Identity Management System (IDMS)
System number:
60-0361.
System name:
Identity Management System (IDMS).
Security classification:
None.
System location:
Individuals who require regular, ongoing access to Agency facilities,
information technology systems, or information classified in the interest of
national security, including applicants for employment or contracts, Federal
employees, contractors, students, interns, volunteers, affiliates, and
individuals formerly in any of these positions. The system also includes
individuals authorized to perform or use services provided in Agency facilities
(e.g., Credit Union,
The system does not apply to occasional visitors or short-term guests to whom
SSA will issue temporary identification and credentials.
Records maintained on individuals issued credentials by SSA include the
following data fields: full name, Social Security number (SSN); date of birth;
signature; image (photograph); fingerprints; hair color; eye color; height;
weight; organization/office of assignment; company name; telephone number; copy
of background investigation form; PIV card issue and expiration dates; personal
identification number (PIN); results of background investigation; PIV request
form; PIV registrar approval signature; PIV card serial number; emergency
responder designation; copies of documents used to verify identification or
information derived from those documents such as document title, document
issuing authority, document number, document expiration date, document other
information; level of national security clearance and expiration date; computer
system user name; user access and permission rights, authentication
certificates; and digital signature information.
Records maintained on card holders entering SSA facilities or using SSA systems
include: name, PIV Card serial number; date, time, and location of entry and
exit; company name; level of national security clearance and expiration date;
fingerprints; digital signature information; computer networks/applications/data
accessed.
Authority for maintenance of the system:
5 U.S.C.
301; Federal Information Security Act (Pub. L. 104-106, section
5113); Electronic Government Act (Pub. L. 104-347, section 203); the Paperwork
Reduction Act of 1995 (44
U.S.C. 3501); and the Government Paperwork Elimination Act (P.L.
105-277, 44 U.S.C. 3504); Homeland Security Presidential Directive (HSPD) 12,
Policy for a Common Identification Standard for Federal Employees and
Contractors, August 27, 2004; Federal Property and Administrative Act of 1949,
as amended.
Purpose:
The primary purposes of the system are: (a) To ensure the safety and security of
SSA facilities, systems, or information, and its'occupants and users; (b) to
verify that all persons entering Federal facilities, using Federal information
resources, are authorized to do so; and (c) to track and control PIV cards
issued to persons entering and exiting the facilities or using systems.
Note: Disclosures within SSA of data obtained from the IDMS that pertain to date
and time of entry and exit of an agency employee working in the District of
Columbia may not be made to supervisors, managers or any other persons (other
than the individual to whom the information applies) to verify employee time and
attendance records for personnel actions because 5 U.S.C.
6106 prohibits Federal Executive agencies (other than the Bureau of
Engraving and Printing) from using a recording clock within the District of
Columbia, unless used as a part of a flexible schedule program under 5 U.S.C.
6120 et seq.
Routine uses of records maintained in the system, including categories of users
and the purposes of such uses:
Information may be disclosed for routine uses as indicated below:
1. To the Office of the President for the purpose of responding to an individual
pursuant to an inquiry received from that individual or from a third party on
his or her behalf.
2. To a congressional office in response to an inquiry from that office made at
the request of the subject of a record.
3. To the Department of Justice (DOJ), a court or other tribunal, or another
party before such tribunal when:
(a) The Social Security Administration (SSA), or any component thereof; or
(b) any SSA employee in his/her official capacity; or
(c) any SSA employee in his/her individual capacity where DOJ (or SSA where it
is authorized to do so) has agreed to represent the employee; or
(d) the United States or any agency thereof where SSA determines that the
litigation is likely to affect the operation of SSA or any of its components, is
a party to litigation or has an interest in such litigation, and SSA determines
that the use of such records by DOJ, a court or other tribunal, or another party
before such tribunal, is relevant and necessary to the litigation, provided,
however, that in each case SSA determines that such disclosure is compatible
with the purpose for which the records were collected.
4. To student volunteers, individuals working under a personal services
contract, and other individuals performing functions for SSA but technically not
having the status of agency employees, if they need access to the records in
order to perform their assigned agency functions.
5. To the appropriate public authority whether a Federal, foreign, State, local
or tribal agency, except as noted on Forms SF 85, 85-P, and 86, when a record on
its face, or in conjunction with other records, indicates a violation or
potential violation of law, whether civil, criminal, or regulatory in nature,
and whether arising by general statute or particular program statute, or by
regulation, rule, or order issued pursuant thereto, for enforcing, investigating
or prosecuting such violation or charged with enforcing or implementing the
statute, or rule, regulation, or order issued pursuant thereto, if the
information disclosed is relevant to any enforcement, regulatory, investigative
or prosecutorial responsibility of the receiving entity.
6. To a Federal State, local, foreign, or tribal or other public authority the
fact that this system of records contains information relevant to the retention
of an employee, the retention of a security clearance, the letting of a
contract, or the issuance or retention of a license, grant, or other benefit.
The other agency or licensing organization may then make a request supported by
the written consent of the individual for the entire record if it so chooses. No
disclosure will be made unless the information has been determined to be
sufficiently reliable to support a referral to another office within the agency
or to another Federal agency for criminal, civil, administrative personnel or
regulatory action.
7. To a Federal, State, or local agency, or other appropriate entities or
individuals, or through established liaison channels to selected foreign
governments, in order to enable an intelligence agency to carry out its
responsibilities under the National Security Act of 1947 as amended, the CIA Act
of 1949 as amended, Executive Order 12333 or any successor order, applicable
national security directives, or classified implementing procedures approved by
the Attorney General and promulgated pursuant to such statutes, orders or
directives.
8. To notify another Federal agency when, or verify whether, a PIV card is no
longer valid.
9. To the Equal Employment Opportunity Commission when requested in connection
with investigations into alleged or possible discriminatory practices in the
Federal sector, examination of Federal affirmative employment programs,
compliance by Federal agencies with the Uniform Guidelines on Employee Selection
Procedures, or other functions vested in the Commission.
10. To the Federal Labor Relations Authority, the Office of the Special Counsel,
the Federal Mediation and Conciliation Service, the Federal Service Impasses
Panel, or an arbitrator when information is requested in connection with the
investigations of allegations of unfair practices, matters before an arbitrator
or the Federal Service Impasses Panel.
11. To the Merit Systems Protection Board or the Office of Special Counsel in
connection with appeals, special studies of the civil service and other merit
systems, review of rules and regulations, investigation of alleged or possible
prohibited personnel practices, and other such functions promulgated in 5 U.S.C.
Chapter 12, or as may be authorized by law.
12. To contractors and other Federal agencies, as necessary, for the purpose of
assisting Social Security Administration (SSA) in the efficient administration
of its programs. We will disclose information under this routine use only in
situations in which SSA may enter a contractual or similar agreement with a
third party to assist in accomplishing an agency function relating to this
system of records.
13. To Federal, State, and local law enforcement agencies and private security
contractors, as appropriate, information necessary: (a) To enable them to
protect the safety of SSA employees and the public, the security of the SSA
workplace, and the operation of SSA facilities; or (b) to assist investigations
or prosecutions with respect to activities that affect such safety and security
or activities that disrupt the operation of SSA facilities.
14. To the National Archives and Records Administration or to the General
Services Administration for records management inspections conducted under 44 U.S.C.
2904 and 2906.
15. We may disclose information to appropriate Federal, State, and local agencies, entities, and persons when (1) we suspect or confirm that the security or confidentiality of information in this system of records has been compromised; (2) we determine that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs of SSA that rely upon the compromised information; and (3) we determine that disclosing the information to such agencies, entities, and persons is necessary to assist in our efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. SSA will use this routine use to respond only to those incidents involving an unintentional release of its records.
Policies and practices for storing, retrieving, accessing, retaining and
disposing of records in the system: Storage:
Records are stored in electronic media and in paper files.
Retrievability:
Records are retrievable by name, SSN, other ID number, PIV card serial number,
image (photograph), fingerprint.
Safeguards:
Paper records are kept in locked cabinets in secure facilities and access to
them is restricted to individuals whose role requires use of the records. The
computer servers in which records are stored are located in a secure environment
within SSA's
An audit trail is maintained and reviewed periodically to identify unauthorized
access. Persons given roles in the PIV process must complete training specific
to their roles to ensure they are knowledgeable about how to protect
individually identifiable information.
Records relating to persons' access covered by this system are retained in
accordance with General Records Schedule (GRS) 18, Item 17 approved by the
National Archives and Records Administration (NARA). Records will be maintained
indefinitely until
All other records relating to individuals under this system are retained and
disposed of in accordance with GRS 18, item 22a, approved by
In accordance with HSPD-12, PIV cards are deactivated within 18 hours of
cardholder separation, loss of card, or expiration. The information on PIV cards
is maintained in accordance with GRS 11, Item 4. PIV cards are destroyed by
cross-cut shredding no later than 90 days after deactivation.
HSPD-12 Project Manager, SSA, Room 1300 Dunleavy Bldg.,
An individual can determine if this system contains a record pertaining to
him/her by sending a signed, written request to the system manager at the above
address. When requesting notification of or access to records covered by this
Notice, an individual should provide his/her full name, date of birth, Agency
name, and work location. An individual requesting notification of records in
person must provide identity documents sufficient to satisfy the custodian of
the records that the requester is entitled to access, such as a
government-issued photo ID. Individuals requesting notification via mail or
telephone must furnish, at minimum, name, date of birth, SSN, and home address
in order to establish identity. These procedures are in accordance with SSA
Regulations (20 CFR 401.40(c)).
Records access procedures:
Same as notification procedures. Requesters should also reasonably specify the
record contents being sought. These procedures are in accordance with SSA
Regulations (20 CFR 401.40(c)). If additional information or assistance is
required, contact the system manager at the above address. SSA may withhold from
a record in this system of records from access by the subject of the record
pursuant to subsection (d)(5) of the Privacy Act (5
U.S.C. 552a(d)(5)) in certain situations (e.g, a record that may
relate to a civil action or proceeding).
Contesting record procedures:
Same as notification procedures. Requesters should also reasonably identify the
record, specify the information they are contesting, state the corrective action
sought and the reasons for the correction along with supporting justification
showing why the record is not accurate, timely, relevant, or complete. These
procedures are in accordance with SSA Regulations (20 CFR 401.40(c)). If
additional information or assistance is required, contact the system manager at
the above address.
Record source categories:
Employee, contractor, or applicant; sponsoring agency; former sponsoring agency;
other Federal agencies; contract employer; former employer.
System exempted from certain provisions of the Privacy Act:
None.