TN 2 (01-17)
GN 03314.001 Disclosure Without Consent to State and Local Agencies and Native American Tribal Entities
This section provides policy and procedures concerning disclosures without consent that the Social Security Administration (SSA) makes to State and local agencies, including Native American Tribal Entities (hereinafter referred to as Tribal Entities). State and local agencies may request disclosure via email, telephone, field office (FO) visit, or electronic data exchange. However, the majority of the disclosures we make to State agencies for their administration of health maintenance and income maintenance programs occur via electronic data exchanges. For more information about how to direct State and local agencies to use these data exchanges, see GN 03314.001E.6. in this section.
The primary authorities for disclosures to State and local agencies are:
In limited cases, disclosure may also be required under the Freedom of Information Act (5 U.S.C. § 552) or other Federal laws.
NOTE: Any reference to a State or local agency throughout this section and the remaining sections in GN 03314.000 includes Tribal Entities. We process a request from a Tribal Entity in the same manner as a request from a State or local agency.
A. Terms applicable to disclosure to State and local agencies
1. Agent of a State or local government agency
A third party entity, authorized by a State or local government agency, to act on its behalf under certain conditions. (For information about these disclosures, see GN 03314.001F in this section.) An agent is also known as a contractor.
The release or showing of personal information about an individual to a third party. Individuals who have access rights to a number holder’s records are not considered third parties for purposes of disclosure. For example, a parent of a minor child or the court-appointed guardian of an incompetent adult may make an access request.
3. Health maintenance program
Any non-commercial program, such as Medicare and Medicaid, administered by a government agency that is designed to provide an individual with health care (both prevention and treatment), or to subsidize the cost of such care.
4. Income maintenance program
Any non-commercial program administered by a government agency that is designed to provide an individual with basic necessities of life, such as food, clothing, shelter, and utilities, or supplement the individual’s income to permit the purchase of such necessities. Loan programs of any type, even if subsidized by a government, such as the Department of Housing and Urban Development or another government agency, are not income-maintenance programs for disclosure purposes. Examples of State income-maintenance programs include:
Supplemental Nutritional Assistance Program;
Temporary Assistance for Needy Families;
Title XX services;
government pension programs; and
The principle of disclosing only the minimum information that is relevant and necessary to accomplish the purpose for which information is requested.
6. Non-tax return information
For the definition and examples of non-tax return information, see GN 03320.001D.2.
Any item, collection, or grouping of information about an individual an agency maintains, including, but not limited to: education, financial transactions, medical history, and criminal or employment history. A record contains the individual’s name, Social Security Number (SSN), or other identifying particulars assigned to the individual, such as a finger or voice print, or a photograph. 5 U.S.C. § 552a(a)(4).
8. Routine use
The disclosure of a record, without the consent of the individual to whom the record pertains, for a purpose that is compatible with the purpose for which we collected the record. 5 U.S.C. § 552a(a)(7).
Our statements of routine uses can be reviewed in the “routine use” section of each of our systems of records. New routine uses must be published in the Federal Register.
9. System of records
A group of records, under our control, from which we retrieve information by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. 5 U.S.C. § 552a(a)(5).
You can find a listing of all of our systems of records and their routine uses here: http://www.socialsecurity.gov/foia/bluebook/bluebook.htm.
10. Tax return information
For the definition and examples of tax return information, see GN 03320.001D.1.
B. Authorities for disclosure to State and local agencies
The Privacy Act is the primary legal authority for disclosures without consent to State and local agencies. However, when the disclosure concerns tax return information, the scope of allowable disclosures is controlled by disclosure regulations and the IRC. We may disclose an individual’s personal information to State and local agencies without consent under the following situations:
disclosure under a routine use (to administer a health maintenance or income maintenance program similar to an SSA program);
disclosure for a law enforcement purpose (consistent with the law enforcement regulations at § 401.155);
disclosure pursuant to compelling circumstances affecting the health and safety of an individual (consistent with the health and safety regulation at § 401.160); and
disclosure required by Federal law.
C. Data minimization policy
When making a disclosure of our data to State and local agencies, we must ensure that we disclose only the minimal amount of information that is relevant and necessary to satisfy the purpose of the request. Consider the following before making a disclosure:
if it is not necessary to disclose certain information, do not disclose it. Consider what uses the requesting entity might make of any information we disclose. For example, if there is no indication that the requesting entity maintains information by SSN or otherwise needs to know the SSN, do not disclose it.
when deciding how much information to disclose, consider whether the requester can obtain the information elsewhere.
D. Requirements for a request for disclosure
A disclosure request from a State or local agency must meet certain requirements. The request must:
be from an employee or official of the requesting agency, who is authorized by the head of the agency to request information from us. (If the request is in writing, it must be on that agency’s letterhead. The agency submitting the request is responsible for ensuring the individual making the request has the authority to do so);
contain sufficient justification to enable us to determine whether we can disclose the requested information;
contain a description of the information being sought; and
contain sufficient identifying information to enable us to locate the requested information in our systems.
E. Procedures for handling requests
1. Guidance for handling requests
If a procedure for handling a request is discussed in any section of GN 03314.000, follow that procedure.
If a request for information from a State or local agency does not meet our criteria for disclosure as discussed in subchapter GN 03314.000 or any other chapter in GN 03300.000, handle the request as a potential Freedom of Information Act (FOIA) denial and follow the procedures in GN 03350.005B.3.
FOs or other components should consult with the regional Privacy Act Coordinators (PACs) for questions concerning the appropriateness of a disclosure. As necessary, PACs should consult with the Office of Privacy and Disclosure (OPD).
2. Analyzing the State or local agency’s request for disclosure
Upon receipt of a disclosure request from a State or local agency, take these actions to analyze the request:
ensure the requester identifies the specific information the State or local agency is requesting;
identify the system(s) of records that controls the collection and disclosure of the requested information; and
determine if the applicable system(s) of records contains a routine use that permits the disclosure of the information, without consent, to the requesting agency.
A large majority of disclosures to State and local agencies are permissible under our health maintenance and income maintenance routine use (disclosure of our data to State and local agencies that administer health maintenance and income maintenance programs that are similar to the programs that we administer). For more information on these programs, see GN 03314.005.
3. Requests for information via telephone
When we receive disclosure requests from State and local agencies via telephone, follow the requirements in GN 03360.005A.8. When the caller does not know the SSN of the number holder whose record they are requesting, do not provide the SSNs or any other personal information over the telephone, via fax, or by email. See guidance in GN 03360.005A.1.b.
4. Releasing personal information via email
Our policy on the use of email conforms to the National Institute of Standards and Technology’s Special Publication 800-45, “Guidelines on Electronic Mail Security.” We are not permitted to transmit personally identifiable information (PII) outside of our firewall unless the email is encrypted. We have established secured network connections with some agencies that enable us to use encrypted email that includes PII to conduct agency business.
We maintain a full, updated list of our secure partner agencies at http://ois.ssahost.ba.ssa.gov/dto/data_loss_prevention/secure_partners.htm. Sending PII via email must be done in accordance with SSA policies and procedures. For more information regarding the use of encrypted email for business purposes, refer to the Information Security Policy (ISP).
5. Field office (FO) handling of disclosure requests
State or local agencies may submit requests to FOs for a variety of reasons:
there is no formal data exchange arrangement in place with the requesting agency;
it is a singular request;
the request is for an emergency situation or a law enforcement purpose; or
the information the agency is requesting is available only manually.
FOs are staffed to assist the local population base. Each FO services a certain number of zip codes and assists individuals and third party requesters in the office’s designated service area. While a beneficiary may visit any FO and receive service, a third-party requester (public or private) should seek service from the FO servicing the inquired-about individual’s mailing zip code. For more information on determining appropriate servicing offices, see GN 00904.010. For sample language to use when a third party requests information from an FO outside of its servicing area, see GN 03305.020.
When handling a disclosure request, FOs should determine how the request impacts their resources and normal operations and, as necessary, seek guidance from the regional office, through the regional PAC.
6. Disclosure via electronic data exchanges
We have established electronic data exchanges to facilitate routine use disclosures of information to State and local agencies. For example, we have a number of data exchange agreements in effect with State agencies that administer health maintenance and income maintenance programs. These data exchanges are the most efficient and cost-effective means of providing information to State and local agencies that need our information on an ongoing basis. We should direct State and local agencies requesting information from FOs to these data exchanges. As necessary, FOs may consult with the regional Data Exchange Coordinator or PAC to determine if we have a data exchange in effect with a particular State or local agency. Central office components should contact the Office of Data Exchange and Policy Publications. For information on the data exchange systems through which we exchange data with State and local agencies, see GN 03314.155.
F. Disclosure to an agent of the State or local agency
Many State and local agencies use a third party as an agent or contractor to administer, or assist in administering, its health maintenance or income maintenance programs. Agents or contractors of a State or local agency may only have access to the information we provide to the State or local agencies under all of the following conditions:
the agent/contractor is in a contractual or similar arrangement with the State or local agency to act on the State or local agency’s behalf to administer, or assist in administering, the health maintenance or income maintenance program(s) noted within the State or local agency’s data exchange agreement with SSA;
we have proof of the relationship from the State or local agency (a copy of its contract or other formal agreement with the agent/contractor or a written communication on the agency’s letterhead stating that the agent/contractor is acting as its agent in the matter at hand);
the purpose of the disclosure and use of the data by the agent/contractor is consistent with the written data exchange agreement we have with the State or local agency;
we have a routine use that allows the disclosure (see GN 03314.001A.7. in this section for the definition of routine use); and
the agent/contractor agrees in writing to abide by all of the use, redisclosure restrictions, and security requirements in the data exchange agreement.
As needed, consult with OPD for assistance in determining if a State or local agency’s agent/contractor meets the conditions in this section.