SSA makes protecting privacy a 'cornerstone'
Privacy protections have become part of the culture at SSA, Bill Gray says.
The Social Security Administration completed privacy impact assessments on eight of its systems long before the E-Government Act of 2002 required them.
'Privacy has always been a cornerstone of our endeavors,' said William Gray, SSA deputy commissioner for systems. 'We've always made an effort with any new system to put privacy people there.'
As part of its planning, SSA evaluates each of its Internet applications for privacy considerations. 'This early consideration allows us to design into our access controls the considerations that we raised in the early analysis, as well as to certify that assessments have been completed' in the agency's submission of Exhibit 300 business cases to the Office of Management and Budget, he said.
SSA solicits input from privacy experts on its handling of privacy and security risks of new applications. 'They do not relate directly to any OMB requirements, but we believe that they help us formulate our policies and our approaches to implementing those policies,' Gray said.
Among the privacy assessments SSA conducted for its December report was one for its new electronic disability claims processing system. The agency described the information it planned to collect, as well as why and with whom it would be shared. Then the agency listed its administrative and technological controls for securing the information. They included:
- Access control with denial by default
- Multilayer firewall architectures on LAN components
- Access rights only for users who can prove their need to know the information
- The ability to audit all sensitive transactions with individual accountability
Users who prove their need to know use access codes to enter systems that maintain disability claims data. Paper records are kept in locked cabinets or otherwise secure areas. SSA employees who access databases maintaining personal information must annually sign a sanction document, in which they acknowledge their accountability for unauthorized access or disclosures.