2023-10279. Enterprise Data & Privacy Management Office (IDE); Social Security Number Fraud Prevention
AGENCY:
Enterprise Data & Privacy Management Office (IDE), General Services Administration (GSA).
ACTION:
Final rule.
SUMMARY:
GSA is issuing a final rule amending our Privacy Act Rules to implement the Social Security Number Fraud Prevention Act of 2017. The revisions would clarify and update the language of procedural requirements pertaining to the inclusion of Social Security account numbers (SSNs) on documents that GSA sends by mail.
DATES:
Effective June 20, 2023.
FOR FURTHER INFORMATION CONTACT:
Mr. Richard Speidel, Chief Privacy Officer (General Services Administration), Enterprise Data & Privacy Management Office (IDE). Email address for the GSA Privacy Office is gsa.privacyact@gsa.gov. Telephone number is 202–969–5830 for clarification of content. For information pertaining to status or publication schedules, contact the Regulatory Secretariat Division at 202–501–4755 or GSARegSec@gsa.gov. Please cite GSPMR Case 2022–105–1.
SUPPLEMENTARY INFORMATION:
I. Background
GSA is issuing a final rule amending 41 CFR part 105–64, GSA Privacy Act Rules, to implement the Social Security Number Fraud Prevention Act of 2017. The proposed rule was published on October 7, 2022, at 87 FR 60955.
The Social Security Number Fraud Prevention Act of 2017 (the Act) (Pub. L. 115–59; 42 U.S.C. 405 note), which was signed on September 15, 2017, restricts Federal agencies from including individuals' SSNs on documents sent by mail, unless the head of the agency determines that the inclusion of the SSN on the document is necessary (section 2(a) of the Act). The Act requires agency heads to issue regulations specifying the circumstances under which inclusion of a SSN on a document sent by mail is necessary. These regulations, which must be issued not later than five years after the date of enactment, shall include instructions for the partial redaction of SSNs where feasible, and shall require that SSNs not be visible on the outside of any package sent by mail (section 2(b) of the Act). This rule would revise the Agency regulations under the Privacy Act (41 CFR part 105–64), consistent with these requirements in the Act. The rule would clarify the language of procedural requirements pertaining to the inclusion of SSNs on documents that the Agency sends by mail. These revisions are necessary to implement the Social Security Number Fraud Prevention Act of 2017, which restricts the inclusion of Social Security account Numbers (SSNs) on documents sent by mail by the Federal Government.
II. Discussion of the Final Rule
A. Summary of Significant Changes
There are no significant changes, as the comments were supportive of the rule. GSA did change the regulatory text from the published proposed rule, but the changes are not substantive (merely reorganizing the prior content for readability and to avoid redundancy).
B. Analysis of Public Comments
GSA received two (2) comments from the public. GSA acknowledges the respondents' support for the rule. GSA did not change the regulatory text of the definition from the published proposed rule.
Comment: The proposed amendment by GSA is positively impacting US citizens' information security by protecting their personal information, specifically their social security number. This rule defines the requirement to not include a social security number unless determined necessary by the head of the agency. However, clarification is required on the process to obtain a determination by the head of the agency such that there is not an increased burden on business to understand this process. In addition, the rule states that social security numbers can only be included if required by law. It is in the best interest of the people to identify which laws would require this information and validate that is still true. In general, this rule provides minimal economic impact to the people, provides increased information security and we are in support if the above items are clarified in the documentation. If no such clarification is provided, it could lead to confusion and economic impact for businesses trying to follow the rule. Finally, cyber security should be as important as mail fraud and this rule should also apply to electronic transmission of documents with social security numbers. As a US citizen I recommend applying this in both written and electronic communication since the fraud of my identity could mean substantial harm financially and emotionally for myself.
Response: Although the Comment requests more clarity around the process for determining which documents are on the Un-redacted SSN Mailed Document List, GSA finds that the rule as written provides appropriate flexibility to arrive at a list in implementation of the statute while involving necessary agency stakeholders such as GSA–IT and GSA Office of the General Counsel (OGC). Subsequent to the posting of the final rule, GSA intends to make available on the GSA publicly facing privacy page (www.gsa.gov/reference/gsa-privacy-program) the specific documents for which the inclusion of the Social Security account number (SSN) is determined to be necessary to fulfill a compelling Agency business need. GSA will review on a regular basis the laws and authorities that would require an un-redacted social security number on mailed documents. GSA handles the transmission of electronic documents in accordance with the Privacy Act.
Comment: The proposed rule will provide members of government agencies with greater clarity. I believe providing a clear understanding pertaining to the inclusion of full Social Security numbers on documents sent via U.S. mail will provide confidence in senders and receivers of these correspondences. Many Americans have been victims of identity theft, the steps and feelings involved in the process are uncomforting and time consuming. After reviewing the proposed standards for agencies to follow I believe they are easy to comprehend and leave little room for question. I thank you for investing time and efforts into this proposed rule.
Response: GSA acknowledges this comment.
C. Expected Cost Impact to the Public
GSA does not expect the final rule to have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq. This rule does not impose a requirement for small businesses to report or keep records on any of the requirements contained in this rule.
III. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. OIRA has determined that this is not a significant regulatory action and, therefore, was not subject to review under Section 6(b) of Executive Order 12866, Regulatory Planning and Review, dated September 30, 1993.
IV. Congressional Review Act
OIRA has determined that this rule is not a “major rule” as defined by 5 U.S.C. 804(2). Subtitle E of the Small Business Regulatory Enforcement Fairness Act of 1996 (codified at 5 U.S.C. 801–808), also known as the Congressional Review Act or CRA, generally provides that before a “major rule” may take effect, the agency promulgating the rule must submit a rule report, which includes a copy of the rule, to each House of the Congress and to the Comptroller General of the United States. The General Services Administration will submit a report containing this rule and other required information to the U.S. Senate, the U.S. House of Representatives, and the Comptroller General of the United States. A major rule under the CRA cannot take effect until 60 days after it is published in the Federal Register.
V. Regulatory Flexibility Act
This final rule will not have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq. This rule does not impose a requirement for small businesses to report or keep records on any of the requirements contained in this rule. Therefore, a Final Regulatory Flexibility Analysis has not been performed.
VI. The Paperwork Reduction Act
The Paperwork Reduction Act does not apply because the changes to the GSPMR do not impose recordkeeping or information collection requirements, or the collection of information from offerors, contractors, or members of the public that require the approval of the Office of Management and Budget (OMB) under 44 U.S.C. 3501, et seq.
List of Subjects in 41 CFR Part 105–64
- Privacy
Robin Carnahan,
Administrator, General Services Administration.
For the reasons set forth in the preamble, GSA amends 41 CFR part 105–64 as set forth below:
PART 105–64—GSA PRIVACY ACT RULES
1. The authority citation for 41 CFR part 105–64 continues to read as follows:
2. Amend § 105–64.001 by adding in alphabetical order the definition “Un-redacted SSN Mailed Documents Listing” to read as follows:
What terms are defined in this part?
* * * * *
Un-redacted SSN Mailed Documents Listing (USMDL) means the Agency approved list, as posted at www.gsa.gov/reference/gsa-privacy-program, designating those documents for which the inclusion of the Social Security account number (SSN) is determined to be necessary to fulfill a compelling Agency business need when the documents are requested by individuals outside the Agency or other Federal agencies, as determined by the Administrator or their designee.
3. Amend § 105–64.107 by adding paragraph (c) to read as follows:
What standards of conduct apply to employees with privacy-related responsibilities?
* * * * *
(c) (1) The following conditions must be met for the inclusion of an unredacted (full) SSN or partially redacted (truncated) SSN on any document sent by mail on behalf of the agency:
(i) The inclusion of the full SSN or truncated SSN of an individual must be required or authorized by law; and
(ii) The document must be listed on the USMDL.
(2) Even when the conditions set forth in paragraph (c)(1) are met, employees shall redact SSNs in all documents sent by mail where feasible. Where full redaction is not possible due to agency requirements, partial redaction to create a truncated SSN shall be preferred to no redaction.
(3) In no case shall any complete or partial SSN be visible on the outside of any envelope or package sent by mail or displayed on correspondence that is visible through the window of an envelope or package.
[FR Doc. 2023–10279 Filed 5–18–23; 8:45 am]
BILLING CODE P
Document Information
- Effective Date: 6/20/2023
- Published: 05/19/2023
- Department: General Services Administration
- Entry Type: Rule
- Action: Final rule.
- Document Number: 2023-10279
- Dates: Effective June 20, 2023.
- Pages: 32138-32140 (3 pages)
- Docket Numbers: GSPMR Case 2022-105-1, Docket No. GSA-GSPMR-2022-0017, Sequence No. 1
- RINs: 3090-AK62: General Services Administration Property Management Regulations, (GSPMR); GSPMR Case 2022-105-1, Social Security Number Fraud Prevention
- RIN Links: https://www.federalregister.gov/regulations/3090-AK62/general-services-administration-property-management-regulations-gspmr-gspmr-case-2022-105-1-social-s
- Topics: Privacy
- PDF File: 2023-10279.pdf
- CFR: (1) 41 CFR 105