Privacy and Disclosure of Official Records and Information (United States)

Privacy and Disclosure of Official Records and Information

Published: 2007-04-27

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Unlimited Searches
Weekly Updates on New Laws
Access to 5,345,848 Global Laws from 110 Countries
View the Original Law Side-by-Side with the Translation

Subscribe Now for only USD$40 per month.

ACTION:
Final rules.
SUMMARY:
These final rules revise our privacy and disclosure rules to clarify certain provisions and to provide expanded regulatory support for new and existing responsibilities and functions. These changes in the regulations will increase Agency efficiency and ensure consistency in the implementation of the Social Security Administration's (SSA) policies and responsibilities under the Privacy Act and the Social Security Act.
DATES:
These rules are effective May 29, 2007.
FOR FURTHER INFORMATION CONTACT:
Christine W. Johnson, Office of Public Disclosure, 3-A-6 Operations Building, 6401 Security Boulevard, Baltimore, MD 21235-6401, (410) 965-8563 or TTY (410) 965-5609. For information on eligibility or filing for benefits, call our national toll-free numbers, 1-800-772-1213 or TTY 1-800-325-0778, or visit our Internet Web site, Social Security Online, at http://www.socialsecurity.gov.
SUPPLEMENTARY INFORMATION:
Electronic Version
The electronic file of this document is available on the date of publication in the Federal Register at http://www.gpoaccess.gov/FR/index.html.
Background
We last revised the privacy and disclosure regulations in 1980 when the Social Security Administration (SSA) was a part of the Department of Health and Human Services (DHHS) (formerly the Department of Health, Education and Welfare) and subject to DHHS' disclosure policy oversight. Since 1980, significant changes have occurred in the procedures. We are codifying these changes in the procedures governing access to, and disclosure of, personally identifiable information. We are also making minor housekeeping changes to further clarify our procedures. In general, these final rules reflect SSA's compliance with technological, legal and legislative changes that have occurred since 1980.
We are clarifying the provisions regarding requests for access to information developed by medical sources for Social Security programs, fully describing the existing responsibilities and functions of the Privacy Officer position, establishing the new senior agency official for privacy as required by the Office of Management and Budget (OMB) and explaining the related responsibilities, and implementing SSA's new Privacy Impact Assessment process in accordance with the E-Government Act of 2002, Pub. L. 107-347. As required by OMB, we are requiring adequate safeguards against inappropriate disclosure of personal information by electronic means, e.g., over the Internet, and revising our procedures on notification of, or access to, medical records on behalf of another person, e.g., an adult or child.
These final rules also clarify SSA policy concerning an individual's access to, or notification of, program records, amend the language concerning appeal requests under the Privacy Act to include denial of access to the record, and amend the language to insert the word “written” prior to “consent” to clarify that the requirement means disclosure with written consent and expands the language to more clearly define what information we will disclose with written consent. We are revising the language to show that SSA also has physical custody of personnel records, and revising the language under disclosure of personal information in nonprogram records to show the new name of the former General Accounting Office.
These final rules amend the language under disclosure of personal information in program records to make clear that we disclose information from program records only when there is a legitimate need for the information, and revise the language under disclosures required by law to show the current name for Aid to Families with Dependent Children. We are amending the language under compatible purposes to clearly state how we implement the routine use provision of the Privacy Act (5 U.S.C. 552a(b)(3)) and what we mean by routine use in terms of the information we can disclose, and amending the language under law enforcement purposes to clarify that disclosures under 5 U.S.C. 552a(b)(7) also require a written request. We are amending the language under statistical and research activities to reflect the language in the new routine use of data for research purposes, amending the language in the General Accounting Office section to correctly reflect the new name of the agency, and clarifying certain matters related to our rules on disclosure under court order and other legal process.
Comments on the Notice of Proposed Rulemaking
We published the Notice of Proposed Rulemaking (NPRM) in the Federal Register on September 13, 2006 (71 FR at 53994). The 60-day comment period ended on November 13, 2006. We received no public comments on the proposed rule. Accordingly, we are adopting the proposed rules as final rules. However, we made one substantive change to proposed § 401.180, which we discuss below in connection with the explanation of how these final rules change the current rules. We also made a few minor revisions to the text of the proposed rules for clarity. The changes are all non-substantive.
Explanation of Changes
Section 401.20Scope
We are amending the section heading in § 401.20(a) to read “Access” and amending paragraph (a) to clarify the rules regarding the access provision as it pertains to information developed by medical sources that perform consultative examinations for us. We are amending the heading in § 401.20(b)(1)(iii) to read “Records kept by medical sources,” and amending the language in that paragraph.
Section 401.30Privacy Act and Other Responsibilities
We are adding new paragraphs (d), (e) and (f) to § 401.30.
Privacy Officer
New paragraph § 401.30(d) fully describes the position of the SSA Privacy Officer and the responsibilities and functions of that position. SSA has always had a designated Privacy Officer since the enactment of the Privacy Act in 1974. Since that time, the Privacy Officer has overall responsibility for coordination of SSA privacy matters within the Agency. As such, the Privacy Officer advises the Agency on privacy policy matters and is responsible for developing and implementing privacy policies and related requirements, ensures compliance with the Privacy Act, and provides general oversight of privacy and disclosure policy involving privacy and disclosure matters. The Privacy Officer has other responsibilities including evaluating legislative proposals and other initiatives proposed by Congress, other agencies and the public, and reviewing multifunctional projects, studies and research activities involving personal information. The responsibilities also include facilitating the incorporation of privacy principles into information technology systems architectures and technical designs to ensure that privacy policies and practices are properly reflected in our business requirements.
We are providing an explanation of the Privacy Officer's responsibilities to emphasize SSA's long-standing commitment to the public that personal information maintained in SSA's Privacy Act systems of records is handled in full compliance with the law.
Senior Agency Official for Privacy
To help protect the privacy rights of Americans and to ensure that agencies continue to have effective information privacy management programs in place to carry out this important responsibility, OMB requires that each agency designate a senior agency official to serve as the person in charge of privacy issues.
The Senior Agency Official for Privacy will have overall responsibility and accountability for privacy issues at the national and agency-wide levels. The official will also have a central role in overseeing agency compliance efforts in privacy policy procedures as well as a key role in policy-making as it pertains to the development and evaluation of legislative, regulatory and other policy proposals that might implicate privacy issues.
New paragraph § 401.30(e) establishes SSA's Senior Agency Official for Privacy and fully describe the responsibilities of that position as prescribed by OMB. (See OMB Memorandum M-08-05, dated February 11, 2005).
Privacy Impact Assessments
In accordance with Section 208 of the E-Government Act of 2002 (Pub. L. 107-347, 44 U.S.C. 3501 note), the Office of Management and Budget now requires that certain Information Technology (IT) projects receive a special privacy review called a Privacy Impact Assessment (PIA). The PIA review is in addition to the current SSA requirement that SSA's Privacy Officer certify Agency procurement requests for automated data processing resources and proposed contracts. The PIA review will strengthen the existing process by incorporating privacy involvement directly into the development of the IT system lifecycle and establishing a process that the entire Agency can understand in terms of privacy involvement in IT system development efforts.
New paragraph § 401.30(f) describes the PIA requirements for ensuring that privacy considerations receive a standardized review. We will determine if adequate measures have been taken to protect the privacy of the personally identifiable information the IT project will affect and if the requirements of the Privacy Act and applicable SSA regulations and policy are properly addressed.
Section 401.45Verifying Your Identity
We are adding to § 401.45 new paragraphs (b)(3) and (b)(4) to emphasize that when SSA provides convenient service to you over open computer networks such as the Internet, we will adequately protect against improper disclosure of records. We are redesignating present paragraphs (b)(3), (b)(4) and (b)(5) as (b)(5), (b)(6) and (b)(7), respectively. We are also revising the language in redesignated (b)(5).
Increasingly, computer technology enables us to transact business with you as a taxpayer, Social Security beneficiary, employer or third-party organization. We are moving cautiously to allow you to communicate with us securely over open networks such as the Internet. Such expanded services are dependent on our development of practices and mechanisms to ensure identity confirmation to protect you against improper disclosure of the personal information we maintain in our records, and to improve privacy protections.
Section 401.55Special Procedures for Notification of or Access to Medical Records
We are revising the section heading to read “Access to medical records.” We are revising the procedures for access to medical records to conform to the practices and systems of records that set out special procedures under which individuals may have direct access to their medical records.
Currently, when you request your medical records, § 401.55(b)(1)(ii) requires you to designate a representative to receive the records for you and gives the representative the discretion to inform you about the contents of your record. We are modifying the special procedures in that paragraph to require the representative to release your record to you after the discussion of its contents. The representative no longer has the discretion to withhold any part of your record.
Section 401.55(c)(2)(iii) currently gives a designated representative (e.g., family physician or other health care professional) discretion about making the contents of a minor's medical record available to the parent or legal guardian. These final rules modify this provision to require the representative to release the minor's records to the parent or legal guardian following the discussion of its contents. Additionally, we are redesignating present paragraph (d) concerning requests on behalf of incapacitated adults as paragraph (c)(3).
Section 401.60Access or Notification of Program Records About Two or More Individuals
Currently, § 401.60 is entitled “Access or notification of program records about two or more individuals.” The first sentence in the section reads “When information about two or more individuals is in one record filed under your social security number, you may receive the information about you and the fact of entitlement and the amount of benefits payable to other persons based on your record.” We are amending § 401.60 by inserting the word “to” after the word “Access” in the heading and revising the language in both the heading and first sentence to read “about more than one individual.”
Section 401.70Appeals of Refusals To Correct or Amend Records
Currently, § 401.70 is entitled “Appeals of refusals to correct or amend records.” We are amending the section heading to include appeals after denial of access. We are clarifying the policy in the section by revising the language in existing paragraphs (a), (b) and (c). We are adding a new paragraph (d) to clearly explain the process after you file your appeal.
Section 401.100Disclosure of Records With the Consent of the Subject of the Record
We are amending the language in the section heading under § 401.100 to insert the word “written” before “consent.” We are revising the language in paragraph (a) to clarify that the consent must be in writing and define what information we will disclose with written consent. To present the information in a more reader-friendly format, the second and third sentences of paragraph (a) are designated as new paragraphs (b) “Disclosure with written consent”, and (c) “Disclosure of the entire record,” respectively. We are making conforming changes to existing paragraph (b) and redesignating it as paragraph (d).
Section 401.105Disclosure of Personal Information Without the Consent of the Subject of the Record
We are revising the second sentence of paragraph (b) into two sentences to clarify that SSA also has physical custody of personnel records maintained as part of the Office of Personnel Management's (OPM) Privacy Act government-wide systems of records and that these records are subject to OPM's rules on access and disclosure at 5 CFR parts 293 and 297.
Section 401.110Disclosure of Personal Information in Nonprogram Records Without the Consent of the Subject of the Record
We are amending the language in § 401.110(j) to show the new name for the former General Accounting Office.
Section 401.115Disclosure of Personal Information in Program Records Without the Consent of the Subject of the Record
We are amending the introductory language in § 401.115 to make clear that the information in program records will be disclosed only on a need-to-know basis.
Section 401.120Disclosure Required by Law
Currently, the last sentence in § 401.120 reads “* * * and to Federal, State and local agencies administering Aid to Families with Dependent Children, Medicaid, unemployment compensation, food stamps, and other programs.” We are amending the language to reflect the current name of the AFDC program. The new name will read “* * * Temporary Assistance for Needy Families * * *”
Section 401.150Compatible Purposes
We are amending § 401.150 to clearly state how we implement the routine use provision. More specifically, the language in paragraphs (a) and (b) is expanded to include what we mean by “routine use” in terms of the information we can disclose and how we give notice of routine use disclosures, respectively. We are amending paragraph (c) by adding new paragraphs (c)(1) and (c)(2) to clearly show the distinctions between disclosure in SSA programs and programs similar to SSA programs, for compatibility purposes.
Section 401.155Law Enforcement Purposes
We are amending § 401.155 to make clear that the Privacy Act requires a written request for information from the head of the law enforcement agency in situations involving both serious crimes and criminal activity involving Social Security programs or other programs with the same purpose.
Section 401.165Statistical and Research Activities
We are amending § 401.165 to make it consistent with the recently published new routine use of data for research purposes.
Section 401.175General Accounting Office
We are amending the section heading in § 401.175 to reflect a name change. The new heading will read “Government Accountability Office.” We are also revising the language in the paragraph to read “* * * to the Government Accountability Office when that agency needs the information to carry out its duties.”
Section 401.180Courts
We are revising the entire section of § 401.180 to clarify our policy on disclosure when we receive an order from a court of competent jurisdiction.
In 1980, when § 401.180 was initially published as a final rule, the status of subpoenas and other legal process under paragraph (b)(11) of the statute was unclear. Since then, SSA has not treated a subpoena or similar legal process as a court order unless a judge signs it. We believe that this position is now established as law as it is consistent with court decisions and OMB guidance interpreting the Privacy Act. See, e.g., Doe v. DiGenova , 779 F.2d 74 (D.C. Cir. 1985); Stiles v. Atlanta Gas Light Co. , 453 F.Supp. 798 (N.D. Ga. 1978).
The Privacy Act (5 U.S.C. 552a(b)(11)) permits disclosure by an agency pursuant to the order of a court of competent jurisdiction. Under this provision, we consider only a Federal court of the United States to be a court of competent jurisdiction. However, the proposed rules provided that we may disclose information in compliance with a state court order if the disclosure was necessary to preserve the rights of an accused to due process in a criminal proceeding (71 FR at 54000). This provision of the proposed rules could have been misconstrued to be inconsistent with the Privacy Act and proposed (and final) § 401.180(d). Final § 401.180(d) states our view that, under the Privacy Act, the Federal Government has not waived its sovereign immunity, which would preclude state court jurisdiction over a Federal agency or official. Since a state court does not have jurisdiction over a Federal agency or official in the absence of a waiver of the Federal Government's sovereign immunity, we have deleted the exception for certain state court orders set out in proposed § 401.180(g).
The final rules are consistent with our position that state court orders do not provide an independent basis for disclosure. Consequently, under the final rules, we may disclose information in response to a state court order only if another provision of this part permits disclosure (such as law enforcement or consent). If we find an independent basis for disclosure, we may honor the request for information sought in the state court order under the authority of the other provision. As a result, in these final rules, we revised the second sentence of proposed § 401.180(d) to state that “* * * state court orders will be treated in accordance with other provisions of this part.”
We also amended the language as appropriate to make clear that, for purposes of this section, a court is a judicial branch of the Federal government. In a conforming change, we redesignated proposed § 401.180(h) as final § 401.180(g).
In paragraph 401.180(a) we make clear that when information disclosed from SSA records is used in court proceedings, it usually becomes part of the public record of the proceedings and its confidentiality often cannot be protected. Accordingly, we will follow the rules in new paragraph (d) of this section in deciding whether an order is from a court of competent jurisdiction.
We are changing the heading in paragraph (b) to read “Court” and amending the language in the paragraph to state SSA's position that a court, for purposes of 5 U.S.C. 552a(b)(11), is an institution of a judicial branch of the Federal government consisting of one or more judges who seek to adjudicate disputes and administer justice. The definition clarifies that other entities in other branches of the Federal government or not in the United States are not courts for purposes of the Privacy Act.
We are adding a new paragraph (c) to explain that only a legal process, such as a summons or warrant, that is signed by a judge and that commands the disclosure of information by SSA will be considered to be a court order for purposes of the statutory exception in 5 U.S.C. 552a(b)(11). References to subpoenas have been removed from this regulation.
When we receive legal process that is not an order of a court of competent jurisdiction, (such as a grand jury subpoena, a subpoena signed by the clerk of the court or the attorney representing a party to the proceeding), we may decide to disclose information if the conditions described in any other provision of this regulation would permit the disclosure (for example, for a compatible purpose under § 401.150). However, we will not disclose without an order from a court of competent jurisdiction if the Privacy Act or any other law would prohibit the disclosure without such an order. We are adding a new paragraph (d) to explain our view on court of competent jurisdiction.
In new paragraph (e) of this section we describe the conditions for disclosure under court order and clarify the rules on disclosure when a court order is involved.
We are adding a new paragraph (f) to explain that in other circumstances we may attempt to satisfy the needs of a court of competent jurisdiction when the circumstances in paragraph (e) are not met. We will make these determinations in accordance with 401.140.
We are removing existing paragraph (g) and redesignating paragraph (h) as paragraph (g). New paragraph (g) provides a cross-reference to additional regulations contained in 20 CFR part 403 concerning testimony and production of records in legal proceedings.
Regulatory Procedures
Executive Order 12866
The Office of Management and Budget has reviewed these final rules in accordance with Executive Order 12866, as amended by Executive Order 13258.
Regulatory Flexibility Act
We certify that these final rules would not have a significant economic impact on a substantial number of small entities because they affect only individuals or entities acting on their behalf. Thus, a regulatory flexibility analysis as provided in the Regulatory Flexibility Act, as amended, is not required.
Paperwork Reduction Act
These final rules contain reporting requirements as shown in the table below. Where the public reporting burden is accounted for in Information Collection Requests for the various forms that the public uses to submit the information to SSA, a 1-hour placeholder burden is being assigned to the specific reporting requirement(s) contained in these rules.
Section
Annual number of
responses
Frequency of response
Average burden per
response
(min.)
Estimated annual burden
(hours)
401.45(b)
20,000
1
10
3333
401.70(a)(b)
1
401.100(b)
1
Total
20,000
1
10
3335
An Information Collection Request has been submitted to OMB for clearance. To receive a copy of the OMB clearance package, you may call the SSA Reports Clearance Officer on 410-965-0454.
(Catalog of Federal Domestic Assistance Program Nos. 96.001 Social Security—Disability Insurance; 96.002 Social Security—Retirement Insurance; 96.004 Social Security—Survivors Insurance; 96.006 Supplemental Security Income).
List of Subjects in 20 CFR Part 401
Information, Records, Administrative practice and procedure, Archives and records.
Dated: January 17, 2007.
Jo Anne B. Barnhart,
Commissioner of Social Security.
Editorial Note:
This document was received at the Office of the Federal Register on April 20, 2007.
For the reasons set out in the preamble, we are amending subparts A, B and C of part 401 of chapter III of title 20 of the Code of Federal Regulations as set forth below:
PART 401—PRIVACY AND DISCLOSURE OF OFFICIAL RECORDS AND INFORMATION
1. The authority citation for part 401 continues to read as follows:
Authority:
Secs. 205, 702(a)(5), 1106, and 1141 of the Social Security Act (42 U.S.C. 405, 902(a)(5), 1306, and 1320b-11); 5 U.S.C. 552 and 552a; 8 U.S.C. 1360; 26 U.S.C. 6103; 30 U.S.C. 923.
2. Section 401.20 is amended by revising paragraphs (a) and (b)(1)(iii) to read as follows:
§ 401.20
(a) Access. Sections 401.30 through 401.95, which set out SSA's rules for implementing the Privacy Act, apply to records retrieved by an individual's name or personal identifier subject to the Privacy Act. The rules in §§ 401.30 through 401.95 also apply to information developed by medical sources for the Social Security program and shall not be accessed except as permitted by this part.
(b) * * *
(1) * * *
(iii) Information retained by medical sources pertaining to a consultative examination performed for the Social Security program shall not be disclosed except as permitted by this part.
3. Section 401.30 is amended by revising the heading and adding paragraphs (d), (e) and (f) to read as follows:
§ 401.30
(d) Privacy Officer. The Privacy Officer is an advisor to the Agency on all privacy policy and disclosure matters. The Privacy Officer coordinates the development and implementation of Agency privacy policies and related legal requirements to ensure Privacy Act compliance, and monitors the coordination, collection, maintenance, use and disclosure of personal information. The Privacy Officer also ensures the integration of privacy principles into information technology systems architecture and technical designs, and generally provides to Agency officials policy guidance and directives in carrying out the privacy and disclosure policy.
(e) Senior Agency Official for Privacy. The Senior Agency Official for Privacy assumes overall responsibility and accountability for ensuring the agency's implementation of information privacy protections as well as agency compliance with federal laws, regulations, and policies relating to the privacy of information, such as the Privacy Act. The compliance efforts also include reviewing information privacy procedures to ensure that they are comprehensive and up-to-date and, where additional or revised procedures may be called for, working with the relevant agency offices in the consideration, adoption, and implementation of such procedures. The official also ensures that agency employees and contractors receive appropriate training and education programs regarding the information privacy laws, regulations, polices and procedures governing the agency's handling of personal information. In addition to the compliance role, the official has a central policy-making role in the agency's development and evaluation of legislative, regulatory and other policy proposals which might implicate information privacy issues, including those relating to the collection, use, sharing, and disclosure of personal information.
(f) Privacy Impact Assessment. In our comprehensive Privacy Impact Assessment (PIA) review process, we incorporate the tenets of privacy law, SSA privacy regulations, and privacy policy directly into the development of certain Information Technology projects. Our review examines the risks and ramifications of collecting, maintaining and disseminating information in identifiable form in an electronic information system and identifies and evaluates protections and alternate processes to reduce the risk of unauthorized disclosures. As we accomplish the PIA review, we ask systems personnel and program personnel to resolve questions on data needs and data protection prior to the development of the electronic system.
4. Section 401.45 is amended by redesignating paragraphs (b)(3), (b)(4) and (b)(5) as (b)(5), (b)(6) and (b)(7), respectively, adding new paragraphs (b)(3) and (b)(4) and revising redesignated paragraph (b)(5) to read as follows:
§ 401.45
(b) * * *
(3) Electronic requests. If you make a request by computer or other electronic means, e.g., over the Internet, we require you to verify your identity by using identity confirmation procedures that are commensurate with the sensitivity of the information that you are requesting. If we cannot confirm your identity using our identity confirmation procedures, we will not process the electronic request. When you cannot verify your identity through our procedures, we will require you to submit your request in writing.
(4) Electronic disclosures. When we collect or provide personally identifiable information over open networks such as the Internet, we use encryption in all of our automated online transaction systems to protect the confidentiality of the information. When we provide an online access option, such as a standard e-mail comment form on our Web site, and encryption is not being used, we alert you that personally identifiable information (such as your social security number) should not be included in your message.
(5) Requests not made in person. Except as provided in paragraphs (b)(2) of this section, if you do not make a request in person, you must submit a written request to SSA to verify your identify or you must certify in your request that you are the individual you claim to be. You must also sign a statement that you understand that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense.
5. Section 401.55 is amended by revising the heading and paragraphs (a), (b)(1)(ii), (c)(1) and (c)(2)(iii) and by redesignating paragraph (d) as paragraph (c)(3) to read as follows:
§ 401.55
(a) General. You have a right to access your medical records, including any psychological information that we maintain.
(b) * * *
(1) * * *
(ii) When you request medical information about yourself, you must also name a representative in writing. The representative may be a physician, other health professional, or other responsible individual who will be willing to review the record and inform you of its contents. Following the discussion, you are entitled to your records. The representative does not have the discretion to withhold any part of your record. If you do not designate a representative, we may decline to release the requested information. In some cases, it may be possible to release medical information directly to you rather than to your representative.
(c) Medical records of minors.
(1) Request by the minor. You may request access to your own medical records in accordance with paragraph (b) of this section.
(2) Request on a minor's behalf. * * *
(iii) Where a medical record on the minor exists, we will in all cases send it to the physician or health professional designated by the parent or guardian. The representative will review the record, discuss its contents with the parent or legal guardian, then release the entire record to the parent or legal guardian. The representative does not have the discretion to withhold any part of the minor's record. We will respond in the following similar manner to the parent or guardian making the request: “We have completed processing your request for notification of or access to _____'s (Name of minor) medical records. Please be informed that if any medical record was found pertaining to that individual, it has been sent to your designated physician or health professional.”
6. Section 401.60 is amended by revising the section heading and first sentence of the paragraph to read as follows:
§ 401.60
When information about more than one individual is in one record filed under your social security number, you may receive the information about you and the fact of entitlement and the amount of benefits payable to other persons based on your record. * * *
7. Section 401.70 is revised to read as follows:
§ 401.70
(a) General. This section describes how to appeal decisions made by SSA under the Privacy Act concerning your request for correction of or access to your records, those of your minor child, or those of a person for whom you are the legal guardian. We generally handle a denial of your request for information about another person under the provisions of the Freedom of Information Act (see part 402 of this chapter). To appeal a decision under this section, your request must be in writing.
(b) Appeal of refusal to correct or amend records. If we deny your request to correct an SSA record, you may request a review of that decision. As discussed in § 401.65(e), our letter denying your request will tell you to whom to write.
(1) We will review your request within 30 working days from the date of the receipt. However, for a good reason and with the approval of the Executive Director for the Office of Public Disclosure, this time limit may be extended up to an additional 30 days. In that case, we will notify you about the delay, the reason for it and the date when the review is expected to be completed.
(2) If, after review, we determine that the record should be corrected, we will do so. However, if we refuse to amend the record as you requested, we will inform you that—
(i) Your request has been refused and the reason for refusing;
(ii) The refusal is SSA's final decision; and
(iii) You have a right to seek court review of SSA's final decision.
(3) We will also inform you that you have a right to file a statement of disagreement with the decision. Your statement should include the reason you disagree. We will make your statement available to anyone to whom the record is subsequently disclosed, together with a statement of our reasons for refusing to amend the record. Also, we will provide a copy of your statement to individuals whom we are aware received the record previously.
(c) Appeals after denial of access. If, under the Privacy Act, we deny your request for access to your own record, those of your minor child or those of a person to whom you are the legal guardian, we will advise you in writing of the reason for that denial, the name and title or position of the person responsible for the decision and your right to appeal that decision. You may appeal the denial decision to the Executive Director for the Office of Public Disclosure, 6401 Security Boulevard, Baltimore, MD 21235-6401, within 30 days after you receive notice denying all or part of your request, or, if later, within 30 days after you receive materials sent to you in partial compliance with your request.
(d) Filing your appeal. If you file an appeal, the Executive Director or his or her designee will review your request and any supporting information submitted and then send you a notice explaining the decision on your appeal. The time limit for making our decision after we receive your appeal is 30 working days. The Executive Director or his or her designee may extend this time limit up to 30 additional working days if one of the circumstances in 20 CFR 402.140 is met. We will notify you in writing of any extension, the reason for the extension and the date by which we will decide your appeal. The notice of the decision on your appeal will explain your right to have the matter reviewed in a Federal district court if you disagree with all or part of our decision.
8. Section 401.100 is revised to read as follows:
§ 401.100
(a) General. Except as permitted by the Privacy Act and the regulations in this part, or when required by the FOIA, we will not disclose your records without your written consent.
(b) Disclosure with written consent. The written consent must clearly specify to whom the information may be disclosed, the information you want us to disclose (e.g., social security number, date and place of birth, monthly Social Security benefit amount, date of entitlement), and, where applicable, during which timeframe the information may be disclosed (e.g., during the school year, while the subject individual is out of the country, whenever the subject individual is receiving specific services).
(c) Disclosure of the entire record. We will not disclose your entire record. For example, we will not honor a blanket consent for all information in a system of records or any other record consisting of a variety of data elements. We will disclose only the information you specify in the consent. We will verify your identity and where applicable (e.g., where you consent to disclosure of a record to a specific individual), the identity of the individual to whom the record is to be disclosed.
(d) A parent or guardian of a minor is not authorized to give written consent to a disclosure of a minor's medical record. See § 401.55(c)(2) for the procedures for disclosure of or access to medical records of minors.
9. Section 401.105 is amended by revising the second sentence of paragraph (b) to read as follows:
§ 401.105
(b) * * * For administrative and personnel records, the Privacy Act applies. To the extent that SSA has physical custody of personnel records maintained as part of the Office of Personnel Management's (OPM) Privacy Act government-wide systems of records, these records are subject to OPM's rules on access and disclosure at 5 CFR parts 293 and 297. * * *
10. Paragraph (j) of § 401.110 is revised to read as follows:
§ 401.110
(j) To the Comptroller General, or any of his authorized representatives, in the course of the performance of duties of the Government Accountability Office.
11. Section 401.115 is amended by revising the introductory text to read as follows:
§ 401.115
This section describes how various laws control the disclosure of personal information that we keep. We disclose information in the program records only when a legitimate need exists. For example, we disclose information to officers and employees of SSA who have a need for the record in the performance of their duties. We also must consider the laws identified below in the respective order when we disclose program information:
12. Section 401.120 is amended by revising the last sentence in the paragraph to read as follows:
§ 401.120
* * * These agencies include the Department of Veterans Affairs for its benefit programs, U.S. Citizenship and Immigration Services to carry out its duties regarding aliens, the Railroad Retirement Board for its benefit programs, and to Federal, State and local agencies administering Temporary Assistance for Needy Families, Medicaid, unemployment compensation, food stamps, and other programs.
13. Section 401.150 is revised to read as follows:
§ 401.150
(a) General. The Privacy Act allows us to disclose information maintained in a system of records without your consent to any other party if such disclosure is pursuant to a routine use published in the system's notice of system of records. A “Routine use” must be compatible with the purpose for which SSA collected the information.
(b) Notice of routine use disclosures. A list of permissible routine use disclosures is included in every system of records notice published in the Federal Register .
(c) Determining compatibility.
(1) Disclosure to carry out SSA programs. We disclose information for published routine uses necessary to carry out SSA's programs.
(2) Disclosure to carry out programs similar to SSA programs. We may disclose information for the administration of other government programs. These disclosures are pursuant to published routine uses where the use is compatible with the purpose for which the information was collected. These programs generally meet the following conditions:
(i) The program is clearly identifiable as a Federal, State, or local government program.
(ii) The information requested concerns eligibility, benefit amounts, or other matters of benefit status in a Social Security program and is relevant to determining the same matters in the other program. For example, we disclose information to the Railroad Retirement Board for pension and unemployment compensation programs, to the Department of Veterans Affairs for its benefit programs, to worker's compensation programs, to State general assistance programs and to other income maintenance programs at all levels of government. We also disclose for health maintenance programs like Medicaid and Medicare.
(iii) The information will be used for appropriate epidemiological or similar research purposes.
14. Section 401.155 is amended by adding the following language between the fourth and fifth sentences in paragraph (a) and by removing the last sentence of paragraph (b).
§ 401.155
(a) General. * * * The Privacy Act allows us to disclose information if the head of the law enforcement agency makes a written request giving enough information to show that the conditions in paragraphs (b) or (c) of this section are met, what information is needed, and why it is needed. * * *
15. Section 401.165 is amended by revising paragraph (b)(2) to read as follows:
§ 401.165
(b) * * *
(2) The activity is designed to increase knowledge about present or alternative Social Security programs or other Federal or State income-maintenance or health-maintenance programs; or is used for research that is of importance to the Social Security program or the Social Security beneficiaries; or an epidemiological research project that relates to the Social Security program or beneficiaries; and
16. Section 401.175 is revised to read as follows:
§ 401.175
We disclose information to the Government Accountability Office when that agency needs the information to carry out its duties.
17. Section 401.180 is revised to read as follows:
§ 401.180
(a) General. The Privacy Act permits us to disclose information when we are ordered to do so by a court of competent jurisdiction. When information is used in a court proceeding, it usually becomes part of the public record of the proceeding and its confidentiality often cannot be protected in that record. Much of the information that we collect and maintain in our records on individuals is especially sensitive. Therefore, we follow the rules in paragraph (d) of this section in deciding whether we may disclose information in response to an order from a court of competent jurisdiction. When we disclose pursuant to an order from a court of competent jurisdiction, and the order is a matter of public record, the Privacy Act requires us to send a notice of the disclosure to the last known address of the person whose record was disclosed.
(b) Court. For purposes of this section, a court is an institution of the judicial branch of the U.S. Federal government consisting of one or more judges who seek to adjudicate disputes and administer justice. (See 404.2(c)(6) of this chapter). Entities not in the judicial branch of the Federal government are not courts for purposes of this section.
(c) Court order. For purposes of this section, a court order is any legal process which satisfies all of the following conditions:
(1) It is issued under the authority of a Federal court;
(2) A judge or a magistrate judge of that court signs it;
(3) It commands SSA to disclose information; and
(4) The court is a court of competent jurisdiction.
(d) Court of competent jurisdiction. It is the view of SSA that under the Privacy Act the Federal Government has not waived sovereign immunity, which precludes state court jurisdiction over a Federal agency or official. Therefore, SSA will not honor state court orders as a basis for disclosure. State court orders will be treated in accordance with the other provisions of this part.
(e) Conditions for disclosure under a court order of competent jurisdiction. We disclose information in compliance with an order of a court of competent jurisdiction if—
(1) another section of this part specifically allows such disclosure, or
(2) SSA, the Commissioner of Social Security, or any officer or employee of SSA in his or her official capacity is properly a party in the proceeding, or
(3) disclosure of the information is necessary to ensure that an individual who is accused of criminal activity receives due process of law in a criminal proceeding under the jurisdiction of the judicial branch of the Federal government.
(f) In other circumstances. We may disclose information to a court of competent jurisdiction in circumstances other than those stated in paragraph (e) of this section. We will make our decision regarding disclosure by balancing the needs of a court while preserving the confidentiality of information. For example, we may disclose information under a court order that restricts the use and redisclosure of the information by the participants in the proceeding; we may offer the information for inspection by the court in camera and under seal; or we may arrange for the court to exclude information identifying individuals from that portion of the record of the proceedings that is available to the public. We will make these determinations in accordance with § 401.140.
(g) Other regulations on request for testimony, subpoenas and production of records in legal proceedings. See 20 CFR part 403 of this chapter for additional rules covering disclosure of information and records governed by this part and requested in connection with legal proceedings.
[FR Doc. E7-7940 Filed 4-26-07; 8:45 am]
BILLING CODE 4191-02-P