Effective Dates: 12/09/1998 - Present Previous | Next

TN 5 (02-20)

GN 03301.020 Privacy Act

A. Introduction

The Privacy Act (PA) lists specific situations in which an agency:

  • must disclose information to individuals who are the subject of agency records, and

  • may disclose information to certain third parties.

It seeks to give individuals a degree of control over records kept about them and the uses made of the records. It gives agencies the responsibility of ensuring that individuals' rights to privacy are protected.

B. Policy - PA

1. Scope

The PA does not nullify section 1106(a) of the Social Security Act because it does not extend to all personal information in SSA records.

The PA applies only to personal information contained in a “system of records, i.e., information retrieved by the use of a personal identifier.” Examples of such records are the Master Beneficiary Record or the Supplemental Security Income Record, in which information is retrieved by the beneficiary's SSN.

The PA does not apply to:

  • records not contained in a systems of records and retrieved by a personal identifier (such as records maintained by subject matter, date, or administrative codes),

  • deceased individuals, or

  • business entities.

2. Individual Rights

Individuals have the right to:

  • know what records are collected about them by the agency,

  • access their own records (see GN 03340.000), and

  • request that their own records be amended (see GN 03345.000).

3. SSA's Responsibilities

The following are SSA's responsibilities.

a. Acquiring and Collecting Information

SSA is required to:

  • Collect necessary information directly from the individual to the maximum extent possible.

  • Collect only information needed for the equitable and efficient administration of the Social Security Act. Information must be relevant to the purpose for which it is collected.

  • Tell the individual the legal authority for requesting information, and whether a response is mandatory or voluntary. (A response is mandatory only if there is a specific penalty under the law for failure to provide the information.)

  • Tell the individual why the information is needed, what routine use may be made of the information, and about the effects of failure to provide the information.

    • Tell the individual that information about entitlement may be verified by using computer matching, or be shared with other Federal and State agencies to determine or verify eligibility for their programs.

b. Disclosure

SSA will disclose information without the individual's consent only if permitted under one of the exceptions listed in GN 03301.020B.4., below.

c. Documentation

SSA is required to:

  • Publish notices in the Federal Register to inform individuals about systems of records maintained by the agency that may include personal information about them. (See AIMS, Chapter 14.05.)

  • Keep an accounting of disclosures unless the disclosures are within the agency on a need-to-know basis, required by the FOIA or made with the individual's written consent (See GN 03360.035).

4. Exceptions to the PA

There are twelve exceptions for which the PA allows an agency to disclose personal information without the individual's consent. The following is a list of the nine exceptions which commonly apply to SSA. A complete list of all exceptions is in GN 03301.099D., Exhibit 3.

Disclosure is permitted:

  • Within SSA on a need-to-know basis, i.e. when SSA employees need the information in order to perform their duties.

  • When required under the FOIA, as explained in GN 03301.015.

  • For a routine use. Routine uses are those which are published in the Social Security Administration Privacy Act Notices of Systems of Records. The most important routine uses are also listed in GN 03316.000.

  • For research and statistical purposes (see GN 03316.130).

  • For law enforcement purposes. Information may be disclosed to another agency or instrumentality of any governmental jurisdiction within or under control of the U.S. for a civil or criminal law enforcement activity. The activity must be authorized by law and an official of the agency or instrumentality must make a written request.

    SSA's Regulation No. 1 is more restrictive on disclosures for law enforcement than is the PA (see GN 03312.000).

  • For health and safety reasons (see GN 03316.135).

  • Pursuant to the order of a court of competent jurisdiction (see GN 03330.000).

  • To either House of Congress, or to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee of Congress or subcommittee of any such joint committee.

  • To the Comptroller General, or any of his authorized representatives, in the course of the performance of the duties of the General Accounting Office.

C. Policy - Computer Matching Act Of 1988

1. Purpose

The purpose of the Computer Matching and Privacy Protection Act is to ensure that computer matching by Federal agencies meets the requirements for use of Federal records under the Privacy Act of 1974.

Computer matching is the computerized comparison of records for the purpose of:

  • establishing or verifying eligibility for a Federal benefit program, or

  • recouping payments or delinquent debts under such a program.

2. Notification Requirement

The Act requires SSA to explain to title II and title XVI beneficiaries and applicants that information about their initial or continued entitlement may be:

  • verified by using computer matching, or

  • shared with other Federal and State agencies to determine initial or continuing eligibility in their programs.

This explanation appears on most forms used to collect information from the public. It also appears on Form SSA-3157 (Facts About Computer Matching). (See the exhibit in

GN 03360.999.)

To Link to this section - Use this URL:
http://policy.ssa.gov/poms.nsf/lnx/0203301020
GN 03301.020 - Privacy Act - 12/09/1998
Batch run: 02/19/2020
Rev:12/09/1998