and evaluating our
authentication procedures for our
electronic services.
5. To student volunteers, persons
working under a personal services
contract, and others when they need
access to information in our records in
order to perform their assigned agency
duties.
We will disclose information under
this routine use only when we use the
services of student volunteers, persons
working under a personal services
contract, and others in educational,
training, employment, and community
service programs when they need access
to information covered by the e-Authentication File to perform their
assigned agency duties.
6. To the Department of Justice for:
(a) Investigating and prosecuting
violations of the Social Security Act to
which criminal penalties attach; and
(b) Representing the Commissioner; or
(c) Investigating issues of fraud or
violation of civil rights by agency
officers or employees.
We will disclose information under
this routine use only as necessary to
enable DOJ to represent us in matters for
these purposes.
7. To the General Services
Administration (GSA) and the National
Archives and Records Administration
(NARA) under 44 U.S.C. 2904 and 2906,
as amended by the NARA Act of 1984,
when the information is for records
management purposes.
We will disclose information under
this routine use only when it is
necessary for GSA and NARA to have
access to the information covered by the
e-Authentication File. The
Administrator of GSA and the Archivist
of NARA are authorized by Title 44
U.S.C. 2904, as amended, to promulgate
standards, procedures, and guidelines
regarding records management and to
conduct records management studies.
Title 44 U.S.C. 2906, as amended,
provides that agencies are to cooperate
with GSA and NARA as GSA and NARA
are authorized to inspect Federal
agencies’ records for records
management purposes.
8. To appropriate Federal, State, and
local agencies, entities, and persons
when:
(a) We suspect or confirm a
compromise of security or
confidentiality of information;
(b) We determine that, as a result of
the suspected or confirmed
compromise, there is a risk of harm to
economic or property interests, risk of
identity theft or fraud, or risk of harm
to the security or integrity of this system
or other systems or programs that rely
upon the compromised information; and
(c) We determine that disclosing the
information to such agencies, entities,
and persons will assist us in our efforts
to respond to the suspected or
confirmed compromise and prevent,
minimize, or remedy any harm.
We will disclose information under
this routine use specifically in
connection with response and
remediation efforts in the event of an
unintentional release of agency
information (otherwise known as a data
breach). With this routine use, we can
protect the interests of the people whose
information is at risk by responding
timely and effectively to a data breach.
The routine use will also help us
improve our ability to prevent,
minimize, or remedy any harm that may
result from a data breach.
B. Compatibility of Routine Uses
We can disclose information for
routine uses one through six when it is
necessary to carry out our programs or
other programs similar to ours or when
the disclosure is supported by a
published routine use (20 CFR 401.150).
We can also disclose information when
the disclosure is required by law (20
CFR 401.120). Federal law requires the
disclosures that we make under routine
uses seven and eight to the extent
another Federal law does not prohibit
the disclosure. All routine uses in the e-Authentication File are compatible with
the relevant statutory and regulatory
criteria.
III. Records Storage Medium and
Safeguards for the Information Covered
by the e-Authentication File
We will maintain, in electronic form,
all information covered by the e-Authentication File. We will safeguard
the security of the electronic
information covered by the e-Authentication File by requiring the use
of access codes (personal identification
number (PIN) and password) to enter
the computer system that will house the
data. We will maintain audit trails of all
access to this information in accordance
with agency security policy and Federal
retention standards. We will permit
access to the information covered by the
e-Authentication File only to our
authorized employees and contractors
who require the information to perform
their official duties.
We annually provide all our
employees and contractors with security
awareness and training. This includes
the need to protect PII and the criminal
penalties that apply to an unauthorized
access to, or disclosure of, PII.
Employees and contractors with access
to databases maintaining PII must also
sign a sanction document annually,
acknowledging their accountability for
inappropriately accessing or disclosing
such information.
IV. Effects of the e-Authentication File
on the Rights of Persons
We will use safeguards to protect the
confidentiality of all PII in our
possession. We will ensure that all
contractors or others acting on our
behalf are obliged to do the same. We
will adhere to the provisions of the
Privacy Act and other applicable
Federal statutes that govern our use and
disclosure of information that the e-Authentication File covers. We will
disclose information under the routine
uses only as necessary to accomplish
the stated purposes. We do not
anticipate that the e-Authentication File
or its applicable routine use disclosures
will have any unwarranted adverse
effect on the privacy or other rights of
persons.
Dated: November 30, 2010.
Michael J. Astrue,
Commissioner.
Social Security Administration
Notice of System of Records
Required by the Privacy Act of 1974, as
Amended
System number:
60–0373
SYSTEM NAME:
Central Repository of Electronic
Authentication Data Master File.
SECURITY CLASSIFICATION:
None.
SYSTEM LOCATION:
Social Security Administration (SSA),
Office of Systems, 6401 Security
Boulevard, Baltimore, Maryland 21235.
CATEGORIES OF PERSONS COVERED BY THE
SYSTEM:
Persons conducting business with us
through our electronic services.
CATEGORIES OF RECORDS IN THE SYSTEM:
We will collect and maintain the
users’ personally identifiable
information (PII) in this system of
records. The PII may include the users’
name, address, date of birth, Social
Security number (SSN), phone number,
and other types of identity information
(e.g., address information of persons
from the W–2 and Schedule Self
Employed (SE) forms we receive
electronically for our programmatic
purposes as permitted by 26 U.S.C.
6103(l)(1)(A)). We may also collect
knowledge-based authentication data,
which is information users establish
with us or that we already maintain in
existing Privacy Act systems of records.
We will maintain the data necessary
to administer and maintain our
e-Authentication infrastructure. This
includes management and profile
information, such as blocked accounts,
failed access data, effective date of
passwords, and other data that allows us
to evaluate the system’s effectiveness.
The data we maintain also may include
archived transaction data and historical
data.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Section 205(a) of the Social Security
Act; the Government Paperwork
Elimination Act (Pub. L. 105–277); the
Internal Revenue Code (26 U.S.C.
6103(l)(1)(A)); and the Federal
Information Security Management Act
of 2002 (Title III) of the E-Government
Act of 2002 (Pub. L. 107–347).
PURPOSE(S):
This system of records supports our
agency’s objectives to expand electronic
services, such as our automated
telephone and Internet application. This
system of records also supports our
agency’s commitment to strong and
secure authentication procedures by
properly maintaining PII we collect
from persons to verify their identities.
For security reasons, we must be able to
determine, with confidence, persons are
who they claim to be each time they
choose our electronic services.
ROUTINE USES OF RECORDS COVERED BY THIS
SYSTEM OF RECORDS, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
Routine use disclosures are indicated
below; however, we will not disclose
any information defined as ‘‘return or
return information’’ under 26 U.S.C.
6103 of the Internal Revenue Code
(IRC), unless the IRC, the Internal
Revenue Service (IRS), or IRS
regulations authorize us to do so.
1. To the Office of the President in
response to a request the Office of the
President made at the request of the
subject of the record or a third party
acting on the subject’s behalf.
2. To a congressional office in
response to a request from that office
made at the request of the subject of the
record or a third party acting on the
subject’s behalf.
3. To the Department of Justice (DOJ),
a court, other tribunal, or another party
before such court or tribunal when:
(a) SSA or any of our components; or
(b) Any SSA employee in his or her
official capacity; or
(c) Any SSA employee in his or her
individual capacity when DOJ (or SSA)
has agreed to represent the employee; or
(d) The United States or any agency
thereof when we determine that the
litigation is likely to affect the
operations of SSA or any of our
components, is a party to litigation or
has an interest in such litigation, and we
determine that the use of such records
by DOJ, a court, other tribunal, or
another party before such tribunal is
relevant and necessary to the litigation.
In each case, we must determine that
such disclosures are compatible with
the purpose for which we collected the
records.
4. To other Federal agencies and our
contractors, including external data
sources, to assist us in administering
our programs.
5. To student volunteers, persons
working under a personal services
contract, and others when they need
access to information in our records in
order to perform their assigned agency
duties.
6. To the Department of Justice for:
(a) Investigating and prosecuting
violations of the Social Security Act to
which criminal penalties attach; and
(b) Representing the Commissioner; or
(c) Investigating issues of fraud or
violation of civil rights by agency
officers or employees.
7. To the General Services
Administration and the National
Archives and Records Administration
under 44 U.S.C. 2904 and 2906, as
amended by the NARA Act of 1984,
when the information is for records
management purposes.
8. To appropriate Federal, State, and
local agencies, entities, and persons
when:
(a) We suspect or confirm a
compromise of security or
confidentiality of information;
(b) We determine that as a result of
the suspected or confirmed compromise
there is a risk of harm to economic or
property interests, risk of identity theft
or fraud, or harm to the security or
integrity of this system or other systems
or programs that rely upon the
compromised information; and
(c) We determine that disclosing the
information to such agencies, entities,
and persons will assist us in our efforts
to respond to the suspected or
confirmed compromise and prevent,
minimize, or remedy such harm.
POLICIES AND PRACTICES FOR STORING,
RETRIEVING, ACCESSING, RETAINING, AND
DISPOSING OF RECORDS IN THIS SYSTEM OF
RECORDS:
STORAGE:
We will store records in this system
of records in electronic form.
RETRIEVABILITY:
We will retrieve records in this
system of records by a person’s name
and associated identifying information.
SAFEGUARDS:
We retain electronic files with
personal identifiers in secure storage
areas accessible only to our authorized
employees and contractors who have a
need for the information when
performing their official duties. Security
measures include the use of access
codes (personal identification number
(PIN) and password) to enter our
computer systems that house the data.
We annually provide all our
employees and contractors with security
awareness and training. This includes
the need to protect PII and the criminal
penalties that apply to an unauthorized
access to, or disclosure of, PII.
Employees and contractors with access
to databases maintaining PII must also
sign a sanction document annually,
acknowledging their accountability for
inappropriately accessing or disclosing
such information.
RETENTION AND DISPOSAL:
We maintain records in SSA
headquarters within the Office of Open
Government. We will maintain records
in this system of records until seven
years after the notification of the death
of the account holder. After that time,
we will delete the person’s records from
the database.
SYSTEM MANAGER(S) AND ADDRESS:
Office of the Chief Information
Officer, Office of Open Government,
Social Security Administration, 6401
Security Boulevard, Baltimore, MD
21235.
NOTIFICATION PROCEDURES:
Persons can determine if this system
contains a record about them by writing
to the system manager at the above
address and providing their name, SSN,
or other information in this system of
records that will identify them. Persons
requesting notification by mail must
include a notarized statement to us to
verify their identity or must certify in
the request that they are the person they
claim to be and that they understand
that the knowing and willful request for,
or acquisition of, a record pertaining to
another person under false pretenses is
a criminal offense.
Persons requesting notification of
records in person must provide the
same information, as well as provide an
identity document, preferably with a
photograph, such as a driver’s license.
Persons lacking identification
documents sufficient to establish their
identity must certify in writing that they
are the person they claim to be and that
they understand that the knowing and
willful request for, or acquisition of, a
record pertaining to another person
under false pretenses is a criminal
offense.
Persons requesting notification by
telephone must verify their identity by
providing identifying information that
parallels the information in the record
about which they are requesting
notification. If we determine that the
identifying information the person
provides by telephone is insufficient,
we will require the person to submit a
request in writing or in person. If a
person requests information by
telephone on behalf of another person,
the subject person must be on the
telephone with the requesting person
and us in the same phone call. We will
establish the subject person’s identity
(his or her name, SSN, address, date of
birth, and place of birth, along with one
other piece of information such as
mother’s maiden name) and ask for his
or her consent to provide information to
the requesting person. These procedures
are in accordance with our regulations
at 20 CFR 401.40 and 401.45.
RECORD ACCESS PROCEDURES:
Same as notification procedures.
Persons also should reasonably specify
the record contents they are seeking.
These procedures are in accordance
with our regulations (20 CFR 401.40(c)).
CONTESTING RECORD PROCEDURES:
Same as notification procedures.
Persons also should reasonably identify
the record, specify the information they
are contesting, and state the corrective
action sought and the reasons for the
correction with supporting justification
showing how the record is incomplete,
untimely, inaccurate, or irrelevant.
These procedures are in accordance
with our regulations (20 CFR 401.65(a)).
RECORD SOURCE CATEGORIES:
We obtain information in this system
of records primarily from the person to
whom the record pertains. We may also
include information from electronic W–
2 and electronic Schedule SE forms for
members of the public.
SYSTEM EXEMPTED FROM CERTAIN PROVISIONS
OF THE PRIVACY ACT:
None.
[FR Doc. 2010–31700 Filed 12–16–10; 8:45 am]
BILLING CODE P
DEPARTMENT OF STATE
[Public Notice: 7270]
60-Day Notice of Proposed Information
Collection: Form- DS–1950,
Department of State Application for
Employment, OMB Control Number
1405–0139
ACTION: Notice of request for public
comments.
SUMMARY: The Department of State is
seeking Office of Management and
Budget (OMB) approval for the
information collection described below.
The purpose of this notice is to allow 60
days for public comment in the Federal
Register preceding submission to OMB.
We are conducting this process in
accordance with the Paperwork
Reduction Act of 1995.
• Title of Information Collection:
Department of State Application for
Employment.
• OMB Control Number: 1405–0139.
• Type of Request: Extension of a
currently approved collection.
• Originating Office: Bureau of
Human Resources, Office of
Recruitment, Examination, Employment
(HR/REE)
• Form Number: DS–1950.
• Respondents: U.S. Citizens seeking
entry into certain Department of State
Foreign Service positions.
• Estimated Number of Respondents:
3,000.
• Estimated Number of Responses:
3,000.
• Average Hours Per Response: 30
minutes.
• Total Estimated Burden: 1,500.
• Frequency: On Occasion.
• Obligation to Respond: Required to
Obtain a Benefit.
DATES: The Department will accept
comments from the public up to 60 days
from December 17, 2010.
ADDRESSES: You may submit comments
by any of the following methods:
• E-mail: mooreme1@state.gov.
• Mail (paper, disk, or CD–ROM
submissions): U.S. Department of
State—SA–1, HR/REE/REC Room 518H,
Attention: Marvin Moore, 2401 E Street,
NW., Washington DC 20522.
You must include the DS form
number (if applicable), information
collection title, and OMB control
number in any correspondence.
• If you have access to the Internet,
you may view and comment on this
notice by going to: https://
www.regulations.gov/search/Regs/
home.html#home.
FOR FURTHER INFORMATION CONTACT:
Direct requests for additional
information regarding the collection
listed in this notice, including requests
for copies of the proposed information
collection and supporting documents, to
Marvin E. Moore, Bureau of Human
Resources, Recruitment Division,
Student Programs, U.S. Department of
State, Washington, DC 20522, who may
be reached on 202–261–8885 or by email at MooreME1@state.gov.
SUPPLEMENTARY INFORMATION: We are
soliciting public comments to permit
the Department to:
[Federal Register Volume 75, Number 242 (Friday, December 17, 2010)]
[Notices]
[Pages 79065-79068]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-31700]
=======================================================================
-----------------------------------------------------------------------
SOCIAL SECURITY ADMINISTRATION
Privacy Act of 1974, as Amended; Proposed System of Records and
Routine Use Disclosures
AGENCY: Social Security Administration (SSA).
ACTION: Proposed system of records and routine uses.
-----------------------------------------------------------------------
SUMMARY: In accordance with the Privacy Act (5 U.S.C. 552a(e)(4) and
(e)(11)), we are issuing public notice of our intent to establish a
system of records, the Central Repository of Electronic Authentication
Data Master File (hereinafter referred to as the e-Authentication File)
and its applicable routine uses. The e-Authentication File will
maintain personally identifiable information (PII) we collect and use
to verify the identity of persons using our electronic services. We
discuss the e-Authentication File and its routine use disclosures in
the Supplementary Information section below. We invite public comments
on the e-Authentication File.
DATES: We filed a report of the e-Authentication File and its
applicable routine use disclosures with the Chairman of the Senate
Committee on Homeland Security and Governmental Affairs, the Chairman
of the House Committee on Oversight and Government Reform, and the
Administrator, Office of Information and Regulatory Affairs, Office of
Management and Budget (OMB) on December 8, 2010. The e-Authentication
File and applicable routine uses will become effective on January 13,
2010, unless we receive comments before that date that require further
consideration.
ADDRESSES: Interested persons may comment on this publication by
writing to the Executive Director, Office of Privacy and Disclosure,
Office of the General Counsel, Social Security Administration, 3-A-6
Operations Building, 6401 Security Boulevard, Baltimore, Maryland
21235-6401 or through the Federal e-Rulemaking Portal at https://www.regulations.gov. All comments we receive will be available for
public inspection at the above address, and we will post them to https://www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: Neil Etter, Social Insurance
Specialist, Disclosure Policy Development and Services Division I,
Office of Privacy and Disclosure, Office of the General Counsel, Social
Security Administration, 3-A-6 Operations Building, 6401 Security
Boulevard, Baltimore, Maryland 21235-6401, telephone: (410) 965-8028,
e-mail: neil.etter@ssa.gov.
SUPPLEMENTARY INFORMATION:
I. Background and Purpose of the e-Authentication File
A. General Background
We provide electronic services, such as our automated telephone and
Internet applications, for persons doing business with us. When users
choose our electronic services, they must provide their PII. We use
their PII to verify their identities. Upon successful verification, we
are able to recognize the users' identities and authorize them to
conduct business with us electronically.
The e-Authentication File supports our agency's objectives to
expand electronic services and to provide strong and secure
authentication procedures. For security reasons, we must be able to
determine, with confidence, persons are who they claim to be each time
they choose our electronic services. The e-Authentication File will
capture the data we need to verify users' identities.
B. Collection and Maintenance of the Data Covered by the e-
Authentication File
We will collect and maintain the users' PII in the e-Authentication
File. The PII may include the users' name, address, date of birth,
Social Security number (SSN), phone number, and other types of identity
information (e.g., address information of persons from the W-2 and
Schedule Self Employed (SE) forms we receive electronically for our
programmatic purposes as permitted by 26 U.S.C. 6103(l)(1)(A)). We may
also collect knowledge-based authentication data, which is information
users establish with us or that we already maintain in existing Privacy
Act systems of records.
We will maintain the data necessary to administer and maintain our
e-Authentication infrastructure. This includes management and profile
information, such as blocked accounts, failed access data, effective
date of passwords, and other data that allows us to evaluate the
system's effectiveness. The data we maintain also may include archived
transaction data and historical data.
II. Routine Use Disclosures of Data Covered by the e-Authentication
File
A. Routine Use Disclosures
We propose to establish the following routine use disclosures of
information from the e-Authentication File:
1. To the Office of the President in response to a request the
Office of the President made at the request of the subject of a record
or a third party acting on the subject's behalf.
We will disclose information under this routine use only when the
Office of the President indicates it is requesting the record on behalf
of the subject of the record or a third party acting on the subject's
behalf.
2. To a congressional office in response to a request from that
office made at the request of the subject of the record or a third
party acting on the subject's behalf.
We will disclose information under this routine use only when a
member of Congress, or member of his or her staff indicates he or she
is requesting the record on behalf of the subject of the record or a
third party acting on the subject's behalf.
3. To the Department of Justice (DOJ), a court or other tribunal,
or another party before such a court or other tribunal when:
(a) SSA or any of our components; or
(b) Any SSA employee in his or her official capacity; or
(c) Any SSA employee in his or her individual capacity when DOJ (or
SSA) has agreed to represent the employee; or
(d) The United States or any agency thereof when we determine that
the litigation is likely to affect the operations of SSA or any of our
components,
is a party to litigation or has an interest in such litigation, and we
determine that the use of such records by DOJ, a court, other tribunal,
or another party before such tribunal is relevant and necessary to the
litigation. In each case, however, we must determine that such
disclosure is compatible with the purpose for which we collected the
records.
We will disclose information under this routine use as necessary to
enable the DOJ to defend us, our components, or our employees in
litigation, when we determine use of information covered by the
e-Authentication File is relevant and necessary to the litigation and
compatible with the purpose for which we collected the information. We
will also disclose information to ensure that courts, other tribunals,
and parties before such courts or tribunals, have appropriate
information that we determine is relevant and necessary.
4. To other Federal agencies and our contractors, including
external data sources, to assist us in efficiently administering our
programs.
We will disclose information under this routine use only in
situations where we have a contractual agreement or similar agreement
with a third party to assist in accomplishing our work relating to
information covered by the e-Authentication File. Under this routine
use, we may disclose information to a contractor to assist us in
advancing, testing, and evaluating our authentication procedures for
our electronic services.
5. To student volunteers, persons working under a personal services
contract, and others when they need access to information in our
records in order to perform their assigned agency duties.
We will disclose information under this routine use only when we
use the services of student volunteers, persons working under a
personal services contract, and others in educational, training,
employment, and community service programs when they need access to
information covered by the e-Authentication File to perform their
assigned agency duties.
6. To the Department of Justice for:
(a) Investigating and prosecuting violations of the Social Security
Act to which criminal penalties attach; and
(b) Representing the Commissioner; or
(c) Investigating issues of fraud or violation of civil rights by
agency officers or employees.
We will disclose information under this routine use only as
necessary to enable DOJ to represent us in matters for these purposes.
7. To the General Services Administration (GSA) and the National
Archives and Records Administration (NARA) under 44 U.S.C. 2904 and
2906, as amended by the NARA Act of 1984, when the information is for
records management purposes.
We will disclose information under this routine use only when it is
necessary for GSA and NARA to have access to the information covered by
the e-Authentication File. The Administrator of GSA and the Archivist
of NARA are authorized by Title 44 U.S.C. 2904, as amended, to
promulgate standards, procedures, and guidelines regarding records
management and to conduct records management studies. Title 44 U.S.C.
2906, as amended, provides that agencies are to cooperate with GSA and
NARA as GSA and NARA are authorized to inspect Federal agencies'
records for records management purposes.
8. To appropriate Federal, State, and local agencies, entities, and
persons when:
(a) We suspect or confirm a compromise of security or
confidentiality of information;
(b) We determine that, as a result of the suspected or confirmed
compromise, there is a risk of harm to economic or property interests,
risk of identity theft or fraud, or risk of harm to the security or
integrity of this system or other systems or programs that rely upon
the compromised information; and
(c) We determine that disclosing the information to such agencies,
entities, and persons will assist us in our efforts to respond to the
suspected or confirmed compromise and prevent, minimize, or remedy any
harm.
We will disclose information under this routine use specifically in
connection with response and remediation efforts in the event of an
unintentional release of agency information (otherwise known as a data
breach). With this routine use, we can protect the interests of the
people whose information is at risk by responding timely and
effectively to a data breach. The routine use will also help us improve
our ability to prevent, minimize, or remedy any harm that may result
from a data breach.
B. Compatibility of Routine Uses
We can disclose information for routine uses one through six when
it is necessary to carry out our programs or other programs similar to
ours or when the disclosure is supported by a published routine use (20
CFR 401.150). We can also disclose information when the disclosure is
required by law (20 CFR 401.120). Federal law requires the disclosures
that we make under routine uses seven and eight to the extent another
Federal law does not prohibit the disclosure. All routine uses in the
e-Authentication File are compatible with the relevant statutory and
regulatory criteria.
III. Records Storage Medium and Safeguards for the Information Covered
by the e-Authentication File
We will maintain, in electronic form, all information covered by
the e-Authentication File. We will safeguard the security of the
electronic information covered by the e-Authentication File by
requiring the use of access codes (personal identification number (PIN)
and password) to enter the computer system that will house the data. We
will maintain audit trails of all access to this information in
accordance with agency security policy and Federal retention standards.
We will permit access to the information covered by the
e-Authentication File only to our authorized employees and contractors
who require the information to perform their official duties.
We annually provide all our employees and contractors with security
awareness and training. This includes the need to protect PII and the
criminal penalties that apply to an unauthorized access to, or
disclosure of, PII. Employees and contractors with access to databases
maintaining PII must also sign a sanction document annually,
acknowledging their accountability for inappropriately accessing or
disclosing such information.
IV. Effects of the e-Authentication File on the Rights of Persons
We will use safeguards to protect the confidentiality of all PII in
our possession. We will ensure that all
contractors or others acting on our behalf are obliged to do the same.
We will adhere to the provisions of the Privacy Act and other
applicable Federal statutes that govern our use and disclosure of
information that the e-Authentication File covers. We will disclose
information under the routine uses only as necessary to accomplish the
stated purposes. We do not anticipate that the e-Authentication File or
its applicable routine use disclosures will have any unwarranted
adverse effect on the privacy or other rights of persons.
Dated: November 30, 2010.
Michael J. Astrue,
Commissioner.
Social Security Administration
Notice of System of Records
Required by the Privacy Act of 1974, as Amended
System number:
60-0373
System name:
Central Repository of Electronic Authentication Data Master File.
Security classification:
None.
System Location:
Social Security Administration (SSA), Office of Systems, 6401
Security Boulevard, Baltimore, Maryland 21235.
Categories of persons covered by the system:
Persons conducting business with us through our electronic
services.
Categories of records in the system:
We will collect and maintain the users' personally identifiable
information (PII) in this system of records. The PII may include the
users' name, address, date of birth, Social Security number (SSN),
phone number, and other types of identity information (e.g., address
information of persons from the W-2 and Schedule Self Employed (SE)
forms we receive electronically for our programmatic purposes as
permitted by 26 U.S.C. 6103(l)(1)(A)). We may also collect
knowledge-based authentication data, which is information users establish with us
or that we already maintain in existing Privacy Act systems of records.
We will maintain the data necessary to administer and maintain our
e-Authentication infrastructure. This includes management and profile
information, such as blocked accounts, failed access data, effective
date of passwords, and other data that allows us to evaluate the
system's effectiveness. The data we maintain also may include archived
transaction data and historical data.
Authority for maintenance of the system:
Section 205(a) of the Social Security Act; the Government Paperwork
Elimination Act (Pub. L. 105-277); the Internal Revenue Code (26 U.S.C.
6103(l)(1)(A)); and the Federal Information Security Management Act of
2002 (Title III) of the E-Government Act of 2002 (Pub. L. 107-347).
Purpose(s):
This system of records supports our agency's objectives to expand
electronic services, such as our automated telephone and Internet
application. This system of records also supports our agency's
commitment to strong and secure authentication procedures by properly
maintaining PII we collect from persons to verify their identities. For
security reasons, we must be able to determine, with confidence,
persons are who they claim to be each time they choose our electronic
services.
Routine uses of records covered by this system of records, including
categories of users and the purposes of such uses:
Routine use disclosures are indicated below; however, we will not
disclose any information defined as "return or return information"
under 26 U.S.C. 6103 of the Internal Revenue Code (IRC), unless the
IRC, the Internal Revenue Service (IRS), or IRS regulations authorize
us to do so.
1. To the Office of the President in response to a request the
Office of the President made at the request of the subject of the
record or a third party acting on the subject's behalf.
2. To a congressional office in response to a request from that
office made at the request of the subject of the record or a third
party acting on the subject's behalf.
3. To the Department of Justice (DOJ), a court, other tribunal, or
another party before such court or tribunal when:
(a) SSA or any of our components; or
(b) Any SSA employee in his or her official capacity; or
(c) Any SSA employee in his or her individual capacity when DOJ (or
SSA) has agreed to represent the employee; or
(d) The United States or any agency thereof when we determine that
the litigation is likely to affect the operations of SSA or any of our
components,
is a party to litigation or has an interest in such litigation, and we
determine that the use of such records by DOJ, a court, other tribunal,
or another party before such tribunal is relevant and necessary to the
litigation. In each case, we must determine that such disclosures are
compatible with the purpose for which we collected the records.
4. To other Federal agencies and our contractors, including
external data sources, to assist us in administering our programs.
5. To student volunteers, persons working under a personal services
contract, and others when they need access to information in our
records in order to perform their assigned agency duties.
6. To the Department of Justice for:
(a) Investigating and prosecuting violations of the Social Security
Act to which criminal penalties attach; and
(b) Representing the Commissioner; or
(c) Investigating issues of fraud or violation of civil rights by
agency officers or employees.
7. To the General Services Administration and the National Archives
and Records Administration under 44 U.S.C. 2904 and 2906, as amended by
the NARA Act of 1984, when the information is for records management
purposes.
8. To appropriate Federal, State, and local agencies, entities, and
persons when:
(a) We suspect or confirm a compromise of security or
confidentiality of information;
(b) We determine that as a result of the suspected or confirmed
compromise there is a risk of harm to economic or property interests,
risk of identity theft or fraud, or harm to the security or integrity
of this system or other systems or programs that rely upon the
compromised information; and
(c) We determine that disclosing the information to such agencies,
entities, and persons will assist us in our efforts to respond to the
suspected or confirmed compromise and prevent, minimize, or remedy such
harm.
Policies and practices for storing, retrieving, accessing, retaining,
and disposing of records in this system of records:
Storage:
We will store records in this system of records in electronic form.
Retrievability:
We will retrieve records in this system of records by a person's
name and associated identifying information.
Safeguards:
We retain electronic files with personal identifiers in secure
storage areas accessible only to our authorized
employees and contractors who have a need for the information when
performing their official duties. Security measures include the use of
access codes (personal identification number (PIN) and password) to
enter our computer systems that house the data.
We annually provide all our employees and contractors with security
awareness and training. This includes the need to protect PII and the
criminal penalties that apply to an unauthorized access to, or
disclosure of, PII. Employees and contractors with access to databases
maintaining PII must also sign a sanction document annually,
acknowledging their accountability for inappropriately accessing or
disclosing such information.
Retention and disposal:
We maintain records in SSA headquarters within the Office of Open
Government. We will maintain records in this system of records until
seven years after the notification of the death of the account holder.
After that time, we will delete the person's records from the database.
System manager(s) and address:
Office of the Chief Information Officer, Office of Open Government,
Social Security Administration, 6401 Security Boulevard, Baltimore, MD
21235.
Notification procedures:
Persons can determine if this system contains a record about them
by writing to the system manager at the above address and providing
their name, SSN, or other information in this system of records that
will identify them. Persons requesting notification by mail must
include a notarized statement to us to verify their identity or must
certify in the request that they are the person they claim to be and
that they understand that the knowing and willful request for, or
acquisition of, a record pertaining to another person under false
pretenses is a criminal offense.
Persons requesting notification of records in person must provide
the same information, as well as provide an identity document,
preferably with a photograph, such as a driver's license. Persons
lacking identification documents sufficient to establish their identity
must certify in writing that they are the person they claim to be and
that they understand that the knowing and willful request for, or
acquisition of, a record pertaining to another person under false
pretenses is a criminal offense.
Persons requesting notification by telephone must verify their
identity by providing identifying information that parallels the
information in the record about which they are requesting notification.
If we determine that the identifying information the person provides by
telephone is insufficient, we will require the person to submit a
request in writing or in person. If a person requests information by
telephone on behalf of another person, the subject person must be on
the telephone with the requesting person and us in the same phone call.
We will establish the subject person's identity (his or her name, SSN,
address, date of birth, and place of birth, along with one other piece
of information such as mother's maiden name) and ask for his or her
consent to provide information to the requesting person. These
procedures are in accordance with our regulations at 20 CFR 401.40 and
401.45.
Record access procedures:
Same as notification procedures. Persons also should reasonably
specify the record contents they are seeking. These procedures are in
accordance with our regulations (20 CFR 401.40(c)).
Contesting record procedures:
Same as notification procedures. Persons also should reasonably
identify the record, specify the information they are contesting, and
state the corrective action sought and the reasons for the correction
with supporting justification showing how the record is incomplete,
untimely, inaccurate, or irrelevant. These procedures are in accordance
with our regulations (20 CFR 401.65(a)).
Record source categories:
We obtain information in this system of records primarily from the
person to whom the record pertains. We may also include information
from electronic W-2 and electronic Schedule SE forms for members of the
public.
System exempted from certain provisions of the Privacy Act:
None.
[FR Doc. 2010-31700 Filed 12-16-10; 8:45 am]
BILLING CODE P