Social Security Numbers:
Government Benefits from SSN Use but Could Provide Better Safeguards
GAO-02-352: Published: May 31, 2002. Publicly Released: May 31, 2002.
The Social Security number (SSN) was created in 1936 to track workers' earnings and eligibility for Social Security benefits. Because SSNs are unique identifiers and do not change, the numbers provide a convenient and efficient way to manage records. Government agencies are taking some steps to safeguard the number, but some protections are not uniformly in place at any level of government. Many of the state and county agencies responding to GAO's survey maintain records that contain SSNs; federal agencies maintain public records less frequently. At the state and county levels, some offices, such as state professional licensing agencies and county recorders' offices, have traditionally been repositories for public records that may contain SSNs. Some government agencies are trying to better safeguard the SSN by trying innovative approaches to protect them from public display. For example, some agencies and courts are modifying their processes or their forms so that they can collect SSNs but prevent the number from becoming part of the publicly available record. The most far-reaching efforts took place in states with a statewide initiative that established a policy and procedures designed to protect individuals' personal information, including SSNs, in all circumstances where they collect, store, and use it.
Matter for Congressional Consideration
Status: Closed - Not Implemented
Comments: Congress has not taken action on this recommendation to date.
Matter: To address SSN security and display issues in state and local government and in public records, including those maintained by the judicial branch of government at all levels, Congress may wish to convene, in consultation with the president, a representative group of federal, state and local officials including, for example, state attorneys general, county recorders, and state and local chief information officers, selected members of Congress, and state or local elected officials, to develop a unified approach to safeguarding SSNs used in all levels of government and particularly those displayed in public records. This approach could include recommendations for congressional consideration. GAO could assist in identifying representative participants in convening the group.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: In response to GAO's recommendation, in early 2004 at a meeting whose attendees included federal privacy officials, OMB discussed federal agencies' practices for safeguarding individuals' personal information and providing the information required under Section 7 of the Privacy Act. Based on the feedback it received, OMB officials decided that, beyond this discussion, they could best assist federal agencies on an ad hoc basis at their request rather than disseminate additional guidance to all federal agencies.
Recommendation: The Privacy Act and other federal laws prescribe actions federal departments and agencies must take to assure the security of SSNs and other personal information. Because these requirements may not be uniformly observed, the administrator, Office of Information and Regulatory Affairs, Office of Management and Budget (OMB), should direct federal agencies to review their practices for securing SSNs and providing required information. As part of this effort, agencies should also review their practices for displaying SSNs.
Agency Affected: Executive Office of the President: Office of Management and Budget: Office of Information and Regulatory Affairs
Status: Closed - Implemented
Comments: In consideration of GAO's recommendation, in June 2004 OMB officials discussed requirements under Section 7 of the Privacy Act with officials representing the National Association of Attorney Generals, National Conference of State Legislatures, States CIOs, and federal and state privacy offices. Based on input from these groups, OMB officials said they believe this discussion was sufficient; however, they will continue to provide additional guidance on an ad hoc basis as requested by state and local governments.
Recommendation: To better inform state and local governments of their responsibility under section 7 of the Privacy Act, the Administrator, Office of Information and Regulatory Affairs, OMB, should direct his staff to augment the Privacy Act guidance by specifically noting that section 7 applies to all federal, state and local government agencies that request SSNs, or take other appropriate steps.
Agency Affected: Congress