Central Repository of Electronic Authentication Data Master File (e-Authentication File)

Name of Project

Central Repository of Electronic Authentication Data Master File (e-Authentication File)

Unique Project Identifier

33415958

Privacy Impact Assessment Contact

Office of the Chief Information Officer

Office of Open Government

Social Security Administration

6401 Security Boulevard

Baltimore, MD 21235

Background

We provide electronic services, such as our automated telephone and Internet applications, for persons doing business with us.  For security reasons, we must be able to determine with confidence that users are who they claim to be each time they use our electronic services.  When users access our electronic services, they provide their personally identifiable information (PII).  Through the e-Authentication File, we will use the PII provided by the users to verify their identities.  Upon successful verification, we are able to recognize the users’ identities and authorize them to conduct business with us electronically. 

The e-Authentication File supports our agency’s objectives to expand electronic services and to provide stronger and more secure authentication procedures. 

Describe the information we plan to collect, why we will collect the information, how we intend to use the information, and with whom we will share the information.

We collect and maintain the users’ PII in the e-Authentication File to verify the identities of persons using our electronic services.  The PII may include the user name, address, date of birth, Social Security number, phone number, and other types of identity information.  We also may collect knowledge-based authentication data, which is information users establish with us or that we already maintain in existing Privacy Act systems of records. 

We will use the information to administer and maintain our e-Authentication infrastructure.  This includes management and profile information, such as blocked accounts, failed access data, effective date of passwords, and other data that allows us to evaluate the system’s effectiveness.  The data we maintain also may include archived transaction data and historical data.

We will disclose information collected and maintained in this system only to our employees and contractors who require the information to perform their official duties; to the subject of the record; and to other persons pursuant to an applicable routine use provision as authorized by the Privacy Act or as otherwise permitted by Federal law.  For example, under a routine use, we can disclose information to contractors, as necessary, to assist us in efficiently administering our programs.

We will not disclose any information defined as “return or return information” under 26 U.S.C. § 6103 of the Internal Revenue Code (IRC) unless authorized by statute, the IRC, the Internal Revenue Service (IRS), or IRS regulations.

Describe the administrative and technological controls we have in place or that we plan to use to secure the information we will collect.

Our security includes technical, management, and operational controls that permit access to our information only to persons with an official “need to know.”  We maintain electronic files with personal identifiers in secure storage areas.  Security measures include the use of access codes (personal identification number and password) to enter our computer systems that house the data.  Audit mechanisms are in place to record sensitive transactions as an additional measure to protect information from unauthorized disclosure or modification.

We annually provide appropriate security awareness training to all our employees and contractors that includes reminders about the need to protect PII and the criminal penalties that apply to unauthorized access to, or disclosure of, PII.  See 5 U.S.C. § 552a(i)(1).  Furthermore, employees and contractors with access to databases maintaining PII must annually sign a sanction document that acknowledges their accountability for inappropriately accessing or disclosing such information.

Describe the impact on persons’ privacy rights.  Do we afford people an opportunity to decline to provide information?

Yes.  We have legal authority to collect this information to administer our responsibilities under the Social Security Act.  When we collect information from persons wishing to do business with us through our electronic services, we use our Privacy Act Statement to advise them of our legal authority for requesting the information and explain the possible effects if they choose not to provide the information.  Persons can then make an informed decision whether or not to provide the information.

Do we afford people an opportunity to consent to only particular uses of the information?

No.  When we collect a person’s information, we advise that person of the purposes for which we will use the information. We further advise the person that we will disclose the information without written prior consent only when we have specific legal authority to do so (e.g., the Privacy Act).  We do not otherwise offer persons an opportunity to determine how and with whom we share their information.

Does the collection of this information require a new system of records under the Privacy Act (5 U.S.C. § 552a) or an alteration to an existing system of records?

Yes.  This project did require a new Privacy Act system of records.  We created and published theCentral Repository of Electronic Authentication Data Master File (60-0373) system of records in the Federal Register on December 17, 2010.

PIA CONDUCTED BY SSA PRIVACY OFFICER:

/s/ Dawn S. Wiggins                                          May 26, 2011

SIGNATURE                                                          DATE

PIA REVIEWED BY SSA SENIOR AGENCY PRIVACY OFFICIAL:

/s/ David F. Black                                                    June 2, 2011             

SIGNATURE                                                          DATE