AGENCY:
Office of the Secretary, Department of Commerce.
ACTION:
Final rule.
SUMMARY:
This final rule revises the Department of Commerce (Department) regulations under the Freedom of Information Act (FOIA) and the Privacy Act. The revisions clarify and update the language of procedural requirements pertaining to the inclusion of Social Security account numbers on documents that the Department sends by mail. These revisions are necessary to implement the Social Security Number Fraud Prevention Act of 2017 (the Act), which restricts the inclusion of Social Security numbers (SSNs) on documents sent by mail by the Federal government.
DATES:
Effective May 26, 2021.
ADDRESSES:
Departmental Privacy Act Officer, Office of Privacy and Open Government, Department of Commerce, 1401 Constitution Ave. NW, Mail Stop 61025, Washington, DC 20230.
FOR FURTHER INFORMATION CONTACT:
Departmental Privacy Act Officer, Office of Privacy and Open Government, Department of Commerce, (202) 482-1190, PrivacyAct@doc.gov.
SUPPLEMENTARY INFORMATION:
Background
The Act (Pub. L. 115-59; 42 U.S.C. 405 note), which was signed on September 15, 2017, restricts Federal agencies from including individuals' SSNs on documents sent by mail, unless the head of the agency determines that the inclusion of the SSN on the document is necessary (section 2(a) of the Act). The Act requires agency heads to issue regulations specifying the circumstances under which inclusion of a SSN on a document sent by mail is necessary. These regulations, which must be issued not later than five years after the date of enactment, shall include instructions for the partial redaction of SSNs where feasible, and shall require that SSNs not be visible on the outside of any package sent by mail (section 2(b) of the Act). This final rule revises the Department regulations under FOIA (subpart A, 15 CFR part 4) and the Privacy Act (subpart B, 15 CFR part 4), consistent with these requirements in the Act. This final rule also clarifies the language of procedural requirements pertaining to the inclusion of SSNs on documents that the Department sends by mail; makes clarifying updates by changing the term “Privacy Officer” to “Privacy Act Officer” where it occurs in Subpart B of 15 CFR part 4, and by changing the term “FOI Officer” to “FOIA Officer” in several places in Appendix B.; and updates an office name by changing the phrase “Assistant General Counsel for Employment, Litigation, and Oversight” to “Assistant General Counsel for Employment, Litigation, and Information” where it occurs in part 4.
Comments on the Proposed Rule
The Office of the Secretary received four general comments on the proposed rule from members of the public. The comments on the proposed rule can be viewed and downloaded at the following link: https://www.regulations.gov/document/DOC-2020-0001-0001. No changes have been made to the regulatory text of the proposed rule in response to these four comments. The following are our responses to the comments.
Comment 1: I haven't received my stimulus check. I want to check my information and update my information.
Response: This comment is not addressed, as it is not within the scope of this action to amend the Department's regulations in order to implement the Act.
Comment 2: Noting concerns about fraud and criminal activity, a commenter stated that SSNs should be allowed to be used only for social security. The commenter stated that a company wanting to do business with you should assign an account number to serve as your identification, rather than request and use your personal information, including your SSN, and that this needs to be put into law.
Response: The Act is a law that restricts the inclusion of SSNs on Federal documents sent by mail. This final rule implements the Act by making changes to the Department's regulations, which state that the collection of SSNs on Federal documents by mail must be required or authorized by law, or must be deemed by the agency to be necessary for fulfilling a compelling business need of the agency. To the extent that this comment addresses the enactment of laws or the conduct of businesses and other entities, the comment is not applicable to this action amending the Department's regulations.
Comment 3: Noting concerns about privacy and potential identity theft, another commenter agreed with the proposed rule, but requested the listing out of specific circumstances in which the inclusion of a SSN on a document is necessary. The commenter stated that the SSN should not appear on any document, because ensuring that the SSN does not appear on the envelope is not enough to guarantee that the information will not be stolen. The commenter also asked why the Act allows a five-year period for implementation, and notes that the Act should be implemented sooner.
Response: The Department has policies and procedures in place for justifying the collections, maintenance, and uses of SSNs, as well as for maintaining an inventory of forms collecting SSNs, and for safeguarding the SSNs. The Department also has policies and procedures in place for eliminating the unnecessary collections, maintenance, and uses of SSNs. The Act requires Federal agencies with Chief Financial Officers to issue regulations, and the rationale for such determination, not later than five years after enactment. We note that the question regarding the Congress' reasons for including a five-year implementation period in the Act is beyond the scope of this final rule. However, this final rule will fully implement the Act's requirements in advance of the prescribed statutory five-year period.
Comment 4: One commenter stated that protecting American's identities needs to be a high concern of the United States government. With the advancement of technology, it is becoming easier for individuals to engage in identity fraud through SSNs. Therefore, the SSN should not be sent by the Federal government through mail. Many citizens are awaiting their stimulus checks, and criminals may be looking to steal checks that are mailed.
Response: The Act requires Federal agencies with Chief Financial Officers to issue regulations specifying the circumstances under which the inclusion of the SSN is necessary on a mailed document. The regulations must include instructions for partial redaction of the SSN where feasible and a requirement that the SSN not be visible on the outside of any mail. The Department has policies and procedures in place for eliminating the unnecessary collections, maintenance, and uses of SSNs. The comment regarding the potential theft of stimulus checks is not addressed, as it is not within the scope of this action to amend the Department's regulations in order to implement the Act.
Changes Between the Proposed Rule and Final Rule
This final rule makes no changes to the regulatory text of the proposed rule.
Classification
This final rule has been determined to be not significant for purposes of review under Executive Order 12866. In accordance with the Regulatory Flexibility Act (5 U.S.C. 605(b)), the Chief Counsel for Regulation has reviewed this rule and certified that this regulation, if implemented, will not have a significant economic impact on a substantial number of small entities. This rule is largely procedural in nature, and, therefore, will not affect requesters. This regulation does not contain a collection of information as defined by the Paperwork Reduction Act, 44 U.S.C. 3501, et seq.
List of Subjects in 15 CFR Part 4
- Appeals
- Freedom of Information Act
- Information
- Privacy
- Privacy Act
Jennifer Goode,
Acting Director and Deputy Director of Open Government, and Departmental Privacy Officer.
For the reasons stated in the preamble, the Department of Commerce amends Subparts A and B of 15 CFR part 4 as follows:
PART 4—DISCLOSURE OF GOVERNMENT INFORMATION
1. The authority citation for part 4 continues to read as follows:
Authority: 5 U.S.C. 301; 5 U.S.C. 552; 5 U.S.C. 552a; 5 U.SC. 553; 31 U.S.C. 3717; 44 U.S.C. 3101; Reorganization Plan No. 5 of 1950; Pub. L. 115-59, 131 Stat. 1152 (42 U.S.C. 405, note).
Subpart A—Freedom of Information Act
2. In § 4.7, add paragraph (d) to read as follows:
(d) All responses shall be made subject to the provisions of § 4.25(b)(2)(iv).
Subpart B—Privacy Act
3. Amend subpart B by removing the words “Privacy Officer” wherever they appear and adding in their place the words “Privacy Act Officer”.
4. Amend § 4.22 by adding paragraph (b)(10) to read as follows:
(b) * * *
(10) Un-redacted SSN Mailed Documents Listing (USMDL) means the Department approved list, as posted at www.commerce.gov/privacy,, designating those documents for which the inclusion of SSN is determined to be necessary to fulfill a compelling Department business need when the documents are requested by individuals outside the Department or other Federal agencies, as determined jointly by the Senior Agency Official for Privacy and the Departmental Privacy Act Officer.
5. Amend § 4.25 by:
a. Adding paragraphs (a)(3) and (4); and
b. Revising paragraph (b)(2)(iii) and adding paragraphs (b)(2)(iv) and (v).
The additions and revisions read as follows:
(a) * * *
(3) Inclusion of SSNs on responsive documents.
(i) The Department shall redact SSNs from responsive documents provided to requesters where feasible. Where full redaction is not feasible, partial redaction to create a truncated SSN shall be preferred to no redaction. The following conditions must be met for the inclusion of an unredacted (full) SSN or partially redacted (truncated) SSN on a responsive document:
(ii) The inclusion of the full SSN or truncated SSN of an individual must be required or authorized by law,
(iii) The inclusion of the full SSN or truncated SSN of an individual must be determined by the Senior Agency Official for Privacy and Departmental Privacy Act Officer to be necessary to fulfill a compelling Department business need; and
(iv) The full SSN of an individual may be included only on documents listed on the USMDL.
(4) The following requirements apply when the Department mails or delivers responsive documents containing SSNs or truncated SSNs:
(i) The full SSN of an individual may be included only on documents listed on the USMDL.
(ii) For documents that are listed on the USMDL and that include the full SSN of an individual, the signature of the recipient is required upon delivery.
(iii) For documents that include the truncated form of the SSN of an individual, the signature of the recipient is required upon delivery.
(iv) The full SSN, the truncated SSN, any part of the SSN of an individual must not be visible from the outside of the envelope or package.
(b) * * *
(2) * * *
(iii) Copies of documents may be mailed at the request of the individual and may be subject to payment of the fees prescribed in §§ 4.25(a)(3) and 4.31. In the event that the Department, at its own initiative, elects to provide a copy by mail, no fee will be charged to the individual.
(iv) Copies of documents listed on the USMDL that include full SSNs and that are requested by an individual are subject to payment of the fees prescribed in § 4.31.
(v) Documents containing SSNs or truncated SSNs that are required to be returned by the individual to the Department will be mailed or delivered along with a prepaid mail or delivery service envelope at the expense of the Department.
Appendix B to Part 4 [Amended]
6. Amend Appendix B to part 4 by:
a. Adding the word “Act” after the phrase “Freedom of Information” wherever it appears in the introductory text, under “Office of the Secretary,” and under “Assistant Secretary for Administration”; and
b. Adding a semicolon after the term “Office of Privacy and Open Government: Director”.
[FR Doc. 2021-06823 Filed 4-23-21; 8:45 am]
BILLING CODE 3510-17-P