20 C.F.R. Subpart B—The Privacy Act
Title 20 - Employees' Benefits
(a) Policy. Our policy is to protect the privacy of individuals to the fullest extent possible while nonetheless permitting the exchange of records required to fulfill our administrative and program responsibilities, and responsibilities for disclosing records which the general public is entitled to have under the Freedom of Information Act, 5 U.S.C. 552, and 20 CFR part 402. (b) Maintenance of records. We will maintain no record unless: (1) It is relevant and necessary to accomplish an SSA function which is required to be accomplished by statute or Executive Order; (2) We obtain the information in the record, as much as it is practicable, from the subject individual if we may use the record to determine an individual's rights, benefits or privileges under Federal programs; (3) We inform the individual providing the record to us of the authority for our asking him or her to provide the record (including whether providing the record is mandatory or voluntary, the principal purpose for maintaining the record, the routine uses for the record, and what effect his or her refusal to provide the record may have on him or her). Further, the individual agrees to provide the record, if the individual is not required by statute or Executive Order to do so. (c) First Amendment rights. We will keep no record which describes how an individual exercises rights guaranteed by the First Amendment unless we are expressly authorized: (1) By statute, (2) By the subject individual, or (3) Unless pertinent to and within the scope of an authorized law enforcement activity. The Privacy Act gives you the right to direct access to most records about yourself that are in our systems of records. Exceptions to this Privacy Act right include— (a) Special procedures for access to certain medical records (see 5 U.S.C. 552a(f)(3) and §401.55); (b) Unavailability of certain criminal law enforcement records (see 5 U.S.C. 552a(k), and §401.85); and (c) Unavailability of records compiled in reasonable anticipation of a court action or formal administrative proceeding. Note to §401.35: The Freedom of Information Act (see 20 CFR part 402) allows you to request information from SSA whether or not it is in a system of records.
Title 20: Employees' Benefits
PART 401—PRIVACY AND DISCLOSURE OF OFFICIAL RECORDS AND INFORMATION
Subpart B—The Privacy Act
§ 401.30 Privacy Act responsibilities.
§ 401.35 Your right to request records.
§ 401.40 How to get your own records.
(a) Your right to notification and access. Subject to the provisions governing medical records in §401.55, you may ask for notification of or access to any record about yourself that is in an SSA system of records. If you are a minor, you may get information about yourself under the same rules as for an adult. Under the Privacy Act, if you are the parent or guardian of a minor, or the legal guardian of someone who has been declared legally incompetent, and you are acting on his or her behalf, you may ask for information about that individual. You may be accompanied by another individual of your choice when you request access to a record in person, provided that you affirmatively authorize the presence of such other individual during any discussion of a record to which you are requesting access.
(b) Identifying the records. At the time of your request, you must specify which systems of records you wish to have searched and the records to which you wish to have access. You may also request copies of all or any such records. Also, we may ask you to provide sufficient particulars to enable us to distinguish between records on individuals with the same name. The necessary particulars are set forth in the notices of systems of records which are published in the
(c) Requesting notification or access. To request notification of or access to a record, you may visit your local social security office or write to the manager of the SSA system of records. The name and address of the manager of the system is part of the notice of systems of records. Every local social security office keeps a copy of the
§ 401.45 Verifying your identity.
(a) When required. Unless you are making a request for notification of or access to a record in person, and you are personally known to the SSA representative, you must verify your identity in accordance with paragraph (b) of this section if:
(1) You make a request for notification of a record and we determine that the mere notice of the existence of the record would be a clearly unwarranted invasion of privacy if disclosed to someone other than the subject individual; or,
(2) You make a request for access to a record which is not required to be disclosed to the general public under the Freedom of Information Act, 5 U.S.C. 552, and part 402 of this chapter.
(b) Manner of verifying identity—(1) Request in person. If you make a request to us in person, you must provide at least one piece of tangible identification such as a driver's license, passport, alien or voter registration card, or union card to verify your identity. If you do not have identification papers to verify your identity, you must certify in writing that you are the individual who you claim to be and that you understand that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense.
(2) Request by telephone. If you make a request by telephone, you must verify your identity by providing identifying particulars which parallel the record to which notification or access is being sought. If we determine that the particulars provided by telephone are insufficient, you will be required to submit your request in writing or in person. We will not accept telephone requests where an individual is requesting notification of or access to sensitive records such as medical records.
(3) Requests not in person. Except as provided in paragraph (b)(2) of this section, if you do not make a request in person, you must submit a notarized request to SSA to verify your identity or you must certify in your request that you are the individual you claim to be and that you understand that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense.
(4) Requests on behalf of another. If you make a request on behalf of a minor or legal incompetent as authorized under §401.40, you must verify your relationship to the minor or legal incompetent, in addition to verifying your own identity, by providing a copy of the minor's birth certificate, a court order, or other competent evidence of guardianship to SSA; except that you are not required to verify your relationship to the minor or legal incompetent when you are not required to verify your own identity or when evidence of your relationship to the minor or legal incompetent has been previously given to SSA.
(5) Medical records—additional verification. You need to further verify your identity if you are requesting notification of or access to sensitive records such as medical records. Any information for further verification must parallel the information in the record to which notification or access is being sought. Such further verification may include such particulars as the date or place of birth, names of parents, name of employer or the specific times the individual received medical treatment.
§ 401.50 Granting notification of or access to a record.
(a) General. Subject to the provisions governing medical records in §401.55 and the provisions governing exempt systems in §401.85, upon receipt of your request for notification of or access to a record and verification of your identity, we will review your request and grant notification or access to a record, if you are the subject of the record.
(b) Our delay in responding. If we determine that we will have to delay responding to your request because of the number of requests we are processing, a breakdown of equipment, shortage of personnel, storage of records in other locations, etc., we will so inform you and tell you when notification or access will be granted.
§ 401.55 Special procedures for notification of or access to medical records.
(a) General. In general, you have a right to notification of or access to your medical records, including psychological records, as well as to other records pertaining to you that we maintain. In this section, we set forth special procedures as permitted by the Privacy Act for notification of or access to medical records, including a special procedure for notification of or access to medical records of minors.
(b) Medical records procedures—(1) Notification of or access to medical records. (i) You may request notification of or access to a medical record pertaining to you. Unless you are a parent or guardian requesting notification of or access to a minor's medical record, you must make a request for a medical record in accordance with this section and the procedures in §§401.45 through 401.50 of this part.
(ii) When you request medical information about yourself, you must also name a representative in writing. The representative may be a physician, other health professional, or other responsible individual who would be willing to review the record and inform you of its contents at your representative's discretion. If you do not designate a representative, we may decline to release the requested information. In some cases, it may be possible to release medical information directly to you rather than to your representative.
(2) Utilization of the designated representative. You will be granted direct access to your medical record if we can determine that direct access is not likely to have an adverse effect on you. If we believe that we are not qualified to determine, or if we do determine, that direct access to you is likely to have an adverse effect, the record will be sent to the designated representative. We will inform you in writing that the record has been sent.
(c) Medical records of minors—(1) Requests by minors; notification of or access to medical records to minors. A minor may request notification of or access to a medical record pertaining to him or her in accordance with paragraph (b) of this section.
(2) Requests on a minor's behalf; notification of or access to medical records to an individual on a minor's behalf. (i) To protect the privacy of a minor, we will not give to a parent or guardian direct notification of or access to a minor's record, even though the parent or guardian who requests such notification or access is authorized to act on a minor's behalf as provided in §401.75 of this part.
(ii) A parent or guardian must make all requests for notification of or access to a minor's medical record in accordance with this paragraph and the procedures in §§401.45 through 401.50 of this part. A parent or guardian must at the time he or she makes a request designate a family physician or other health professional (other than a family member) to whom the record, if any, will be sent. If the parent or guardian will not designate a representative, we will decline to release the requested information.
(iii) Where a medical record on the minor exists, we will in all cases send it to the physician or health professional designated by the parent or guardian. If disclosure of the record would constitute an invasion of the minor's privacy, we will bring that fact to the attention of the physician or health professional to whom we send the record. We will ask the physician or health professional to consider the effect that disclosure of the record to the parent or guardian would have on the minor when the physician or health professional determines whether the minor's medical record should be made available to the parent or guardian. We will respond in substantially the following form to the parent or guardian making the request:
We have completed processing your request for notification of or access to ____'s (Name of minor) medical records. Please be informed that if any medical record was found pertaining to that individual, it has been sent to your designated physician or health professional.
(iv) In each case where we send a minor's medical record to a physician or health professional, we will make reasonable efforts to inform the minor that we have given the record to the representative.
(d) Requests on behalf of an incapacitated adult. If you are the legal guardian of an adult who has been declared legally incompetent, you may receive his or her records directly.
§ 401.60 Access or notification of program records about two or more individuals.
When information about two or more individuals is in one record filed under your social security number, you may receive the information about you and the fact of entitlement and the amount of benefits payable to other persons based on your record. You may receive information about yourself or others, which is filed under someone else's social security number, if that information affects your entitlement to social security benefits or the amount of those benefits.
§ 401.65 How to correct your record.
(a) How to request a correction. This section applies to all records kept by SSA (as described in §401.5) except for records of earnings. (20 CFR 422.125 describes how to request correction of your earnings record.) You may request that your record be corrected or amended if you believe that the record is not accurate, timely, complete, relevant, or necessary to the administration of a social security program. To amend or correct your record, you should write to the manager identified in the notice of systems of records which is published in the
(1) The system of records from which the record is retrieved;
(2) The particular record which you want to correct or amend;
(3) Whether you want to add, delete or substitute information in the record; and
(4) Your reasons for believing that your record should be corrected or amended.
(b) What we will not change. You cannot use the correction process to alter, delete, or amend information which is part of a determination of fact or which is evidence received in the record of a claim in the administrative appeal process. Disagreements with these determinations are to be resolved through the SSA appeal process. (See subparts I and J of part 404, and subpart N of part 416, of this chapter.) For example, you cannot use the correction process to alter or delete a document showing a birth date used in deciding your social security claim. However, you may submit a statement on why you think certain information should be altered, deleted, or amended, and we will make this statement part of your file.
(c) Acknowledgment of correction request. We will acknowledge receipt of a correction request within 10 working days, unless we can review and process the request and give an initial determination of denial or compliance before that time.
(d) Notice of error. If the record is wrong, we will correct it promptly. If wrong information was disclosed from the record, we will tell all those of whom we are aware received that information that it was wrong and will give them the correct information. This will not be necessary if the change is not due to an error, e.g., a change of name or address.
(e) Record found to be correct. If the record is correct, we will inform you in writing of the reason why we refuse to amend your record and we will also inform you of your right to seek a review of the refusal and the name and address of the official to whom you should send your request for review.
(f) Record of another government agency. If you request us to correct or amend a record governed by the regulation of another government agency, e.g., Office of Personnel Management, Federal Bureau of Investigation, we will forward your request to such government agency for processing and we will inform you in writing of the referral.
§ 401.70 Appeals of refusals to correct or amend records.
(a) Which decisions are covered. This section describes how to appeal a decision made under the Privacy Act concerning your request for correction of a record or for access to your records, those of your minor child, or those of a person for whom you are the legal guardian. We generally handle a denial of your request for information about another person under the provisions of the FOIA (see part 402 of this chapter). This section applies only to written requests.
(b) Appeal of refusal to amend or correct a record. (1) If we deny your request to correct a record, you may request a review of that decision. As discussed in §401.65(e), our letter denying your request will tell you to whom to write.
(2) We will review your request within 30 working days from the date of receipt. However, for a good reason and with the approval of the Commissioner, or designee, this time limit may be extended up to an additional 30 days. In that case, we will notify you about the delay, the reason for it, and the date when the review is expected to be completed. If, after review, we determine that the record should be corrected, the record will be corrected. If, after review, we also refuse to amend the record exactly as you requested, we will inform you—
(i) That your request has been refused and the reason;
(ii) That this refusal is SSA's final decision;
(iii) That you have a right to seek court review of this request to amend the record; and
(iv) That you have a right to file a statement of disagreement with the decision. Your statement should include the reason you disagree. We will make your statement available to anyone to whom the record is subsequently disclosed, together with a statement of our reasons for refusing to amend the record. Also, we will provide a copy of your statement to individuals whom we are aware received the record previously.
(c) Appeals after denial of access. If, under the Privacy Act, we deny your request for access to your own record, those of your minor child, or those of a person for whom you are the legal guardian, we will advise you in writing of the reason for that denial, the name and title or position of the person responsible for the decision, and your right to appeal that decision. You may appeal the denial decision to the Commissioner of Social Security, 6401 Security Boulevard, Baltimore, MD 21235, within 30 days after you receive the notice denying all or part of your request, or, if later, within 30 days after you receive materials sent to you in partial compliance with your request. If we refuse to release a medical record because you did not designate a representative (§401.55) to receive the material, that refusal is not a formal denial of access and, therefore, may not be appealed to the Commissioner. If you file an appeal, either the Commissioner or a designee will review your request and any supporting information submitted and then send you a notice explaining the decision on your appeal. We must make our decision within 20 working days after we receive your appeal. The Commissioner or a designee may extend this time limit up to 10 additional working days if one of the circumstances in 20 CFR 402.140 is met. We will notify you in writing of any extension, the reason for the extension, and the date by which we will decide your appeal. The notice of the decision on your appeal will explain your right to have the matter reviewed in a Federal district court if you disagree with all or part of our decision.
§ 401.75 Rights of parents or legal guardians.
For purposes of this part, a parent or guardian of any minor or the legal guardian of any individual who has been declared incompetent due to physical or mental incapacity or age by a court of competent jurisdiction is authorized to act on behalf of a minor or incompetent individual. Except as provided in §401.45, governing procedures for verifying an individual's identity, and §401.55(c) governing special procedures for notification of or access to a minor's medical records, if you are authorized to act on behalf of a minor or legal incompetent, you will be viewed as if you were the individual or subject individual.
§ 401.80 Accounting for disclosures.
(a) We will maintain an accounting of all disclosures of a record for five years or for the life of the record, whichever is longer; except that, we will not make accounting for:
(1) Disclosures under paragraphs (a) and (b) of §401.110; and,
(2) Disclosures of your record made with your written consent.
(b) The accounting will include:
(1) The date, nature, and purpose of each disclosure; and
(2) The name and address of the person or entity to whom the disclosure is made.
(c) You may request access to an accounting of disclosures of your record. You must request access to an accounting in accordance with the procedures in §401.40. You will be granted access to an accounting of the disclosures of your record in accordance with the procedures of this part which govern access to the related record. We may, at our discretion, grant access to an accounting of a disclosure of a record made under paragraph (g) of §401.110.
§ 401.85 Exempt systems.
(a) General policy. The Privacy Act permits certain types of specific systems of records to be exempt from some of its requirements. Our policy is to exercise authority to exempt systems of records only in compelling cases.
(b) Specific systems of records exempted. (1) Those systems of records listed in paragraph (b)(2) of this section are exempt from the following provisions of the Act and this part:
(i) 5 U.S.C. 552a(c)(3) and paragraph (c) of §401.80 of this part which require that you be granted access to an accounting of disclosures of your record.
(ii) 5 U.S.C. 552a (d) (1) through (4) and (f) and §§401.35 through 401.75 relating to notification of or access to records and correction or amendment of records.
(iii) 5 U.S.C. 552a(e)(4) (G) and (H) which require that we include information about SSA procedures for notification, access, and correction or amendment of records in the notice for the systems of records.
(iv) 5 U.S.C. 552a(e)(3) and §401.30 which require that if we ask you to provide a record to us, we must inform you of the authority for our asking you to provide the record (including whether providing the record is mandatory or voluntary, the principal purposes for maintaining the record, the routine uses for the record, and what effect your refusal to provide the record may have on you), and if you are not required by statute or Executive Order to provide the record, that you agree to provide the record. This exemption applies only to an investigatory record compiled by SSA for criminal law enforcement purposes in a system of records exempt under subsection (j)(2) of the Privacy Act to the extent that these requirements would prejudice the conduct of the investigation.
(2) The following systems of records are exempt from those provisions of the Privacy Act and this part listed in paragraph (b)(1) of this section:
(i) Pursuant to subsection (j)(2) of the Privacy Act, the Investigatory Material Compiled for Law Enforcement Purposes System, SSA.
(ii) Pursuant to subsection (k)(2) of the Privacy Act:
(A) The General Criminal Investigation Files, SSA;
(B) The Criminal Investigations File, SSA; and,
(C) The Program Integrity Case Files, SSA.
(D) Civil and Administrative Investigative Files of the Inspector General, SSA/OIG.
(E) Complaint Files and Log. SSA/OGC.
(iii) Pursuant to subsection (k)(5) of the Privacy Act:
(A) The Investigatory Material Compiled for Security and Suitability Purposes System, SSA; and,
(B) The Suitability for Employment Records, SSA.
(iv) Pursuant to subsection (k)(6) of the Privacy Act, the Personnel Research and Merit Promotion Test Records, SSA/DCHR/OPE.
(c) Notification of or access to records in exempt systems of records. (1) Where a system of records is exempt as provided in paragraph (b) of this section, you may nonetheless request notification of or access to a record in that system. You should make requests for notification of or access to a record in an exempt system of records in accordance with the procedures of §§401.35 through 401.55.
(2) We will grant you notification of or access to a record in an exempt system but only to the extent such notification or access would not reveal the identity of a source who furnished the record to us under an express promise, and prior to September 27, 1975, an implied promise, that his or her identity would be held in confidence, if:
(i) The record is in a system of records which is exempt under subsection (k)(2) of the Privacy Act and you have been, as a result of the maintenance of the record, denied a right, privilege, or benefit to which you would otherwise be eligible; or,
(ii) The record is in a system of records which is exempt under subsection (k)(5) of the Privacy Act.
(3) If we do not grant you notification of or access to a record in a system of records exempt under subsections (k) (2) and (5) of the Privacy Act in accordance with this paragraph, we will inform you that the identity of a confidential source would be revealed if we granted you notification of or access to the record.
(d) Discretionary actions by SSA. Unless disclosure of a record to the general public is otherwise prohibited by law, we may at our discretion grant notification of or access to a record in a system of records which is exempt under paragraph (b) of this section. Discretionary notification of or access to a record in accordance with this paragraph will not be a precedent for discretionary notification of or access to a similar or related record and will not obligate us to exercise discretion to grant notification of or access to any other record in a system of records which is exempt under paragraph (b) of this section.
§ 401.90 Contractors.
(a) All contracts which require a contractor to maintain, or on behalf of SSA to maintain, a system of records to accomplish an SSA function must contain a provision requiring the contractor to comply with the Privacy Act and this part.
(b) A contractor and any employee of such contractor will be considered employees of SSA only for the purposes of the criminal penalties of the Privacy Act, 5 U.S.C. 552a(i), and the employee standards of conduct (see appendix A of this part) where the contract contains a provision requiring the contractor to comply with the Privacy Act and this part.
(c) This section does not apply to systems of records maintained by a contractor as a result of his management discretion, e.g., the contractor's personnel records.
§ 401.95 Fees.
(a) Policy. Where applicable, we will charge fees for copying records in accordance with the schedule set forth in this section. We may only charge fees where you request that a copy be made of the record to which you are granted access. We will not charge a fee for searching a system of records, whether the search is manual, mechanical, or electronic. Where we must copy the record in order to provide access to the record (e.g., computer printout where no screen reading is available), we will provide the copy to you without cost. Where we make a medical record available to a representative designated by you or to a physician or health professional designated by a parent or guardian under §401.55 of this part, we will not charge a fee.
(b) Fee schedule. Our Privacy Act fee schedule is as follows:
(1) Copying of records susceptible to photocopying—$.10 per page.
(2) Copying records not susceptible to photocopying (e.g., punch cards or magnetic tapes)—at actual cost to be determined on a case-by-case basis.
(3) We will not charge if the total amount of copying does not exceed $25.
(c) Other fees. We also follow §§402.155 through 402.165 of this chapter to determine the amount of fees, if any, we will charge for providing information under the FOIA and Privacy Act.
Browse Previous | Browse Next
