Safeguarding Beneficiary Information

As payee for a large number of individuals, you maintain records containing personally identifiable information belonging to these individuals. Personally identifiable information includes a person’s name, date of birth, Social Security Number, bank account information, address, health records and Social Security benefit payment data.

Reminders:

  • You should have documented guidelines and procedures to protect personal information as described in the Guide for Organizational Representative Payees.
  • Be familiar with security, privacy and confidentiality practices.
  • Use beneficiary personal data only for purposes for which you have authorization.
  • Lock or logoff computer workstation/terminal prior to leaving it unattended. Act in an ethical, informed and trustworthy manner.
  • Protect sensitive electronic records.
  • Be alert to threats and vulnerabilities to your systems.
  • Ensure that employee screening for sensitive positions within your organization has occurred prior to any individual being authorized access to sensitive or critical applications.
  • Avoid leaving paper documents containing personal data lying unprotected on desktops.

Managers should be alert to employees who fail to adequately safeguard personally identifiable information by failing to secure it from theft, loss or inadvertent disclosure.

The responsibility to protect personally identifiable information applies at all times regardless of whether personnel are on duty at their duty station, another official work location or an alternate duty station. Anyone not on duty still has the responsibility to secure any personally identifiable information within their control.

We recommend that employees be required to have locking file cabinets or desk drawers for storage of confidential material.

Case files taken to an alternate duty station should be tracked to ensure their timely return to the office. Personnel should be required (e.g., through use of a locking device such as a briefcase or satchel) to ensure that all beneficiary personal records are safeguarded and protected from theft/damage while being transported.

Examples of Failing to Safeguard Personally Identifiable Information:

The following list provides examples of situations where personally identifiable information is not properly safeguarded:

  • Leaving an unprotected computer containing beneficiary information in an non-secure space (e.g., leaving the computer unattended in a public place, in an unlocked room, or in an unlocked car);
  • Leaving an unattended briefcase containing beneficiary information in a non-secure area, including any place in the office;
  • Storing electronic files containing beneficiary information on a computer or access device (flash drive, CD, etc.) that other people have access to (not password-protected);
  • Working from home with a file containing personally identifiable information, but not locking the file in a secure file cabinet when not being used.

This list does not encompass all failures to safeguard personally identifiable information but alerts employees to situations that must be avoided.

We must be vigilant in every way to make sure that an individual’s personal information remains secure. It is the responsibility of each of us to do all we can to maintain the security of the information entrusted to us by the American people. If you believe one of your clients has been a victim of identity theft, go to SSA’s online pamphlet, Identity Theft And Your Social Security Number (SSA Publication No. 05-10064, ICN 463270), and follow the instructions.

Thank you for your help in this important matter.