The Privacy Act governs federal agencies’ collection and use of individuals’ personally identifying information (PII) in records they maintain. This law prohibits the disclosure of these records without an individual’s consent unless certain exceptions apply. This section and the other sections of this subchapter provide detailed guidance about SSA’s privacy and disclosure policies pertaining to consent based on the requirements of the Privacy Act and our related disclosure regulations (20 CFR 401.100).

In accordance with the Privacy Act, the Freedom of Information Act (FOIA), and section 1106 of the Social Security Act, fees may apply for processing consent-based requests for information for non-program purposes.

The following links provide the full text of the laws referenced above:

• •

  The Privacy Act - 5 USC 552a

• •

  The Freedom of Information Act - 5 USC 552

• •

  Section 1106 of the Social Security Act - 1106 Social Security Act

SSA may not disclose information from living individuals’ records to any person or third party without the prior written consent of the individual to whom the information pertains, unless one or more of the 12 Privacy Act exceptions apply. For more information about the Privacy Act exceptions, see GN 03305.003A.

The Privacy Act provides legal remedies, both criminal and civil, for violations of the Act. It also requires federal agencies to have adequate safeguards to protect records from unauthorized access and disclosure. Employees may incur criminal penalties for knowingly making improper disclosures of information from agency records. All SSA and DDS employees and contractors should be aware of and adhere to agency policies for safeguarding PII. For more information about safeguarding PII, visit the PII Portal Website.

Under the Privacy Act, an individual may give us written consent to disclose his or her personal information to a third party. Individuals may present Form SSA-3288 (Social Security Administration Consent for Release of Information) or its equivalent if it meets all of the consent requirements listed in GN 03305.003D. If the consenting individual’s identifying information (name, date of birth, and Social Security Number (SSN)) matches information contained in our records and we locate records responsive to the request, we will release the requested information to the third party named in the consent.

An individual must give us his or her SSN in order to consent to the release of information in our records to a third party. We use the SSN along with the name and date of birth the individual provides only as a means of locating records responsive to the request. If we locate records responsive to a request, we release the SSN only as part of the responsive records.

We verify and disclose SSNs only when the law requires it, when we receive a consent-based request from the individual to whom we assigned the SSN, or from someone who, by law, can act on behalf of that individual. The SSN card is the only document that SSA recognizes as an official verification of the SSN.

If an individual provides consent to verify his or her SSN by only checking the SSN box on the SSA-3288, or by using any other consent document, follow these steps:

1. 1. 

   Review the SSA-3288 (or other consent document) to ensure that all required fields are complete and include the necessary third party information;

2. 2. 

   Stamp the field office (FO) address on the original and annotate “Information provided matches our records” or “Information provided did not match our records.”

3. 3. 

   Retain a copy of the signed SSA-3288 to ensure a record of the individual’s consent. For retention and storage requirements, see GN 03305.010B; and

4. 4. 

   Return the original SSA-3288 (containing the FO address and annotated information) to the requester.

NOTE: If the consent document also requests other information, you do not need to annotate the SSA-3288 or other valid consent document if we provide another record in our response that displays the SSN.

When appropriate, direct third party requesters to our online SSN verification services, such as:

• •

  Consent-Based SSN Verification (CBSV) for enrolled private companies and government agencies for a fee;

• •

  Department of Homeland Security E-Verify Service (e-Verify) for employers to obtain verification of work authorization; and

• •

  Social Security Number Verification Service (SSNVS) for employers.

If these services are not suitable, advise the third party that the number holder must make his or her own request to the servicing FO.

For information about:

• •

  processing requests for a replacement SSN card, see RM 10205.025, RM 10210.015, and RM 10210.420;

• •

  processing requests for SSN printouts, see RM 10225.005; and

• •

  about SSN verifications and disclosures, see GN 03325.002.