Regulations last checked for updates: Nov 25, 2024

Title 20 - Employees' Benefits last revised: Sep 30, 2024
§ 401.30 - Privacy Act and other responsibilities.

(a) Policy. Our policy is to protect the privacy of individuals to the fullest extent possible while nonetheless permitting the exchange of records required to fulfill our administrative and program responsibilities, and responsibilities for disclosing records which the general public is entitled to have under the Freedom of Information Act, 5 U.S.C. 552,and.

(b) Maintenance of records. We will maintain no record unless:

(1) It is relevant and necessary to accomplish an SSA function which is required to be accomplished by statute or Executive Order;

(2) We obtain the information in the record, as much as it is practicable, from the subject individual if we may use the record to determine an individual's rights, benefits or privileges under Federal programs;

(3) We inform the individual providing the record to us of the authority for our asking him or her to provide the record (including whether providing the record is mandatory or voluntary, the principal purpose for maintaining the record, the routine uses for the record, and what effect his or her refusal to provide the record may have on him or her). Further, the individual agrees to provide the record, if the individual is not required by statute or Executive Order to do so.

(c) First Amendment rights. We will keep no record which describes how an individual exercises rights guaranteed by the First Amendment unless we are expressly authorized:

(1) By statute,

(2) By the subject individual, or

(3) Unless pertinent to and within the scope of an authorized law enforcement activity.

(d) Privacy Officer. The Privacy Officer is an advisor to the Agency on all privacy policy and disclosure matters. The Privacy Officer coordinates the development and implementation of Agency privacy policies and related legal requirements to ensure Privacy Act compliance, and monitors the coordination, collection, maintenance, use and disclosure of personal information. The Privacy Officer also ensures the integration of privacy principles into information technology systems architecture and technical designs, and generally provides to Agency officials policy guidance and directives in carrying out the privacy and disclosure policy.

(e) Senior Agency Official for Privacy. The Senior Agency Official for Privacy assumes overall responsibility and accountability for ensuring the agency's implementation of information privacy protections as well as agency compliance with federal laws, regulations, and policies relating to the privacy of information, such as the Privacy Act. The compliance efforts also include reviewing information privacy procedures to ensure that they are comprehensive and up-to-date and, where additional or revised procedures may be called for, working with the relevant agency offices in the consideration, adoption, and implementation of such procedures. The official also ensures that agency employees and contractors receive appropriate training and education programs regarding the information privacy laws, regulations, polices and procedures governing the agency's handling of personal information. In addition to the compliance role, the official has a central policy-making role in the agency's development and evaluation of legislative, regulatory and other policy proposals which might implicate information privacy issues, including those relating to the collection, use, sharing, and disclosure of personal information.

(f) Privacy Impact Assessment. In our comprehensive Privacy Impact Assessment (PIA) review process, we incorporate the tenets of privacy law, SSA privacy regulations, and privacy policy directly into the development of certain Information Technology projects. Our review examines the risks and ramifications of collecting, maintaining and disseminating information in identifiable form in an electronic information system and identifies and evaluates protections and alternate processes to reduce the risk of unauthorized disclosures. As we accomplish the PIA review, we ask systems personnel and program personnel to resolve questions on data needs and data protection prior to the development of the electronic system.

[62 FR 4143, Jan. 29, 1997, as amended at 72 FR 20939, Apr. 27, 2007]
§ 401.35 - Your right to request records.

The Privacy Act gives you the right to direct access to most records about yourself that are in our systems of records. Exceptions to this Privacy Act right include—

(a) Special procedures for access to certain medical records (see 5 U.S.C. 552a(f)(3) and § 401.55);

(b) Unavailability of certain criminal law enforcement records (see 5 U.S.C. 552a(k), and § 401.85); and

(c) Unavailability of records compiled in reasonable anticipation of a court action or formal administrative proceeding.

Note to § 401.35:

The Freedom of Information Act (see 20 CFR part 402) allows you to request information from SSA whether or not it is in a system of records.

§ 401.40 - How to get your own records.

(a) Your right to notification and access. Subject to the provisions governing medical records in § 401.55, you may ask for notification of or access to any record about yourself that is in an SSA system of records. If you are a minor, you may get information about yourself under the same rules as for an adult. Under the Privacy Act, if you are the parent or guardian of a minor, or the legal guardian of someone who has been declared legally incompetent, and you are acting on his or her behalf, you may ask for information about that individual. You may be accompanied by another individual of your choice when you request access to a record in person, provided that you affirmatively authorize the presence of such other individual during any discussion of a record to which you are requesting access.

(b) Identifying the records. At the time of your request, you must specify which systems of records you wish to have searched and the records to which you wish to have access. You may also request copies of all or any such records. Also, we may ask you to provide sufficient particulars to enable us to distinguish between records on individuals with the same name. The necessary particulars are set forth in the notices of systems of records which are published in the Federal Register.

(c) Requesting notification or access. To request notification of or access to a record, you may visit your local social security office or write to the manager of the SSA system of records. The name and address of the manager of the system is part of the notice of systems of records. Every local social security office keeps a copy of the Federal Register containing that notice. That office can also help you get access to your record. You do not need to use any special form to ask for a record about you in our files, but your request must give enough identifying information about the record you want to enable us to find your particular record. This identifying information should include the system of records in which the record is located and the name and social security number (or other identifier) under which the record is filed. We do not honor requests for all records, all information, or similar blanket requests. Before granting notification of or access to a record, we may, if you are making your request in person, require you to put your request in writing if you have not already done so.

§ 401.45 - Verifying your identity.

(a) When required. Unless you are making a request for notification of or access to a record in person, and you are personally known to the SSA representative, you must verify your identity in accordance with paragraph (b) of this section if:

(1) You make a request for notification of a record and we determine that the mere notice of the existence of the record would be a clearly unwarranted invasion of privacy if disclosed to someone other than the subject individual; or,

(2) You make a request for access to a record which is not required to be disclosed to the general public under the Freedom of Information Act, 5 U.S.C. 552,and.

(b) Manner of verifying identity—(1) Request in person. If you make a request to us in person, you must provide at least one piece of tangible identification such as a driver's license, passport, alien or voter registration card, or union card to verify your identity. If you do not have identification papers to verify your identity, you must certify in writing that you are the individual who you claim to be and that you understand that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense.

(2) Request by telephone. If you make a request by telephone, you must verify your identity by providing identifying particulars which parallel the record to which notification or access is being sought. If we determine that the particulars provided by telephone are insufficient, you will be required to submit your request in writing or in person. We will not accept telephone requests where an individual is requesting notification of or access to sensitive records such as medical records.

(3) Electronic requests. If you make a request by computer or other electronic means, e.g., over the Internet, we require you to verify your identity by using identity confirmation procedures that are commensurate with the sensitivity of the information that you are requesting. If we cannot confirm your identity using our identity confirmation procedures, we will not process the electronic request. When you cannot verify your identity through our procedures, we will require you to submit your request in writing.

(4) Electronic disclosures. When we collect or provide personally identifiable information over open networks such as the Internet, we use encryption in all of our automated online transaction systems to protect the confidentiality of the information. When we provide an online access option, such as a standard e-mail comment form on our Web site, and encryption is not being used, we alert you that personally identifiable information (such as your social security number) should not be included in your message.

(5) Requests not made in person. Except as provided in paragraphs (b)(2) of this section, if you do not make a request in person, you must submit a written request to SSA to verify your identify or you must certify in your request that you are the individual you claim to be. You must also sign a statement that you understand that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense.

(6) Requests on behalf of another. If you make a request on behalf of a minor or legal incompetent as authorized under § 401.40, you must verify your relationship to the minor or legal incompetent, in addition to verifying your own identity, by providing a copy of the minor's birth certificate, a court order, or other competent evidence of guardianship to SSA; except that you are not required to verify your relationship to the minor or legal incompetent when you are not required to verify your own identity or when evidence of your relationship to the minor or legal incompetent has been previously given to SSA.

(7) Medical records—additional verification. You need to further verify your identity if you are requesting notification of or access to sensitive records such as medical records. Any information for further verification must parallel the information in the record to which notification or access is being sought. Such further verification may include such particulars as the date or place of birth, names of parents, name of employer or the specific times the individual received medical treatment.

[62 FR 4143, Jan. 29, 1997, as amended at 72 FR 20939, Apr. 27, 2007]
§ 401.50 - Granting notification of or access to a record.

(a) General. Subject to the provisions governing medical records in § 401.55 and the provisions governing exempt systems in § 401.85, upon receipt of your request for notification of or access to a record and verification of your identity, we will review your request and grant notification or access to a record, if you are the subject of the record.

(b) Our delay in responding. If we determine that we will have to delay responding to your request because of the number of requests we are processing, a breakdown of equipment, shortage of personnel, storage of records in other locations, etc., we will so inform you and tell you when notification or access will be granted.

§ 401.55 - Access to medical records.

(a) General. You have a right to access your medical records, including any psychological information that we maintain.

(b) Medical records procedures—(1) Notification of or access to medical records. (i) You may request notification of or access to a medical record pertaining to you. Unless you are a parent or guardian requesting notification of or access to a minor's medical record, you must make a request for a medical record in accordance with this section and the procedures in §§ 401.45 through 401.50 of this part.

(ii) When you request medical information about yourself, you must also name a representative in writing. The representative may be a physician, other health professional, or other responsible individual who will be willing to review the record and inform you of its contents. Following the discussion, you are entitled to your records. The representative does not have the discretion to withhold any part of your record. If you do not designate a representative, we may decline to release the requested information. In some cases, it may be possible to release medical information directly to you rather than to your representative.

(2) Utilization of the designated representative. You will be granted direct access to your medical record if we can determine that direct access is not likely to have an adverse effect on you. If we believe that we are not qualified to determine, or if we do determine, that direct access to you is likely to have an adverse effect, the record will be sent to the designated representative. We will inform you in writing that the record has been sent.

(c) Medical records of minors—(1) Request by the minor. You may request access to your own medical records in accordance with paragraph (b) of this section.

(2) Requests on a minor's behalf; notification of or access to medical records to an individual on a minor's behalf. (i) To protect the privacy of a minor, we will not give to a parent or guardian direct notification of or access to a minor's record, even though the parent or guardian who requests such notification or access is authorized to act on a minor's behalf as provided in § 401.75 of this part.

(ii) A parent or guardian must make all requests for notification of or access to a minor's medical record in accordance with this paragraph and the procedures in §§ 401.45 through 401.50 of this part. A parent or guardian must at the time he or she makes a request designate a family physician or other health professional (other than a family member) to whom the record, if any, will be sent. If the parent or guardian will not designate a representative, we will decline to release the requested information.

(iii) Where a medical record on the minor exists, we will in all cases send it to the physician or health professional designated by the parent or guardian. The representative will review the record, discuss its contents with the parent or legal guardian, then release the entire record to the parent or legal guardian. The representative does not have the discretion to withhold any part of the minor's record. We will respond in the following similar manner to the parent or guardian making the request: “We have completed processing your request for notification of or access to _____'s (Name of minor) medical records. Please be informed that if any medical record was found pertaining to that individual, it has been sent to your designated physician or health professional.”

(iv) In each case where we send a minor's medical record to a physician or health professional, we will make reasonable efforts to inform the minor that we have given the record to the representative.

(3) Requests on behalf of an incapacitated adult. If you are the legal guardian of an adult who has been declared legally incompetent, you may receive his or her records directly.

[62 FR 4143, Jan. 29, 1997, as amended at 72 FR 20939, Apr. 27, 2007]
§ 401.60 - Access to or notification of program records about more than one individual.

When information about more than one individual is in one record filed under your social security number, you may receive the information about you and the fact of entitlement and the amount of benefits payable to other persons based on your record. You may receive information about yourself or others, which is filed under someone else's social security number, if that information affects your entitlement to social security benefits or the amount of those benefits.

[62 FR 4143, Jan. 29, 1997, as amended at 72 FR 20940, Apr. 27, 2007]
§ 401.65 - How to correct your record.

(a) How to request a correction. This section applies to all records kept by SSA (as described in § 401.5) except for records of earnings. (20 CFR 422.125 describes how to request correction of your earnings record.) You may request that your record be corrected or amended if you believe that the record is not accurate, timely, complete, relevant, or necessary to the administration of a social security program. To amend or correct your record, you should write to the manager identified in the notice of systems of records which is published in the Federal Register (see § 401.40(c) on how to locate this information). The staff at any social security office can help you prepare the request. You should submit any available evidence to support your request. Your request should indicate—

(1) The system of records from which the record is retrieved;

(2) The particular record which you want to correct or amend;

(3) Whether you want to add, delete or substitute information in the record; and

(4) Your reasons for believing that your record should be corrected or amended.

(b) What we will not change. You cannot use the correction process to alter, delete, or amend information which is part of a determination of fact or which is evidence received in the record of a claim in the administrative appeal process. Disagreements with these determinations are to be resolved through the SSA appeal process. (See subparts I and J of part 404, and subpart N of part 416, of this chapter.) For example, you cannot use the correction process to alter or delete a document showing a birth date used in deciding your social security claim. However, you may submit a statement on why you think certain information should be altered, deleted, or amended, and we will make this statement part of your file.

(c) Acknowledgment of correction request. We will acknowledge receipt of a correction request within 10 working days, unless we can review and process the request and give an initial determination of denial or compliance before that time.

(d) Notice of error. If the record is wrong, we will correct it promptly. If wrong information was disclosed from the record, we will tell all those of whom we are aware received that information that it was wrong and will give them the correct information. This will not be necessary if the change is not due to an error, e.g., a change of name or address.

(e) Record found to be correct. If the record is correct, we will inform you in writing of the reason why we refuse to amend your record and we will also inform you of your right to seek a review of the refusal and the name and address of the official to whom you should send your request for review.

(f) Record of another government agency. If you request us to correct or amend a record governed by the regulation of another government agency, e.g., Office of Personnel Management, Federal Bureau of Investigation, we will forward your request to such government agency for processing and we will inform you in writing of the referral.

§ 401.70 - Appeals of refusals to correct records or refusals to allow access to records.

(a) General. This section describes how to appeal decisions we make under the Privacy Act concerning your request for correction of or access to your records, those of your minor child, or those of a person for whom you are the legal guardian. This section describes how to appeal decisions made by SSA under the Privacy Act concerning your request for correction of or access to your records, those of your minor child, or those of a person for whom you are the legal guardian. We generally handle a denial of your request for information about another person under the provisions of the Freedom of Information Act (see part 402 of this chapter). To appeal a decision under this section, your request must be in writing.

(b) Appeal of refusal to correct or amend records. If we deny your request to correct an SSA record, you may request a review of that decision. As discussed in § 401.65(e), our letter denying your request will tell you to whom to write.

(1) We will review your request within 30 working days from the date of the receipt. However, for a good reason and with the approval of the Executive Director for the Office of Privacy and Disclosure, we may extend this time limit up to an additional 30 days. In that case, we will notify you about the delay, the reason for it and the date when the review is expected to be completed.

(2) If, after review, we determine that the record should be corrected, we will do so. However, if we refuse to amend the record as you requested, we will inform you that—

(i) Your request has been refused and the reason for the refusal;

(ii) The refusal is our final decision; and

(iii) You have a right to seek court review of our final decision.

(3) We will also inform you that you have a right to file a statement of disagreement with the decision. Your statement should include the reason you disagree. We will make your statement available to anyone to whom the record is subsequently disclosed, together with a statement of our reasons for refusing to amend the record. Also, we will provide a copy of your statement to individuals whom we are aware received the record previously.

(c) Appeals after denial of access. If, under the Privacy Act, we deny your request for access to your own record, those of your minor child or those of a person to whom you are the legal guardian, we will advise you in writing of the reason for that denial, the name and title or position of the person responsible for the decision and your right to appeal that decision. You may appeal the denial decision to the Office of the General Counsel, Office of Privacy and Disclosure, Social Security Administration, Attn: Executive Director, 6401 Security Boulevard, Baltimore, MD 21235, within 30 days after you receive notice denying all or part of your request, or, if later, within 30 days after you receive materials sent to you in partial compliance with your request.

(d) Filing your appeal. If you file an appeal, the Executive Director or his or her designee will review your request and any supporting information submitted and then send you a notice explaining the decision on your appeal. The time limit for making our decision after we receive your appeal is 30 working days. The Executive Director or his or her designee may extend this time limit up to 30 additional working days if one of the circumstances in 20 CFR 402.140 is met. We will notify you in writing of any extension, the reason for the extension and the date by which we will decide your appeal. The notice of the decision on your appeal will explain your right to have the matter reviewed in a Federal district court if you disagree with all or part of our decision.

[72 FR 20940, Apr. 27, 2007, as amended at 88 FR 1329, Jan. 10, 2023]
§ 401.75 - Rights of parents or legal guardians.

For purposes of this part, a parent or guardian of any minor or the legal guardian of any individual who has been declared incompetent due to physical or mental incapacity or age by a court of competent jurisdiction is authorized to act on behalf of a minor or incompetent individual. Except as provided in § 401.45, governing procedures for verifying an individual's identity, and § 401.55(c) governing special procedures for notification of or access to a minor's medical records, if you are authorized to act on behalf of a minor or legal incompetent, you will be viewed as if you were the individual or subject individual.

§ 401.80 - Accounting for disclosures.

(a) We will maintain an accounting of all disclosures of a record for five years or for the life of the record, whichever is longer; except that, we will not make accounting for:

(1) Disclosures under paragraphs (a) and (b) of § 401.110; and,

(2) Disclosures of your record made with your written consent.

(b) The accounting will include:

(1) The date, nature, and purpose of each disclosure; and

(2) The name and address of the person or entity to whom the disclosure is made.

(c) You may request access to an accounting of disclosures of your record. You must request access to an accounting in accordance with the procedures in § 401.40. You will be granted access to an accounting of the disclosures of your record in accordance with the procedures of this part which govern access to the related record. We may, at our discretion, grant access to an accounting of a disclosure of a record made under paragraph (g) of § 401.110.

§ 401.85 - Exempt systems.

(a) General policy. The Privacy Act permits certain types of specific systems of records to be exempt from some of its requirements. Our policy is to exercise authority to exempt systems of records only in compelling cases.

(b) Specific systems of records exempted. (1) Those systems of records listed in paragraph (b)(2) of this section are exempt from the following provisions of the Act and this part:

(i) 5 U.S.C. 552a(c)(3) and paragraph (c) of § 401.80 of this part which require that you be granted access to an accounting of disclosures of your record.

(ii) 5 U.S.C. 552a (d) (1) through (4) and (f) and §§ 401.35 through 401.75 relating to notification of or access to records and correction or amendment of records.

(iii) 5 U.S.C. 552a(e)(4) (G) and (H) which require that we include information about SSA procedures for notification, access, and correction or amendment of records in the notice for the systems of records.

(iv) 5 U.S.C. 552a(e)(3) and § 401.30 which require that if we ask you to provide a record to us, we must inform you of the authority for our asking you to provide the record (including whether providing the record is mandatory or voluntary, the principal purposes for maintaining the record, the routine uses for the record, and what effect your refusal to provide the record may have on you), and if you are not required by statute or Executive Order to provide the record, that you agree to provide the record. This exemption applies only to an investigatory record compiled by SSA for criminal law enforcement purposes in a system of records exempt under subsection (j)(2) of the Privacy Act to the extent that these requirements would prejudice the conduct of the investigation.

(2) The following systems of records are exempt from those provisions of the Privacy Act and this part listed in paragraph (b)(1) of this section:

(i) Pursuant to subsection (j)(2) of the Privacy Act, the Investigatory Material Compiled for Law Enforcement Purposes System, SSA.

(ii) Pursuant to subsection (k)(2) of the Privacy Act:

(A) The General Criminal Investigation Files, SSA;

(B) The Criminal Investigations File, SSA; and,

(C) The Program Integrity Case Files, SSA.

(D) Civil and Administrative Investigative Files of the Inspector General, SSA/OIG.

(E) Complaint Files and Log. SSA/OGC.

(F) Anti-Harassment & Hostile Work Environment Case Tracking and Records System, SSA.

(G) Social Security Administration Violence Evaluation and Reporting System, SSA.

(H) Anti-Fraud System, SSA.

(iii) Pursuant to subsection (k)(5) of the Privacy Act:

(A) Security and Suitability Files.

(B) [Reserved]

(iv) Pursuant to subsection (k)(6) of the Privacy Act, the Personnel Research and Merit Promotion Test Records, SSA/DCHR/OPE.

(c) Notification of or access to records in exempt systems of records. (1) Where a system of records is exempt as provided in paragraph (b) of this section, you may nonetheless request notification of or access to a record in that system. You should make requests for notification of or access to a record in an exempt system of records in accordance with the procedures of §§ 401.35 through 401.55.

(2) We will grant you notification of or access to a record in an exempt system but only to the extent such notification or access would not reveal the identity of a source who furnished the record to us under an express promise, and prior to September 27, 1975, an implied promise, that his or her identity would be held in confidence, if:

(i) The record is in a system of records which is exempt under subsection (k)(2) of the Privacy Act and you have been, as a result of the maintenance of the record, denied a right, privilege, or benefit to which you would otherwise be eligible; or,

(ii) The record is in a system of records which is exempt under subsection (k)(5) of the Privacy Act.

(3) If we do not grant you notification of or access to a record in a system of records exempt under subsections (k) (2) and (5) of the Privacy Act in accordance with this paragraph, we will inform you that the identity of a confidential source would be revealed if we granted you notification of or access to the record.

(d) Discretionary actions by SSA. Unless disclosure of a record to the general public is otherwise prohibited by law, we may at our discretion grant notification of or access to a record in a system of records which is exempt under paragraph (b) of this section. Discretionary notification of or access to a record in accordance with this paragraph will not be a precedent for discretionary notification of or access to a similar or related record and will not obligate us to exercise discretion to grant notification of or access to any other record in a system of records which is exempt under paragraph (b) of this section.

[62 FR 4143, Jan. 29, 1997, as amended at 82 FR 16510, Apr. 5, 2017; 83 FR 63416, Dec. 10, 2018; 84 FR 45901, Sept. 3, 2019; 87 FR 25141, Apr. 28, 2022]
§ 401.90 - Contractors.

(a) All contracts which require a contractor to maintain, or on behalf of SSA to maintain, a system of records to accomplish an SSA function must contain a provision requiring the contractor to comply with the Privacy Act and this part.

(b) A contractor and any employee of such contractor will be considered employees of SSA only for the purposes of the criminal penalties of the Privacy Act, 5 U.S.C. 552a(i), and the employee standards of conduct (see appendix A of this part) where the contract contains a provision requiring the contractor to comply with the Privacy Act and this part.

(c) This section does not apply to systems of records maintained by a contractor as a result of his management discretion, e.g., the contractor's personnel records.

§ 401.95 - Fees.

(a) Policy. Where applicable, we will charge fees for copying records in accordance with the schedule set forth in this section. We may only charge fees where you request that a copy be made of the record to which you are granted access. We will not charge a fee for searching a system of records, whether the search is manual, mechanical, or electronic. Where we must copy the record in order to provide access to the record (e.g., computer printout where no screen reading is available), we will provide the copy to you without cost. Where we make a medical record available to a representative designated by you or to a physician or health professional designated by a parent or guardian under § 401.55 of this part, we will not charge a fee.

(b) Fee schedule. Our Privacy Act fee schedule is as follows:

(1) Copying of records susceptible to photocopying—$.10 per page.

(2) Copying records not susceptible to photocopying (e.g., punch cards or magnetic tapes)—at actual cost to be determined on a case-by-case basis.

(3) We will not charge if the total amount of copying does not exceed $25.

(c) Other fees. We also follow §§ 402.155 through 402.165 of this chapter to determine the amount of fees, if any, we will charge for providing information under the FOIA and Privacy Act.

authority: Secs. 205, 702(a)(5), 1106, and 1141 of the Social Security Act (42 U.S.C. 405,902,1306,and; 5 U.S.C. 552 and 552a; 8 U.S.C. 1360; 26 U.S.C. 6103; 30 U.S.C. 923.
source: 62 FR 4143, Jan. 29, 1997, unless otherwise noted.
cite as: 20 CFR 401.40