Anti-Fraud Enterprise Solution
· Name of project
Anti-Fraud Enterprise Solution (AFES)
· Unique project identifier
1226
· Privacy Impact Assessment Contact
Chief Fraud Prevention Officer
Social Security Administration
Office of Analytics, Review, and Oversight
Office of Anti-Fraud Programs
Robert M. Ball Building
6401 Security Boulevard
Baltimore, MD 21235
· System background description or purpose.
AFES is a Social Security Administration (SSA) certified and accredited Major System.
We will use AFES to detect, prevent, mitigate, and track the likelihood of fraudulent activity in SSA’s programs and operations. We will also use AFES to identify patterns of fraud and to improve data-driven anti-fraud activities and real-time analysis. We may use the results of these data analysis activities, including fraud leads and vulnerabilities, in our fraud investigations and other activities to support program and operational improvements.
· Describe the information we collect, why we collect the information, how we use the information, and with whom we share the information.
We will use AFES to collect information on individuals relevant to suspicious or potentially fraudulent activities connected with Social Security programs and operations, including but not limited to the subjects of an investigation, Social Security beneficiaries, representative payees, appointed representatives, complainants, key witnesses, and current or former employees, contractors, or agents.
We obtain information in this system from individuals (i.e., the public and SSA staff), other government agencies, and private entities. The largest record sources for AFES is information the agency collects and maintains for purposes related to other business processes that have established systems of records. The primary record sources for AFES are the following: Master Beneficiary Record (60-0090); the Claims Folders Systems (60-0089); the Supplemental Security Income Record and Special Veterans Benefits (60-0103); the Central Repository of Electronic Authentication Data Master File (60-0373); and the Personal Identification Number File (60-0214). AFES may pull relevant information from any SSA system of records. For a full listing of our systems of records notices that could provide information to AFES, please see the Privacy Program section of SSA’s website, www.ssa.gov/privacy.
As we mention above, AFES may include records on information that we obtain from the individual or from other SSA systems of records such as:
Enumeration Information: This information may include name, Social Security number (SSN), date of birth, parent name(s), address, and place of birth.
Earnings Information: This information may include yearly earnings and quarters of coverage information.
Social Security Benefit Information: This may include information on disability status, benefit payment amount, and data relating to the computation of benefit payment amounts.
Representative Payee Information: This information may include names, SSNs, and addresses of representative payees and relationship with the beneficiary.
Persons Conducting Business with Us Through Electronic Services: This information may include name, address, date of birth, SSN, knowledge-based authentication data, and blocked accounts.
Employee Information: This information may include personal identification numbers (PIN), employee name, job title, SSNs about our employees, contractors, or agents.
The primary goal of AFES is to implement a dynamic and flexible enterprise-wide anti-fraud solution that employs advanced data analytics to identify patterns indicative of fraud, improve the functionality for data-driven fraud activations, conduct real-time risk analysis, and integrate developing technology into our anti-fraud business processes.
We will collect and maintain information in connection with our review of all suspicious or potentially fraudulent activities in Social Security programs and operations. Our review could also involve external data breach information provided to us from our business or government investigative partners.
AFES does not presently have any interconnections to other organizations or other systems outside of the SSA firewall for sharing information resources. AFES is not accessible to members of the public.
· Describe the administrative and technological controls we have in place to secure the information we collect.
AFES security includes technical, management, and operational controls that permit access to information only to persons with an official “need to know.” For example, AFES enforces the use of the personal identity verification (PIV) credential to enter computer systems that house the data. We maintain electronic files with personal identifiers in secure storage areas. We use audit mechanisms to record sensitive transactions as an additional measure to protect information from unauthorized disclosure or modification.
Additionally, we require that AFES users authenticate to the SSA network using their SSA issued 6-digit PIN and password or their PIV credential. The user must also hold the necessary Top Secret profiles to be granted authorization to the AFES system.
In addition to authentication and access controls, AFES uses audit and security review mechanisms to record and review sensitive transactions as an additional measure to protect information from unauthorized disclosure or modification.
Overall, AFES inherits the use of the technical controls in place for the Enterprise network and the Agency Cloud Infrastructure system boundary.
The Office of Anti-Fraud Programs provides annual security awareness training to all appropriate employees and contractors that includes reminders about the need to protect personally identifiable information (PII) and the criminal penalties that apply to unauthorized access to, or disclosure of, PII. See 5 U.S.C. § 552a(i)(1). Furthermore, employees and contractors with access to databases maintaining PII must annually sign a sanctions document that acknowledges their accountability for inappropriately accessing or disclosing such information.
· Describe the impact on individuals’ privacy rights.
We collect information when we have specific legal authority to do so in order to administer our responsibilities under the Social Security Act. When we collect personal information from individuals, we advise them of our legal authority for requesting the information, the purposes for which we will use and disclose the information, and the consequences of their not providing any or all of the requested information. The individuals can then make an informed decision as to whether or not they want to provide the information.
· Do we afford individuals an opportunity to consent to only particular uses of the information?
When we collect information from individuals, we advise them of the purposes for which we will use the information. We further advise them that we will disclose this information without their prior written consent only when we have specific legal authority to do so (e.g., the Privacy Act). We do not otherwise offer individuals an opportunity to determine how and with whom we share their information.
· Does the collection of this information require a new system of records under the Privacy Act (5 U.S.C. § 552a) or an alteration to an existing system of records?
We are currently developing a new Privacy Act system of records notice, entitled Anti-Fraud Enterprise Solution (AFES) (60-0388), which we will publish in the Federal Register and on the Privacy Program section of SSA’s website, www.ssa.gov/privacy, upon its completion.
PIA CONDUCTED BY PRIVACY OFFICER, SSA:
__/signed/___________ 4/18/2018_______
Mary Ann Zimmerman DATE
Acting Executive Director
Office of Privacy and Disclosure
PIA REVIEWED BY THE SENIOR AGENCY PRIVACY OFFICIAL, SSA:
Daniel F. Callahan
/signed for/ 4/18/2018______
Asheesh Agarwal DATE
General Counsel
Senior Agency Official for Privacy