Privacy Home / Privacy Impact Assessments (PIAs) / Personal Identity Verification /Homeland Security Presidential Directive 12

Personal Identity Verification /Homeland Security Presidential Directive 12

·         Name of Project

      Personal Identity Verification /Homeland Security Presidential Directive 12

·         Unique Project Identifier

016-00-SSA/PSS-G-003

·         Privacy Impact Assessment Contact

Office of Physical Security Services

Office of Facilities Management

Office of Budget, Finance, and Management

Social Security Administration
6401 Security Boulevard
Baltimore, MD 21235

·         Background

Homeland Security Presidential Directive 12 (HSPD-12) requires us to establish a common identification standard for Federal employees and contractors.  HSPD-12 directs the use of a mandatory common Federal identification credential for access to all federally controlled facilities and information systems. 

HSPD-12 requires us to establish a Federal credential that is secure and reliable and that meets the following criteria:

o   Is issued based on sound criteria for verifying an individual's identity;

o   Is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist

            exploitation;

o   Can be rapidly authenticated electronically; and

o   Is issued only by providers whose reliability has been established by an

            official accreditation process.

In response to HSPD-12, the National Institute of Standards and Technology (NIST) created the Federal Information Processing Standard (FIPS) 201, entitled, Personal Identity Verification of Federal Employees and Contractors.  FIPS 201 satisfies the requirements of HSPD-12 by improving the identification and authentication of Federal employees and contractors for access to federally controlled facilities and information systems. 

The FIPS 201 Personal Identity Verification (PlV) credential is for both physical (e.g., entry into building) and logical access (e.g., interconnecting networks known as Virtual Private Networks), and other applications as determined by the individual agencies.  Our Office of Facilities Management/Office of Protective Security Services handles identity management pursuant to HSPD-12 and FIPS 201 and issues our PIV cards. 

We issue the PIV identification cards to the following persons:

o   Employees who work in any Agency facilities;

o   Contractors requiring access to Agency facilities and systems;

o   Volunteers and temporary employees; and

o   Other persons who are visiting Agency facilities who possess PIV cards issued from other Federal agencies.

  We do not issue the PIV identification cards to occasional visitors or short-term guests. 

·         Describe the information we plan to collect, why we will collect the information, how we intend to use the information, and with whom we will share the information.

We will collect and maintain the following personally identifiable information (PII), as required by FIPS 201, Form 1-9 (OMB No. 115-0316, Employment Eligibility Verification  http://www.uscis.gov/files/form/i-9.pdf), and for completing the PIV card registration and issuance process that is necessary for obtaining a PIV card:

o   Name (Last, First, and middle initial)

o   Date of birth

o   Social Security Number

o   Place of birth

o   Organizational affiliation

o   Employee affiliation (e.g., Contractor, Active Duty, Civilian)

o   Biometric identifiers (e.g., fingerprint, voiceprint)

o   Electronic signature

o   Digital photograph

o   Personal Identification Number

o   PIV authentication key

o   Cardholder unique identifier

o   Signed PIV requests

o   Signed Standard Form 86a (or equivalent) http://www.fbijobs.gov/employment/SF86A.pdf

o   Results of background check

o   PIV Registrar approval (digital signature)

o   PIV card expiration date

o   Agency card serial number

o   Copies of identity source documents

We will disclose information, which we collect and maintain relating to the registering and issuance of PIV cards, only to our employees and contractors who require the information to perform their official duties; to the subject of the record; and to other persons pursuant to an applicable routine use provision as authorized by the Privacy Act of 1974, or as otherwise permitted by Federal law.  For example, under a routine use, we can disclose information to contractors, as necessary, to assist us in efficiently administering our programs.

We will not disclose any information defined as “return or return information” under

26 U.S.C. § 6103 of the Internal Revenue Code (IRC) unless authorized by statute, the IRC, the Internal Revenue Service (IRS), or IRS regulations.

·         Describe the administrative and technological controls we have in place or that we plan to use to secure the information we will collect.

Our security includes technical, management, and operational controls that permit access to our information only to persons with an official “need to know.”  For example, we enforce the use of access codes (personal identification number and password) to enter our computer systems that house the data.  We maintain electronic files with personal identifiers in secure storage areas.  We utilize audit mechanisms to record sensitive transactions as an additional measure to protect information from unauthorized disclosure or modification.

We annually provide appropriate security awareness training to all our employees and contractors that includes reminders about the need to protect PII and the criminal penalties that apply to unauthorized access to, or disclosure of, PII.  See 5 U.S.C. § 552a(i)(1).  Furthermore, employees and contractors            with access to databases maintaining PII must annually sign a sanction document that acknowledges their accountability for inappropriately accessing or disclosing such information.

·         Describe the impact on persons’ privacy rights.  Do we afford people an opportunity to decline to provide information? 

Yes.  We have legal authority to collect this information to administer our responsibilities under the Social Security Act.  When we collect information from users wishing to conduct business with us through our electronic services, we use our Privacy Act Statement to advise them of our legal authority for requesting the information and explain the possible effects if they choose not to provide the information.  Users can then make an informed decision whether or not to provide the information.

·         Do we afford people an opportunity to consent to only particular uses of the information?

No.  When we collect a person’s information, we advise that person of the purposes for which we will use the information.  We further advise the person that we will disclose the information without written prior consent only when we have specific legal authority to do so (e.g., the Privacy Act of 1974).  We do not otherwise offer persons an opportunity to determine how and with whom we share their information.

·         Does the collection of this information require a new system of records under the Privacy Act (5 U.S.C. § 552a) or an alteration to an existing system of records?

No.  We have an established Privacy Act system of records entitled, the Identity Management System (60-0361), that explains how we store, manage, and maintain information related to issuing and maintaining PIV credentials to Federal employees and contractors, and to verify and authenticate their access to Federal resources. 

PIA CONDUCTED BY ACTING SSA PRIVACY OFFICER:

/S/ Mary Ann Zimmerman                                      7/31/2012 

SIGNATURE                                                          DATE

PIA REVIEWED BY SSA SENIOR AGENCY PRIVACY OFFICIAL:

/S/ David F. Black                                                  8/01/2012

SIGNATURE                                                          DATE