Archives

Guidance on Protecting Federal Employee Social Security Numbers and Combating Identify Theft

Most privacy legislation and executive orders dealing with privacy concern protecting the common citizen’s right to privacy. While Government employees are not always afforded the same privacy and civil liberties rights, the government has taken some steps to safeguard their information.

In June 2007, the Office of Personnel Management published the “Guidance on Protecting Federal Employee Social Security Numbers and Combating Identity Theft.” The memorandum recognized that the use of a social security number as an employee identifier placed government employees at greater risk for identify theft should unauthorized access or disclosure occur. The memorandum required agencies to limit the unnecessary use of Social Security Numbers as the main identifier for government employees.

Social Security Numbers and Identify Theft

Social Security Numbers were originally issued in 1936 for taxation purposes. Since that time, SSNs have become something of a national identifier for individuals. It is used on everything from job applications to financial accounts and medical records. As such the importance of protecting the secrecy of one’s Social Security Number has grown. With the move to electronic record keeping systems, identity theft has become a widespread concern. With just an individual’s name, address and social security number, a criminal can open credit accounts, take out loans, buy property and wreak havoc with a person’s   financial standing. Employers used to use Social Security Numbers to avoid developing their own employee identification system, however with the increased risk of identify theft, the use of SSN as the main identifier in the work place and with other institutions has been phased out.

Protection of Federal Employee Social Security Numbers

The memorandum made several recommendations based on the findings of the Presidential Identity Theft Task Force:

  • Employees with authorization to access SSN should be trained annually on their privacy and security responsibilities. They should also be issued privacy and confidentiality statements that specify the disciplinary action that may be taken should abuse of such information occur.
  • All agency telework policies and written agreements should comply with Federal privacy protection policies
  • Supervisory approval should be necessary prior to accessing or transporting information or equipment containing SSN outside of the agency facilities
  • Encryption should be used during transportation or transmission of electronic data containing SSN
  • Paper records containing SSN should be adequately protected with physical safeguards and labeled with the agency’s contact information
  • When access is required to SSN, it should occur in a secure location
  • All incidents involved with SSN must be reported
  • Any disclosure of SSN along with other personally identifiable information must be made in accordance with Federal privacy protection laws
  • Employees must be familiar with the procedures for labeling, storing and destroying printed material containing Social Security Numbers and other personally identifiable information
  • On a records retrieval screen a Social Security Number must be masked with asterisks or special characters
  • Internal control procedures must be in place to control authorized and unauthorized use of SSN and personally identifiable information by employees

A number of official regulations already enforce protection of Social Security Numbers including:

  • 5 CFR 293 which allows individuals asked voluntarily to provide their SSN to refuse without threat of penalty or denial of benefits; protects agencies from requiring the disclosure of SSN unless required by Federal law; requires agencies to ensure the proper administrative, physical and technical safeguards are put into place to protect personally identifiable information
  • 5 CFR 1001.102- All employees and contractors must protect SSN and other personally identifiable information in order to comply with the Privacy Act

Summary

Social Security Numbers have an immense hold over an individual’s privacy and security. Unauthorized disclosure and use of SSN costs millions of dollars in damages. The OPM Memorandum regarding the protection of Federal Employee’s Social Security Numbers was important not only for protecting the privacy of Federal Employees but also signaling to other institutions that the use of Social Security Numbers is no longer safe or acceptable.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

  • Federal Agency Responsibilities including OPM Memorandum: Guidance on Protecting Federal Employee Social Security Numbers and Combating Identify Theft (II.A.c.ii)
Share

Leave a Reply

 

 

 

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>