Privacy Home / Privacy Impact Assessments (PIAs) / Internet Social Security Benefits Application (ISBA) Third Party Enhancements (Third Party ISBA)

Internet Social Security Benefits Application (ISBA) Third Party Enhancements (Third Party ISBA)

Name of project.

Internet Social Security Benefits Application (ISBA) Third Party Enhancements (Third Party ISBA)

Unique project identifier.

RAS-2091 3PISBA

Contact name and telephone number.

Team Leader, Center for Internet Customer Service

Office of Electronic Services

Social Security Administration

6401 Security Blvd.

Baltimore, MD 21235

(410) 965-8707

Describe the information to be collected, why the information is being collected, the intended use of the information and with whom the information will be shared.

The Social Security Administration (SSA) is taking an innovative approach to prepare the Agency for the growing retirement workload generated from the baby boomers as they become eligible for retirement beginning in January 2008.  The overarching project that  will provide the platform for automating the adjudication of retirement applications is known as Ready Retirement. The initial phase of the Ready Retirement initiative will include enhancements to the Internet Social Security Benefits Application (ISBA) to allow third parties (Third Party ISBA) to provide Social Security Retirement, Disability and Spouse’s benefit information electronically to SSA. 

When the implementation of SSA’s signature proxy process mandated the use of electronic signatures for online applications, third parties (companies or individuals) who helped others file for SSA benefits lost the ability to use the ISBA application.  ISBA enhancements for third parties will restore third parties’ ability to provide application information electronically to SSA.  Third parties will have the ability to help individuals file an application for benefits while still meeting legal requirements to obtain a proper signature.  Providing third parties with the ability to assist the claimant in the application process will reduce the number of paper applications that require manual processing in field offices, helping save SSA resources.  Making ISBA accessible for third parties will in turn support SSA’s efforts to increase electronic service delivery options for the public.

How Third Party ISBA Works

Third Party ISBA will automate the application process for third parties filing on the claimant’s behalf.  To begin the process, the third party filer accesses SSA’s online retirement benefit application.  The third party filer will then check the requisite choice for application routes and will be directed to provide Personally Identifiable Information (PII) relating to him/her.  After providing his/her PII, the third party filer will begin completing the application for benefits on the claimant’s behalf.  If the third party filer is unable to complete the entire application all at once, he/she may sign off of the application.  At that point, the third party filer will be provided with a re-entry number that will permit him/her to sign back on to the application and complete it at a later date. 

In order for the third party filer to re-enter the application, he/she will need to provide the re-entry number and the claimant’s Social Security Number (SSN).  Once the third party filer submits the claimant’s benefit application to SSA, the re-entry number is no longer valid.  The third party filer will not be able to check the status of the claim once it has been submitted to SSA.  Each time a third party filer begins a new application, he/she will be provided with a re-entry number to be used in combination with an individual’s SSN to regain access to the application. 

Collection of Information from Third Party Individuals Who Use ISBA

SSA will collect and maintain PII from each third party filer.  This information will include the third party filer’s name, relationship to the claimant, company name, address and day time telephone number.  Initially, the information will be stored in the ISBA data base.  The information will remain in this database until the application is completed.  (If the filer does not return to the application in a timely manner, SSA will only retain the information on an incomplete application for six months.)  Once the application is completed, the third party filer’s PII will be stored in the Remarks section of the Modernized Claims System (MCS).  PII data in the MCS is covered by our Privacy Act system of records entitled, Claims Folder System (60-0089).

The third party filer’s PII cannot be retrieved without the associated PII of the claimant for whom he/she filed the application.  We generally will use the third party filer’s PII only as necessary for administrative purposes related to the claimant’s application or when we have specific authority as authorized by routine uses or other Privacy Act disclosure exceptions that allow the disclosure of the information in the applicable Privacy Act system of records.

Describe the administrative and technological controls that are in place or that are planned to secure the information being collected.

Reducing Potential Risks to Individuals’ Privacy and Protecting Information Being Collected

The third party filer must protect the confidentiality of the re-entry number and the claimant’s SSN during the application process.  To provide further protection, once the application is completed, SSA deactivates the re-entry number.  The third party filer will not be able to access the application again, as a first party filer may in order to obtain a status on the application.  The information in an incomplete application is not part of any SSA Privacy Act system of records. 

None of the information contained in the incomplete application comes from an SSA database nor is any information from SSA Privacy Act systems of records disclosed to the third party filer or applicant during the online application process.  The ISBA for third party filers is strictly a data entry process.  Additionally, access to the third party filer’s PII can only be achieved by accessing an individual claimant’s file.  The system lacks the capability to independently query a third party filer’s PII.

It is conceivable that someone having personal knowledge of the claimant’s SSN and the randomly generated re-entry number could fraudulently access an incomplete application and thereby gain access to the third party PII and the claimant’s PII.  However, we make an earnest effort to protect access to and prevent unauthorized disclosure of our records.  To reduce those vulnerabilities and discourage individuals from accessing PII in an incomplete application, we notify the third party filer that he/she should keep the re-entry number confidential.  The SSN is not provided on the page with the re-entry number.  At no time does SSA provide the claimant’s SSN to the third party filer.  The third party filer enters the claimant’s SSN and SSA verifies that it is a valid SSN. 

Any effort to obtain personal information about another individual from us under false pretenses, or without the express consent of the subject of the record, is an unauthorized access and violates the Privacy Act of 1974. Any individual who misuses the Third Party ISBA service could be punished by a fine, imprisonment, or both. 

Administrative and Technological Controls that are in Place

The ISBA Third Party enhancements application has undergone authentication and security risk analyses.  The latter includes an evaluation of security and audit controls proven to be effective in protecting the information collected, stored, processed, and transmitted by Agency information systems.  This includes a 30 minute session time out due to inactivity by the third party filer.  If the SSN and date of birth do not match after three tries, the record is locked for 24 hours and the user cannot access the claim.  There are also technical, management, and operational controls that permit access to our information only to those employees who have an official “need to know”, and the minimum amount of access that allows them to perform their job functions.  We have audit mechanisms in place to record sensitive transactions as an additional measure to protect information from unauthorized disclosure or modification.

SSA employees accessing the data in the ISBA system have Top Secret PINs which provide audit trails related to their use.  Only SSA employees who have a need to access the information in order to perform their official duties will have access to the information relating to the Third Party ISBA application.  The system lacks the ability to query an individual third party filer by his/her PII.  In order to access the third party filer’s PII, an SSA employee would need to know the individual claimant’s PII for whom the third party submitted an application. 

Describe the impact on individuals’ privacy rights.

Are individuals afforded an opportunity to decline to provide information?

We collect information only where we have specific legal authority to do so to administer our responsibilities under the Social Security Act.  When we collect information from the third party filer, we advise them of our legal authority for requesting the information, the purpose(s) for which we will use and disclose the information, and the consequences of not providing any or all of the requested information.  The third party filer can then make an informed decision whether or not to provide the information. 

Are individuals afforded an opportunity to consent to only particular uses of the information?

When third party filers access SSA’s Retirement Benefit Application page, they are afforded the opportunity to review SSA’s statements relating to the collection of information from them and the purposes for which we will use the information.  A third party filer cannot proceed with the application until he/she has acknowledged reviewing the Privacy Act statement.  We further advise them that we will disclose this information without their prior written consent only when we have specific authority in Federal statute (e.g., the Privacy Act) to do so. 

Does the collection of this information require a new system of records under the Privacy Act (5 U.S.C. § 552a) or an alteration to an existing system of records?

No, a new system of records is not required for the Third Party enhancements to ISBA.  However, an amendment to the Claims Folder System (60-0089) system of records will be needed in order to maintain the PII relating to the third party filers.  Development of this amendment to the system of records is underway. 

PIA CONDUCTED BY PRIVACY OFFICER, SSA:

/s/ Vincent Dormarunno                                                                8/27/08                                               

SIGNATURE                                                                                                DATE

      PIA REVIEWED BY SENIOR AGENCY PRIVACY OFFICIAL, SSA:

 /s/ David F. Black                                                                        9/8/08                                                

        SIGNATURE                                                                                                DATE