Data Exchange and Privacy

Privacy Information

The privacy of all personal information SSA maintains is protected by a number of laws and regulations, including the Privacy Act of 1974, as amended; section 1106 of the Social Security Act, as amended; the E-Government Act of 2002, as amended; section 6103 of the Internal Revenue Code; related Social Security regulations and policies; and other federal statutes, rules, and regulations.

The Privacy Act and related legal authorities noted above allow SSA to disclose information from its program records to federal, state, and local agencies for certain "routine uses." These routine uses, defined in the Privacy Act at 5 U.S.C. 552a(a)(7), are permissive uses of information collected by SSA that, "with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected."

For additional information about the Privacy Act and SSA’s privacy policies, please visit SSA’s Privacy page.

When a federal, state, or local agency requests data from SSA, the agency must ensure:

  • The purpose of the request is compatible with administration of its own programs.
  • Compatibility is established when the federal, state, or local agency is requesting data to assist in the administration of programs under the Social Security Act and other federal, state, and local health and income maintenance programs concerning determinations related to eligibility, benefit amounts or benefit status.
  • SSA's Office of Privacy and Disclosure (located in the Office of the General Counsel) evaluates all requests to ensure that compatibility is established and that a specific routine use is present in the applicable Privacy Act system of records (from which data will be disclosed).

The Computer Matching and Privacy Protection Act of 1988 (CMPPA) (and its amendments in 1990), 5 U.S.C 552a (a)(8)-(13), (3)(12), (o), (p), (q), (r), & (u), establishes requirements that federal agencies must follow when matching information on individuals with information held by other federal, state or local agencies.  The CMPPA, as interpreted by the Office of Management and Budget, also states certain guidelines for computer matches related to verification, notification, data accuracy, etc., to ensure that the federal government conducts computer matches uniformly and provides protections to the individual as provided under the Privacy Act.

In addition, matches covered under the CMPPA must meet certain stringent requirements. Generally, if a match will have an adverse effect on an individual or can reveal personally identifiable information, then certain provisions of the CMPPA will govern the content, format, processing, administration, and length of the life of the match. Certain administrative or enforcement actions that require specific information such as medical records or involve other confidential information may require the consent of the individual.

The Privacy Act regulates the “‘collection, maintenance, use, and dissemination of information’” about individuals by federal agencies. It “authorizes civil suits by individuals . . . whose Privacy Act rights are infringed,” and provides for criminal penalties against federal officials who willfully disclose a record in violation of the Act, 5 U.S.C. § 552a(i)(1) Criminal Penalties.

Criminal Penalties

Any officer or employee of an agency, who by virtue of his employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by this section or by rules or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and as described below.

  • Any officer or employee of any agency who willfully maintains a system of records without meeting the notice requirements of subsection (e)(4) of this section shall be guilty of a misdemeanor and fined not more than $5,000.
  • Any person who knowingly and willfully requests or obtains any record concerning an individual from an agency under false pretenses shall be guilty of a misdemeanor and fined not more than $5,000.