Skip to Content

Proposed Rule

Privacy and Disclosure of Official Records and Information

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble Start Printed Page 53994

AGENCY:

Social Security Administration.

ACTION:

Proposed rules.

SUMMARY:

We are proposing to revise our privacy and disclosure rules to clarify certain provisions and to provide expanded regulatory support for new and existing responsibilities and functions. These changes in the regulations will increase Agency efficiency and ensure consistency in the implementation of the Social Security Administration's (SSA) policies and responsibilities under the Privacy Act and the Social Security Act.

DATES:

To be sure that your comments are considered, we must receive them no later than November 13, 2006.

ADDRESSES:

You may give us your comments by: the Federal eRulemaking Portal: http://www.regulations.gov;​ e-mail to regulations@ssa.gov; telefax to (410) 966-2830; or letter to the Commissioner of Social Security, P.O. Box 17703, Baltimore, MD 21235-7703. You may also deliver them to the Office of Regulations, Social Security Administration, 107 Altmeyer Building, 6401 Security Boulevard, Baltimore, MD 21235-6401, between 8 a.m. and 4:30 p.m. on regular business days. Comments are posted on our Internet site, or you may inspect them on regular business days by making arrangements with the contact person shown in this preamble.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Christine W. Johnson, Office of Public Disclosure, 3 A-6 Operations Building, 6401 Security Boulevard, Baltimore, MD 21235-6401, (410) 965-8563 or TTY (410) 965-5609. For information on eligibility or filing for benefits, call our national toll-free numbers, 1-800-772-1213 or TTY 1-800-325-0778, or visit our Internet Web site, Social Security Online, at http://www.socialsecurity.gov.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

Electronic Version

The electronic file of this document is available on the date of publication in the Federal Register at http://www.gpoaccess.gov/​FR/​index.html. It is also available on the Internet site for the Social Security Administration (e.g., Social Security Online) at http://policy.ssa.gov/​pnpublic.nsf.LawsRegs.

Background

We last revised the privacy and disclosure regulations in 1980 when the Social Security Administration (SSA) was a part of the Department of Health and Human Services (DHHS) (formerly the Department of Health, Education and Welfare) and subject to DHHS' disclosure policy oversight. Since 1980, significant changes have occurred in the procedures. We propose to codify these changes in the procedures governing access to, and disclosure of, personally identifiable information. We are also proposing to make minor housekeeping changes to further clarify our procedures. In general, the proposed changes reflect SSA's compliance with technological, legal and legislative changes that have occurred since 1980.

Thus, we propose to clarify the provisions regarding requests for access to information developed by medical sources for Social Security programs, fully describe the existing responsibilities and functions of the Privacy Officer position, establish the new senior agency official for privacy as required by the Office of Management and Budget (OMB) and explain the related responsibilities, and implement SSA's new Privacy Impact Assessment process in accordance with the E-Government Act of 2002, Pub. L. 107-347. Further, as required by OMB, we propose to require adequate safeguards against inappropriate disclosure of personal information by electronic means, e.g., over the Internet, and revise our procedures on notification of, or access to, medical records on behalf of another person, e.g., an adult or child.

These proposed rules would also clarify SSA's policy concerning an individual's access to, or notification of, program records, amend the language concerning appeal requests under the Privacy Act to include denial of access to the record, and amend the language to insert the word “written” prior to “consent” to clarify that the requirement means disclosure with written consent and expand the language to more clearly define what information we will disclose with written consent. Further, we propose to revise the language to show that SSA also has physical custody of personnel records, and revise the language under disclosure of personal information in nonprogram records to show the new name of the former General Accounting Office.

These proposed rules would also amend the language under disclosure of personal information in program records to make clear that we disclose information from program records only when there is a legitimate need for the information, and revise the language under disclosures required by law to show the current name for Aid to Families with Dependent Children. We also propose to amend the language under compatible purposes to clearly state how we implement the routine use provision of the Privacy Act (5 U.S.C. 552a(b)(3)) and what we mean by routine use in terms of the information we can disclose, and amend the language under law enforcement purposes to clarify that disclosures under 5 U.S.C. 552a(b)(7) also require a written request. Further, we propose to amend the language under statistical and research activities to reflect the language in the new routine use of data for research purposes, amend the language in the General Accounting Office section to correctly reflect the new name of the agency, and clarify certain matters related to our rules on disclosure under court order and other legal process.

Explanation of Changes

Section 401.20 Scope

We propose to amend the section heading in § 401.20(a) to read “Access” and to amend paragraph (a) to clarify the rules regarding the access provision as it pertains to information developed by medical sources that perform consultative examinations for us. We also propose to amend the heading in § 401.20(b)(1)(iii) to read “Records kept by medical sources,” and amend the language in that paragraph. Start Printed Page 53995

Section 401.30  Privacy Act Responsibilities

We propose to add new paragraphs (d), (e) and (f) to § 401.30.

Privacy Officer

New § 401.30(d) will fully describe the position of the SSA Privacy Officer and the responsibilities and functions of that position. SSA has always had a designated Privacy Officer since the enactment of the Privacy Act in 1974. Since that time, the Privacy Officer has overall responsibility for coordination of SSA privacy matters within the Agency. As such, the Privacy Officer advises the Agency on privacy policy matters and is responsible for developing and implementing privacy policies and related requirements, ensures compliance with the Privacy Act, and provides general oversight of privacy and disclosure policy involving privacy and disclosure matters. The Privacy Officer has other responsibilities including evaluating legislative proposals and other initiatives proposed by Congress, other agencies and the public, and reviewing multifunctional projects, studies and research activities involving personal information. The responsibilities also include facilitating the incorporation of privacy principles into information technology systems architectures and technical designs to ensure that privacy policies and practices are properly reflected in our business requirements.

We are proposing to provide an explanation of the Privacy Officer's responsibilities to emphasize SSA's long-standing commitment to the public that personal information maintained in SSA's Privacy Act systems of records is handled in full compliance with the law.

Senior Agency Official for Privacy

To help protect the privacy rights of Americans and to ensure that agencies continue to have effective information privacy management programs in place to carry out this important responsibility, OMB requires that each agency designate a senior agency official to serve as the person in charge of privacy issues.

The Senior Agency Official for Privacy will have overall responsibility and accountability for privacy issues at the national and agency-wide levels. The official will also have a central role in overseeing agency compliance efforts in privacy policy procedures as well as a key role in policy-making as it pertains to the development and evaluation of legislative, regulatory and other policy proposals that might implicate privacy issues.

New § 401.30(e) will establish SSA's Senior Agency Official for Privacy and fully describe the responsibilities of that position as prescribed by OMB. (See OMB Memorandum M-08-05, dated February 11, 2005).

Privacy Impact Assessments

In accordance with Section 208 of the E-Government Act of 2002 (Pub. L. 107-347, 44 U.S.C. Ch. 36), the Office of Management and Budget now requires that certain Information Technology (IT) projects receive a special privacy review called a Privacy Impact Assessment (PIA). The PIA review is in addition to the current SSA requirement that SSA's Privacy Officer certify Agency procurement requests for automated data processing resources and proposed contracts. The PIA review will strengthen the existing process by incorporating privacy involvement directly into the development of the IT system lifecycle and establishing a process that the entire Agency can understand in terms of privacy involvement in IT system development efforts.

New § 401.30(f) will describe the PIA requirements for ensuring that privacy considerations receive a standardized review. We will determine if adequate measures have been taken to protect the privacy of the personally identifiable information the IT project will affect and if the requirements of the Privacy Act and applicable SSA regulations and policy are properly addressed.

Section 401.45 Verifying Your Identity

We propose to add to § 401.45 new paragraphs (b)(3) and (b)(4) to emphasize that when SSA provides convenient service to you over open computer networks such as the Internet, we will adequately protect against improper disclosure of records. We will redesignate present paragraphs (b)(3), (b)(4) and (b)(5) as (b)(5), (b)(6) and (b)(7), respectively. We will also revise the language in redesignated (b)(5).

Increasingly, computer technology enables us to transact business with you as a taxpayer, Social Security beneficiary, employer or third-party organization. We will move cautiously to allow you to communicate with us securely over open networks such as the Internet. Such expanded services are dependent on our development of practices and mechanisms to ensure identity confirmation to protect you against improper disclosure of the personal information we maintain in our records, and to improve privacy protections.

Section 401.55 Special Procedures for Notification of or Access to Medical Records

We propose to revise the section heading to read “Access to medical records.” We also propose to revise the procedures for access to medical records to conform to the practices and systems of records that set out special procedures under which individuals may have direct access to their medical records.

Currently, when you request your medical records, § 401.55(b)(1)(ii) requires you to designate a representative to receive the records for you and gives the representative the discretion to inform you about the contents of your record. We propose to modify the special procedures in that paragraph to require the representative to release your record to you after the discussion of its contents. The representative no longer has the discretion to withhold any part of your record.

Section 401.55(c)(2)(iii) currently gives a designated representative (e.g., family physician or other health care professional) discretion about making the contents of a minor's medical record available to the parent or legal guardian. The proposed rule would modify this provision to require the representative to release the minor's records to the parent or legal guardian following the discussion of its contents. Additionally, we are redesignating present paragraph (d) concerning requests on behalf of incapacitated adults as paragraph (c)(3).

Section 401.60 Access or Notification of Program Records About Two or More Individuals

Currently, § 401.60 is entitled “Access or notification of program records about two or more individuals.” The first sentence in the section reads “When information about two or more individuals is in one record filed under your social security number, you may receive the information about you and the fact of entitlement and the amount of benefits payable to other persons based on your record.” We propose to amend § 401.60 by inserting the word “to” after the word “Access” in the heading and revising the language in both the heading and first sentence to read “about more than one individual.”

Section 401.70 Appeals of Refusals to Correct or Amend Records

Currently, § 401.70 is entitled “Appeals of refusals to correct or amend records.” We propose to amend the section heading to include appeals after denial of access. We also propose to Start Printed Page 53996clarify the policy in the section by revising the language in existing paragraphs (a), (b) and (c). Further, we propose to add a new paragraph (d) to clearly explain the process after you file your appeal.

Section 401.100 Disclosure of Records With the Consent of the Subject of the Record

We propose to amend the language in the section heading under § 401.100 to insert the word “written” before “consent.” We also propose to revise the language in paragraph (a) to clarify that the consent must be in writing and define what information we will disclose with written consent. To present the information in a more reader-friendly format, the second and third sentences of paragraph (a) will be designated as new paragraphs (b) “Disclosure with written consent”, and (c) “Disclosure of the entire record,” respectively. We propose to make conforming changes to existing paragraph (b) and redesignate it as paragraph (d).

Section 401.105 Disclosure of Personal Information Without the Consent of the Subject of the Record

We propose to revise the second sentence of paragraph (b) into two sentences to clarify that SSA also has physical custody of personnel records maintained as part of the Office of Personnel Management's (OPM) Privacy Act government-wide systems of records and that these records are subject to OPM's rules on access and disclosure at 5 CFR parts 293 and 297.

Section 401.110 Disclosure of Personal Information in Nonprogram Records Without the Consent of the Subject of the Record

We propose to amend the language in § 401.110 (j) to show the new name for the former General Accounting Office.

Section 401.115 Disclosure of Personal Information in Program Records Without the Consent of the Subject of the Record

We propose to amend the introductory language in § 401.115 to make clear that the information in program records will be disclosed only on a need-to-know basis.

Section 401.120 Disclosure Required by Law

Currently, the last sentence in § 401.120 reads “* * * and to Federal, State and local agencies administering Aid to Families with Dependent Children, Medicaid, unemployment compensation, food stamps, and other programs.” We propose to amend the language to reflect the current name of the AFDC program. The new name will read “* * * Temporary Assistance for Needy Families * * *.”

Section 401.150 Compatible Purposes

We propose to amend § 401.150 to clearly state how we implement the routine use provision. More specifically, the language in paragraphs (a) and (b) will be expanded to include what we mean by “routine use” in terms of the information we can disclose and how we give notice of routine use disclosures, respectively. We will amend paragraph (c) by adding new paragraphs (c)(1) and (c)(2) to clearly show the distinctions between disclosure in SSA programs and programs similar to SSA programs, for compatibility purposes.

Section 401.155 Law Enforcement Purposes

We propose to amend § 401.155 to make clear that the Privacy Act requires a written request for information from the head of the law enforcement agency in situations involving both serious crimes and criminal activity involving Social Security programs or other programs with the same purpose.

Section 401.165 Statistical and Research Activities

We propose to amend § 401.165 to make it consistent with the recently published new routine use of data for research purposes.

Section 401.175 General Accounting Office

We propose to amend the section heading in § 401.175 to reflect a name change. The new heading will read “Government Accountability Office.” We also propose to revise the language in the paragraph to read “* * * to the Government Accountability Office when that agency needs the information to carry out its duties.”

Section 401.180 Courts

We propose to revise the entire section of § 401.180 to clarify our policy on disclosure when we receive an order from a court of competent jurisdiction.

In 1980, when § 401.180 was initially published as a final rule, the status of subpoenas and other legal process under paragraph (b)(11) of the statute was unclear. Since then, SSA has not treated a subpoena or similar legal process as a court order unless a judge signs it. We believe that this position is now established as law as it is consistent with court decisions and OMB guidance interpreting the Privacy Act. See, e.g., Doe v. DiGenova, 779 F.2d 74 (D.C. Cir. 1985); Stiles v. Atlanta Gas Light Co., 453 F.Supp. 798 (N.D. Ga. 1978).

Therefore, we propose to revise § 401.180 as follows: In paragraph (a) we will make clear that when information disclosed from SSA records is used in court proceedings, it usually becomes part of the public record of the proceedings and its confidentiality often cannot be protected. Accordingly, we will follow the rules in new paragraph (d) of this section in deciding whether an order is from a court of competent jurisdiction.

We propose to change the heading in paragraph (b) to read “Court” and amend the language in the paragraph to state SSA's position that a court, for purposes of 5 U.S.C. § 552a(b)(11), is an institution of a judicial branch of government consisting of one or more judges who seek to adjudicate disputes and administer justice. The definition clarifies that other entities in other branches of government or not in the United States are not courts for purposes of the Privacy Act.

We propose to add a new paragraph (c) to explain that only a legal process, such as a summons or warrant, that is signed by a judge and that commands the disclosure of information by SSA will be considered to be a court order for purposes of the statutory exception in 5 U.S.C. § 552a(b)(11). References to subpoenas would be removed from this regulation.

When we receive legal process that is not an order of a court of competent jurisdiction, (such as a grand jury subpoena, a subpoena signed by the clerk of the court or the attorney representing a party to the proceeding), we may decide to disclose information if the conditions described in any other provision of this regulation would permit the disclosure (for example, for a compatible purpose under § 401.150). However, we will not disclose without an order from a court of competent jurisdiction if the Privacy Act or any other law would prohibit the disclosure without such an order. We will also add a new paragraph (d) to explain our view on court of competent jurisdiction.

In new paragraph (e) we propose to describe the conditions for disclosure under court order and clarify the rules on disclosure when a court order is involved.

We propose to add a new paragraph (f) to explain that in other circumstances we may attempt to satisfy the needs of a court of competent jurisdiction when the circumstances in paragraph (e) are not met. We will make these determinations in accordance with § 401.140. Start Printed Page 53997

We propose to add new paragraph (g) to explain that we will treat a state criminal court as a court of competent jurisdiction in the limited circumstance when a disclosure is necessary to preserve the rights of an accused individual to due process in a criminal proceeding. We view that extending this exception to a state court hearing criminal matters does not in any way waive sovereign immunity. We are including this provision to clarify SSA's position that SSA should balance an individual's constitutional right to due process while preserving the confidentiality of information. SSA will disclose information when it believes the due process right outweighs the need to preserve confidentiality. We expect the court order to include language articulating the due process need for the information.

Further, we propose to add a new paragraph (h) to provide a cross-reference to additional regulations contained in 20 CFR part 403 concerning testimony and production of records in legal proceedings.

Regulatory Procedures

Executive Order 12866

The Office of Management and Budget has reviewed these proposed rules in accordance with Executive Order 12866, as amended by Executive Order 13258.

Regulatory Flexibility Act

We certify that these proposed rules would not have a significant economic impact on a substantial number of small entities because they affect only individuals or entities acting on their behalf. Thus, a regulatory flexibility analysis as provided in the Regulatory Flexibility Act, as amended, is not required.

Paperwork Reduction Act

These proposed rules contain reporting requirements as shown in the table below. Where the public reporting burden is accounted for in Information Collection Requests for the various forms that the public uses to submit the information to SSA, a 1-hour placeholder burden is being assigned to the specific reporting requirement(s) contained in these rules.

SectionAnnual number of responsesFrequency of responseAverage burden per response (minutes)Estimated annual burden (hours)
401.45(b)20,0001103333
401.70(a), (b)1
401.100(b)1
Total20,0001103335

An Information Collection Request has been submitted to OMB for clearance. We are soliciting comments on the burden estimate; the need for the information; its practical utility; ways to enhance its quality, utility and clarity; and on ways to minimize the burden on respondents, including the use of automated collection techniques or other forms of information technology. Comments should be submitted and/or faxed to the Office of Management and Budget and the Social Security Administration at the following addresses/numbers:

Office of Management and Budget, Attn: Desk Officer for SSA, Fax Number: 202-395-6974.

Social Security Administration, Attn: SSA Reports Clearance Officer, Rm. 1338 Annex Building, 6401 Security Boulevard, Baltimore, MD 21235-6401, Fax Number: 410-965-6400.

Comments can be received for up to 60 days after publication of this notice and will be most useful if received within 30 days of publication. To receive a copy of the OMB clearance package, you may call the SSA Reports Clearance Officer on 410-965-0454.

(Catalog of Federal Domestic Assistance Program Nos. 96.001 Social Security—Disability Insurance; 96.002 Social Security—Retirement Insurance; 96.004 Social Security—Survivors Insurance; 96.006 Supplemental Security Income)

Start List of Subjects

List of Subjects in 20 CFR Part 401

End List of Subjects Start Signature

Dated: September 5, 2006.

Jo Anne B. Barnhart,

Commissioner of Social Security.

End Signature

For the reasons set out in the preamble, we are proposing to amend subparts A, B and C of part 401 of chapter III of title 20 of the Code of Federal Regulations as set forth below:

Start Part

PART 401—PRIVACY AND DISCLOSURE OF OFFICIAL RECORDS AND INFORMATION

1. The authority citation for part 401 continues to read as follows:

Start Authority

Authority: Secs. 205, 702(a)(5), 1106, and 1141 of the Social Security Act (42 U.S.C. 405, 902(a)(5), 1306, and 1320b-11); 5 U.S.C. 552 and 552a; 8 U.S.C. 1360; 26 U.S.C. 6103; 30 U.S.C. 923. 2. Section 401.20 is amended by revising paragraphs (a) and (b)(1)(iii) to read as follows:

End Authority
Scope.

(a) Access. Sections 401.30 through 401.95, which set out SSA's rules for implementing the Privacy Act, apply to records retrieved by an individual's name or personal identifier subject to the Privacy Act. The rules in §§ 401.30 through 401.95 also apply to information developed by medical sources for the Social Security program and shall not be accessed except as permitted by this part.

(b) * * *

(1) * * *

(iii) Records kept by medical sources. Information retained by medical sources pertaining to a consultative examination performed for the Social Security program shall not be disclosed except as permitted by this part.

* * * * *

3. Section 401.30 is amended by adding paragraphs (d), (e) and (f) to read as follows:

Privacy Act responsibilities.
* * * * *

(d) Privacy Officer. The Privacy Officer is an advisor to the Agency on all privacy policy and disclosure matters. The Privacy Officer coordinates the development and implementation of Agency privacy policies and related legal requirements to ensure Privacy Act compliance, and monitors the coordination, collection, maintenance, use and disclosure of personal information. The Privacy Officer also ensures the integration of privacy principles into information technology systems architecture and technical designs, and generally provides to Agency officials policy guidance and directives in carrying out the privacy and disclosure policy. Start Printed Page 53998

(e) Senior Agency Official for Privacy. The Senior Agency Official for Privacy assumes overall responsibility and accountability for ensuring the agency's implementation of information privacy protections as well as agency compliance with Federal laws, regulations, and policies relating to the privacy of information, such as the Privacy Act. The compliance efforts also include reviewing information privacy procedures to ensure that they are comprehensive and up-to-date and, where additional or revised procedures may be called for, working with the relevant agency offices in the consideration, adoption, and implementation of such procedures. The official also ensures that agency employees and contractors receive appropriate training and education programs regarding the information privacy laws, regulations, polices and procedures governing the agency's handling of personal information. In addition to the compliance role, the official will have a central policy-making role in the agency's development and evaluation of legislative, regulatory and other policy proposals which might implicate information privacy issues, including those relating to the collection, use, sharing, and disclosure of personal information.

(f) Privacy Impact Assessment. In our comprehensive Privacy Impact Assessment (PIA) review process, we incorporate the tenets of privacy law, SSA privacy regulations, and privacy policy directly into the development of certain Information Technology projects. Our review examines the risks and ramifications of collecting, maintaining and disseminating information in identifiable form in an electronic information system and identifies and evaluates protections and alternate processes to reduce the risk of unauthorized disclosures. As we accomplish the PIA review, we ask systems personnel and program personnel to resolve questions on data needs and data protection prior to the development of the electronic system.

4. Section 401.45 is amended by redesignating paragraphs (b)(3), (b)(4) and (b)(5) as (b)(5), (b)(6) and (b)(7), respectively, adding new paragraphs (b)(3) and (b)(4) and revising redesignated paragraph (b)(5) to read as follows:

Verifying your identity.
* * * * *

(b) * * *

(3) Electronic requests. If you make a request by computer or other electronic means, e.g., over the Internet, we require you to verify your identity by using identity confirmation procedures that are commensurate with the sensitivity of the information that you are requesting. If we cannot confirm your identity using our identity confirmation procedures, we will not process the electronic request. When you cannot verify your identity through our procedures, we will require you to submit your request in writing.

(4) Electronic disclosures. When we collect or provide personally identifiable information over open networks such as the Internet, we use encryption in all of our automated online transaction systems to protect the confidentiality of the information. When we provide an online access option, such as a standard e-mail comment form on our Web site, and encryption is not being used, we alert you that personally identifiable information (such as your social security number) should not be included in your message.

(5) Requests not made in person. Except as provided in paragraphs (b)(2) of this section, if you do not make a request in person, you must submit a written request to SSA to verify your identify or you must certify in your request that you are the individual you claim to be. You must also sign a statement that you understand that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense.

* * * * *

5. Section 401.55 is amended by revising paragraphs (a), (b)(1)(ii), (c)(1) and (c)(2)(iii) and by redesignating paragraph (d) as paragraph (c)(3) to read as follows:

Access to medical records.

(a) General. You have a right to access your medical records, including any psychological information that we maintain.

(b) * * *

(1) * * *

(ii) When you request medical information about yourself, you must also name a representative in writing. The representative may be a physician, other health professional, or other responsible individual who will be willing to review the record and inform you of its contents. Following the discussion, you are entitled to your records. The representative does not have the discretion to withhold any part of your record. If you do not designate a representative, we may decline to release the requested information. In some cases, it may be possible to release medical information directly to you rather than to your representative.

* * * * *

(c) Medical records of minors—(1) Request by the minor. You may request access to your own medical records in accordance with paragraph (b) of this section.

(2) Request on a minor/s behalf. * * *

(iii) Where a medical record on the minor exists, we will in all cases send it to the physician or health professional designated by the parent or guardian. The representative will review the record, discuss its contents with the parent or legal guardian, then release the entire record to the parent or legal guardian. The representative does not have the discretion to withhold any part of the minor's record. We will respond in the following similar manner to the parent or guardian making the request:

We have completed processing your request for notification of or access to ____'s (Name of minor) medical records. Please be informed that if any medical record was found pertaining to that individual, it has been sent to your designated physician or health professional.

* * * * *

6. Section 401.60 is amended by revising the section heading and first sentence of the paragraph to read as follows:

Access to or notification of program records about more than one individual.

When information about more than one individual is in one record filed under your social security number, you may receive the information about you and the fact of entitlement and the amount of benefits payable to other persons based on your record. * * *

7. Section 401.70 is revised to read as follows:

Appeals of refusals to correct records or refusals to allow access to records.

(a) General. This section describes how to appeal decisions made by SSA under the Privacy Act concerning your request for correction of or access to your records, those of your minor child or those of a person for whom you are the legal guardian. We generally handle a denial of your request for information about another person under the provisions of the Freedom of Information Act (see part 402 of this chapter). To appeal a decision under this section, your request must be in writing.

(b) Appeal of refusal to correct or amend records. If we deny your request Start Printed Page 53999to correct an SSA record, you may request a review of that decision. As discussed in § 401.65(e), our letter denying your request will tell you to whom to write.

(1) We will review your request within 30 working days from the date of the receipt. However, for a good reason and with the approval of the Executive Director for the Office of Public Disclosure, this time limit may be extended up to an additional 30 days. In that case, we will notify you about the delay, the reason for it and the date when the review is expected to be completed.

(2) If, after review, we determine that the record should be corrected, we will do so. However, if we refuse to amend the record as you requested, we will inform you that—

(i) Your request has been refused and the reason for refusing;

(ii) The refusal is SSA's final decision; and

(iii) You have a right to seek court review of SSA's final decision.

(3) We will also inform you that you have a right to file a statement of disagreement with the decision. Your statement should include the reason you disagree. We will make your statement available to anyone to whom the record is subsequently disclosed, together with a statement of our reasons for refusing to amend the record. Also, we will provide a copy of your statement to individuals whom we are aware received the record previously.

(c) Appeals after denial of access. If, under the Privacy Act, we deny your request for access to your own record, those of your minor child or those of a person to whom you are the legal guardian, we will advise you in writing of the reason for that denial, the name and title or position of the person responsible for the decision and your right to appeal that decision. You may appeal the denial decision to the Executive Director for the Office of Public Disclosure, 6401 Security Boulevard, Baltimore, MD 21235-6401, within 30 days after you receive notice denying all or part of your request, or, if later, within 30 days after you receive materials sent to you in partial compliance with your request.

(d) Filing your appeal. If you file an appeal, the Executive Director or his or her designee will review your request and any supporting information submitted and then send you a notice explaining the decision on your appeal. The time limit for making our decision after we receive your appeal is 30 working days. The Executive Director or his or her designee may extend this time limit up to 30 additional working days if one of the circumstances in 20 CFR 402.140 is met. We will notify you in writing of any extension, the reason for the extension and the date by which we will decide your appeal. The notice of the decision on your appeal will explain your right to have the matter reviewed in a Federal district court if you disagree with all or part of our decision.

8. Section 401.100 is revised to read as follows:

Disclosure of records with the written consent of the subject of the record.

(a) General. Except as permitted by the Privacy Act and the regulations in this chapter, or when required by the FOIA, we will not disclose your records without your written consent.

(b) Disclosure with written consent. The written consent must clearly specify to whom the information may be disclosed, the information you want us to disclose (e.g., social security number, date and place of birth, monthly Social Security benefit amount, date of entitlement), and, where applicable, during which time frame the information may be disclosed (e.g., during the school year, while the subject individual is out of the country, whenever the subject individual is receiving specific services).

(c) Disclosure of the entire record. We will not disclose your entire record. For example, we will not honor a blanket consent for all information in a system of records or any other record consisting of a variety of data elements. We will disclose only the information you specify in the consent. We will verify your identity and where applicable (e.g., where you consent to disclosure of a record to a specific individual), the identity of the individual to whom the record is to be disclosed.

(d) A parent or guardian of a minor is not authorized to give written consent to a disclosure of a minor's medical record. See § 401.55 (c)(2) for the procedures for disclosure of or access to medical records of minors.

9. Section 401.105 is amended by revising the second sentence of paragraph (b) to read as follows:

Disclosure of personal information without the consent of the subject of the record.
* * * * *

(b) * * * For administrative and personnel records, we apply the Privacy Act restrictions on disclosure. To the extent that SSA has physical custody of personnel records maintained as part of the Office of Personnel Management's (OPM) Privacy Act government-wide systems of records, these records are subject to OPM's rules on access and disclosure at 5 CFR parts 293 and 297. * * *

10. Paragraph (j) of § 401.110 is revised to read as follows:

Disclosure of personal information in nonprogram records without the consent of the subject of the record.
* * * * *

(j) To the Comptroller General, or any of his authorized representatives, in the course of the performance of duties of the Government Accountability Office.

* * * * *

11. Section 401.115 is amended by revising the introductory text to read as follows:

Disclosure of personal information in program records without the consent of the subject of the record.

This section describes how various laws control the disclosure or confidentiality of personal information that we keep. We disclose information in the program records only when a legitimate need exists. For example, we disclose information to officers and employees of SSA who have a need for the record in the performance of their duties. We also must consider the laws identified below in the respective order when we disclose program information:

* * * * *

12. Section 401.120 is amended by revising the last sentence in the paragraph to read as follows:

Disclosures required by law.

* * * These agencies include the Department of Veterans Affairs for its benefit programs, U.S. Citizenship and Immigration Services to carry out its duties regarding aliens, the Railroad Retirement Board for its benefit programs, and to Federal, State and local agencies administering Temporary Assistance for Needy Families, Medicaid, unemployment compensation, food stamps, and other programs.

13. Section 401.150 is revised to read as follows:

Compatible purposes.

(a) General. The Privacy Act allows us to disclose information without your consent to any other party for routine uses. “Routine use” means that your information can be disclosed for use in any program that is compatible with the purpose for which SSA collected the information.

(b) Notice of routine use disclosures. A list of permissible routine use disclosures is included in every system of records notice published in the Federal Register.

(c) Determining compatibility—(1) Disclosure to carry out SSA programs. Start Printed Page 54000We disclose information for routine uses where necessary to carry out SSA's programs.

(2) Disclosure to carry out programs similar to SSA programs. We disclose information for routine uses in the administration of other government programs that have the same purposes as SSA programs and meet the following conditions:

(i) The program is clearly identifiable as a Federal, State, or local government program.

(ii) The information requested concerns eligibility, benefit amounts, or other matters of benefit status in a Social Security program and is relevant to determining the same matters in the other program. For example, we disclose information to the Railroad Retirement Board for pension and unemployment compensation programs, to the Department of Veterans Affairs for its benefit programs, to worker's compensation programs, to State general assistance programs and to other income maintenance programs at all levels of government. We also disclose for health maintenance programs like Medicaid and Medicare.

(iii) In appropriate cases, we will disclose information for use in epidemiological and similar research.

14. Section 401.155 is amended by adding a sentence between the fourth and fifth sentences in paragraph (a) and by removing the last sentence of paragraph (b).

Law enforcement purposes.

(a) General. * * * The Privacy Act allows us to disclose information if the head of the law enforcement agency makes a written request giving enough information to show that the conditions in paragraphs (b) or (c) of this section are met, what information is needed, and why it is needed. * * *

* * * * *

15. Section 401.165 is amended by revising paragraph (b)(2) to read as follows:

Statistical and research activities.
* * * * *

(b) * * *

(2) The activity is designed to increase knowledge about present or alternative Social Security programs or other Federal or State income-maintenance or health-maintenance programs; or is used for research that is of importance to the Social Security program or the Social Security beneficiaries; or an epidemiological research project that relates to the Social Security program or beneficiaries; and

* * * * *

16. Section 401.175 is revised to read as follows:

Government Accountability Office.

We disclose information to the Government Accountability Office when that agency needs the information to carry out its duties.

17. Section 401.180 is revised to read as follows:

Disclosure under court order or other legal process.

(a) General. The Privacy Act permits us to disclose information when we are ordered to do so by a court of competent jurisdiction. When information is used in a court proceeding, it usually becomes part of the public record of the proceeding and its confidentiality often cannot be protected in that record. Much of the information that we collect and maintain in our records on individuals is especially sensitive. Therefore, we follow the rules in paragraph (d) of this section in deciding whether we may disclose information in response to an order from a court of competent jurisdiction. When we disclose pursuant to an order from a court of competent jurisdiction, and the order is a matter of public record, the Privacy Act requires us to send a notice of the disclosure to the last known address of the person whose record was disclosed.

(b) Court. For purposes of this section, a court is an institution of a judicial branch of government within the United States consisting of one or more judges who seek to adjudicate disputes and administer justice. Entities not in the judicial branch of government within the United States are not courts for purposes of this section.

(c) Court order. For purposes of this section, a court order is any legal process which satisfies all of the following conditions:

(1) It is issued under the authority of a court;

(2) A judge of that court signs it;

(3) It commands SSA to disclose information; and

(4) The court is a court of competent jurisdiction.

(d) Court of competent jurisdiction. It is the view of SSA that under the Privacy Act the Federal Government has not waived sovereign immunity, which precludes state court jurisdiction over a Federal agency or official. Therefore, SSA will not honor state court orders as an independent basis for disclosure except in the circumstances described in paragraph (g) of this section. Other state court orders will be treated in accordance with the other provisions of this part.

(e) Conditions for disclosure under a court order of competent jurisdiction. We disclose information in compliance with an order of a court of competent jurisdiction if —

(1) Another section of this part specifically allows such disclosure, or

(2) SSA, the Commissioner of Social Security, or any officer or employee of SSA in his or her official capacity is properly a party in the proceeding, or

(3) Disclosure of the information is necessary to ensure that an individual who is accused of criminal activity receives due process of law in a criminal proceeding.

(f) In other circumstances. We may disclose information to a court of competent jurisdiction in circumstances other than those stated in paragraph (e) of this section. We will make our decision regarding disclosure by balancing the needs of a court while preserving the confidentiality of information. For example, we may disclose information under a court order that restricts the use and redisclosure of the information by the participants in the proceeding; we may offer the information for inspection by the court in camera and under seal; or we may arrange for the court to exclude information identifying individuals from that portion of the record of the proceedings that is available to the public. We will make these determinations in accordance with section 401.140.

(g) Conditions for disclosure under state court orders. We may disclose information in compliance with a state court order only if the disclosure is necessary to preserve the rights of an accused to due process in a criminal proceeding. We will make our decision regarding disclosure by balancing the needs of a state court while preserving the confidentiality of information.

(h) Other regulations on request for testimony, subpoenas and production of records in legal proceedings. See 20 CFR part 403 of this chapter for additional rules covering disclosure of information and records governed by this part and requested in connection with legal proceedings.

End Part End Supplemental Information

[FR Doc. E6-15101 Filed 9-12-06; 8:45 am]

BILLING CODE 4191-02-P