SOCIAL SECURITY ADMINISTRATION

PRIVACY IMPACT ASSESSMENT

 

·        Name of project.

Electronic Freedom of Information Act System

·        Unique project identifier.

P2105

·        Privacy Impact Assessment Contact.

eFOIA Project Officer

Information Technology Resource Management Staff

Office of the General Counsel

6401 Security Blvd.

Baltimore, MD  21235

·        Describe the information to be collected, why the information is being collected, the intended use of the information, and with whom the information will be shared.

Electronic Freedom of Information Act (eFOIA) System

The eFOIA System is a Social Security Administration (SSA) web-based system we use for processing electronic and paper requests for information under the Freedom of Information Act (FOIA).  We process initial requests and appeals of denials in eFOIA.  The eFOIA System is comprised of two applications.  The public may access the first application via our eFOIA Internet Website, and it contains electronic forms they can use to request information under the FOIA.  Once a person submits an online request form, the system generates an acknowledgement screen, which includes a case number and a telephone number should that person need to check on the status of his or her request.  The system then transfers the request to the eFOIA Case Processing System (CPS), which is the second application where we store it for development and response.  We scan all paper requests into the eFOIA CPS.  The eFOIA CPS automatically assigns the paper request a case number, generates an acknowledgement letter, and stores the request for development and response.  The public does not have access to the eFOIA CPS.

In order to process some requests received under the eFOIA System, our employees may access some existing agency systems to obtain the sought records.  For example, if a person seeks the Social Security record of a deceased person, an employee may access the agency system that maintains the record of all Social Security numbers (SSN) to find the corresponding record.  In addition, persons are able to make secure online credit card payments for certain types of requests that require us to charge a fee via the Department of Treasury’s Pay.gov service.  The eFOIA System transmits a record of all fees collected daily to our financial system for accounting purposes.

The eFOIA System allows us to keep current with the growing FOIA workload and more fully comply with the provisions of the Electronic Freedom of Information Act Amendments of 1996, the OPEN Government Act of 2007, and the President’s FOIA memorandum dated January 21, 2009.  The eFOIA System provides us with an efficient mechanism to manage, track, and control the FOIA workload, and respond to the requests as required under the FOIA.  We store records in the eFOIA System in accordance with our records retention schedule.

Collection of Information

In the eFOIA System, we collect and maintain information that is necessary to process FOIA requests.  For example, we collect the person’s name, address, telephone number, and the subject of the request, including any identifying information.

We will disclose this information only as necessary to our management officials and employees who require the information in performing their official duties, to the person who made the request under the FOIA, or as otherwise permitted by Federal law.  Although the public is permitted to access the applications in the eFOIA System to submit electronic FOIA requests, the information that we collect and maintain in the eFOIA System is not directly accessible to members of the public.

·        Describe the administrative and technological controls that are in place or that are planned to secure the information being collected.

Reducing Potential Risks to Individuals’ Privacy and Protecting Information Being Collected

Persons using the eFOIA System to make FOIA requests complete the online forms.  The system then transfers the requests to the eFOIA CPS.  Once the transfer of data occurs, the information entered in the forms is no longer accessible to the persons who made the electronic FOIA requests, or to other external users of the system.  If persons make follow-up requests, their initial information will not be displayed on the screen.

Administrative and Technological Controls that are in Place

We have performed authentication and security risk analyses on the eFOIA System.  The latter includes an evaluation of security and audit controls proven to be effective in protecting the information collected, stored, processed, and transmitted by our information systems.  These include technical, management, and operational controls that permit access only to persons with an official “need to know.” 

We secure the electronic information in the eFOIA System by requiring the use of access codes to enter the computer system that will house the data.  This process requires employees authorized to access the eFOIA System to use a unique Personal Identification Number.  We permit only our authorized employees who require the information to perform their official duties to access the eFOIA System.  We limit users’ access to only the information they need to perform their job functions.  We annually provide appropriate security awareness and training to all our employees and contractors that include reminders about the need to protect personally identifiable information and the criminal penalties that apply to unauthorized access to, or disclosure of, personally identifiable information.  See 5 U.S.C. § 552a(i)(1).  Furthermore, employees and contractors with access to databases maintaining personally identifiable information annually must sign a sanction document, acknowledging their accountability for inappropriately accessing or disclosing such information.

·        Describe the impact on individuals’ privacy rights.

Are individuals afforded an opportunity to decline to provide information? 

We collect information only when we have specific legal authority to do so to administer our responsibilities under the Social Security Act and the FOIA.  When we collect personal information from persons, we advise them of our legal authority for requesting the information, the purposes for which we will use and disclose the information, and the consequences of not providing any or all of the requested information.  The persons can then make informed decisions as to whether or not they should provide the information.

Use of our eFOIA Internet Website to make a FOIA request is voluntary.  Persons who choose to use the service must provide all the requested data elements necessary so that we can respond to their requests for information or records.  Persons may elect not to use our eFOIA Internet Website to make an electronic FOIA request.  However, we will control and maintain all FOIA requests we receive either in paper or electronic form within the eFOIA System. 

Are individuals afforded an opportunity to consent to only particular uses of the information?

When we collect information from persons, we advise them of the purposes for which we will use the information.  We further advise them that we will disclose this information without their prior written consent only when we have specific legal authority to do so (e.g., the Privacy Act).

·        Does the collection of this information require a new system of records under the Privacy Act (5 U.S.C. § 552a) or an alteration to an existing system of records?

No.  An existing system of records, the Electronic Freedom of Information Act (eFOIA) System (60-0340), covers the eFOIA System and it does not require any changes.  The eFOIA System may also use information that is collected and maintained for purposes related to other business processes already covered by existing Privacy Act systems of records.  For example, the SSNs of deceased persons are covered by system of records, Master Files of SSN Number Holders and SSN Applications (60-0058); and the agency’s financial accounting records, which record the fees collected for FOIA requests, are covered by system of records, Financial Transactions of SSA Accounting and Finance Offices (60-0231).


PIA CONDUCTED BY PRIVACY OFFICER, SSA:

Signature: /s/ Dawn S. Wiggins

Date: 11/03/09

PIA REVIEWED BY SENIOR AGENCY PRIVACY OFFICIAL, SSA:

Signature: /s/ David F. Black

Date: 11/18/09

