(a) Purpose and scope. This section contains the rules that the Department of Justice follows in handling Social Security account numbers in accordance with section 7 of the Privacy Act, and with the Social Security Fraud Prevention Act.
(b) Definitions. For the purposes of this section:
Mail means any physical package sent to entities or individuals outside the Department through the United States Postal Service or any other express mail carrier; and
Necessary includes only those circumstances in which a component would be unable to comply, in whole or in part, with a legal, regulatory, or policy requirement if prohibited from mailing the full Social Security account number. Including the full Social Security account number of an individual on a document sent by mail is not “necessary” if a legal, regulatory, or policy requirement could be satisfied by either partially redacting the Social Security account number in accordance with paragraph (d)(3) of this section, or entirely removing the Social Security account number.
(c) Denial of rights, benefits, or privileges. Components are prohibited from denying any right, benefit, or privilege provided by law to an individual because of such individual's refusal to disclose the individual's Social Security account number. This paragraph (c) shall not apply with respect to:
(1) Any disclosure that is required by Federal statute; or
(2) The disclosure of a Social Security account number to any Federal, State, or local agency maintaining a system of records in existence and operating before January 1, 1975, if such disclosure was required under statute or regulation adopted prior to such date to verify the identity of an individual.
(d) Restriction of Social Security account numbers on documents sent by mail. (1) A component shall not include the full Social Security account number of an individual on any document sent by mail, unless the inclusion of the Social Security account number on the document is necessary. Unless the Attorney General directs otherwise, the CPCLO is authorized to assist components in implementing this paragraph (d), including determining whether inclusion of the Social Security account number on a document sent by mail is necessary.
(2) If the use of the full Social Security account number on a document sent by mail is necessary, the component sending the document shall implement appropriate administrative, technical, and physical safeguards to ensure a reasonable level of security against unauthorized access to, and use, disclosure, disruption, modification, or destruction of, the documents sent by mail.
(3) Where feasible, components should partially redact the Social Security account number on any document sent by mail by including no more than the last four digits of the Social Security account number. Components should prioritize technical methods to redact Social Security account numbers.
(4) Components are prohibited from placing a Social Security account number, whether full or partially redacted, on the outside of any mail.
(e) Employee awareness. Each component shall ensure that employees authorized to collect Social Security account numbers are made aware of the following:
(1) The requirements of paragraphs (c) and (d) of this section;
(2) That individuals requested to provide their Social Security account numbers must be informed of:
(i) Whether providing Social Security account numbers is mandatory or voluntary;
(ii) Any statutory or regulatory authority that authorizes the collection of Social Security account numbers; and
(iii) The uses that will be made of the Social Security account numbers; and
(3) That the Department may have other regulations or polices regulating the use, maintenance, or disclosure of Social Security account numbers by which employees must abide.