The privacy of all personal information SSA maintains in its databases is protected and controlled by a number of federal statutes, including section 1106 of the Social Security Act (Disclosure of any return or portion of a return filed with the Internal Revenue Service), the Privacy Act of 1974, section 6103 of the Internal Revenue Code, and related Social Security regulations and policies.
The Privacy Act and related legal authority noted above allow SSA to disclose information from its program records to federal, state, and local agencies for certain "routine uses." These routine uses, defined in the Privacy Act at 5 U.S.C. 552a(a)(7), are permissive uses of information collected by SSA; the Act defines the term to mean, "with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected."
Thus, when a federal, state, or local agency requests data from SSA, the agency must ensure:
- The purpose of the request is compatible with administration of its own programs.
- Compatibility is established when the federal, state, or local agency requester is asking for data to assist in the administration of programs under the Social Security Act and other federal, state, and local health and income maintenance programs concerning determinations related to eligibility, benefit amounts or benefit status.
- SSA's Office of Public Disclosure (located in the Office of the General Counsel) evaluates all requests to ensure that compatibility is established and that a specific routine use is present in the applicable Privacy Act system of records (from which data will be disclosed).
The Computer Matching and Privacy Protection Act of 1988 (CMPPA) (and its amendments in 1990), 5 U.S. Code 552a (a)(8)-(13), (3)(12), (o), (p), (q), (r), & (u), sets requirements that federal agencies must follow when matching information on individuals with information held by other federal, state or local agencies.
Matches covered under the CMPPA must meet certain stringent requirements. Generally, if a match will have an adverse effect on an individual or can reveal personally identifiable information (PII), then certain provisions of the CMPPA come into play and govern the content, format, processing, administration, and length of the life of the match. Certain administrative or enforcement actions that require specific information such as medical records or involve other confidential information may require the consent of the individual.
The CMPPA, as interpreted by OMB, provides certain guidelines for computer matches related to verification, notification, data accuracy, etc., to ensure that computer matches are performed uniformly throughout the federal government and provide protections to the individual as provided under the Privacy Act.
The Privacy Act regulates the “‘collection, maintenance, use, and dissemination of information’” about individuals by federal agencies. It “authorizes civil suits by individuals . . . whose Privacy Act rights are infringed,” and provides for criminal penalties against federal officials who willfully disclose a record in violation of the Act, 5 U.S.C. § 552a(i)(1) Criminal Penalties.
Any officer or employee of an agency, who by virtue of his employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by this section or by rules or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and as described below.
- Any officer or employee of any agency who willfully maintains a system of records without meeting the notice requirements of subsection (e)(4) of this section shall be guilty of a misdemeanor and fined not more than $5,000.
- Any person who knowingly and willfully requests or obtains any record concerning an individual from an agency under false pretenses shall be guilty of a misdemeanor and fined not more than $5,000.