SOCIAL SECURITY ADMINISTRATION

PRIVACY IMPACT ASSESSMENT

 

· Name of project.

LENEL Security Access System

· Unique project identifier.

016-00-SSA/PSS-G-003

· Privacy Impact Assessment Contact.

Director
Office of Protective Security Services
Office of Facilities Management
Social Security Administration
6410 Security Boulevard
Baltimore, MD 21235

· Describe the information to be collected, why the information is being collected, the intended use of the information and with whom the information will be shared.

LENEL Security Access System (LSAS) is a Social Security Administration (SSA) certified and accredited General Support System consisting of several sub-systems that monitor and control access/egress to all areas of the National Computer Center (NCC) and adjacent utility building.  In addition, LSAS monitors sector security, annunciates alarms, and generates reports in the Emergency Command Control Center.  LSAS was formerly known as the LOGIPLEX Security Access System (LOGIPLEX).  LSAS has replaced LOGIPLEX as the access system that monitors and controls entrance and egress to the NCC and adjacent building.

LSAS contains the name, badge number, employer name, access level, and unique 4- or 5-digit number (Card PIN) of employees, vendors and contractors with a legitimate need for authorized entry to the secured Automated Data Processing (ADP) areas in the NCC and adjacent building.  LSAS determines that the correct Card PIN was entered for the card presented to the card reader and that the individual is authorized access to that area.  The system records (and/or sounds an alarm in designated areas) unauthorized attempts to enter a protected zone or attempts to tamper with security sensors.

LSAS is used to safeguard personal and sensitive records about individuals, and restrict access to SSA's computer facility and other secured areas which house the records.  LSAS collects information to verify individuals’ access to a given secured area and to provide a record of those individuals authorized to access various areas of the NCC and adjacent building when they do so.  In addition to ensuring the security of the computer facility and secured areas, data in the system is also used for management purposes to ensure and to verify time and attendance when employee fraud or abuse is suspected. 

This information is disclosed only as necessary to management officials and employees responsible for ensuring the appropriate individuals have authorized entry to secured ADP areas, and to undertake investigations of or other corrective measures against individuals gaining entrance without authorization, or as authorized by Federal law.  LSAS is not accessible to members of the public or to the general SSA community.  

· Describe the administrative and technological controls that are in place or that are planned to secure the information being collected.

LSAS has undergone authentication and security risk analyses.  The latter includes an evaluation of security and audit controls proven to be effective in protecting the information collected, stored, processed, and transmitted by our information systems.  These include technical, management, and operational controls that permit access to those users who have an official “need to know.”  Audit mechanisms are in place to record sensitive transactions as an additional measure to protect information from unauthorized disclosure or modification.

We protect the information in LSAS by requiring individuals who are authorized to access the information system to use a unique Personal Identification Number.  In addition, we store the computerized records in secure areas that are accessible to those employees who require the information to perform their official duties.  Furthermore, all of the individuals who have access to our information systems that maintain personal information must sign a sanction document annually that acknowledges penalties for unauthorized access to, or disclosure of, such information.

· Describe the impact on individuals’ privacy rights.

Are individuals afforded an opportunity to decline to provide information? 

We collect information only where we have specific legal authority to do so in order to administer our responsibilities under the Social Security Act.  When we collect personal information from individuals, including employees and contractors, we advise them of our legal authority for requesting the information, the purposes for which we will use and disclose the information, and the consequences of their not providing any or all of the requested information.  The individuals can then make informed decisions as to whether or not they should provide the information.

Are individuals afforded an opportunity to consent to only particular uses of the information?

When we collect information from individuals, including employees and contractors, we advise them of the purposes for which we will use the information.  We further advise them that we will disclose this information without their prior written consent only when we have specific legal authority to do so (e.g., the Privacy Act).  

· Does the collection of this information require a new system of records under the Privacy Act (5 U.S.C. § 552a) or an alteration to an existing system of records?

No.  LSAS is covered by an existing system of records, Record of Individuals Authorized Entry to Secured Automated Data Processing Area (60-0210), and it does not require any alterations.

PIA CONDUCTED BY PRIVACY OFFICER, SSA:

Privacy Officer Vince Dormarunno Signature                                       September 8, 2008__

SIGNATURE                                                             DATE

PIA REVIEWED BY SENIOR AGENCY PRIVACY OFFICIAL, SSA:

 /s/   David F. Black________                                    September 11, 2008__

SIGNATURE                                                             DATE

