· Name of project.
· Unique project identifier.
· Privacy Impact Assessment Contact.
Center for Internet Customer
Office of Electronic Services
Social Security Administration
· Describe the information to be collected, why the information is being collected, the intended use of the information and with whom the information will be shared.
Retirement Estimator (RE) System
RE is an online system that allows individuals to calculate an estimate of their retirement benefit in real-time based on their Social Security earnings records. After a secure log-in during which their identity is authenticated, users can perform a number of “what if” scenarios based on information they will provide to create retirement benefit estimates. The RE system cannot produce actual retirement benefit amounts. For those amounts, a user must file an application.
Users must input personal data elements in order to produce retirement benefit estimates based on their scenario(s). The RE system will provide information comparable to that on the annual Social Security Statement. Users should request retirement benefit estimates only from their earnings record. Users who already receive retirement benefits based on their earnings are not eligible to use the RE system.
Collection of information
SSA will collect information that the users will provide (i.e., name, Social Security number (SSN), date of birth (DOB)). SSA needs this information to authenticate the identity of the user and then associate the authenticated identity information with the appropriate SSA records required under the electronic process. SSA will also collect information such as the user’s most recent prior year’s earnings. Users can perform “what if” scenarios based on the age when they will stop working and anticipated future earnings. SSA will collect only that information necessary to authenticate the user’s identity, estimated earnings, and, as necessary, the age when the user expects to stop working.
The information that SSA collects will be linked with information previously collected when the user filed for an SSN. Once the user’s identity is authenticated, the information the user enters about prior year’s earnings or projected earnings will link with the user’s earnings record. The RE system will then calculate and produce a retirement benefit estimate that the user may print out. Although the RE application will link to the user’s earnings record, at no time will the user’s earnings record be displayed during the process. Further, the RE system will not maintain any of the data elements input by the user. The retirement benefit estimate that is produced will be shared only with the individuals inputting the required information.
· Describe the administrative and technological controls that are in place or that are planned to secure the information being collected.
Reducing Potential Risks to Individuals’ Privacy and Protecting Information Being Collected
Users of this system should request retirement benefit estimates only from earnings records on which they are the actual subject of the record. It is conceivable that someone other than the user could have knowledge of the identity data elements that we require for using the RE system (i.e., name, SSN, DOB). However, any effort to obtain personal information about another individual from SSA under false pretenses, or without the express consent of the subject of the record, is an unauthorized access and violates the Privacy Act of 1974. SSA makes an earnest effort to protect access to and prevent unauthorized disclosure of records. To reduce those vulnerabilities and to discourage individuals from unauthorized access to the RE system (i.e., under false pretenses), all users must agree that they have not misrepresented their true identities to obtain information from SSA records by selecting “I Agree” on the application’s Acknowledgement Page. Individuals who misrepresent their identity could be punished by a fine, imprisonment, or both. As a further effort to protect the users’ personal information, at no time does the RE system display identity information other than what the users input, and no actual earnings records will be displayed for the users’ retirement benefit scenario(s). In addition, individuals who want to prevent access to their personal information via the online RE system, as well as from other online or automated telephone systems, can block access to their personal information by contacting SSA.
Administrative and Technological controls that are in place
The RE system has undergone authentication and security risk analysis. The latter includes an evaluation of security and audit controls proven to be effective in protecting the information collected, stored, processed, and transmitted by Agency information systems. These include technical, management, and operational controls that permit access to Agency information only to individuals with a “need to know,” and that give individuals the minimum amount of access needed to perform their job functions. Audit mechanisms are in place to record sensitive transactions as an additional measure to protect information from unauthorized disclosure or modification.
Access to RE information will be given only to authorized SSA personnel who have a need for the information in the performance of their official duties. We will protect the information by requiring employees’ use of unique Personal Identity Numbers to access the information systems that will maintain the data, and we will store computerized records in secure areas that are accessible only to employees who require the information in the performance of their official duties. Furthermore, if SSA employees have access to SSA information systems that maintain personal information, they must sign a sanction document annually that acknowledges penalties should they gain unauthorized access to or make an unauthorized disclosure of such information.
· Describe the impact on individuals’ privacy rights.
Are individuals afforded an opportunity to decline to provide information?
We collect information only where we have specific legal authority to do so and this information is collected primarily to administer our responsibilities under the Social Security Act. When we collect information from individuals, we advise them of our legal authority for requesting the information and explain how they may be affected if they choose not to provide the information. The individuals can then make an informed decision whether or not to provide the information.
Use of the RE system is voluntary. Individuals who choose to use this service must provide all the requested data elements necessary to authenticate their identity in order to produce retirement benefit estimates. If individuals do not want the RE system to be available to provide a retirement benefit estimate from their earnings record, the individuals may ask SSA not to allow the use of their SSN for SSA’s online or automated telephone service.
Are individuals afforded an opportunity to consent to only particular uses of the information?
When we collect information from individuals, we advise them of the purposes for which we will use the information. We further advise them that we will disclose this information without their prior written consent only when we have specific authority in Federal statute (e.g., the Privacy Act) to do so.
The identity information that is requested from users of the RE system is already maintained in Agency records as it was collected at the time the user filed for an SSN. None of the retirement scenario information entered by the user in order to produce a retirement benefit estimate will be maintained in the RE system, and thus it will not be disclosed to anyone other than the user.
· Does the collection of this information require a new system of records under the Privacy Act (5 U.S.C. § 552a) or an alteration to an existing system of records?
The Retirement Estimator (RE) system is not a Privacy Act system of records. The RE system will disseminate retirement benefit estimates to users, but will not maintain any of the information that it collects from or disseminates to users. Identification information provided by the user (name, SSN and DOB) will be authenticated against data elements already covered by the existing system of records, Master Files of SSN Number Holders, and SSN Applications (60-0058). Authenticated identity data and earnings estimate information that the user provides will link with the existing system of records, Earnings Recording and Self-Employment Income System (60-0059).
PIA CONDUCTED BY PRIVACY OFFICER, SSA:
______________________________ 02/26/07
PIA REVIEWED BY SENIOR AGENCY PRIVACY OFFICIAL, SSA:
/S/ Thomas W. Crawley 02/28/07