105-64.105—When may Social Security Numbers (SSNs) be collected?

GSA Heads of Services and Staff Offices and Regional Administrators are responsible for ensuring that all systems of records under their jurisdiction meet the provisions of the Privacy Act and these rules. System managers are responsible for the system(s) of records assigned to them. The GSA Privacy Act Officer oversees the GSA Privacy Program and establishes privacy-related policy and procedures for the agency under the direction of the GSA Senior Agency Official for Privacy.
No information contained in a Privacy Act system of records will be disclosed to third parties without the written consent of you, the individual of record, except under the conditions cited in § 105-64.501.
System managers must collect information that is used to determine your rights, benefits, or privileges under GSA programs directly from you whenever practical, and use the information only for the intended purpose(s).
When soliciting information from you or a third party for a system of records, system managers must: Cite the authority for collecting the information; say whether providing the information is mandatory or voluntary; give the purpose for which the information will be used; state the routine uses of the information; and describe the effect on you, if any, of not providing the information. This information is found in the Privacy Act Statement. Any form that asks for personal information will contain this statement.
(a) Statutory or regulatory authority must exist for collecting Social Security Numbers for record systems that use the SSNs as a method of identification. Systems without statutory or regulatory authority implemented after January 1, 1975, will not collect Social Security Numbers.
(b) In compliance with OMB M-07-16 (Safeguarding Against and Responding to the Breach of Personally Identifiable Information), collection and storage of SSNs will be limited to systems where no other identifier is currently available. While GSA will strive to reduce the collection and storage of SSNs and other PII, we recognize that some systems continue to need to collect this information.
System managers will ensure that all Privacy Act records are accurate, relevant, necessary, timely, and complete. All GSA systems are reviewed annually. Those systems that contain Personally Identifiable Information (PII) are reviewed to ensure they are relevant, necessary, accurate, up-to-date, and covered by the appropriate legal or regulatory authority. A listing of GSA Privacy Act Systems can be found at the following link (http://www.gsa.gov/Portal/gsa/ep/contentView.do?contentType=GSA_BASIC&contentId=21567).

Code of Federal Regulations

(a) Employees who design, develop, operate, or maintain Privacy Act record systems will protect system security, avoid unauthorized disclosure of information, both verbal and written, and ensure that no system of records is maintained without public notice. All such employees will follow the standards of conduct in 5 CFR part 2635, 5 CFR part 6701, 5 CFR part 735, and 5 CFR part 2634 to protect personal information.
(b) Employees who have access to Privacy Act records will avoid unauthorized disclosure of personal information, both written and verbal, and ensure they have met privacy training requirements. All such employees will follow GSA orders HCO 9297.1 GSA Data Release Policy, HCO 9297.2A GSA Information Breach Notification Policy, HCO 2180.1 GSA Rules of Behavior for Handling Personally Identifiable Information (PII), CIO P 2100.1E CIO P GSA Information Technology (IT) Security Policy, and CIO 2104.1 GSA Information Technology (IT) General Rules of Behavior.
(a) System managers will establish administrative, technical, and physical safeguards to ensure the security and confidentiality of records, protect the records against possible threats or hazards, and permit access only to authorized persons. Automated systems will incorporate security controls such as password protection, verification of identity of authorized users, detection of break-in attempts, firewalls, or encryption, as appropriate.
(b) System managers will ensure that employees and contractors who have access to personal information in their system will have the proper background investigation and meet all privacy training requirements.
In cases where GSA has either permanent or temporary custody of other agencies' records, system managers will coordinate with those agencies on any release of information. Office of Personnel Management (OPM) records that are in GSA's custody are subject to OPM's Privacy Act rules.