Central Registry of Individuals Doing Business With SSA (Vendor File), Social Security Administration, Deputy Commissioner for Finance, Assessment and Management, Office of Financial Policy Operations

Effective Date: January 11, 2006

(71 F.R. 1849)

SOCIAL SECURITY ADMINISTRATION NOTICE OF SYSTEM OF RECORDS REQUIRED BY THE PRIVACY ACT OF 1974

SYSTEM NUMBER: 60-0232

System name:

    Central Registry of Individuals Doing Business With SSA (Vendor File), Social Security Administration, Deputy Commissioner for Finance, Assessment and Management, Office of Financial Policy Operations.

Security classification:

    None.

System Location:

            Social Security Administration

          Room 2-B-4 East Low Rise Building

          6401 Security Boulevard

          Baltimore, Maryland 21235

Categories of individuals covered by the system:

    Individuals who are the recipients of Federal Domestic Assistance Grants or of contracts awarded by the Social Security Administration (SSA).

Categories of records in the system:

    An index of names, addresses and Social Security numbers (SSN) of individuals or tax identification numbers (TIN) or employer identification numbers (EIN) of employer business entities doing business with SSA. The Central Registry (Vendor File) (VF) contains banking information, routing and transit numbers (RTAS) and deposit account numbers (DAN) for direct deposit payments for vendors. No other personally identifiable data are maintained. The index is termed public information since data relative to Federal Domestic Assistance and contracts are public information.

Authority for maintenance of the system:

    5 U.S.C. 301.

Purpose(s):

    This registry is maintained to provide a standard code to uniquely identify entities, including individuals, together with mailing address and other characteristic data, to all principal operating components, agencies, regional offices and staff offices of SSA. The use of a single code per entity in all SSA data systems enhances communications with an entity, as well as diminishing the need to maintain duplicative data and files at various locations. Major categories of entities in the central registry are those awarded contracts and grants under Federal Domestic Assistance programs. Only those persons in SSA with a

need to know” have access to the published registry and to the automated records. The Code Book provides a listing of data processing numbers for grant, contract and financial transactions. These numbers are used to access the name and address of the individual in the Automated Library (Central Registry). The information is used for check preparation, reports, mailings, etc.

Routine uses of records maintained in the system, including categories of users and the purposes of such uses:

    Disclosure may be made for routine uses as indicated below:

    1. To a congressional office in response to an inquiry from that office made at the request of the subject individual.

    2. To the Department of Justice (DOJ), a court or other tribunal, or another party before such tribunal, when:

    (a) The Social Security Administration (SSA), or any component thereof; or

    (b) Any SSA employee in his/her official capacity; or

    (c) Any SSA employee in his/her individual capacity where DOJ (or SSA, where it is authorized to do so) agreed to represent the employee; or

    (d) The United States or any agency thereof where SSA determines that the litigation is likely to affect SSA or any of its components, is a party to the litigation or has an interest in such litigation, and SSA determines that the use of such records by DOJ, a court or other

tribunal, or another party before such tribunal, is relevant and necessary to the litigation and would help in the effective representation of the governmental party, provided however, that in each case, SSA determines that such disclosure is compatible with the

purpose for which the records were collected.

    3. To the Department of Justice in the event the Social Security Administration deems it desirable or necessary, in determining whether particular records are required to be disclosed under the Freedom of Information Act for the purpose of obtaining its advice.

    4. To a Federal, State or local agency maintaining civil, criminal or other relevant enforcement records or other pertinent records, such as current licenses, if necessary to obtain a record relevant to an Agency decision concerning the hiring or retention of an employee, the issuance of a security clearance, the letting of a contract, or the

issuance of a license, grant or other benefit.

    5. To a Federal agency, in response to its request, in connection with the hiring or retention of an employee, the issuance of a security clearance, the reporting of an investigation of an employee, the letting of a contract, or the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the record is relevant and necessary to the requesting agency's decision on the matter.

    6. To a Federal agency having the power to subpoena records, for example, the Internal Revenue Service or the Civil Rights Commission in response to a subpoena for information contained in this system of records.

    7. To officials of labor organizations recognized under 5 U.S.C. Chapter 71 when relevant and necessary to their duties of exclusive representation concerning personnel policies, practices, and matters affecting conditions of employment.

    8. To student volunteers, individuals working under a personal services contract, and other workers who technically do not have the status of Federal employees, when they are performing work for the Social Security Administration (SSA), as authorized by law, and they need access to personally identifiable information in SSA records in order to perform their assigned Agency functions.

    9. To the General Services Administration and the National Archives Records Administration (NARA) under 44 U.S.C. 2904 and 2906, as amended by the NARA Act of 1984, information which is not restricted from disclosure by Federal law for the use of those agencies in conducting records management studies.

    10. To contractors and other Federal agencies, as necessary, for the purpose of assisting the Social Security Administration (SSA) in the efficient administration of its programs. We will disclose information under this routine use only in situations in which SSA may enter into a contractual or similar agreement with a third party to assist in accomplishing an agency function relating to this system of records.

    11.  We may disclose information to appropriate Federal, State, and local agencies, entities, and persons when (1) we suspect or confirm that the security or confidentiality of information in this system of records has been compromised; (2) we determine that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs of SSA that rely upon the compromised information; and (3) we determine that disclosing the information to such agencies, entities, and persons is necessary to assist in our efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. SSA will use this routine use to respond only to those incidents involving an unintentional release of its records.

Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system:

Storage:

    Records are maintained in automated form (e.g., disc packs and magnetic tapes) and in paper form (e.g., Hard copy code booklets) at central computer sites.

Retrievability:

    Records are retrieved by either name, SSN or other characteristic data.

Safeguards:

    Only specified employees have access to the vendor file database. A security profile is maintained in the computer system to limit and monitor access. Authorized employees must have a personal identification number (PIN) and password to access the system and

clearance for the proper security profile to access the vendor file. Certain functions, such as “Delete” or “Purge,” cannot be performed unless the vendor file systems administrator implements the function. Access http://www.socialsecurity.gov/foia/bluebook/ app--g.htm for additional information relating to SSA data security measures.

Retention and disposal:

    Records are purged from the automated file every two years; only persons actively dealing with SSA remain on file. Code Books are replaced each year. Inactive books are destroyed.

System manager(s) and address(es):

            Social Security Administration

          Office of Finance

          Division of Administrative Payments

          2-B-4 East Low Rise Building

          6401 Security Boulevard

          Baltimore, Maryland 21235

Notification procedures:

    An individual can determine if this system contains a record about him/her by writing to the system manager(s) at the above address and providing his/her name, SSN or other information that may be in the system of records that will identify him/her. An individual requesting notification of records in person should provide the same information, as well as provide an identity document, preferably with a photograph, such as a driver's license or some other means of identification. If an individual does not have any identification documents sufficient to establish his/her identity, the individual must certify in writing that he/she is the person claimed to be and that he/she understands that the knowing and willful request for, or acquisition of, a record pertaining to another individual under false pretenses is a criminal offense.    If notification is requested by telephone, an individual must verify his/her identity by providing identifying information that parallels information in the record to which notification is being requested. If it is determined that the identifying information provided by telephone is insufficient, the individual will be required

to submit a request in writing or in person. If an individual is requesting information by telephone on behalf of another individual, the subject individual must be connected with SSA and the requesting individual in the same phone call.

    SSA will establish the subject individual's identity (his/her name, SSN, address, date of birth and place of birth, along with one other piece of information, such as mother's maiden name) and ask for his/her consent in providing information to the requesting individual.

    If a request for notification is submitted by mail, an individual must include a notarized statement to SSA to verify his/her identity or must certify in the request that he/she is the person claimed to be and that he/she understands that the knowing and willful request for, or acquisition of, a record pertaining to another individual under false pretenses is a criminal offense. These procedures are in accordance with SSA Regulations (20 CFR 401.40(c)).

Record access procedures:

    Same as Notification procedures. Requesters should also reasonably specify the record contents being sought. These procedures are in accordance with SSA Regulations (20 CFR 401.40(c)).

Contesting record procedures:

    Same as Notification procedures. Also, requesters should reasonably identify the record, specify the information they are contesting and corrective action sought, and the reasons for the correction, with supporting justification showing how the record is incomplete,

inaccurate, untimely or irrelevant. These procedures are in accordance with SSA Regulations (20 CFR 401.65(a)).

Record source categories:

    Grant and Contract documents. Names, SSNs, TINs, RTAS, DANs and addresses are provided by the individual when applying for a grant or contract from the SSA.

Systems exempted from certain provisions of the Privacy Act:

    None.