Privacy Act of 1974; Implementation
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Abstract
The Department of Homeland Security (DHS or Department) is proposing to amend its regulations under the Privacy Act of 1974 consistent with the Social Security Number Fraud Prevention Act of 2017. In addition, DHS is proposing to amend the rules regarding including a Social Security number on physical mail only when necessary to further define "necessary" and provide instructions on redaction of social security numbers when feasible.
Full Text
<html>
<head>
<title>Federal Register, Volume 90 Issue 7 (Monday, January 13, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 7 (Monday, January 13, 2025)]
[Proposed Rules]
[Pages 2642-2644]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-31357]
========================================================================
Proposed Rules
Federal Register
________________________________________________________________________
This section of the FEDERAL REGISTER contains notices to the public of
the proposed issuance of rules and regulations. The purpose of these
notices is to give interested persons an opportunity to participate in
the rule making prior to the adoption of the final rules.
========================================================================
[[Page 2642]]
DEPARTMENT OF HOMELAND SECURITY
Office of the Secretary
6 CFR Part 5
[Docket No. DHS-2025-0002]
RIN 1601-AB04
Privacy Act of 1974; Implementation
AGENCY: Office of the Secretary, Department of Homeland Security.
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: The Department of Homeland Security (DHS or Department) is
proposing to amend its regulations under the Privacy Act of 1974
consistent with the Social Security Number Fraud Prevention Act of
2017. In addition, DHS is proposing to amend the rules regarding
including a Social Security number on physical mail only when necessary
to further define ``necessary'' and provide instructions on redaction
of social security numbers when feasible.
DATES: Comments must be received by February 12, 2025.
ADDRESSES: You may submit comments, identified by docket number
DHS-2025-0002, through the Federal e-Rulemaking Portal: <a href="https://www.regulations.gov">https://www.regulations.gov</a>. Follow the instructions for submitting comments.
Instructions: All submissions received must include the agency name
and docket number for this notice. All comments received may be posted
without change to <a href="https://www.regulations.gov">https://www.regulations.gov</a>, including any personal
information provided.
Docket: For access to the docket to read background documents or
comments received, go to <a href="https://www.regulations.gov">https://www.regulations.gov</a>.
FOR FURTHER INFORMATION CONTACT: Deborah Fleischaker, Acting Chief
Privacy Officer, Privacy Office, Department of Homeland Security,
Washington, DC 20528, (202) 343-1717, [email protected].
SUPPLEMENTARY INFORMATION:
I. Background
The Privacy Act of 1974, as amended, (``Privacy Act''), serves to
safeguard public interest in informational privacy by delineating the
duties and responsibilities of Federal agencies that collect, store,
and disseminate personal information about individuals.\1\ The Privacy
Act defines an individual to encompass U.S. citizens and lawful
permanent residents.\2\
---------------------------------------------------------------------------
\1\ See Public Law 93-579, 88 Stat. 1896, as amended; see also 5
U.S.C. 552a.
\2\ See 5 U.S.C. 552a(a)(2).
---------------------------------------------------------------------------
The Secretary of Homeland Security (``Secretary'') has authority
under 5 U.S.C. 301, 552, 552a, and 6 U.S.C. 112(e) to issue Privacy Act
regulations. The Secretary has delegated that authority to the Chief
Privacy Officer of the Department.\3\
---------------------------------------------------------------------------
\3\ 6 U.S.C. 142 and DHS Del. No. 13001, Rev. 01 (June 2, 2020).
---------------------------------------------------------------------------
In 2017, Congress enacted the Social Security Number Fraud
Prevention Act of 2017 (``SSN Fraud Prevention Act'').\4\ This law
restricts agencies from including the Social Security number (``SSN'')
of an individual on any document sent by mail unless the agency head
determines inclusion is necessary.\5\ It requires DHS to promulgate
rules that will: (1) specify the circumstances under which inclusion of
an SSN on a document sent by mail is necessary; (2) instruct components
on the partial redaction of SSNs where feasible; and (3) require that
SSNs not be visible on the outside of any package sent by mail.\6\ DHS
issued a privacy policy in 2019 that required all new and legacy DHS
Information Technology systems, programs, and forms to use a unique
alternative identifier to SSNs, which minimized the use of SSN in
documents.\7\ The policy provides that if there are technological,
legal, or regulatory limitations to eliminating the use of SSNs, then
privacy-enhancing SSN alternatives must be utilized, such as masking,
redacting, or truncating SSNs in digital and hard copy formats.\8\
---------------------------------------------------------------------------
\4\ Public Law 115-59, 131 Stat. 1152 (2017); codified at 42
U.S.C. 405 note.
\5\ Id.
\6\ Id.
\7\ DHS, Directive 047-01-010: Social Security Number Collection
and Use Reduction (June 18, 2019), <a href="https://www.dhs.gov/sites/default/files/publications/047-01-010_ssn_collection_final_06-17-2019.pdf">https://www.dhs.gov/sites/default/files/publications/047-01-010_ssn_collection_final_06-17-2019.pdf</a>.
\8\ Id.
---------------------------------------------------------------------------
In 2022, DHS published a final rule updating its procedures
implementing the Privacy Act, 5 U.S.C. 552a, at 6 CFR part 5, subpart
B.\9\ The rule, among other things, amended 6 CFR 5.33(c) to state that
DHS cannot include individuals' SSNs on any document sent by mail
unless the Secretary determines inclusion of the number on the document
is necessary.\10\ This partially met the requirements of the SSN Fraud
Prevention Act.
---------------------------------------------------------------------------
\9\ 87 FR 68599 (Nov. 16, 2022).
\10\ See id.
---------------------------------------------------------------------------
DHS now proposes to further amend 6 CFR 5.33(c) to define the
circumstances when it would be necessary to include the SSN on a
document. This change would fully comply with the requirements of the
SSN Fraud Prevention Act and the 2019 DHS privacy policy. In general,
DHS proposes to specify that DHS may only include an SSN on a document
sent by mail when necessary, in other words when a DHS component would
be unable to comply, in whole or in part, with a legal, regulatory, or
policy requirement if prohibited from mailing the full SSN.
II. Discussion of Proposed Changes
This rule proposes amendments to the DHS regulations on the use and
collection of SSN to meet the requirements of the SSN Fraud Prevention
Act.\11\ As stated above, DHS previously amended 6 CFR 5.33(c)
consistent with some requirements in the SSN Fraud Prevention Act. DHS
proposes to further amend 6 CFR 5.33(c) to codify additional
requirements as mandated by the SSN Fraud Prevention Act and the 2019
DHS privacy policy.
---------------------------------------------------------------------------
\11\ See Public Law 115-59, 131 Stat. 1152 (2017); codified at
42 U.S.C. 405 note.
---------------------------------------------------------------------------
Specifically, DHS proposes to specify that DHS will not generally
include an individual's full SSN on a document sent by mail and will
only do so if the Secretary or the Secretary's designee determines that
the SSN's inclusion is necessary. As stated previously, the proposed
rule would explain that the inclusion of an SSN would only be necessary
in those circumstances in which a component would be unable to comply,
in whole or in part, with a legal, regulatory, or policy requirement if
prohibited from mailing the full SSN. On the other hand, the proposed
rule would explain that including a full SSN
[[Page 2643]]
is not necessary if the DHS component can either redact the SSN, such
as by using no more than the last four digits of the account number, or
entirely strike the SSN and still comply with all relevant legal,
regulatory, or policy requirements.
However, if the use of the full SSN on a document sent by mail \12\
is necessary, the DHS component sending the document shall implement
appropriate administrative, technical, and physical safeguards to
ensure a reasonable level of security against unauthorized access to,
and use, disclosure, disruption, modification, or destruction of, the
documents sent by mail. Finally, this proposed rule would specify that
in all cases the component will ensure that no part of an SSN is
visible on the outside of any package or envelope sent by mail.
---------------------------------------------------------------------------
\12\ Consistent with the language of the Social Security Number
Fraud Prevention Act, which discusses ``documents sent by mail'',
the proposed rule would be limited to physical mail sent by DHS.
Accordingly, the rule proposes to clarify that physical mail
includes printed documents or correspondence but does not include
emails or other documents, correspondence, or communications
transmitted by electronic means (e.g., via web portals).
---------------------------------------------------------------------------
Overall, this proposed rule would codify procedures in the
regulations to ensure compliance with the SSN Fraud Prevention Act, but
DHS does not expect it to have a significant impact on the current
operations of the Department. As discussed further below in section
III, DHS has already eliminated all DHS forms that contain SSN fields
and are mailed through the United States Postal Service (``USPS'').
However, should circumstances change such that a DHS component must
include an individual's full SSN on printed mail in order to comply
with all of the component's legal, regulatory, or policy obligations,
then this proposed rule would provide a durable framework to ensure
that the SSN is only used when it is truly necessary and that the
component applies all possible and appropriate safeguards.
III. Regulatory Analyses
Executive Orders 12866, 14094, and 13563--Regulatory Review
Executive Order 12866 (Regulatory Planning and Review), as amended
by Executive Order 14094 (Modernizing Regulatory Review) and 13563
(Improving Regulation and Regulatory Review), directs agencies to
assess the costs and benefits of available regulatory alternatives and,
if regulation is necessary, to select regulatory approaches that
maximize net benefits (including potential economic, environmental,
public health and safety effects, distributive impacts, and equity).
Executive Order 13563 emphasizes the importance of quantifying costs
and benefits, reducing costs, harmonizing rules, and promoting
flexibility. The Office of Management and Budget (OMB) has not
designated this proposed rule a significant regulatory action under
section 3(f) of Executive Order 12866, as amended by Executive Order
14094. Accordingly, OMB has not reviewed this regulatory action.
DHS has considered the costs and benefits of this proposed rule.
The benefits and costs of a regulation are generally measured against a
no-action baseline, which is a reasonable forecast of the way the world
would look absent the regulatory action being assessed.\13\ This
proposed rule would not introduce new regulatory mandates on the
public. In compliance with the statutory requirements in the SSN Fraud
Prevention Act, this proposed rule describes the circumstances in which
DHS would include SSN on documents that DHS sends via mail. This
proposed rule would also clarify that DHS Components and Headquarters
Offices should undertake technical and physical safeguards when mailing
documents with SSNs, or implement alternatives to full SSN, such as
truncation, when feasible and legally permissible.
---------------------------------------------------------------------------
\13\ See OMB Circular A-4, p. 11 (Nov. 9, 2023) (accessible at
<a href="https://www.whitehouse.gov/wp-content/uploads/2023/11/CircularA-4.pdf">https://www.whitehouse.gov/wp-content/uploads/2023/11/CircularA-4.pdf</a>).
---------------------------------------------------------------------------
DHS reported in its Social Security Number Fraud Prevention Act
Final Report to Congress in June of 2023 that it successfully met the
requirements of the Act in 2019 by eliminating all 69 DHS forms that
contained fields for SSNs and were mailed through the USPS.\14\ All DHS
Components and Headquarters Offices confirmed that there remained no
DHS-specific forms containing fields for SSNs that are mailed through
the USPS.\15\
---------------------------------------------------------------------------
\14\ DHS, Social Security Number Fraud Prevention Act Final
Report to Congress, 5 (June 2023), <a href="https://www.dhs.gov/sites/default/files/2023-07/SSN%20Fraud%20Prevention%20Act%20Final%20Report%20%282%29.pdf">https://www.dhs.gov/sites/default/files/2023-07/SSN%20Fraud%20Prevention%20Act%20Final%20Report%20%282%29.pdf</a>.
\15\ Id.
---------------------------------------------------------------------------
In addition, as noted above, DHS issued a privacy policy in 2019
that required all new and legacy DHS Information Technology systems,
programs, and forms to use a unique alternative identifier to SSNs and
that provides that components must utilize privacy-enhancing SSN
alternatives if there are technological, legal, or regulatory
limitations to eliminating the use of SSNs.\16\ If, in future
circumstances, DHS determined there would be a need to include SSN in
mailed documents, DHS components have already taken appropriate steps
to implement safeguards for securing SSN in mailed documents in
compliance with DHS-wide policy in effect since 2019. Therefore, the
proposed rule would provide clarification benefits but would not result
in cost impacts to DHS or the public, because DHS has already
eliminated SSNs in DHS forms that are mailed. Further, in the potential
circumstance where DHS would mail documents with SSNs, since 2019, DHS
implemented safeguards that would be required by this proposed rule.
---------------------------------------------------------------------------
\16\ Id.
---------------------------------------------------------------------------
Unfunded Mandates Reform Act of 1995
Title II of the Unfunded Mandates Reform Act of 1995 (UMRA), Public
Law 104-4, establishes requirements for Federal agencies to assess the
effects of their regulatory actions on State, local, and Tribal
governments and the private sector. This proposed rule would not
contain a Federal mandate that results in the expenditure by State,
local, and Tribal governments, in the aggregate, or by the private
sector, of $100,000,000 or more in any one year, and it would not
significantly or uniquely affect small governments. Therefore, DHS
deemed a written statement was not necessary under the provisions of
the UMRA.
Regulatory Flexibility Act
Under the Regulatory Flexibility Act of 1980 (RFA), 5 U.S.C.
601-612, and section 213(a) of the Small Business Regulatory Enforcement
Fairness Act of 1996, 5 U.S.C. 601 note, agencies must consider the
impact of their rulemakings on ``small entities'' (small businesses,
small organizations, and local governments). The term ``small
entities'' comprises small businesses, not-for-profit organizations
that are independently owned and operated and are not dominant in their
fields, and governmental jurisdictions with populations of less than
50,000.
DHS certifies that this regulation would not have a significant
economic impact on a substantial number of small entities. The factual
basis for this certification is due to the requirements only applying
to the Federal Government (DHS Components and Headquarters Offices). The
proposed rule governs only the possible circumstances under which DHS
would include SSNs in documents mailed by DHS. However, as previously
discussed and reported to Congress, DHS has eliminated the SSN on all
DHS forms. DHS does not believe small entities would have new
compliance requirements or costs as a direct result of this proposed
rule.
[[Page 2644]]
Paperwork Reduction Act
This regulatory action would not impose a collection of information
requirement subject to review and approval by OMB, as it does not
include any reporting or recordkeeping requirements, under the
Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq.).
National Environmental Policy Act
Section 102 of the National Environmental Policy Act of 1969
(NEPA), Public Law 91-190, 83 Stat. 852 (Jan. 1, 1970) (42 U.S.C. 4321
et seq.), as amended, requires Federal agencies to evaluate the impacts
of a proposed major Federal action that may significantly affect the
human environment, consider alternatives to the proposed action,
provide public notice and opportunity to comment, and properly document
its analysis. DHS and its agency components analyze proposed actions to
determine whether NEPA applies to them and, if so, what level of
documentation and analysis is required.
DHS Directive 023-01, Rev. 01 and DHS Instruction Manual
023-01-001-01, Rev. 01 (Instruction Manual) establish the policies and
procedures DHS and its component agencies use to comply with NEPA and
the Council on Environmental Quality regulations for implementing NEPA
codified in 40 CFR parts 1500 through 1508. The CEQ regulations allow
Federal agencies to establish, in their implementing procedures, with
CEQ review and concurrence, categories of actions (``categorical
exclusions'') that experience has shown do not, individually or in the
aggregate, have a significant effect on the human environment and,
therefore, do not require preparation of an environmental assessment or
environmental impact statement. 40 CFR 1501.4, 1507.3(e)(2)(ii).
Appendix A of the Instruction Manual lists the DHS categorical
exclusions.
Under DHS NEPA implementing procedures, for an action to be
categorically excluded, it must satisfy each of the following three
conditions: (1) the entire action clearly fits within one or more
categorical exclusions; (2) the action is not a piece of a larger
action; and (3) no extraordinary circumstances exist that create the
potential for a significant environmental effect.
DHS is not aware of any significant impact on the environment, or
any change in environmental effect that will result from this proposed
rule. DHS finds promulgation of the rule clearly fits within
categorical exclusion A3, established in the Department's NEPA
implementing procedures.
This proposed rule is a standalone rule and is not part of any
larger action. This proposed rule would not result in any major Federal
action that would significantly affect the quality of the human
environment. Furthermore, DHS has determined that no extraordinary
circumstances exist that would create the potential for significant
environmental effects. Therefore, this proposed rule is categorically
excluded from further NEPA review and documentation.
List of Subjects in 6 CFR Part 5
Classified information, Courts, Freedom of information, Government
employees, Privacy.
For the reasons stated in the preamble, DHS proposes to amend 6 CFR
part 5 as follows:
PART 5--DISCLOSURE OF RECORDS AND INFORMATION
1. The authority citation for part 5 continues to read as follows:
Authority: 6 U.S.C. 101 et seq.; Pub. L. 107-296, 116 Stat.
2135; 5 U.S.C. 301; 6 U.S.C. 142; DHS Del. No. 13001, Rev. 01 (June
2, 2020).
Subpart A also issued under 5 U.S.C. 552.
Subpart B also issued under 5 U.S.C. 552a and 552 note.
2. Amend Sec. 5.33 by revising paragraph (c) to read as follows:
Sec. 5.33 Use and collection of Social Security numbers.
* * * * *
(c) The following rules apply to physical mail:
(1)(i) In general, DHS will not include the full Social Security
number (SSN) of an individual on any document sent by physical mail.
Physical mail includes printed documents or correspondence but does not
include emails or any other documents, correspondence, or
communications in electronic form.
(ii) DHS will only include the SSN of an individual on any document
sent by physical mail if the Secretary, or designee, determines that
the inclusion of the SSN on the document is necessary.
(iii) For purposes of paragraph (c)(1)(ii) of this section,
necessary means required for a DHS component to comply, in whole or in
part, with a legal, regulatory, or policy requirement.
(iv) Including the SSN is not necessary under paragraph (c)(1)(ii)
of this section if the DHS component can redact the SSN in accordance
with paragraph (c)(2) of this section or strike the SSN entirely and
still comply with all relevant legal, regulatory, or policy
requirements.
(2) Where feasible, DHS components should partially redact the
Social Security account number on any document sent by physical mail by
including no more than the last four digits of the Social Security
account number. Components should prioritize technical methods to
redact Social Security account numbers in accordance with this
paragraph (c)(2).
(3) In all cases, DHS components must ensure that no part of the
SSN is visible from the outside of any package or envelope sent by
physical mail.
Deborah Fleischaker,
Acting Chief Privacy Officer, Department of Homeland Security.
[FR Doc. 2024-31357 Filed 1-10-25; 8:45 am]
BILLING CODE 9110-9L-P
</pre></body>
</html>