SUPPLEMENTARY INFORMATION:

I. Background

The Privacy Act of 1974, as amended, (“Privacy Act”), serves to safeguard public interest in informational privacy by delineating the duties and responsibilities of Federal agencies that collect, store, and disseminate personal information about individuals.^[1] The Privacy Act defines an individual to encompass U.S. citizens and lawful permanent residents.^[2]

The Secretary of Homeland Security (“Secretary”) has authority under 5 U.S.C. 301, 552, 552a, and 6 U.S.C. 112(e) to issue Privacy Act regulations. The Secretary has delegated that authority to the Chief Privacy Officer of the Department.^[3]

In 2017, Congress enacted the Social Security Number Fraud Prevention Act of 2017 (“SSN Fraud Prevention Act”).^[4] This law restricts agencies from including the Social Security number (“SSN”) of an individual on any document sent by mail unless the agency head determines inclusion is necessary.^[5] It requires DHS to promulgate rules that will: (1) specify the circumstances under which inclusion of an SSN on a document sent by mail is necessary; (2) instruct components on the partial redaction of SSNs where feasible; and (3) require that SSNs not be visible on the outside of any package sent by mail.^[6] DHS issued a privacy policy in 2019 that required all new and legacy DHS Information Technology systems, programs, and forms to use a unique alternative identifier to SSNs, which minimized the use of SSN in documents.^[7] The policy provides that if there are technological, legal, or regulatory limitations to eliminating the use of SSNs, then privacy-enhancing SSN alternatives must be utilized, such as masking, redacting, or truncating SSNs in digital and hard copy formats.^[8]

In 2022, DHS published a final rule updating its procedures implementing the Privacy Act, 5 U.S.C. 552a., at 6 CFR part 5, subpart B.^[9] The rule, among other things, amended 6 CFR 5.33(c) to state that DHS cannot include individuals' SSNs on any document sent by mail unless the Secretary determines inclusion of the number on the document is necessary.^[10] This partially met the requirements of the SSN Fraud Prevention Act.

DHS now proposes to further amend 6 CFR 5.33(c) to define the circumstances when it would be necessary to include the SSN on a document. This change would fully comply with the requirements of the SSN Fraud Prevention Act and the 2019 DHS privacy policy. In general, DHS proposes to specify that DHS may only include an SSN on a document sent by mail when necessary, in other words when a DHS component would be unable to comply, in whole or in part, with a legal, regulatory, or policy requirement if prohibited from mailing the full SSN.

II. Discussion of Proposed Changes

This rule proposes amendments to the DHS regulations on the use and collection of SSN to meet the requirements of the SSN Fraud Prevention Act.^[11] As stated above, DHS previously amended 6 CFR 5.33(c) consistent with some requirements in the SSN Fraud Prevention Act. DHS proposes to further amend 6 CFR 5.33(c) to codify additional requirements as mandated by the SSN Fraud Prevention Act and the 2019 DHS privacy policy.

Specifically, DHS proposes to specify that DHS will not generally include an individual's full SSN on a document sent by mail and will only do so if the Secretary or the Secretary's designee determines that the SSN's inclusion is necessary. As stated previously, the proposed rule would explain that the inclusion of an SSN would only be necessary in those circumstances in which a component would be unable to comply, in whole or in part, with a legal, regulatory, or policy requirement if prohibited from mailing the full SSN. On the other hand, the proposed rule would explain that including a full SSN ( print page 2643) is not necessary if the DHS component can either redact the SSN, such as by using no more than the last four digits of the account number, or entirely strike the SSN and still comply with all relevant legal, regulatory, or policy requirements.

However, if the use of the full SSN on a document sent by mail ^[12] is necessary, the DHS component sending the document shall implement appropriate administrative, technical, and physical safeguards to ensure a reasonable level of security against unauthorized access to, and use, disclosure, disruption, modification, or destruction of, the documents sent by mail. Finally, this proposed rule would specify that in all cases the component will ensure that no part of an SSN is visible on the outside of any package or envelope sent by mail.

Overall, this proposed rule would codify procedures in the regulations to ensure compliance with the SSN Fraud Prevention Act, but DHS does not expect it to have a significant impact on the current operations of the Department. As discussed further below in section III, DHS has already eliminated all DHS forms that contain SSN fields and are mailed through the United States Postal Service (“USPS”).

However, should circumstances change such that a DHS component must include an individual's full SSN on printed mail in order to comply with all of the component's legal, regulatory, or policy obligations, then this proposed rule would provide a durable framework to ensure that the SSN is only used when it is truly necessary and that the component applies all possible and appropriate safeguards.

III. Regulatory Analyses

Executive Orders 12866, 14094, and 13563—Regulatory Review

Executive Order 12866 (Regulatory Planning and Review), as amended by Executive Order 14094 (Modernizing Regulatory Review) and 13563 (Improving Regulation and Regulatory Review), directs agencies to assess the costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying costs and benefits, reducing costs, harmonizing rules, and promoting flexibility. The Office of Management and Budget (OMB) has not designated this proposed rule a significant regulatory action under section 3(f) of Executive Order 12866, as amended by Executive Order 14094. Accordingly, OMB has not reviewed this regulatory action.

DHS has considered the costs and benefits of this proposed rule. The benefits and costs of a regulation are generally measured against a no-action baseline, which is a reasonable forecast of the way the world would look absent the regulatory action being assessed.^[13] This proposed rule would not introduce new regulatory mandates on the public. In compliance with the statutory requirements in the SSN Fraud Prevention Act, this proposed rule describes the circumstances in which DHS would include SSN on documents that DHS sends via mail. This proposed rule would also clarify that DHS Components and Headquarters Offices should undertake technical and physical safeguards when mailing documents with SSNs, or implement alternatives to full SSN, such as truncation, when feasible and legally permissible.

DHS reported in its Social Security Number Fraud Prevention Act Final Report to Congress in June of 2023 that it successfully met the requirements of the Act in 2019 by eliminating all 69 DHS forms that contained fields for SSNs and were mailed through the USPS.^[14] All DHS Components and Headquarters Offices confirmed that there remained no DHS-specific forms containing fields for SSNs that are mailed through the USPS.^[15]

In addition, as noted above, DHS issued a privacy policy in 2019 that required all new and legacy DHS Information Technology systems, programs, and forms to use a unique alternative identifier to SSNs and that provides that components must utilize privacy-enhancing SSN alternatives if there are technological, legal, or regulatory limitations to eliminating the use of SSNs.^[16] If, in future circumstances, DHS determined there would be a need to include SSN in mailed documents, DHS components have already taken appropriate steps to implement safeguards for securing SSN in mailed documents in compliance with DHS-wide policy in effect since 2019. Therefore, the proposed rule would provide clarification benefits but would not result in cost impacts to DHS or the public, because DHS has already eliminated SSNs in DHS forms that are mailed. Further, in the potential circumstance where DHS would mail documents with SSNs, since 2019, DHS implemented safeguards that would be required by this proposed rule.

Unfunded Mandates Reform Act of 1995

Title II of the Unfunded Mandates Reform Act of 1995 (UMRA), Public Law 104-4, establishes requirements for Federal agencies to assess the effects of their regulatory actions on State, local, and Tribal governments and the private sector. This proposed rule would not contain a Federal mandate that results in the expenditure by State, local, and Tribal governments, in the aggregate, or by the private sector, of $100,000,000 or more in any one year, and it would not significantly or uniquely affect small governments. Therefore, DHS deemed a written statement was not necessary under the provisions of the UMRA.

Regulatory Flexibility Act

Under the Regulatory Flexibility Act of 1980 (RFA), 5 U.S.C. 601-612, and section 213(a) of the Small Business Regulatory Enforcement Fairness Act of 1996, 5 U.S.C. 601 note, agencies must consider the impact of their rulemakings on “small entities” (small businesses, small organizations, and local governments). The term “small entities” comprises small businesses, not-for-profit organizations that are independently owned and operated and are not dominant in their fields, and governmental jurisdictions with populations of less than 50,000.

DHS certifies that this regulation would not have a significant economic impact on a substantial number of small entities. The factual basis for this certification is due to the requirements only applying to the Federal Government (DHS Components and Headquarter Offices). The proposed rule governs only the possible circumstances under which DHS would include SSNs in documents mailed by DHS. However, as previously discussed and reported to Congress, DHS has eliminated the SSN on all DHS forms. DHS does not believe small entities would have new compliance requirements or costs as a direct result of this proposed rule. ( print page 2644)

Paperwork Reduction Act

This regulatory action would not impose a collection of information requirement subject to review and approval by OMB, as it does not include any reporting or recordkeeping requirements, under the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq.).

National Environmental Policy Act

Section 102 of the National Environmental Policy Act of 1969 (NEPA), Public Law 91-190, 83 Stat. 852 (Jan. 1, 1970) (42 U.S.C. 4321 et seq.), as amended, requires Federal agencies to evaluate the impacts of a proposed major Federal action that may significantly affect the human environment, consider alternatives to the proposed action, provide public notice and opportunity to comment, and properly document its analysis. DHS and its agency components analyze proposed actions to determine whether NEPA applies to them and, if so, what level of documentation and analysis is required.

DHS Directive 023-01, Rev. 01 and DHS Instruction Manual 023-01-001-01, Rev. 01 (Instruction Manual) establish the policies and procedures DHS and its component agencies use to comply with NEPA and the Council on Environmental Quality regulations for implementing NEPA codified in 40 CFR parts 1500 through 1508. The CEQ regulations allow Federal agencies to establish, in their implementing procedures, with CEQ review and concurrence, categories of actions (“categorical exclusions”) that experience has shown do not, individually or in the aggregate, have a significant effect on the human environment and, therefore, do not require preparation of an environmental assessment or environmental impact statement. 40 CFR 1501.4, 1507.3(e)(2)(ii). Appendix A of the Instruction Manual lists the DHS categorical exclusions.

Under DHS NEPA implementing procedures, for an action to be categorically excluded, it must satisfy each of the following three conditions: (1) the entire action clearly fits within one or more categorical exclusions; (2) the action is not a piece of a larger action; and (3) no extraordinary circumstances exist that create the potential for a significant environmental effect.

DHS is not aware of any significant impact on the environment, or any change in environmental effect that will result from this proposed rule. DHS finds promulgation of the rule clearly fits within categorical exclusion A3, established in the Department's NEPA implementing procedures.

This proposed rule is a standalone rule and is not part of any larger action. This proposed rule would not result in any major Federal action that would significantly affect the quality of the human environment. Furthermore, DHS has determined that no extraordinary circumstances exist that would create the potential for significant environmental effects. Therefore, this proposed rule is categorically excluded from further NEPA review and documentation.

For the reasons stated in the preamble, DHS proposes to amend 6 CFR part 5 as follows:

1. The authority citation for part 5 continues to read as follows:

Authority: 6 U.S.C. 101 et seq.;Pub. L. 107-296, 116 Stat. 2135; 5 U.S.C. 301; 6 U.S.C. 142; DHS Del. No. 13001, Rev. 01 (June 2, 2020).

Subpart A also issued under 5 U.S.C. 552.

Subpart B also issued under 5 U.S.C. 552a and 552 note.

2. Amend § 5.33 by revising paragraph (c) to read as follows: