Skip to Content


Privacy Act of 1974, as Amended; Alteration to Existing Systems of Records

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble


Social Security Administration (SSA).


Proposed New Routine Use for Existing Systems of Records.


As mandated by the Office of Management and Budget (OMB) in Memorandum M-07-16, recommended by the President's Identity Theft Task Force, and in accordance with the Privacy Act (5 U.S.C. 552a(e)(4) and (11)), we are issuing public notice of our intent to establish a new routine use disclosure applicable to SSA's systems of records listed below under section I of the Supplementary Information section. The proposed routine use specifically permits the disclosure of SSA information in connection with response and remediation efforts in the event of an unintentional release of Agency information, otherwise known as a “data security breach.” Such a routine use would serve to protect the interests of the people whose information is at risk by allowing us to take appropriate steps to facilitate a timely and effective response to a data breach. It would also help us to improve our ability to prevent, minimize, or remedy any harm that may result from a compromise of data maintained in our systems of records. We invite public comment on this proposal.


We filed a report of the proposed new routine use disclosure with the Chairman of the Senate Committee on Homeland Security and Governmental Affairs, the Chairman of the House Committee on Oversight and Government Reform, and the Director, Office of Information and Regulatory Affairs, Office of Management and Budget (OMB) on November 19, 2007. The proposed routine use will become effective on December 24, 2007, unless we receive comments warranting it not to become effective.


Interested individuals may comment on this publication by writing to the Executive Director, Office of Public Disclosure, Office of the General Counsel, Social Security Administration, Room 3-A-6 Operations Building, 6401 Security Boulevard, Baltimore, Maryland 21235-6401. All comments received will be available for public inspection at the above address.

Start Further Info


Ms. Margo Wagner, Social Insurance Specialist, Disclosure Policy Development and Services Division 2, Office of Public Disclosure, Office of the General Counsel, Social Security Administration, Room 3-A-6 Operations Building, 6401 Security Boulevard, Baltimore, Maryland 21235-6401, telephone: (410) 965-1482, e-mail: or Mr. Neil Etter, Social Insurance Specialist, Disclosure Policy Development and Services Division 1, Office of Public Disclosure, Office of the General Counsel, Social Security Administration, Room 3-A-6 Operations Building, 6401 Security Boulevard, Baltimore, Maryland 21235-6401, telephone: (410) 965-8028, e-mail:

End Further Info End Preamble Start Supplemental Information


I. Discussion of the Proposed New Routine Use

OMB has mandated and the President's Identity Theft Task Force recommended that Federal agencies develop and publish a routine use for appropriate systems of records that allows for the disclosure of information in connection with the response and remedial efforts in the event of a data breach.

Subsection (b)(3) of the Privacy Act provides that information from an agency's system of records may be disclosed without a subject individual's consent if the disclosure is “for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section.” 5 U.S.C. 552a(b)(3). Subsection (a)(7) of the Act states that “the term `routine use' means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. 552a(a)(7). Providing information to help respond to and remediate a breach of Federal data qualifies as a necessary and proper use of information. Such a use is in the best interest of both the individual whose record is at issue and the public.

The Privacy Act requires that agencies publish notification in the Federal Register of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.” 5 U.S.C. 552a(e)(4)(D). Based on OMB's recommended language, we have developed the following routine use that we will apply to nearly all of our Privacy Act systems of records,[1] and that will allow for disclosure to appropriate agencies, entities, and persons under the following circumstances:

We may disclose information to appropriate Federal, State, and local agencies, entities, and persons when (1) we suspect or confirm that the security or confidentiality of information in this system of records has been compromised; (2) we determine that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs of SSA that rely upon the compromised information; and (3) we determine that disclosing the information to such agencies, entities, and persons is necessary to assist in our efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. SSA will use this routine use to respond only to those incidents involving an unintentional release of its records.

In nearly all cases, we will immediately notify affected individuals before informing any other entity. In the rare event that law enforcement needs require us to delay consumer notification, this delay will be limited to the minimum amount of time needed. Timely notification allows individuals the opportunity to minimize or prevent the occurrence of harm.

SSA will establish a new routine use to be included in the following systems of records: Start Printed Page 69724

System No. and nameNew routine useFederal Register publication date/citation No.
60-0001—Assignment and Correspondence Tracking Act (ACT)No. 771 FR 1800, 01/11/06.
60-0002—Optical System for Correspondence Analysis and ResponseNo. 871 FR 1802, 01/11/06.
60-0003—Attorney Fee FileNo. 971 FR 1803, 01/11/06.
60-0004—Working File of the Appeals CouncilNo. 670 FR 60383, 10/17/05.
60-0005—Administrative Law Judge Working File on Claimant CasesNo. 870 FR 60383, 10/17/05.
60-0006—Storage of Hearing Records: Tape Cassettes and Audiograph DiscsNo. 871 FR 1805, 01/11/06.
60-0009—Hearings and Appeals Case Control SystemNo. 465 FR 46997, 08/01/00.
60-0010—Hearing Office Tracking System of Claimant CasesNo. 671 FR 1806, 01/11/06.
60-0012—Listing and Alphabetical Name File (Folder) of Vocational Experts, Medical Experts, and Other Health Care/Non-Health Care Professionals Experts (Medicare)No. 771 FR 1807, 01/11/06.
60-0013—Records of Usage of Medical Experts, Vocational Experts, and Other Health Care/Non-Health Care Professionals Experts (Medicare)No.771 FR 1809, 01/11/06.
60-0014—Curriculum Vitae and Professional Qualifications of Medical Advisors, and Resumes of Vocational ExpertsNo. 859 FR 46439, 09/08/94.
60-0038—Employee Building Pass FilesNo. 759 FR 46439, 09/08/94.
60-0040—Quality Review SystemNo. 1465 FR 46997, 08/01/00.
60-0042—Quality Review Case FilesNo. 1465 FR 46997, 08/01/00.
60-0044—National Disability Determination ServicesNo. 1171 FR 11810, 01/11/06.
60-0045—Black Lung Payment SystemNo. 1468 FR 15784, 04/01/03.
60-0046—Disability Determination Service Consultant's FileNo. 771 FR 1812, 01/11/06.
60-0050—Completed Determination Record—Continuing Disability DeterminationsNo. 1071 FR 1814, 01/11/06.
60-0057—Quality Evaluation Data RecordsNo. 665 FR 46997, 08/01/00.
60-0058—Master Files of Social Security Number Holders and SSN ApplicationsNo. 4271 FR 1818, 01/11/06.
60-0063—Resource Accounting SystemNo. 659 FR 46439, 09/08/94.
60-0077—Congressional Inquiry FileNo. 771 FR 1823, 01/11/06.
60-0078—Public Inquiry Correspondence FileNo. 871 FR 1825, 01/11/06.
60-0089—Claims Folders SystemNo. 3671 FR 1829, 01/11/06.
60-0090—Master Beneficiary RecordNo. 3871 FR 1829, 01/11/06.
60-0094—Recovery of Overpayments, Accounting and ReportingNo. 970 FR 49354, 08/23/05.
60-0103—Supplemental Security Income RecordNo. 3771 FR 1829, 01/11/06.
60-0118—Non-Contributory Military Service Reimbursement SystemNo. 671 FR 18334, 01/11/06.
60-0159—Continuous Work History Sample (Statistics)No. 565 FR 46997, 08/01/00.
60-0186—SSA Litigation Tracking System New Routine Use No.No. 670 FR 60383, 10/17/05.
60-0196—Disability Studies, Surveys, Records and Extracts (Statistics)No. 465 FR 46997, 08/01/00.
60-0199—Extramural Surveys (Statistics)No. 471 FR 1835, 01/11/06.
60-0200—Retirement and Survivors Studies, Surveys, Records and Extracts (Statistics)No. 465 FR 46997, 08/01/00.
60-0202—Old Age, Survivors and Disability Beneficiary and Worker Records and Extracts (Statistics)No. 569 FR 11693, 03/11/04.
60-0203—Supplemental Security Income Studies, Surveys, Records and Extracts (Statistics)No. 565 FR 46997, 08/01/00.
60-0210—Record of Individuals Authorized Entry to Secured Automated Data Processing AreaNo. 759 FR 46439, 09/08/94.
60-0211—Beneficiary, Family and Household Surveys, Records and Extracts System (Statistics)No. 569 FR 11693, 03/11/04.
60-0213—Quality Review of Hearing/Appellate ProcessNo. 765 FR 46997, 08/01/00.
60-0214—Personal Identification Number File (PINFile)No. 559 FR 46441, 09/08/94.
60-0218—Disability Insurance and Supplemental Security Income Demonstration Projects and Experiments SystemNo. 771 FR 1837, 01/11/06.
60-0219—Representative Disqualification/Suspension Information SystemNo. 871 FR 1839, 01/11/06.
60-0220—Kentucky Birth Records SystemNo. 559 FR 46439, 09/08/94.
60-0221—Vocational Rehabilitation Reimbursement Case Processing SystemNo. 1071 FR 1841, 01/11/06.
60-0222—Master Representative Payee FileNo. 1871 FR 5399, 02/01/06.
60-0224—SSA-Initiated Personal Earnings and Benefit Estimate Statement (SIPEBES) History FileNo. 759 FR 54004, 10/27/94.
60-0225—SSA Initiated Personal Earnings and Benefit Estimate Statement Address System for Certain TerritoriesNo. 659 FR 54004, 10/27/94.
60-0228—Safety Management Information System (SSA Accident, Injury and Illness Reporting System)No. 771 FR 1844, 01/11/06.
60-0230—Social Security Administration Parking Management Record SystemNo. 571 FR 1846, 01/11/06.
60-0231—Financial Transactions of SSA Accounting and Finance OfficesNo. 1971 FR 1847, 01/11/06.
60-0232—Central Registry of Individuals Doing Business With SSA (Vendor File)No. 1171 FR 1849, 01/11/06.
60-0234—Employee Assistance Program (EAP) RecordsNo. 771 FR 1850, 01/11/06.
60-0236—Employee Development Program RecordsNo. 1371 FR 1853, 01/11/06.
60-0237—Employees' Medical RecordsNo. 871 FR 1854, 01/11/06.
60-0238—Pay, Leave and Attendance RecordsNo. 2571 FR 1856, 01/11/06.
60-0239—Personnel Records in Operating OfficesNo. 1771 FR 1859, 01/11/06.
60-0241—Employee Suggestion Program Records New Routine UsesNo. 671 FR 1861, 01/11/06.
60-0244—Administrative Grievances Filed Under Part 771 of 5 CFRNo. 1971 FR 1862, 01/11/06.
60-0245—Negotiated Grievance Procedure RecordsNo. 2171 FR 1864, 01/11/06.
60-0250—Equal Employment Opportunity (EEO) Counselor and Investigator Personnel RecordsNo. 1371 FR 1866, 01/11/06.
60-0255—Plans for Achieving Self-Support (PASS) Management Information SystemNo. 1971 FR 1867, 01/11/06.
60-0259—Claims Under the Federal Tort Claims Act and Military Personnel and Civilian Employees' Claim ActNo. 871 FR 1869, 01/11/06.
60-0262—Attorney Applicant FilesNo. 771 FR 1871, 01/11/06.
60-0268—Medicare Part B Buy-In Information SystemNo. 964 FR 10173, 03/02/99.
60-0269—Prisoner Update Processing System (PUPS)No. 1264 FR 11076, 03/08/99.
60-0270—Records of Individuals Authorized Entry into Secured Areas by Digital Lock Systems, Electronic Key Card Systems or Other Electronic Access DevicesNo. 565 FR 77953, 12/13/00.
Start Printed Page 69725
60-0273—Social Security Title VIII Special Veterans Benefits Claims Development and Management Information SystemNo. 1565 FR 13803, 03/14/00.
60-0274—Litigation Docket and Tracking SystemNo. 1171 FR 1872, 01/11/06.
60-0275—Civil Rights Complaints Filed by Members of the PublicNo. 971 FR 1874, 01/11/06.
60-0276—Social Security Administration's (SSA's) Talking and Listening to Customers (TLC)No. 665 FR 48272, 08/07/00.
60-0279—Social Security Administration's (SSA's) Mandate Against Red Tape (SMART)No. 765 FR 49047, 08/10/00.
60-0280—SSA Administrative SanctionsNo. 665 FR 54595, 09/08/00.
60-0290—Social Security Administration's Customer PIN/Password (PPW) Master File SystemNo. 771 FR 1874, 01/11/06.
60-0295—Ticket-to-Work and Self-Sufficiency Program Payment DatabaseNo. 866 FR 17985, 04/04/01.
60-0300—Ticket-to-Work Program Manager (PM) Management Information SystemNo. 866 FR 32656, 06/15/01.
60-0305—SSA Mass Transportation Subsidy Program SystemNo. 1267 FR 44658, 07/03/02.
60-0310—Medicare Savings Programs Information SystemNo. 869 FR 17019, 03/31/04.
60-0315—Reasonable Accommodation for Persons with Disabilities (RAPD)No. 1170 FR 62157, 10/28/05.
60-0318—Representative Payee/Misuse Restitution Control System (RP/MRCS)No. 870 FR 12774, 3/15/05.
60-0320—Electronic Disability Claim File (eDib)No. 3168 FR 71210, 12/22/03.
60-0321—Medicare Part D and Part D Subsidy FileNo. 1769 FR 77816, 12/28/04.
60-0328—National Docketing Management Information System (NDMIS)No. 1670 FR 34515, 06/14/05.
60-0330—eWorkNo. 1068 FR 54037, 09/15/03.
60-0340—eFOIANo. 1170 FR 3571, 01/25/03.
60-0350—Visitor Intake Process/Customer Service Record (VIP/CSR) SystemNo. 970 FR 59795, 10/13/05.
60-0355—The Non-Attorney Representative Prerequisites Process File (NARPPF)No. 1169 FR 77823, 12/28/04.
60-0361—Identity Management System (IDMS)No. 1571 FR 213, 11/03/06.
60-0370—The Representative Payee and Beneficiary Survey Data SystemNo. 671 FR 16399, 3/31/06.

We are not republishing in their entirety the notices of the systems of records to which we are adding the proposed new routine use disclosures. Instead, we are republishing only the identification number, the name of the system of record, the number of the new routine use and the issue of the Federal Register in which the system notice was last published, including the publication date and page number.

II. Compatibility of Proposed Routine Use

As mandated by OMB, as recommended by the President's Identity Theft Task Force, and in accordance with the Privacy Act (5 U.S.C. 552a(a)(7) and (b)(3)) and our disclosure regulation (20 CFR part 401), we are permitted to release information under a published routine use for a purpose that is compatible with the purpose for which we collected the information. Section 401.120 of our regulations provides that we will disclose information required by law. Since OMB has mandated the publication of this routine use, the proposed routine use is appropriate and meets the relevant statutory and regulatory criteria. In addition, disclosures to other agencies, entities and persons when needed to respond to an unintentional release are compatible with the reasons we collect the information, as helping to prevent and minimize the potential for harm is consistent with taking appropriate steps to protect information entrusted to us. See 5 U.S.C. 552a(e)(10).

III. Effect of the Proposed Routine Use Disclosure on the Rights of Individuals

The proposed routine use would serve to protect the interests of the people whose information is at risk. We would achieve this protection by taking appropriate steps to facilitate a timely and effective response to a security breach of our data, thereby improving our ability to prevent, minimize, or remedy any harm that may result from a compromise of data maintained in our systems of records. We do not anticipate that the proposed new routine use will have any unwarranted adverse effect on the rights of individuals about whom data will be disclosed.

Start Signature

Dated: November 13, 2007.

Michael J. Astrue,


End Signature End Supplemental Information


1.  Our Privacy Act systems of records that contain data protected under the Internal Revenue Code (IRC) will not contain this routine use as the IRC does not contain a provision that permits disclosure for this purpose.

Back to Citation

[FR Doc. E7-23875 Filed 12-7-07; 8:45 am]