Social Security Administration
Disclosure Policy for Law Enforcement Allows Information Sharing, but SSA Needs to Ensure Consistent Application Gao ID: GAO-03-919 September 30, 2003Law enforcement agencies' efforts to investigate the events of September 11th increased awareness that federal agencies collect and maintain personal information on individuals such as name, social security number, and date of birth that could be useful to law enforcement. The Social Security Administration (SSA) is one of the country's primary custodians of personal information. Although the Privacy Act protects much of this information, generally, federal agencies can disclose information to law enforcement. However, determining when the need for disclosure takes priority over an individual's privacy is not clear. GAO was asked to describe (1) SSA's disclosure policy for law enforcement and how it compares with the Privacy Act and those of other federal agencies, (2) SSA's experience sharing information with law enforcement, and (3) law enforcement's experience obtaining information under SSA's policy.
Although SSA's disclosure policy permits the sharing of information with law enforcement entities, it is more restrictive than the Privacy Act and the disclosure policies of most federal agencies. While the Privacy Act permits disclosures to law enforcement for any type of crime, SSA only allows disclosures under certain conditions. For example, for serious and violent crimes, SSA will disclose information to law enforcement if the individual whose information is sought has been indicted or convicted of that crime. Even when information is disclosed, it might be limited to results obtained from verifying a social security number and name unless the investigation concerns fraud in SSA or other federal benefit programs, then the agency can work with law enforcement officials as part of a task force or joint investigation. However, the disclosure policies for law enforcement of the Internal Revenue Service (IRS) and the Census Bureau, both of which have requirements prescribed in their statutes, are also more restrictive than the Privacy Act and the policies of most federal agencies. SSA officials consider SSA's disclosure policy integral to carrying out the agency's mission. The various restrictions in SSA's disclosure policy create a complex policy that is confusing and could cause inconsistent application across the agency's more than 1,300 field offices. This could result in uneven treatment of law enforcement requests. Because aggregated data were not available, GAO was unable to assess the extent to which SSA does not consistently apply its policy. However, GAO was told of instances in which SSA officials in some field offices did not give law enforcement information that appeared to be permitted under the policy as well as instances in which they gave them more than what appeared to be allowed. Generally, law enforcement officials find the limited information SSA shares useful to their investigation, but many law enforcement officials, particularly state and local law enforcement officials, are not familiar with the policy or the process for requesting information from SSA. Most law enforcement officials expressed a desire for more information than is currently permitted under SSA's policy, but SSA maintains that providing more information would hurt its ability to carry out its primary mission.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-03-919, Social Security Administration: Disclosure Policy for Law Enforcement Allows Information Sharing, but SSA Needs to Ensure Consistent Application
This is the accessible text file for GAO report number GAO-03-919
entitled 'Social Security Administration: Disclosure Policy for Law
Enforcement Allows Information Sharing, but SSA Needs to Ensure
Consistent Application' which was released on September 30, 2003.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
United States General Accounting Office:
GAO:
September 2003:
Social Security Administration:
Disclosure Policy for Law Enforcement Allows Information Sharing, but
SSA Needs to Ensure Consistent Application:
GAO-03-919:
GAO Highlights:
Highlights of GAO-03-000GAO-03-919, a report to congressional
requesters
Why GAO Did This Study:
Law enforcement agencies‘ efforts to investigate the events of
September 11th increased awareness that federal agencies collect and
maintain personal information on individuals such as name, social
security number, and date of birth that could be useful to law
enforcement. The Social Security Administration (SSA) is one of the
country‘s primary custodians of personal information. Although the
Privacy Act protects much of this information, generally, federal
agencies can disclose information to law enforcement. However,
determining when the need for disclosure takes priority over an
individual‘s privacy is not clear. GAO was asked to describe (1) SSA‘s
disclosure policy for law enforcement and how it compares with the
Privacy Act and those of other federal agencies, (2) SSA‘s experience
sharing information with law enforcement, and (3) law enforcement‘s
experience obtaining information under SSA‘s policy.
What GAO Found:
Although SSA‘s disclosure policy permits the sharing of information
with law enforcement entities, it is more restrictive than the Privacy
Act and the disclosure policies of most federal agencies. While the
Privacy Act permits disclosures to law enforcement for any type of
crime, SSA only allows disclosures under certain conditions. For
example, for serious and violent crimes, SSA will disclose information
to law enforcement if the individual whose information is sought has
been indicted or convicted of that crime. Even when information is
disclosed, it might be limited to results obtained from verifying a
social security number and name unless the investigation concerns
fraud in SSA or other federal benefit programs, then the agency can
work with law enforcement officials as part of a task force or joint
investigation. However, the disclosure policies for law enforcement of
the Internal Revenue Service (IRS) and the Census Bureau, both of
which have requirements prescribed in their statutes, are also more
restrictive than the Privacy Act and the policies of most federal
agencies. SSA officials consider SSA‘s disclosure policy integral to
carrying out the agency‘s mission.
The various restrictions in SSA‘s disclosure policy create a complex
policy that is confusing and could cause inconsistent application
across the agency‘s more than 1,300 field offices. This could result
in uneven treatment of law enforcement requests. Because aggregated
data were not available, GAO was unable to assess the extent to which
SSA does not consistently apply its policy. However, GAO was told of
instances in which SSA officials in some field offices did not give
law enforcement information that appeared to be permitted under the
policy as well as instances in which they gave them more than what
appeared to be allowed.
Generally, law enforcement officials find the limited information SSA
shares useful to their investigation, but many law enforcement
officials, particularly state and local law enforcement officials, are
not familiar with the policy or the process for requesting information
from SSA. Most law enforcement officials expressed a desire for more
information than is currently permitted under SSA‘s policy, but SSA
maintains that providing more information would hurt its ability to
carry out its primary mission.
What GAO Recommends:
GAO recommends that the SSA Commissioner take steps (1) to ensure that
its policy is consistently applied across all offices and (2) to
provide information on the disclosure policy and procedures to law
enforcement entities at all levels of government. SSA raised some
concerns but generally agreed with GAO‘s recommendations.
www.gao.gov/cgi-bin/getrpt?GAO-03-000GAO-03-919.
To view the full report, including the scope and methodology, click on
the link above. For more information, contact Barbara Bovbjerg,
202-512-7215, bovbjergb@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
SSA's Disclosure Policy Allows Information Sharing with Law Enforcement
under Certain Conditions, but is More Restrictive than the Privacy Act:
SSA Has Provided Information to Law Enforcement Officials, but
Confusion about the Disclosure Policy May Cause Inconsistent
Application:
While Some Law Enforcement Officers Were Unfamiliar with the Policy,
Most Were Generally Satisfied with the Information Shared:
Conclusions:
Recommendations:
Agency Comments and Our Evaluation:
Appendix I: Scope and Methodology:
Appendix II: Chief Financial Officers' Act Agencies' Rules on
Disclosure of Records to Law Enforcement:
Appendix III: Comments from the Social Security Administration:
Appendix IV: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Staff Acknowledgments:
Tables:
Table 1: Exceptions Permitted under the Privacy Act for Disclosing
Information:
Table 2: Number of Information Requests Granted to Law Enforcement by
OIG Field Divisions and Headquarters in Fiscal Years 2000 through 2002:
Figure:
Figure 1: SSA's Disclosure Policy for Law Enforcement:
Abbreviations:
CD-ROM: Compact Disc-Read-Only Memory:
CFO: Chief Financial Officer:
CFR: Code of Federal Regulations:
FBI: Federal Bureau of Investigation:
FOIA: Freedom of Information Act:
FR: Federal Register:
ICE DHS: Immigration and Customs Enforcement Department of Homeland
Security:
INS: Immigration and Naturalization Service:
IRC: Internal Revenue Code:
IRS: Internal Revenue Service:
MOU: memorandum of understanding:
OIG: Office of the Inspector General:
OMB: Office of Management and Budget:
POMS: Program Operations Manual System:
SSA: Social Security Administration:
SSI: Supplemental Security Income
SSN: Social Security number:
USC: United States Code:
United States General Accounting Office:
Washington, DC 20548:
September 30, 2003:
The Honorable F. James Sensenbrenner, Jr.
Chairman
Committee on the Judiciary
House of Representatives:
The Honorable E. Clay Shaw, Jr.
Chairman
Subcommittee on Social Security
Committee on Ways and Means
House of Representatives:
Law enforcement agencies' efforts to investigate the events of
September 11th increased awareness that federal agencies collect and
maintain personal information on individuals that could be useful to
law enforcement in helping them locate and prosecute individuals
responsible for crimes. Federal agencies maintain personal information
such as name, social security number (SSN), and address in their
databases. For example, the Social Security Administration (SSA), the
federal agency responsible for administering three major benefit
programs and issuing SSNs, is one of the country's primary custodians
of personal information, maintaining records on 290 million living
individuals. To protect personal information collected by all federal
agencies, including SSA, the Congress passed the Privacy Act in 1974.
The Privacy Act generally requires the individual affected to give
consent before a federal agency discloses personal information the
agency maintains in certain records and retrieves using the
individual's name or other identifying information. However, there are
12 exceptions to the restrictions placed on federal agencies for
disclosing this personal information, one of which permits disclosure
to law enforcement agencies as long as certain criteria are met.
The Privacy Act protects individuals' privacy while, at the same time,
allowing individuals' personal information to be disclosed for
appropriate purposes, such as assisting law enforcement. Determining
when the need for disclosure takes priority over an individual's
privacy is not always clear. With an eye toward finding an appropriate
balance between protection and disclosure of personal information, the
Congress asked us to describe: (1) SSA's disclosure policy for law
enforcement purposes and how it compares to the Privacy Act and other
federal agencies, (2) SSA's experience sharing information with law
enforcement agencies, and (3) law enforcement's experience in obtaining
information under SSA's disclosure policy.
To provide information on these issues, we compared SSA's disclosure
policy for law enforcement with the Privacy Act and with disclosure
policies of the other 23 federal agencies covered by the Chief
Financial Officers' Act. Because the Internal Revenue Service (IRS) and
the Bureau of the Census, like SSA, are similar in size and scope of
data maintained on individuals, we also compared SSA's disclosure
policy with those of IRS and Census. We also made site visits and
interviewed officials about their experiences with SSA's disclosure
policy at SSA headquarters; SSA regional and field offices; SSA's
Office of the Inspector General (OIG); and federal, state, and local
law enforcement agencies. In addition, we surveyed a random sample of
SSA field offices and all SSA OIG field offices for investigations to
obtain information on law enforcement requests and disclosures between
fiscal years 1999 and 2002. The information provided by all entities
was self-reported. We conducted our work between August 2002 and July
2003 in accordance with generally accepted government auditing
standards. For additional information on our scope and methodology, see
appendix I.
Results in Brief:
While SSA's policy permits the sharing of information with law
enforcement under certain conditions, it is more restrictive than the
law enforcement exception specified under the Privacy Act and the
policies of most federal agencies. SSA's disclosure policy requires SSA
officials to consider several factors such as the nature of the alleged
criminal activity of the individual on whom information is requested,
what information has been requested, and which agency has made the
request. These requirements stem from a confidentiality policy
established in 1937 that prohibited most disclosures. SSA is also the
custodian of tax information, which can only be disclosed as permitted
in the Internal Revenue Code (IRC). With regard to nontax information,
SSA modified its policy subsequent to the enactment of the Privacy Act,
to permit disclosures, but only for certain types of crimes or under
certain conditions. For example, the Privacy Act allows the sharing of
information on individuals who are the subjects of criminal
investigations regardless of the type of crimes but under SSA's policy,
if the type of crime is considered violent and serious, individuals
must have been indicted or convicted of the crime before information is
shared. SSA maintains that it must have a restrictive disclosure policy
because much of the information the agency maintains was initially
obtained under a pledge of confidentiality. Unlike SSA, the policies of
most major federal agencies allow the disclosure of information to law
enforcement if the requests for information meet the requirements
outlined in the Privacy Act. However, the disclosure policies of IRS
and Census--two agencies that also maintain information on millions of
individuals--have disclosure requirements prescribed in their statutes
that are also more restrictive than the Privacy Act and the policies of
most federal agencies. The IRS statute prohibits disclosing certain
taxpayer information to other federal departments and agencies without
specific statutory authorization. The Census Bureau's statute does not
authorize any disclosures of individual census data to law enforcement.
Although SSA's policy supports sharing tax information as permitted by
the IRC and limited nontax information with law enforcement under
certain conditions, some SSA field office staff appear confused about
the policy and may be applying it inconsistently. Law enforcement can
request information from any SSA field office, including OIG offices.
On the basis of our random sample of field offices, we estimate that 82
percent of these offices received requests for personal information
from law enforcement agencies. The information most frequently shared
was the result of name and SSN verification. Through our site visits
and survey results, we were told about both instances in which it
appeared that SSA field offices denied law enforcement requests when
they could have provided information and instances in which it seemed
that offices provided more information than was permitted under SSA's
policy.
While some law enforcement officials were unfamiliar with SSA's
disclosure policies, most were generally satisfied with the information
provided by SSA, though most wanted more. Some law enforcement agencies
at the state and local level were unfamiliar with the process for
obtaining information and expressed frustration. These law enforcement
agencies frequently were unfamiliar with the process for obtaining
information until after making initial requests to SSA field offices
and, in some instances, they told us that they had their requests
turned down because they did not follow procedures. Federal law
enforcement agencies, on the other hand, were more familiar with the
procedures for obtaining information from SSA. Law enforcement
officials at all levels indicated that the SSN and name verification
SSA provided was often helpful to their investigations. However, most
wanted SSA to provide additional information such as address, date of
birth, and employer or family information. Some law enforcement
officers told us that they wanted SSA to expand the circumstances under
which disclosures could be made. However, SSA officials expressed
concern that expanding SSA's disclosure policy would hamper the
agency's ability to ensure that individuals' personal information is
protected and that resources are not diverted from administering Social
Security benefit programs.
We make recommendations in this report that the Commissioner of SSA
take steps to ensure consistent application of the disclosure policy
for law enforcement in all of the agency's offices and better assist
law enforcement agencies making requests, so that they understand the
procedures for making requests.
In its comments on a draft of this report, SSA raised some concerns,
but generally agreed with our recommendations and believed in some
instances, the agency was already taking steps to address the issues we
raised. However, SSA expressed concern that our draft report did not
completely describe the statutory basis and rationale behind SSA's
disclosure policy, and therefore our findings and recommendations are
"overbroad". We believe our findings and recommendations are well
grounded; however, we have made some clarifications in this report in
response to SSA's comments.
Background:
With virtually billions of records, the federal government is the
largest single producer, collector, and user of information in the
United States. In order to carry out the various missions of the
federal government, federal agencies collect and maintain personal
information such as name, date of birth, address, and SSNs to
distinguish among individuals and ensure that people receive the
services or benefits they are entitled to under the law. SSA is
responsible for issuing SSNs as part of its responsibility for
administering three major income support programs for the elderly,
disabled, and their dependents: the Old-Age and Survivors Insurance;
Disability Insurance; and Supplemental Security Income. SSA is also the
repository of information on individuals' wages and earnings. This
information is used in tax administration and is reported by
individuals on their federal income tax returns. Tax return information
may only be disclosed as permitted by the IRC.
Information transmitted to SSA has been protected from disclosure by
statute and regulation since the inception of the Social Security
program. To maintain the confidentiality of the personal information
the agency collects to carry out its mission, in June 1937, SSA adopted
its first regulation, known as "Regulation No. 1," to protect the
privacy of individuals' records and to include a pledge of
confidentiality. The regulation was reinforced by amendments to the
Social Security Act in 1939, which became the statutory basis for
maintaining the confidentiality of SSA's records. For decades, the act,
along with Regulation No. 1, formed the basis for SSA's disclosure
policy.[Footnote 1] However, the enactment of subsequent legislation--
the Freedom of Information Act (FOIA) in 1966[Footnote 2] and
Government in the Sunshine Act in 1976--caused SSA to reexamine its
disclosure and confidentiality policy. This legislation placed the
burden on SSA, as well as other federal agencies, to justify
withholding information requested. Still, SSA's policy is designed to
protect the privacy rights of individuals to the fullest extent
possible while permitting the exchange of records required to fulfill
its administrative and program responsibilities. Over the years, SSA's
disclosure policy has been revised to comply with about 25 statutes,
including the Privacy Act.
The Privacy Act of 1974 is the primary law governing the protection of
personal privacy by agencies of the federal government.[Footnote 3] The
Privacy Act regulates the collection, maintenance, use, and disclosure
of personal information that federal agencies maintain in a system of
records.[Footnote 4] The act requires that, at the time the information
is collected, agencies inform an individual of the following: (1)
authority for the collection and whether it is mandatory or voluntary,
(2) the principal purpose for the collection of information, (3) what
the routine uses for the information may be, and (4) what the
consequences are of not providing the information.[Footnote 5] The act
applies to systems of records maintained by federal agencies, and with
certain exceptions, prohibits agencies from disclosing such records
without the consent of the individual whose records are being sought.
The act authorizes 12 exceptions under which a federal agency may
disclose information in its records without consent, as shown in table
1. The Privacy Act requires that the Office of Management and Budget
(OMB) issue guidance and oversee agency implementation of the act. The
act does not generally apply to state and local government records;
state laws vary widely regarding disclosure of personal information in
state government agencies' control.
Table 1: Exceptions Permitted under the Privacy Act for Disclosing
Information:
Activity or agency warranting exception: 1. Internal use within federal
agency; Conditions under which disclosure is permitted: If an employee
or officer of the agency maintaining the record needs the information
to perform official duties.
Activity or agency warranting exception: 2. FOIA; Conditions under
which disclosure is permitted: If the provisions of the FOIA require
the disclosure.
Activity or agency warranting exception: 3. Routine use[A]; Conditions
under which disclosure is permitted: If the use has been determined to
be compatible with the purpose for which the data were originally
collected.[B].
Activity or agency warranting exception: 4. Census Bureau; Conditions
under which disclosure is permitted: For planning or conducting a
census, survey, or related activity authorized by the Census statute.
Activity or agency warranting exception: 5. Statistical research;
Conditions under which disclosure is permitted: If written assurance is
provided that the record would be used solely as a statistical record
and it is transferred in a form that personal information will not be
individually identifiable.
Activity or agency warranting exception: 6. National Archives;
Conditions under which disclosure is permitted: If the record has
sufficient historical or other value to warrant its evaluation for
preservation by the Archivist of the United States or a designee.
Activity or agency warranting exception: 7. Civil or criminal law
enforcement; Conditions under which disclosure is permitted: If used
for the purpose of a civil or criminal law enforcement activity within
the United States.
Activity or agency warranting exception: 8. Health or safety;
Conditions under which disclosure is permitted: If compelling
circumstances affect the health or safety of an individual.[C].
Activity or agency warranting exception: 9. Congress; Conditions under
which disclosure is permitted: If either house of the Congress or
committees or subcommittees with jurisdiction over the subject requests
disclosure.
Activity or agency warranting exception: 10. Comptroller General;
Conditions under which disclosure is permitted: If disclosure is for
use in the performance of the duties of the General Accounting Office.
Activity or agency warranting exception: 11. Court order; Conditions
under which disclosure is permitted: If pursuant to the order of a
court of competent jurisdiction.
Activity or agency warranting exception: 12. Consumer reporting agency;
Conditions under which disclosure is permitted: If disclosure is
relevant to collection of a claim of the United States Government (31
USC 3711(e)).
Source: GAO review of the Privacy Act.
[A] Agencies must keep an accounting of disclosures made under
exceptions 3-12.
[B] The routine use must have been publicly identified (in the Federal
Register) as such prior to disclosure.
[C] The Privacy Act requires that the individual be notified after the
disclosure is made.
[End of table]
The Privacy Act, under the law enforcement exception, outlines the
minimum criteria that must be met by a law enforcement agency to obtain
personal information without an individual's consent. The act requires
that the request specify the information being sought and the law
enforcement activity being carried out. The request must be in writing,
and signed by the agency head.[Footnote 6] In addition, OMB guidance
permits agencies to disclose a personal record covered by the Privacy
Act to law enforcement at the agencies' own initiative, when a
violation of law is suspected; provided that such disclosure has been
established in advance as a "routine use" and misconduct is related to
the purposes for which the records are maintained. The routine use
exception of the Privacy Act permits disclosure of individuals'
personal information if the requested use is compatible with the
purpose for which the information was initially collected.
Under the act, agencies are required to keep an accurate accounting
regarding each disclosure of a record to any person or to another
agency and to retain the accounting for at least 5 years or the life of
the record, whichever is longer. Under OMB guidance, an agency need not
keep track of every disclosure at the time it is made, but the agency
must be able to reconstruct an accurate and complete accounting of
disclosures.
SSA's Disclosure Policy Allows Information Sharing with Law Enforcement
under Certain Conditions, but is More Restrictive than the Privacy Act:
While SSA's policy permits the sharing of nontax information with law
enforcement, it does so only under certain conditions and is more
restrictive than both the law enforcement exception specified under the
Privacy Act and the disclosure policies of most federal agencies.
Before allowing the disclosure of information, SSA's disclosure policy
requires SSA officials to consider several factors such as the nature
of the alleged criminal activity, what information has been requested,
and which agency has made the request. Such considerations are above
and beyond what is included in the law enforcement exception to the
Privacy Act. SSA maintains that it must have a restrictive disclosure
policy because much of the information the agency collects is
especially personal. In addition, SSA officials believe that the agency
must uphold the pledge it made to the public to keep this information
confidential when SSA first began collecting it. Unlike SSA, the
policies of most major federal agencies allow the disclosure of
information to law enforcement if the requests for information meet the
requirements outlined in the Privacy Act. However, like SSA's
disclosure policy, the disclosure policies of the IRS and the Bureau of
the Census, which have disclosure requirements prescribed in their
statutes, are more restrictive than the Privacy Act and the disclosure
policies of most federal agencies.
SSA Discloses Information to Law Enforcement under Certain Conditions:
While SSA has a long history of protecting individuals' privacy, the
agency's disclosure policy allows the disclosure of information to law
enforcement under certain conditions. These conditions require that SSA
officials consider several factors before they release individuals'
personal information. For example, they must examine the nature of the
alleged criminal activity, what information has been requested, and
which agency has made the request. SSA will share information if the
criminal activity involves one of the following:
* Fraud or other criminal activity in Social Security programs. SSA
will provide information necessary to investigate or prosecute fraud or
other criminal activity in Social Security programs.
* Nonviolent crimes and criminal activity in other government programs
that are similar to Social Security programs. SSA may also disclose
information to investigate and prosecute fraud and other criminal
activity in similar benefit programs, including state welfare/social
services programs such as Medicare or Medicaid, unemployment
compensation, food stamps, and general assistance and federal
entitlement programs administered by the Department of Veterans
Affairs, Office of Personnel Management, and the Railroad Retirement
Board.[Footnote 7]
* Violent and serious crimes. SSA may disclose information when a
violent crime has been committed and the individual who is the subject
of the information requested has been (1) indicted or convicted of the
crime and (2) the penalty for conviction is incarceration for at least
1 year and a day regardless of the sentence imposed. SSA might also
disclose information when a person violates parole and the violent
crime provisions of the original conviction have been met. SSA defines
violent and serious crimes as those characterized by the use of
physical force or by the threat of physical force causing actual
injury, or coercing the victim to act for fear of suffering serious
bodily harm. Such crimes include but are not limited to: murder; rape;
kidnapping; armed robbery; burglary of a dwelling; arson; drug
trafficking or drug possession with intent to manufacture, import,
export, distribute or dispense; hijacking; car-jacking; and terrorism.
* Provisions of other federal statutes that require that SSA disclose
its records such as in connection with civil or criminal violations
involving federal income tax or the location of aliens. SSA will
disclose information when another federal statute requires disclosure,
such as the IRS statute for tax purposes or the Immigration and
Naturalization statute for locating aliens.
* The jeopardy or potential jeopardy of the security and safety of
SSA's clients, personnel, or facilities. SSA will disclose information
about an individual if that individual is involved in an activity that
places the health, safety or security of SSA clients, personnel, or
facilities in jeopardy or potential jeopardy. After the disclosure, SSA
must send a notice of the disclosure to the individual whose record was
disclosed.
SSA's disclosure policy is contained in 20 C.F.R. Part 401 and is
promulgated through regulations outlined in its "Program Operations
Manual System" (POMS) and Emergency Messages. POMS is the primary tool
the field offices use to assist them in making appropriate disclosure
decisions when they receive requests from law enforcement agencies.
POMS provides detailed guidance and incorporates references to
disclosures covered by 25 different statutes, which are located in at
least 15 different sections of the POMS. SSA uses Emergency Messages,
usually limited to a one-time only emergency situation, to provide
implementing guidance in emergency situations. For example, on
September 19, 2001, SSA issued an emergency message to field offices
instructing them to direct all law enforcement requests related to the
terrorists' attacks of September 11, 2001, to SSA's OIG's Office.
SSA's regulations are designed for implementation at all levels of the
agency, including SSA's field offices, regions, and headquarters
offices. SSA can make disclosures through its headquarters, 1,336 field
offices, or 10 regional offices. Disclosures can also be made through
SSA's OIG, the law enforcement component of SSA that is responsible for
conducting audits and investigations of agency programs and activities.
The OIG is authorized to handle disclosures through a memorandum of
understanding (MOU) with SSA. The OIG investigations staff conducts and
coordinates activity related to fraud, waste, abuse, and mismanagement
of SSA programs and operations. The OIG investigations staff also
conducts joint investigations with other federal, state, and local law
enforcement agencies. The OIG investigations staff is located in 60
locations that comprise 31 field offices and 10 field divisions.
SSA's OIG is authorized to disclose individuals' personal information
to law enforcement agencies as agreed with SSA under a MOU. In July
2000, SSA's OIG and the Commissioner of SSA signed an MOU, which
outlines the conditions under which the OIG can disclose to law
enforcement agencies certain limited information from SSA's records in
cases involving fraud of a Social Security program or misuse of an SSN.
Under the MOU, the OIG can disclose whether a given name and SSN match
the name and SSN in records at SSA, referred to as SSN verification.
The MOU delegates authority to OIG employees at all levels. SSA
requires that the OIG ensure that law enforcement requests meet the
same requirements outlined in the Privacy Act as well as those outlined
in SSA's POMS and other guidance. In addition, law enforcement requests
must include the name and SSN to be reviewed and a certification that
the individual about whom information is sought is suspected of
misusing an SSN or of committing another crime against a Social
Security program. Under the MOU, the OIG is permitted to open an
investigation and participate in joint investigations with law
enforcement officials, if the OIG determines that further investigation
is warranted.
SSA requires that the OIG submit an annual report to the Commissioner
of SSA, no later than 30 days after the end of the fiscal year. The
annual report must reflect the total number of SSN verification
requests received and responses made, if the number is different,
broken down by OIG field division. SSA also requires that the OIG
maintain records from each fiscal year for 1 year. The Commissioner of
SSA can revoke the delegation of authority to the OIG described in the
MOU at any time by providing a 30-day notice.
While any SSA office can make disclosures, the Privacy Officer within
SSA's Office of Disclosure Policy, located in the Office of General
Counsel, has overall responsibility for overseeing the agency's
implementation of the disclosure policy. Except for requests involving
national security issues, which are referred to the Privacy Officer at
SSA headquarters and ultimately to the Commissioner of SSA, field
locations handle requests for disclosing information because the
offices are at the local level where information is frequently needed.
Privacy Coordinators are located in the regional offices and are
available to assist the field offices on questions about disclosures.
The Privacy Coordinators report to the Privacy Officer.
When SSA receives a request from law enforcement agencies, SSA
officials must first determine whether the request is valid, that is,
in writing on the agency's letterhead, specifies the records being
requested, and is signed by an official of the requesting office. SSA
field office officials are instructed to rely on their knowledge of
local law enforcement agencies to determine whether a request is from
the proper person. For valid requests, SSA officials must also
determine whether the agency requesting the information has
jurisdiction in the particular case. Other specific criteria considered
in determining whether SSA will disclose individuals' personal
information to law enforcement agencies are outlined in figure 1. Tax
information is disclosed consistent with IRC 6103. SSA officials told
us that in all cases, the agency's practice is to provide only the
minimum amount of information necessary to assist law enforcement.
Figure 1: SSA's Disclosure Policy for Law Enforcement:
[See PDF for image]
[End of figure]
Figure 2: SSA's Disclosure Policy for Law Enforcement (continued):
[See PDF for image]
[End of figure]
Figure 3: SSA's Disclosure Policy for Law Enforcement (continued):
[See PDF for image]
[A] State officials do not have jurisdiction in welfare fraud cases in
Native American Territories; therefore, SSA does not disclose
information to state officials.
[B] The Bureau of Immigration and Customs Enforcement of the Department
of Homeland Security (ICE DHS) was created with the merger of the
former Immigration and Naturalization Service (INS) and Customs
Service.
[C] SSA has specific procedures for processing Immigration requests for
personal information through its field offices and the Immigration
District located in Baltimore, Maryland.
[D] State and local agencies may obtain this information from SSA under
automated data exchange.
[E] All requests concerning these crimes are processed at SSA
headquarters through the Privacy Officer, who refers the cases to the
Commissioner for a decision under the Commissioner's ad hoc authority.
[F] SSA advises staff to consider whether the possible violations are
of significant value to the other agency and whether excessive use of
SSA's resources would be required to help the other agency in its
investigation.
[End of figure]
For law enforcement requests that do not fit neatly in the categories
described or do not meet the specific criteria outlined in SSA's
policy, SSA's Commissioner decides whether or not the agency will share
the requested information using the Commissioner's ad hoc authority.
The Commissioner's ad hoc authority is generally reserved for
exceptional cases approved on a case-by-case basis. For example,
following the September 11th, 2001, terrorist attacks, the
Commissioner's ad hoc authority was invoked to disclose to the FBI and
other law enforcement agencies information in SSA's files concerning
suspects or other persons who may have had information on the attacks
and to help identify and locate victims and members of their
families.[Footnote 8] Certain requirements must be met in order to
invoke the Commissioner's ad hoc authority. The request must be deemed
appropriate and necessary, SSA's regulations cannot specify what is to
be done in the circumstance in question, and no provision of law can
specifically prohibit the disclosure. SSA policy prohibits the
disclosure of tax return information under the Commissioner's ad hoc
authority. SSA officials told us that the Commissioner invokes this
authority infrequently and had rendered decisions to disclose
information to law enforcement agencies 35 times between April 1981 and
October 2002.
SSA's Disclosure Policy for Law Enforcement Is More Restrictive than
the Privacy Act:
Unlike SSA's disclosure policy, the Privacy Act requires that fewer
criteria be met before a disclosure is made. However, SSA officials
state that the agency must protect tax information and maintain the
pledge of confidentiality that the agency made long before the Privacy
Act was enacted. Therefore, SSA's policy imposes additional
requirements as a condition for disclosure. Over the years, SSA has
modified its disclosure policy to incorporate legislative requirements,
but where it had discretion, SSA has continued to focus its policy on
protecting individuals' privacy and upholding the pledge of
confidentiality.
The law enforcement exception of the Privacy Act permits disclosure of
individuals' personal information when a law enforcement agency (1)
requests the information for an authorized law enforcement activity,
(2) makes the request through the agency head, (3) submits the request
in writing, and (4) specifies the information requested and the law
enforcement activity involved. Under the Privacy Act, a law enforcement
agency investigating a person suspected of embezzlement or shoplifting
could submit a request to most federal agencies, including SSA, for
information seeking or verifying the person's name, SSN, date of birth,
last known address, and other data. Most federal agencies would
probably provide that information from their records covered by the
Privacy Act. However, under SSA's policy, no information would be given
to the law enforcement agency because SSA has determined that these are
not crimes that warrant any disclosure of individuals' personal
information. Additionally, the Privacy Act includes a routine use
exception, which allows personal information to be disclosed on the
initiative of the custodian agency. To qualify for a routine use, the
proposed use of the information must be compatible with the purpose for
which the information was obtained. Agencies must publish their routine
uses in the Federal Register. SSA relies on the routine use exception
to disclose information to law enforcement when fraud or other
violations are suspected in SSA's programs and other similar federal
income or health maintenance programs.
SSA's Policy Is More Restrictive than the Policies of Most Federal
Agencies, with the Exception of IRS and Census:
SSA's disclosure policy[Footnote 9] is more restrictive than the
disclosure policies of most major federal agencies, with IRS and the
Census Bureau, being exceptions. However, unlike SSA's disclosure
policy, the policies of the IRS and Census are specifically provided in
statute. Most major federal agencies' policies allow for disclosures to
law enforcement agencies under the law enforcement or the routine use
exceptions of the Privacy Act.[Footnote 10]
The law enforcement exception of the Privacy Act permits all federal
agencies to disclose personal information to law enforcement agencies
upon written request from the law enforcement agency. Twenty of the 24
major federal agencies have issued regulations that reference that
disclosure authority.[Footnote 11] In addition, OMB guidance permits
agencies to disclose personal information covered by the Privacy Act to
law enforcement agencies under the routine use exception of the Privacy
Act. The routine use exception permits federal agencies, at their own
initiative, to disclose personal information without consent if the use
is compatible with the purpose for which the information was collected.
OMB guidance permits such a disclosure to a law enforcement agency when
a violation of law is suspected, provided that such disclosure has been
established in advance as a "routine use" and the misconduct is related
to the purposes for which the information is collected and
maintained.[Footnote 12] Fourteen of the 24 major federal agencies have
established law enforcement routine use exceptions that are generally
applicable to their systems of records. Some agencies alternatively
only apply the law enforcement routine use exception to specific
systems of records.[Footnote 13] Accordingly, under the Privacy Act,
disclosure of personal information to law enforcement agencies may be
permitted, depending on the agency and the circumstances, either by the
law enforcement exception or the routine use exception. SSA, however,
does not permit such disclosures from SSA program records under either
exception. As already discussed, SSA requires considerations above and
beyond the requirements in the Privacy Act. (See app. II for a list of
federal agencies' rules referencing the Privacy Act law enforcement
disclosure authority and those authorizing a general law enforcement
routine use exception.):
Although SSA's disclosure policy for law enforcement is restrictive
relative to most other federal agencies, IRS and Census also have
restrictive disclosure requirements, which are outlined in these
agencies' statutes. IRS's disclosures of tax returns and return
information are governed by Internal Revenue Code Section 6103, which
prohibits disclosures unless specifically authorized in statute. This
statutory restriction serves to protect the confidentiality of personal
and financial information in IRS's possession and ensure compliance
with tax laws. A court order is generally required to open tax returns
or other tax information to federal law enforcement officials
investigating a federal nontax crime or preparing for a grand jury or
other judicial proceeding, without the knowledge or consent of the
taxpayer involved. The Attorney General, the Deputy Attorney General,
and other Justice Department officials specifically named in the
statute, are permitted to seek a court order. To obtain a court order,
the requester has to demonstrate that:
* reasonable cause exists to believe that a specific criminal act has
been committed and tax return information is or may be relevant to a
matter relating to the commission of the criminal act;
* the information being sought will be used exclusively in a federal
criminal investigation concerning the criminal act; and cannot be
reasonably obtained, under the circumstances, from another source.
Information federal law enforcement obtains from IRS generally cannot
be shared with state and local law enforcement. However, the Victims of
Terrorism Tax Relief Act of 2001 permits federal law enforcement
agencies involved in terrorist investigations/intelligence gathering
to redisclose this information to officers and employees of state and
local law enforcement who are directly engaged in investigating or
analyzing intelligence concerning the terrorist incidents, threats, or
activities.
The disclosure authority for Census is spelled out in statute under
Title 13 of the United States Code. The Census statute prohibits the
disclosure of any individual's Census data other than for use by the
Census, making information that the Bureau of the Census collects and
maintains immune from the legal process. Unlike IRS, a court order will
not permit the Census Bureau to disclose information to law enforcement
agencies or any other entities that may request an individual's
personal information. Regulations provide that a person's individual
census information may not be disclosed to the public for 72 years from
the decennial census for which the information was collected and the
fine for wrongful disclosure of confidential census information is
imprisonment of up to 5 years or a fine up to $250,000, or
both.[Footnote 14] The statute further restricts the use of
individuals' Census data to the Secretary of Commerce, or bureau and
agency employees. Additionally, Census data for individuals may only be
(1) used for statistical purposes for which it was supplied; (2)
published in a manner so that an individual's information cannot be
identified; and (3) examined by persons who have been sworn as officers
or employees of the Department of Commerce, or the Bureau of the
Census. The statute even protects from compulsory disclosure, copies of
Census information that an individual may have retained for their own
personal use. Accordingly, "no department, bureau, agency, officer, or
employee of the government, except the Secretary of Commerce in
carrying out the statutory duties of the agency, shall require copies
of information an individual may have retained." An individual's
personal retained copies of census forms are immune from the legal
process and cannot be admitted as evidence in any action, suit, or
other judicial or administrative proceeding without the individual's
consent.
SSA Views Restrictions as Integral to Carrying Out Its Mission:
SSA maintains that it must have a restrictive disclosure policy to
protect individuals' personal information, even from law enforcement
requests, because much of the information the agency collects is
especially personal and was initially obtained under the pledge of
confidentiality. SSA officials told us that they try to limit
disclosure because the agency has no control over the extent to which
information will be safeguarded once disclosed. In addition, Social
Security has universal coverage and an individual cannot refuse to be
assigned an SSN. The Social Security Act requires that SSA compile wage
and employment data for each individual. According to an SSA official,
individuals cannot receive Social Security benefits without having an
SSN. In SSA's disclosure policy, the agency recognizes that its rules
for disclosure are more restrictive than the Privacy Act and cites
several reasons why. According to SSA, it seldom has records that are
useful to law enforcement agencies and information from tax returns--
such as addresses or employment information--cannot be disclosed. Also,
SSA contends that its resources should not be diverted for nonprogram
purposes. Finally, SSA says that it has a long-standing pledge to the
public to maintain the confidentiality of its records.
SSA Has Provided Information to Law Enforcement Officials, but
Confusion about the Disclosure Policy May Cause Inconsistent
Application:
Although SSA's policy supports sharing limited information with law
enforcement under certain conditions, we found evidence that some SSA
field office staff are confused about the policy that could result in
staff applying it inconsistently. Information provided to law
enforcement is generally limited to the verification of a name and SSN,
though more information may be provided under certain circumstances.
Information obtained through our selected site visits and survey
results indicated that SSA field offices might have denied law
enforcement requests when they could have provided information and
instances in which offices might have provided more information than
was permitted under SSA's policy. Because SSA is not required to and
therefore, does not maintain aggregated data showing what requests were
made, whether they were approved, and what information was given to
fulfill them, we could not determine the extent to which these
inconsistencies occurred.
Information SSA Provided to Law Enforcement Often Limited to Name and
SSN Verification:
Information provided to law enforcement is routinely limited to the
verification of a name and SSN, though more information may be provided
under certain circumstances. When law enforcement provides SSA with the
name and SSN of an indicted or convicted criminal, SSA can conduct a
search on the SSN to determine if it is valid and if it matches the
name provided by law enforcement. If the name and the SSN do not match,
SSA will not usually identify to whom the SSN actually belongs, though
they will tell law enforcement that there was no match. Except to
identify and locate illegal aliens, SSA generally will not provide any
information if law enforcement only provides an SSN and wants to know
to whom it is assigned. Under certain circumstances, such as when SSA's
OIG conducts a joint investigation with other law enforcement agencies
involving fraud against one of SSA's programs, the OIG is allowed to
provide any information available in SSA's data system, short of IRS
data.
SSA's Disclosure Policy Confuses Staff and May Not Be Consistently
Applied across SSA Field Offices:
SSA tries to ensure that its disclosure policy is consistently
implemented in all field offices. SSA takes various steps to ensure the
consistent applications of its disclosure policy. For example, SSA has
taken steps to educate its staff about its disclosure policy. SSA
managers indicated that SSA staff is given disclosure policy training
when they start employment and such training is refreshed as needed.
Additionally, SSA posts the policy on its internal Web site and on
Compact Disc-Read-Only Memory (CD-ROM) for staff reference.
Furthermore, a regional "privacy coordinator" is available to answer
staff questions about proper disclosure procedures. One SSA regional
office provided a chart to all SSA field offices within its "program
circle"[Footnote 15] that briefly summarizes SSA's policy on access and
disclosure without consent. Although this chart had not been updated
since July 1996, it was viewed by the manager we talked with as a handy
guide for what could be disclosed and also provided references to the
location of a more thorough explanation of SSA's policy in their POMS.
In addition, to ensure that disclosure procedures are followed, field
office managers told us that they usually handle information requests
from law enforcement officials rather than leaving this duty to staff.
However, we noted in our survey and during selected site visits, a
limited number of instances where SSA's disclosure policy appears to
have been inconsistently applied. In some instances, law enforcement
might have received more information than permitted under SSA's policy.
For example, one SSA OIG office we visited provided a law enforcement
agency with the name, SSN, date of birth, place of birth, and parents'
name when it seemed that only the name and SSN verification results
should have been provided. In another case, an SSA official reported
that a state law enforcement officer stopped an individual and
telephoned SSA requesting information to verify the SSN, date of birth,
place of birth, and sex and was provided the results over the
telephone. Although SSA's policy permits the verification of the name
and SSN, such requests are required to be in writing. In other
instances, requests that should have been approved might have been
turned down. For example, one SSA field office manager told us that
nothing could be disclosed to law enforcement if the request for
information pertained to an individual suspected of misusing an SSN
because the individual had not been indicted or convicted of this
crime. However, SSA's policy would appear to permit disclosure in this
situation. Another SSA field office manager told us that office would
not disclose any information without consent from the individual for
whom the information is being requested.
Several possible reasons exist for the inconsistent application of
SSA's disclosure policy. Although our survey showed that most SSA field
offices receive requests for information from law enforcement, SSA
field officials we spoke with said that they do not receive requests
frequently. For example, several officials told us that they received
fewer than 10 requests in 2002. Because requests are infrequent, staff
must often consult the policy to help them to respond properly.
However, many staff members consider the policy confusing. For example,
one field office manager said that, "We have doubts as to what
information should be provided to U.S. Border Patrol." Similarly, a
manager in another field office said, "SSA['s] disclosure policy should
be written in "Plain English" to make it easy to understand by all
readers." A different field office manager commented, "[SSA's]
Disclosure policy is still frequently confusing for much of our staff."
This lack of clarity leads to confusion about what should be disclosed.
For example, one manager said, "[SSA's policy] is quite confusing. It's
hard to know what you can disclose." Another manager commented, "I
think the policy should be clearer than it is. There's too much—'if
this, then that, but not this and so on.'":
In addition, SSA's responsibilities to both assist law enforcement and
protect individuals' privacy may be exacerbating the confusion and
inconsistent application of the agency's policy. For example, officials
at SSA headquarters said that they want to help law enforcement as much
as possible, but they believed they must also protect the privacy of
the information in their systems of records in order to perform SSA's
primary mission. Some managers in SSA field offices believed that the
agency should provide information to law enforcement. However, several
field office managers expressed their concerns and reluctance about
sharing information with law enforcement agencies. Employees who
provide information to an individual inappropriately could be subject
to a penalty, including suspension or termination from SSA. Therefore,
rather than risk disclosing information inappropriately, some officials
might err on the side of caution and not disclose information even when
it is permitted under the agency's disclosure policy.
SSA Field Offices Do Not Maintain Aggregated Data, but OIG Does:
Consistent application of SSA's disclosure policy cannot be assessed
because, according to OMB guidelines, SSA is not required to maintain
aggregated data showing what requests were made, whether they were
approved, and what information was given to fulfill them.[Footnote 16]
According to SSA, disclosures of individuals' personal information are
kept in individuals' files. While SSA policy does not stipulate that
field offices must keep track of requests made by a law enforcement
agency, our survey revealed some information about these requests. For
example, we estimate that 82 percent of SSA field offices indicated
that they had received requests for personal information from law
enforcement agencies. However, 71 percent of SSA's field offices do not
maintain a record of requests made by law enforcement agencies.
While the majority of SSA field offices do not maintain records of law
enforcement requests, results from our survey showed that 90 percent of
the SSA OIG offices maintain these data for disclosures the OIG made.
The SSA OIG is required to report to the SSA Commissioner aggregated
data annually on disclosures made. According to the OIG, it also keeps
a hard copy of requests made by law enforcement agencies for at least 1
year. On the basis of these aggregated data, between fiscal years 2000
and 2002, SSA OIG regional divisions fulfilled almost 30,000 requests
from law enforcement agencies for name and SSN verification. Table 2
shows the number of verifications fulfilled by SSA OIG regional
divisions and headquarters. However, no numbers are kept on denied law
enforcement requests. According to SSA OIG officials, in most cases,
law enforcement officers contact OIG offices by telephone before
submitting a request so no written record exists if the OIG does not
grant the request for information.
Table 2: Number of Information Requests Granted to Law Enforcement by
OIG Field Divisions and Headquarters in Fiscal Years 2000 through 2002:
Field divisions and headquarters: Atlanta; Fiscal year 2000: D - NC[A];
Fiscal year 2001: 198; Fiscal year 2002: 1,660; Total: 1,858.
Field divisions and headquarters: Boston; Fiscal year 2000: D - NC;
Fiscal year 2001: 391; Fiscal year 2002: 1,072; Total: 1,463.
Field divisions and headquarters: New York; Fiscal year 2000: 52;
Fiscal year 2001: 307; Fiscal year 2002: 2,202; Total: 2,561.
Field divisions and headquarters: Philadelphia; Fiscal year 2000: D -
NC; Fiscal year 2001: 405; Fiscal year 2002: 1,748; Total: 2,153.
Field divisions and headquarters: Chicago; Fiscal year 2000: D - NC;
Fiscal year 2001: 2,872; Fiscal year 2002: 7,289; Total: 10,161.
Field divisions and headquarters: Dallas; Fiscal year 2000: 320; Fiscal
year 2001: 439; Fiscal year 2002: 1,767; Total: 2,526.
Field divisions and headquarters: St. Louis; Fiscal year 2000: 237;
Fiscal year 2001: 894; Fiscal year 2002: 1,467; Total: 2,598.
Field divisions and headquarters: Denver; Fiscal year 2000: 176; Fiscal
year 2001: 173; Fiscal year 2002: 1,184; Total: 1,533.
Field divisions and headquarters: Los Angeles; Fiscal year 2000: 400;
Fiscal year 2001: 553; Fiscal year 2002: 2,353; Total: 3,306.
Field divisions and headquarters: Seattle; Fiscal year 2000: D - NC;
Fiscal year 2001: 520; Fiscal year 2002: 282; Total: 802.
Field divisions and headquarters: Headquarters; Fiscal year 2000: --;
Fiscal year 2001: --; Fiscal year 2002: 838; Total: 838.
Field divisions and headquarters: Totals; Fiscal year 2000: 1,185;
Fiscal year 2001: 6,752; Fiscal year 2002: 21,862; Total: 29,799.
Source: SSA OIG data.
[A] D - NC - Records destroyed; no counts available. Prior to fiscal
year 2000, law enforcement verifications were conducted by Allegation
Management Division (OIG Hotline), and records no longer exist for
those verifications. In April 2002, the Office of Investigations began
using the code "LEVER" when conducting law enforcement verifications in
the SSA system. The use of "LEVER" will provide OIG with an automated
retrieval of the count, and manual counts will no longer be used
effective fiscal year 2003.
[End of table]
While Some Law Enforcement Officers Were Unfamiliar with the Policy,
Most Were Generally Satisfied with the Information Shared:
While some law enforcement officials we spoke with were unfamiliar with
SSA's disclosure policies, most were generally satisfied with the
information provided by SSA, though most would like more. Some law
enforcement agencies at the state and local level were unfamiliar with
the process for obtaining information and expressed frustration with
their attempts to obtain information from SSA. Law enforcement
officials indicated that the SSN and name verification SSA provided was
often helpful to their investigations. However, most wanted SSA to
provide additional information such as address, date of birth, and
employer or family information. SSA officials have several concerns
about expanding SSA's disclosure policy.
Many State and Local Law Enforcement Officers Were Unfamiliar with
SSA's Disclosure Policy and Procedures:
Findings from site visits indicated that some law enforcement officers
at the state and local level, who generally request information from
SSA field offices, are unfamiliar with the process for obtaining
information from SSA offices. Because SSA does not have written
procedures on its disclosure policy available to law enforcement, some
officers find out how to obtain information virtually by trial and
error. For example, one officer told us that after having his initial
request for information, which was not in writing turned down because
he had not followed proper procedures, he obtained a search warrant to
obtain the information from SSA. The officer said that no one at SSA
explained to him the procedures for obtaining information until he got
the search warrant. It is unclear when or if SSA officials let law
enforcement officers know what procedures need to be followed to get
information. Federal law enforcement agencies, on the other hand, more
often understood the Privacy Act's procedures. Further, most federal
law enforcement agencies we spoke with submitted their requests to
SSA's OIG--itself, a federal law enforcement agency. Our survey results
indicated that on average in 2002, 46 percent of the requests made to
OIG offices came from federal law enforcement agencies while 27 percent
of the requests made to SSA field offices on average came from federal
law enforcement agencies.
While details on SSA's disclosure policy are available in their POMS
and other SSA documents that summarize this information, it is not
readily available to law enforcement. A summary of the policy can be
found on SSA's Web site under the caption "Code of Federal Regulations
for Social Security." However, it is not easy to find and provides
little detail on what SSA will provide to law enforcement. Further, the
Web site does not provide law enforcement with instructions on what
they need to do to get the information.
Most Law Enforcement Officials Found Shared Information Useful but Many
Believed More Information Was Needed:
Officials from federal, state, and local law enforcement agencies we
spoke with were generally satisfied with the information provided by
SSA although most would like more information on individuals. Law
enforcement officials indicated that, although in most cases SSA only
verified a name and SSN, the information received was useful to their
investigations and, in some cases, was enough to help convict an
individual of a crime. The information received from SSA was considered
by law enforcement as the most accurate and up-to-date information
available to help in their investigations.
Law enforcement was also satisfied with the time in which SSA provided
the information. In many cases, law enforcement officers we spoke with
indicated that SSA provided the information very quickly. In addition,
one SSA OIG official told us that when procedures are followed
correctly, the OIG can reply back in 24 hours or less, depending on the
information requested. SSA confirmed the timeliness of its responses to
law enforcement requests. We estimate that over 90 percent of both SSA
field office and OIG respondents reported that it took 24 hours or less
to fulfill a request. Our survey results showed that 40 percent of SSA
field offices and 21 percent of SSA OIG offices reported that it took
less than an hour to fulfill a request from a law enforcement agency.
Although most of the law enforcement officials we spoke with were
satisfied with information provided by SSA, several believed the
information provided was insufficient. Several of these law enforcement
officials believed that the name and SSN verification was not enough to
help with their investigations. These individuals generally wanted
additional information such as the suspect's wage information, address,
employer, and date of birth. In documents provided to us, SSA's OIG
listed the following situations in which the OIG could not provide
information to law enforcement.
When the official:
* provides the SSN and wants to know to whom it is assigned;
* wants information to locate witnesses or suspects in high profile
cases or missing persons;
* wants information on individuals with Alzheimer's disease who are
lost,
* wants information on next of kin;
* wants information to locate a fugitive who may be receiving benefits
under SSA's Old-Age and Survivors Insurance program and its Disability
Insurance program;
* wants information to make identifications in child pornography cases;
* wants information to determine if there has been any activity on a
Social Security account in a custodial interference case;[Footnote 17]
and:
* wants information on SSNs related to non-SSA-related fraud cases or
counterfeit cases.
Some law enforcement officials were unhappy with SSA's refusal to
provide such information, especially because they believed that SSA
could easily provide it in a short period of time. For example, one
federal officer who investigates nonviolent felony crimes said that SSA
seems more concerned about someone committing fraud against one of its
programs than about identity theft involving the use of someone's SSN.
He also said that SSA would not provide him with any information on the
person whose identity was being stolen. Another officer said that
because he could not get necessary information from SSA, he had
resorted to other means of gathering the information needed. The
officer said that depending on resources available, it could take up to
3 weeks to get someone's SSN through other sources. Furthermore, the
officer said that while he could make the case without the SSA
information, the information SSA can provide would be invaluable to
helping fully prosecute a case.
Many SSA officials in the field and OIG offices agreed that SSA's
disclosure policy is too restrictive. Many believed that, for
legitimate investigations, the policy should allow for disclosures to
law enforcement officials of whatever information they need. One SSA
OIG official said that, as a law enforcement officer, he believed that
he should be able to provide information to another law enforcement
officer especially when he knew that doing so would help with a case
and also because law enforcement officers would be more willing to
share information with the OIG. While the SSA Commissioner can invoke
ad hoc authority for certain specific cases to disclose information, as
was done in response to the disclosure requests related to the
September 11 terrorist attacks, SSA officials said that the use of this
authority must be limited. SSA headquarters officials believe that
expanding its disclosure policy would hamper its ability to ensure that
individuals' personal information is protected and that resources are
not diverted from administering Social Security benefit programs.
Conclusions:
Protecting individuals' privacy and providing information to law
enforcement that could be helpful in solving crimes or ensuring
national security are two important yet sometimes seemingly conflicting
policy objectives. SSA places a high priority on privacy, and its
policy for disclosure to law enforcement agencies goes beyond the
requirements of the Privacy Act. SSA's disclosure policy attempts to
preserve its pledge to maintain individuals' privacy while cooperating
with law enforcement and complying with applicable statutes. The end
result is a complex policy that is more restrictive than the Privacy
Act requirements and those of most federal agencies and more like the
policies of IRS and Census, agencies that maintain personal information
whose requirements are embodied in statute.
In addition, some SSA field office staff and local law enforcement
officers find SSA's policy confusing and sometimes frustrating. As a
possible consequence of SSA staff and local law enforcement's confusion
about SSA's policy, law enforcement may be denied requested information
even though SSA's policy permits its disclosure or law enforcement may
receive information that SSA's policy does not permit. Although we
could not assess the overall level of consistency in the application of
SSA's policy, we believe eliminating or reducing confusion about the
agency's policy would help ensure consistent application, and that this
can be achieved with relatively modest actions on SSA's part.
Recommendations:
To help ensure consistent application of SSA's disclosure policy for
law enforcement in all of its offices and to better assist law
enforcement agencies making disclosure requests, we recommend that the
Commissioner of SSA do the following:
* Take steps to eliminate confusion about the agency's disclosure
policy. These steps could include clarifying SSA's policy; providing
additional or refresher training to staff; or delegating decision-
making authority for law enforcement requests to specified locations
such as the OIG, regional privacy coordinators, or other units that SSA
determines would have expertise in this area.
* Provide law enforcement with information on SSA's disclosure policy
and procedures. For example, this information could be provided on its
Web site, in informational pamphlets, or some other written format.
Agency Comments and Our Evaluation:
We obtained written comments on a draft of this report from the
Commissioner of SSA. SSA's comments are reproduced in appendix III. SSA
also provided technical comments, which we incorporated in the report
as appropriate. We also provided a draft of this report to the
Departments of Commerce, Justice, and Treasury for review and comment.
These three agencies reported that they had no comments.
SSA stated that our draft report accurately reflected the importance of
SSA's disclosure policy to the agency's mission but it presents an
incomplete description of both the statutory basis for and rationale
behind the policy. Further, SSA stated that the draft report does not
take into account the statutory basis for the nondisclosure of tax
information or the statutory support for the agency's long-standing
confidentiality pledge; therefore, SSA believes that our findings and
recommendations are "overbroad." We are aware of SSA's obligation under
the IRC and took this into consideration during our review of SSA's
disclosure policy; however, we have revised the report, where
appropriate, to clarify that our observations about SSA's disclosure
policy relative to the Privacy Act do not extend to SSA's disclosure of
tax information. Disclosure of tax information is controlled by section
6103 of the IRC. We also provided additional reference to the statutory
basis and rationale behind SSA's disclosure policy.
SSA also commented that 42 U.S.C. 1306 provided an independent basis
for nondisclosures, apart from the Privacy Act. The report recognizes
that 42 U.S.C. 1306 provides the basis for SSA's disclosure policy and
we have added a citation for this authority. Section 1306 provides SSA
authority to regulate the dissemination of information in its custody
as otherwise permitted by federal law. Other federal law includes the
Privacy Act. Our report merely points out that SSA has used this
authority to regulate in a more restrictive fashion than the Privacy
Act requires.
SSA stated that it believed that our characterizing the agency's policy
as more restrictive than most federal agencies does SSA a disservice
because many federal agencies have little interaction with the public
at large. SSA states that the only two agencies of SSA's size and scope
with respect to gathering information from the public to accomplish
their missions are IRS and Census, which have more restrictive
disclosure policies and statutes that prohibit disclosures. We believe
that our comparison and characterization of SSA's disclosure policy is
fair. We compared SSA's disclosure policy to those of the other 23
agencies covered by the Chief Financial Officers' Act. We decided also
to compare SSA's policy to those of IRS and Census because they are
similar in size and scope of data maintained on individuals. All of the
agencies we compared are subject to the Privacy Act. As we reported,
SSA's disclosure policy, as well as those of IRS and the Census Bureau
is more restrictive than most federal agencies.
SSA agreed in part with our recommendation that the Commissioner take
steps to eliminate confusion that may cause inconsistent application of
the policy. SSA acknowledged that the policy is complex and could lead
to occasional inconsistent application. However, SSA stated that it
provides extensive instructions in its POMS for employees and the
instructions refer staff to experts in regional and central offices for
assistance when needed. SSA also stated that its regional offices have
provided employees access to Intranet sites that clarify disclosure
policy, but the agency will consider providing additional refresher
training as appropriate. In addition, SSA stated it is currently
reviewing improvements to the POMS sections that address law
enforcement disclosures that the agency believes will address our
concerns. SSA expressed concern about the option to consider delegating
"decision-making authority for law enforcement requests to specified
locations such as the OIG.." SSA stated that the Inspectors General
Act of 1978 prohibits agencies from transferring programmatic functions
to the Inspector General.
We acknowledge in our report that SSA provides guidance on its
disclosure policy in its POMS. While we found that employees were aware
of this guidance, SSA staff told us that they found SSA's policy
confusing. We believe additional training as well as improvements to
the POMS that clarify or simplify SSA's policy should help ensure
consistent application.
With respect to SSA's concern about our recommendation to consider
delegating decision-making authority for law enforcement requests to
specified locations such as the OIG, regional privacy officers, or
other units that SSA determines would have expertise in this area, we
did not intend to imply that programmatic functions be transferred to
the OIG. Our recommendation was aimed at directing disclosure requests
to units that currently perform this function and that appear to have
expertise in SSA's disclosure policy. We simply intended to provide
options for SSA to better utilize the resources they already have in
place to determine whether law enforcement requests are permitted under
SSA's disclosure policy. The OIG, who currently responds to law
enforcement requests as authorized under an MOU with SSA, was only one
of the units we suggested as an option. We continue to believe that
delegating authority to handle disclosure requests to specified units
with expertise in SSA's disclosure policy would be a plausible option
for helping to ensure consistent application of SSA's policy. This
option could reduce or eliminate the need for SSA field office
officials who receive sporadic requests from law enforcement to relearn
SSA's disclosure policy.
SSA agreed with our recommendation that the Commissioner of SSA should
provide law enforcement with information on SSA's disclosure policy and
procedures and SSA believes the agency has done so. However, SSA stated
it would review its Web site and other public informational materials
to see if additional material or formatting changes would be helpful.
We acknowledged in our report that SSA's policy can be found on the
Internet, but noted that it is not easily found and does not clearly
explain how law enforcement could obtain information. Although SSA
officials told us that they provided limited discussion of the agency's
disclosure policy and procedures at law enforcement conferences, these
officials did not indicate the number of conferences attended or
whether these conferences involved federal, state, or local law
enforcement. Some of the local law enforcement officials we spoke with
were unfamiliar with how to obtain information from SSA. Therefore, we
continue to believe that information that clearly defines SSA's
disclosure policy and procedures would be helpful to law enforcement.
Further, we believe that our findings and recommendations are central
to many concerns expressed by both SSA and law enforcement officials
and we view the steps that SSA indicated that it plans to consider, or
already has in process to ensure consistent application of its
disclosure policy and law enforcement's understanding of how to obtain
information from SSA as appropriate steps toward correcting the
concerns expressed.
We are sending copies of this report to the Commissioner of Social
Security; the Secretaries of Commerce, Treasury, and Homeland Security;
the U.S. Attorney General; appropriate congressional committees; and
other interested parties. We will also make copies of this report
available to others on request. In addition, the report will be
available at no charge on GAO's Web site at http://www.gao.gov.
If you or your staffs have questions about this report, please call me
on (202) 512-7215. Other GAO contacts and staff acknowledgments are
listed in appendix IV.
Barbara D. Bovbjerg
Director, Education, Workforce, and Income Security Issues:
Signed by Barbara D. Bovbjerg:
[End of section]
Appendix I: Scope and Methodology:
To attain our objectives for this assignment, we reviewed and compared
the Social Security Administration's (SSA) disclosure policy for law
enforcement and the Privacy Act. We also compared SSA's disclosure
policy with that of the Internal Revenue Service (IRS) and the Bureau
of the Census because SSA officials believe that these agencies are
comparable with SSA. Additionally, we compared SSA's disclosure policy
with the general law enforcement disclosure policies for the other 23
Chief Financial Officers' (CFO) Act agencies.
To help determine how SSA's disclosure policy affects information
sharing with law enforcement, we conducted site visits and detailed
interviews at SSA field offices and SSA's Office of the Inspector
General (OIG), as well as nearby field offices for federal, state, and
local law enforcement agencies in Los Angeles, California; Chicago,
Illinois; and Dallas, Texas. We also administered an electronic survey
to all SSA OIG field offices[Footnote 18] and a stratified random
sample of SSA field offices.
We interviewed SSA officials in both headquarters and field offices and
law enforcement officials at the federal, state, and local levels of
government about their experiences with sharing individuals' personal
information. At the headquarters level, we interviewed SSA officials
responsible for disclosure policy in the Office of General Counsel and
the SSA OIG, Baltimore, Maryland. We interviewed law enforcement
officials from the Departments of Justice and Treasury, including the
Federal Bureau of Investigation (FBI); Bureau of Immigration and
Customs Enforcement, formerly Immigration and Naturalization Service
(INS) and Customs; Executive Office for United States' Attorneys; Drug
Enforcement Agency; United States Marshals Service; Secret Service;
Internal Revenue Service (IRS); and Alcohol, Tobacco and Fire Arms,
headquartered in Washington, D.C. During the course of our review,
several of these law enforcement agencies merged into the Department of
Homeland Security, or were otherwise reorganized.[Footnote 19] We also
interviewed OIG officials for investigation at the Departments of
Education and Housing and Urban Development in Washington, D.C. Our
site visits included interviews with the Bureau of Immigration and
Customs Enforcement, at Dallas, Texas, and law enforcement officials of
the Arlington Police Department, Arlington, Virginia.
We surveyed SSA offices in order to: (1) estimate the type and volume
of law enforcement requests for personal information received by SSA;
(2) determine the distribution of these requests across federal, state,
and local law enforcement agencies; and (3) gain some understanding of
the bases for the granting and denial of these requests. Our working
definition of a personal information request is an instance for which a
law enforcement agency requested the personal information of one or
more individuals between fiscal years 1999 and 2002. For example, if a
law enforcement agency requested addresses for two people in a single
instance, this would count as one personal information request. We were
specifically interested in law enforcement agencies' requests for
personal information, such as social security numbers, names,
addresses, birth dates, and income.
We designed an Internet-based survey and organized it into multiple
sections that included the following areas: receipt of law enforcement
requests, response time for fulfilling law enforcement requests, and
methods for handling law enforcement requests. We selected a stratified
random sample of 335 SSA field offices to participate in the survey.
This number was based on an expected response rate as well as a
precision level. The sample was stratified by 10 regional locations and
taken from a listing of 1,286 field offices that SSA provided. The
original list contained 1,336 locations. Fifty locations that are not
considered field offices and, therefore, do not receive law enforcement
agency requests were excluded from the sampling frame. All 31 SSA
Inspector General offices were surveyed since these sites routinely
accept law enforcement agencies' requests for personal information. The
survey was mailed electronically to the manager in charge at SSA and
Inspector General field offices. Both office types received the same
on-line survey. Survey data were collected between February 25, 2003,
and March 21, 2003. The overall response rate was 90 percent; with 97
percent of the Inspector General's field offices and 90 percent of
SSA's field offices responding. Regional response rates in the sample
ranged from 86 percent to 95 percent across 10 regional locations.
To provide some indication of the reliability of the survey results,
standard errors were calculated. The sample was weighted in the
analysis to statistically account for the sample design and
nonresponse. We are 95 percent certain that the survey estimates
provided in this report are within plus or minus 10 percentage points
of those estimates that would have been obtained had all SSA offices
been captured.
To minimize some of the potential biases of other errors that could
figure into the survey results, we conducted pretests that included
both the SSA Inspector General and SSA field offices. Four pretest
sites were SSA field offices located in Wheaton, Maryland; Washington,
D.C. (Anacostia); Seattle, Washington; and Chicago, Illinois. One
pretest site was an SSA Inspector General office located in Washington,
D.C. The pretests were conducted either through teleconferences or
face-to-face interviews, and were completed between December 2002 and
January 2003.
We conducted our audit work between August 2002 and July 2003 in
accordance with generally accepted government auditing standards.
[End of section]
Appendix II: Chief Financial Officers' Act Agencies' Rules on
Disclosure of Records to Law Enforcement:
Federal agencies: Agriculture; Rule referencing Privacy Act disclosure
authority: 7 CFR 1.119; General routine use exception of Privacy Act
permits disclosure to law enforcement[A]: [Empty].
Federal agencies: Commerce; Rule referencing Privacy Act disclosure
authority: 15 CFR 4.30(a)(5)(vii); General routine use exception of
Privacy Act permits disclosure to law enforcement[A]: 46 FR 63501 (12/
31/81).
Federal agencies: Defense; Rule referencing Privacy Act disclosure
authority: 32 CFR 310.41; General routine use exception of Privacy Act
permits disclosure to law enforcement[A]: 32 CFR 310 App. C.
Federal agencies: Education; Rule referencing Privacy Act disclosure
authority: 34 CFR 5b.9(b)(7); General routine use exception of Privacy
Act permits disclosure to law enforcement[A]: 34 CFR 5b. App. B.
Federal agencies: Energy; Rule referencing Privacy Act disclosure
authority: 10 CFR 1008.17(b)(7); General routine use exception of
Privacy Act permits disclosure to law enforcement[A]: [Empty].
Federal agencies: Health and Human Services; Rule referencing Privacy
Act disclosure authority: 45 CFR 5b.9(b)(7); General routine use
exception of Privacy Act permits disclosure to law enforcement[A]: 45
CFR 5b. App. B.
Federal agencies: Housing and Urban Development; Rule referencing
Privacy Act disclosure authority: 24 CFR 16.11(a)(5); General routine
use exception of Privacy Act permits disclosure to law enforcement[A]:
2001 Privacy Act Issuance.
Federal agencies: Interior; Rule referencing Privacy Act disclosure
authority: 43 CFR 2.56(b)(5); General routine use exception of Privacy
Act permits disclosure to law enforcement[A]: [Empty].
Federal agencies: Justice; Rule referencing Privacy Act disclosure
authority: [Empty]; General routine use exception of Privacy Act
permits disclosure to law enforcement[A]: [Empty].
Federal agencies: Labor; Rule referencing Privacy Act disclosure
authority: [Empty]; General routine use exception of Privacy Act
permits disclosure to law enforcement[A]: 67 FR 16816 (4/8/02).
Federal agencies: State; Rule referencing Privacy Act disclosure
authority: [Empty]; General routine use exception of Privacy Act
permits disclosure to law enforcement[A]: 2001 Privacy Act Issuance.
Federal agencies: Transportation; Rule referencing Privacy Act
disclosure authority: 49 CFR 10.35(a)(7); General routine use exception
of Privacy Act permits disclosure to law enforcement[A]: 2001 Privacy
Act Issuance.
Federal agencies: Treasury; Rule referencing Privacy Act disclosure
authority: 31 CFR 1.24(a)(7); General routine use exception of Privacy
Act permits disclosure to law enforcement[A]: [Empty].
Federal agencies: Veterans Affairs; Rule referencing Privacy Act
disclosure authority: 38 CFR 1.576(b)(7); General routine use exception
of Privacy Act permits disclosure to law enforcement[A]: [Empty].
Federal agencies: Environmental Protection Agency; Rule referencing
Privacy Act disclosure authority: 40 CFR 16.10; General routine use
exception of Privacy Act permits disclosure to law enforcement[A]: 67
FR 8246 (2/22/02).
Federal agencies: National Aeronautics and Space Administration; Rule
referencing Privacy Act disclosure authority: 14 CFR 1212.203(f)(7);
General routine use exception of Privacy Act permits disclosure to law
enforcement[A]: 2001 Privacy Act Issuance.
Federal agencies: Agency for International Development; Rule
referencing Privacy Act disclosure authority: 22 CFR 215.10(c)(7);
General routine use exception of Privacy Act permits disclosure to law
enforcement[A]: 2001 Privacy Act Issuance.
Federal agencies: Federal Emergency Management Agency; Rule referencing
Privacy Act disclosure authority: 44 CFR 6.20(g); General routine use
exception of Privacy Act permits disclosure to law enforcement[A]: 67
FR 3193 (1/23/02).
Federal agencies: General Services Administration; Rule referencing
Privacy Act disclosure authority: 41 CFR 105-64.201(g); General routine
use exception of Privacy Act permits disclosure to law enforcement[A]:
[Empty].
Federal agencies: National Science Foundation; Rule referencing Privacy
Act disclosure authority: [Empty]; General routine use exception of
Privacy Act permits disclosure to law enforcement[A]: [Empty].
Federal agencies: Nuclear Regulatory Commission; Rule referencing
Privacy Act disclosure authority: 10 CFR 9.80(a)(7); General routine
use exception of Privacy Act permits disclosure to law enforcement[A]:
67 FR 63774 (10/15/02).
Federal agencies: Office of Personnel Management; Rule referencing
Privacy Act disclosure authority: 5 CFR 293.401(g) & 406; General
routine use exception of Privacy Act permits disclosure to law
enforcement[A]: 60 FR 63075 (12/8/95).
Federal agencies: Small Business Administration; Rule referencing
Privacy Act disclosure authority: 13 CFR 102.22(h); General routine use
exception of Privacy Act permits disclosure to law enforcement[A]:
[Empty].
Federal agencies: Social Security Administration; Rule referencing
Privacy Act disclosure authority: 20 CFR 401.110 plus more stringent
requirements; General routine use exception of Privacy Act permits
disclosure to law enforcement[A]: [Empty].
Source: GAO analysis, Office of General Counsel data.
[A] Agencies may also have provisions for routine use disclosures for
law enforcement for specific systems of records. The 2001 Compilation
of Privacy Act Issuances provides examples of specific systems of
records to which the law enforcement routine used is applied: for
example, Department of Agriculture, Agricultural Marketing Service,
Employment History Records for Licensed Nonfederal Employees (USDA/AMS-
1); General Services Administration, Employee-related files (GSA/
Agency-1); Small Business Administration, Audit Reports (SBA 015); and
Department of the Treasury, Treasury Integrated Management Information
Systems (Treasury/DO .002). The Privacy Act Issuances are available on-
line from the Government Printing Office (www.gpo.gov).
[End of table]
[End of section]
Appendix III: Comments from the Social Security Administration:
SOCIAL SECURITY:
The Commissioner:
August 29, 2003:
Ms. Barbara D. Bovbjerg Director, Education, Workforce and Income
Security Issues U.S. General Accounting Office Washington, D.C. 20548:
Dear Ms. Bovbjerg:
Thank you for the opportunity to review and comment on the draft report
"The Social Security Administration's (SSA) Disclosure Policy for Law
Enforcement Allows Information Sharing, But SSA Needs to Ensure
Consistent Application" (GAO-03-919). Our comments on the report are
enclosed.
If you have any questions, please have your staff contact Laura Bell at
(410) 965-2636.
Sincerely,
Jo Anne B. Barnhart:
Signed by Jo Anne B. Barnhart:
Enclosure:
SOCIAL SECURITY ADMINISTRATION BALTIMORE MD 21235-0001:
COMMENTS ON THE GENERAL ACCOUNTING OFFICE (GAO) DRAFT REPORT "THE
SOCIAL SECURITY ADMINISTRATION'S (SSA) DISCLOSURE POLICY FOR LAW
ENFORCEMENT ALLOWS INFORMATION SHARING, BUT SSA NEEDS TO ENSURE
CONSISTENT APPLICATION" (GAO-03-919):
Thank you for the opportunity to review and comment on the draft
report. We are concerned that the draft report presents an incomplete
description of both the statutory basis for and the rationale behind
our disclosure policy. Because the draft report does not take into
account either SSA's statutory authority or its obligations under the
Internal Revenue Code (IRC), we believe that GAO's findings and
recommendations are over-broad. In addition, we are providing relevant
information on our policy that we think should also be included in the
draft report because it affects the GAO conclusions that suggest that
our disclosure policy is too restrictive, confusing, and that we could
cooperate with law enforcement more.
General Comments:
The report accurately reflects that SSA considers its disclosure policy
to be an integral part of the Agency's mission. Our mission is to
"advance the economic security of the nation's people through
compassionate and vigilant leadership in shaping and managing America's
social security programs." To ensure proper service delivery to the
public and to enhance program stewardship, we must have access to a
great deal of personal information, including medical, earnings,
identity, and employment information. Given the very personal nature of
the information, it is imperative that members of the public trust that
we will maintain and use it in a private and secure manner. We have
always stressed the importance of protecting the privacy of such
information; we demonstrated our commitment to protect the privacy of
such information as early as 1937 when we issued our first regulation
concerning the privacy of information. It has been our experience that
the general population provides us with accurate and timely records,
knowing that their information will be safeguarded as promised.
Our responsibility to protect individuals' personal information
provides a natural tension with our commitment to be responsive to law
enforcement as we seek to balance those sometimes competing interests.
However, we are concerned that the report gives the impression that SSA
is not cooperative with law enforcement agencies. This may have been
unintentional, as the table in the report clearly shows multiple
examples of cooperation between SSA and the law enforcement community.
We have included some additional examples of cooperation below that
were not included in the draft report.
We believe that characterizing our policy as more restrictive than
"most Federal Agencies," many of which have little interaction with the
public at large, does SSA a disservice. We believe the report should be
presented in the context of how dependent our mission is on being able
to safeguard the personal information given to us on a daily basis. In
other words, SSA should be compared only to organizations whose
operations
are equally dependent on private data. Other agencies, whose missions
may not rely on safeguarding the personal information in their records
or may not maintain much personal information at all, may not need to
protect information to the same degree as SSA. To compare agencies that
have little interaction with the public at large with an agency like
SSA that interacts with nearly every person at some point in his or her
life is not a fair or useful comparison.
The only two agencies of SSA's size and scope with respect to gathering
information from the public to accomplish their missions --the Internal
Revenue Service (IRS) and the Bureau of the Census --are more
restrictive in their disclosure policies, and have statutes that
prohibit disclosure. SSA has an independent statutory basis for its
disclosure policy, a basis which the report does not acknowledge. In
addition to the Privacy Act, SSA records are protected by section 1106
of the Social Security Act. See 42 U.S.C. 1306. This statute prohibits
the release of any information obtained by any employee of the Social
Security Administration at any time, except as permitted by the
Commissioner's regulations and as otherwise permitted by federal law.
Id. Because of the highly sensitive data kept by the Agency in its
systems of records, Congress has granted the Commissioner additional
authority in statute, aside from that granted by the Privacy Act, to
determine whether such discretionary disclosures are appropriate.
Under section 1106, if a disclosure is not permitted under the
Commissioner's regulations, there are far more serious consequences for
the individual responsible for the disclosure than would be possible
under the Privacy Act. Specifically, under the Privacy Act, if an
employee improperly releases information, the individual whose records
were disclosed may bring a civil action against the agency for
injunctive relief and damages. 5 U.S.C. 552a(g). Damages will only be
awarded, however, if the agency acted willfully or intentionally.
Similarly, the Privacy Act's criminal penalties only apply if the
employee acted willfully. 5 U.S.C. 552a(i). However, under section
1106, the Social Security Act has a far lower threshold, as any person
who unlawfully discloses information protected by section 1106 (which
is all information possessed by SSA), regardless of intent, is guilty
of a felony, and may be fined up to $10,000, sent to prison for up to 5
years, or both.
Moreover, the report overlooks our ownership of and accountability for
information that falls under the Internal Revenue Code (IRC). A great
deal of data in our possession is considered tax return information,
and subject to the strict limitations on disclosure contained in the
IRC. See 26 U.S.C. 6103. Specifically, we obtain tax return information
to help administer our programs and to cooperate with IRS in combined
annual wage reporting. See 26 U.S.C. 6103(1). The IRC clearly states
that no one may disclose tax return information except as permitted in
that section. See 26 U.S.C. 6103(a). SSA works closely with the IRS on
disclosures of tax return information, especially in the law
enforcement context. Like the IRS, however, SSA must comply with the
provisions of the IRC that limit disclosure in the law enforcement
context. See 26 U.S.C. 6103(1). In several parts of the report, GAO
states that SSA does not disclose employer, wage, earnings, and address
information to law enforcement, and that law enforcement would like
this information. In most cases, however, disclosing this information
would be a
violation of the requirements of the IRC, and subject the employee to
felony criminal sanctions and immediate dismissal as outlined in the
IRC. See 26 U.S.C. 7213, 7213A.
The report does not explain that we often must deny requests because
requesters are seeking tax return information, and that the disclosure
of tax return information in the manner described is prohibited by law.
See 26 U.S.C. 6103. To the extent that GAO attributes such denials to
SSA's policy discretion, the report is fundamentally flawed. We believe
it would be more consistent with the stated purpose of the report to
consider only those requests that were not seeking tax return
information and thus were made exclusively under the SSA regulatory
scheme. Similarly, GAO should compare SSA to other agencies that use
and possess tax return information to determine whether SSA's
disclosure policy with respect to disclosure of tax return information
is consistent with those agencies' policies. Some of these agencies
include the Departments of Veterans Affairs, Health and Human Services,
Labor, Treasury, Commerce, and Justice. Finally, we are concerned that
the report contains several statements and recommendations based not on
survey findings, but on statements from individuals and on anecdotal
findings. Specifically, the report cites "a limited number of instances
where SSA's disclosure policy appears to have been inconsistently
applied" which is the basis for recommendation number one, while GAO's
survey data indicates a general satisfaction and understanding of the
policy. For this reason, GAO's conclusions are not supported by the
text of the report.[NOTE 1]
Our responses to the specific recommendations are provided below and we
have included technical comments that should be made to enhance the
accuracy of the report.
Recommendation 1:
The Commissioner of SSA should take steps to eliminate confusion about
the Agency's disclosure policy.
Comment:
We are pleased that the report acknowledges that, with few cited
exceptions, SSA employees follow appropriate disclosure policies and
that the law enforcement community generally understands and is
satisfied with the information shared.
Regarding the conclusion that the policy is confusing and that it may
not be consistently applied, we agree in part. While we acknowledge
that the policy is somewhat complex, we provide extensive instructions
in our Program Operations Manual System (POMS) for all employees. These
instructions are also available to the public and law enforcement
authorities. We recognize that some offices do not deal with law
enforcement disclosures
on a regular basis, which may lead to occasional inconsistent
application. However, our instructions refer staff to experts in
regional and central offices for assistance when needed.
With respect to the additional steps GAO identified that include
clarifying the policy and providing additional or refresher training to
staff, our regional offices have provided employees access to Intranet
sites that clarify disclosure policy. We will consider providing
additional refresher training as appropriate. In addition, we are
currently reviewing improvements to the POMS sections that address law
enforcement disclosures that we believe will address GAO's concerns.
SSA's field offices and SSA's regional disclosure coordinators already
have authority to respond to a proper law enforcement request. Our
field office employees use specific instructions in our POMS to respond
quickly as requests come in. They may also consult with our regional
disclosure coordinators located in each region, should additional
questions arise. However, we have concerns about the recommendation to
delegate "decision-making authority for law enforcement requests to
specified locations such as the OIG...." As mentioned in the report,
pursuant to the existing MOU between the Commissioner and the Inspector
General (IG), the IG has administrative authority to make limited
disclosures, which is different from decision-making authority. Under
the Inspector General Act of 1978, agencies are expressly prohibited
from transferring programmatic functions to Inspectors General. 5
U.S.C. app. 3 § 9(a)(2). In our view, delegation to the OIG of
decision-making authority would not be permitted by the IG Act.
Recommendation 2:
The Commissioner of SSA should provide law enforcement with information
on SSA's disclosure policy and procedures.
Comment:
We agree and we believe we have done so. As stated above, our POMS and
privacy policies are available to the law enforcement community and the
public. We note that the survey data indicates that most law
enforcement entities are pleased by our service. However, we will
review our Web site and other public informational materials to see if
additional material or formatting changes would be helpful.
NOTES:
[1] Our privacy practices were also referenced as a good example by GAO
in the July 2003 report titled "Privacy Act: Office of Management and
Budget Leadership Needed to Improve Agency Compliance" (GAO-03-304).
That report examined the application of the Privacy Act in 25 Federal
agencies. During our interaction with OMB on that report, GAO staff
complimented us on the thoroughness of our privacy policies and asked
for our advice on several issues such as "routine uses" and "systems of
records.":
[End of section]
Appendix IV: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Shelia Drake (202) 512-7172 (drakes@gao.gov) Jacqueline Harpp (202)
512-8380 (harppj@gao.gov):
Staff Acknowledgments:
In addition to those named above, Margaret Armen, Richard Burkard,
Malcolm Drewery, Kevin Jackson, Corinna Nicolaou, and David Plocher
made key contributions to this report. Barbara Hills, Theresa Mechem,
and Mimi Nguyen provided assistance with graphics.
FOOTNOTES
[1] This statute is codified at 42 U.S.C. 1306.
[2] FOIA provided the public a right of access to federal agency
records unless they are protected from disclosure by nine stated
exemptions.
[3] Generally applicable privacy-related requirements are also found in
the FOIA, the Paperwork Reduction Act of 1995, and the E-Government Act
of 2002, among others.
[4] The Privacy Act defines a system of records as a group of records
containing information about individuals under the control of the
agency from which information is retrieved by the name of the
individual or by some identifying number, symbol, or other identifier
assigned to the individual, such as an SSN.
[5] Agencies are required to publish notices in the Federal Register
concerning the establishment and revision of systems of records and to
ensure the security and confidentiality of the information in those
systems.
[6] Under implementing OMB guidance, disclosures may also be made to
state and local government law enforcement agencies, as well as to
federal agencies. "Responsibilities for the Maintenance of Records
About Individuals by Federal Agencies," Office of Management and
Budget, 40 FR 28948, 28955 (July 9, 1975). OMB found support for its
guidance regarding law enforcement disclosures in congressional floor
statements made regarding the Privacy Act legislation.
[7] Railroad Retirement benefits are authorized under the Railroad
Retirement Act and provide income protection to railroad workers and
their families during old age, times of disability, or the death of
qualified workers.
[8] As noted in figure 1, SSA's policy usually prohibits the disclosure
of individuals' personal information to law enforcement agencies when
the person whose information is requested is only suspected of a crime.
However, in this case, the Commissioner made the decision that it was
appropriate to give information on individuals suspected of the
criminal activity and the families of the victims.
[9] SSA's disclosure policy for nontax information is the subject of
this report since disclosure of tax information is only permitted by
the IRC.
[10] Components of some agencies have a disclosure policy that differs
from the disclosure policy of the agency of which they are a part. For
example, the Department of Commerce uses the Privacy Act to guide its
disclosures, while Census, which is a component of Commerce, has its
own statute. Similarly, IRS, which is a component of Treasury, has its
own statute.
[11] We identify the major federal agencies as the 24 agencies covered
by the Chief Financial Officers' Act of 1990 and 1994 legislation
designating SSA as an independent agency requiring a Chief Financial
Officer.
[12] 40 Fed. Reg. 28948, 28953, and 28955, July 9, 1975.
[13] The 2001 Compilation of Privacy Act Issuances provides examples of
specific systems of records to which the law enforcement routine used
is applied: for example, Department of Agriculture, Agricultural
Marketing Service, Employment History Records for Licensed Nonfederal
Employees (USDA/AMS-1); General Services Administration, Employee-
related files (GSA/Agency-1); Small Business Administration, Audit
Reports (SBA 015); and Department of the Treasury, Treasury Integrated
Management Information Systems (Treasury/DO .002). The Privacy Act
Issuances are available on-line from the Government Printing Office
(www.gpo.gov).
[14] The decennial census occurs every 10 years, in the years ending in
"0," to count the population and housing units for the entire United
States.
[15] The "program circle" consisted of 12 SSA field offices within the
area of this particular regional office.
[16] OMB guidance requires that agencies be able to reconstruct an
accurate and complete accounting of disclosures. However, we did not
request that SSA reconstruct the accounting of disclosures to law
enforcement agencies because it was beyond the scope of this
assignment, and according to SSA, such a request would involve a huge
undertaking.
[17] A custodial interference case usually involves the actions of one
spouse who kidnaps a child from the spouse who has custody of the
child. The Social Security account can provide information that could
help to locate the spouse who kidnapped the child.
[18] SSA OIG officials identified 31 field offices of its 60 locations
as the universe of field offices to survey. According to the officials,
the remaining locations are satellite offices that report to the 31
offices identified.
[19] Effective January 2003, the Bureau of Alcohol, Tobacco and
Firearms reorganized with the law enforcement functions transferred to
the Department of Justice, but the tax and trade functions remained in
the Department of the Treasury. Effective March 2003, the Secret
Service, Customs, and Immigration and Naturalization Service were
merged into the newly created Department of Homeland Security.
GAO's Mission:
The General Accounting Office, the investigative arm of Congress,
exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. General Accounting Office
441 G Street NW,
Room LM Washington,
D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S.
General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C.
20548:
