TN 3 (11-98)

GN 03301.020 Privacy Act

A. Introduction

The Privacy Act (PA) lists specific situations in which an agency:

  • must disclose information to individuals who are the subject of agency records, and

  • may disclose information to certain third parties.

It seeks to give individuals a degree of control over records kept about them and the uses made of the records. It gives agencies the responsibility of ensuring that individuals' rights to privacy are protected.

B. Policy - PA

1. Scope

The PA does not nullify section 1106(a) of the Social Security Act because it does not extend to all personal information in SSA records.

The PA applies only to personal information contained in a “system of records, i.e., information retrieved by the use of a personal identifier.” Examples of such records are the Master Beneficiary Record or the Supplemental Security Income Record, in which information is retrieved by the beneficiary's SSN.

The PA does not apply to:

  • records not contained in a systems of records and retrieved by a personal identifier (such as records maintained by subject matter, date, or administrative codes),

  • deceased individuals, or

  • business entities.

2. Individual Rights

Individuals have the right to:

  • know what records are collected about them by the agency,

  • access their own records (see GN 03340.000), and

  • request that their own records be amended (see GN 03345.000).

3. SSA's Responsibilities

The following are SSA's responsibilities.

a. Acquiring and Collecting Information

SSA is required to:

  • Collect necessary information directly from the individual to the maximum extent possible.

  • Collect only information needed for the equitable and efficient administration of the Social Security Act. Information must be relevant to the purpose for which it is collected.

  • Tell the individual the legal authority for requesting information, and whether a response is mandatory or voluntary. (A response is mandatory only if there is a specific penalty under the law for failure to provide the information.)

  • Tell the individual why the information is needed, what routine use may be made of the information, and about the effects of failure to provide the information.

    • Tell the individual that information about entitlement may be verified by using computer matching, or be shared with other Federal and State agencies to determine or verify eligibility for their programs.

b. Disclosure

SSA will disclose information without the individual's consent only if permitted under one of the exceptions listed in GN 03301.020B.4., below.

c. Documentation

SSA is required to:

  • Publish notices in the Federal Register to inform individuals about systems of records maintained by the agency that may include personal information about them. (See AIMS, Chapter 14.05.)

  • Keep an accounting of disclosures unless the disclosures are within the agency on a need-to-know basis, required by the FOIA or made with the individual's written consent (See GN 03360.035).

4. Exceptions to the PA

There are twelve exceptions for which the PA allows an agency to disclose personal information without the individual's consent. The following is a list of the nine exceptions which commonly apply to SSA. A complete list of all exceptions is in GN 03301.099D., Exhibit 3.

Disclosure is permitted:

  • Within SSA on a need-to-know basis, i.e. when SSA employees need the information in order to perform their duties.

  • When required under the FOIA, as explained in GN 03301.015.

  • For a routine use. Routine uses are those which are published in the Social Security Administration Privacy Act Notices of Systems of Records (the Blue Book), a manual distributed to all SSA components. The most important routine uses are also listed in GN 03316.000.

  • For research and statistical purposes (see GN 03316.130).

  • For law enforcement purposes. Information may be disclosed to another agency or instrumentality of any governmental jurisdiction within or under control o