Records, Computers and the Rights of Citizens. Constraints on Use and Dissemination of Social Security Numbers


Recommendations (8)-(10) below are designed to limit uses of the SSN to those necessary to carry out Federal government purposes for which there is a legal requirement that the SSN be obtained and recorded, and to discourage all practices that substantially increase the circulation of individual SSNs together with the names of their holders.

Recommendation (8) is intended to constrain the behavior of organizations and persons that are legally required to obtain and record the SSN for Federal purposes, but which use the SSN in other ways that constitute virtual public dissemination of SSNs along with names of the individuals to whom they belong. Among the many uses of the SSN that this recommendation is designed to abate are its use as an employee identification number, a patient identification number, a student identification number, a customer identification number, a driver identification number, and as the primary organizing element in the record-keeping system of any non-Federal organization. Although such uses may be convenient, they are not necessary. Under present circumstances, moreover, they increase the circulation of SSNs, thereby inviting unconstrained linking of record-keeping systems. Accordingly, we recommend

(8) That any organization or person required by Federal law to obtain or record the SSN of any individual be prohibited from making any use or disclosure of the SSN without the informed consent of the individual, except as may be necessary to the Federal government purposes for which it was required to be obtained and recorded. This prohibition should be established by a specific and preemptive act of Congress.

This recommendation stems in part from observing that the Social Security Administration treats the SSN with the same confidentiality as the data in its records of Social Security accounts. Access to Social Security data is governed by Section 1106 of the Social Security Act and Regulation No. 1 of the Social Security Administration. The result is that the Social Security Administration will disclose an individual's SSN only to those third persons and organizations permitted by law to obtain SSA record data. The Social Security Administration and the Internal Revenue Service each require organizations to obtain and use the SSNs of individuals for various Federal program purposes. In principle these agencies should require such organizations to treat the SSN with the same confidentiality as the Social Security Administration does. Regrettably, however, there appears to be no legal authority to support the imposition of such a requirement. Recommendation (8) would establish such authority.

Recommendation (8), coupled with recommendations (1) and (3) (pp. 125-126, above), would also diminish the risk of nuisance, frustration, and possible serious disadvantage resulting from the use of an individual's SSN to impersonate him. One use of the SSN that appears to be proliferating is as a password, or authenticator of identity, when an individual's name alone is thought insufficient; e.g., in credit-card purchasing and check-cashing. Such use is not necessary, just convenient, and can be risky, since the widespread circulation of SSNs makes them increasingly ascertainable by anyone wishing to impersonate another.

An example from our own experience will illustrate the problem. We met on a Saturday in a conference room in a government facility. Security procedures required us to give names and SSNs from a telephone located outside the locked main entrance to a guard who was out of sight inside the building. The guard had earlier been furnished with a list of our names and SSNs. Given the wide dissemination of SSNs, we were impressed by how easily someone could have impersonated any one of us to gain admittance to the building.

One may treat this example lightly, but the principle is important. As long as the SSN of an individual can be easily obtained (some organizations list the SSNs of their employees or members in published rosters), both individuals and the organizations that use it as a password are vulnerable to whatever harm may result from impersonation.

Recommendations (9) and (10) are intended to constrain the provision of "SSN services" by the Social Security Administration. The phrase, "SSN services," is defined in the Social Security Number Task Force Report as including

enumeration, or issuing numbers to individuals who do not have them; validation, or confirming that the number an organization has on file for an individual is the same as the number that appears for him in SSA records; correction, or supplying the proper number from SSA files when an individual has alleged an incorrect number; and identification, or supplying a number from SSA's files to match a particular name, a name to match a number, or vice-versa [sic].3

The Task Force report recommends that SSN services be provided by the Social Security Administration (i) "to public and private organizations using the SSN for health, welfare, or educational purposes" and (ii) to facilitate research activities.

Although we recognize the spirit of cooperation that prompted the Task Force position, we believe that the effect of the recommendations would unnecessarily spread use of the SSN. Our recommendations limit SSN services even more narrowly than the Task Force recommendations.

We recommend

(9) That the Social Security Administration provide "SSN services" to aid record keeping only to organizations or persons that are required by Federal law to obtain or record the SSN, and then only as necessary to fulfill the purposes for which the SSN is required to be obtained or recorded; and

(10) That the Social Security Administration provide "SSN services" to aid research activities only when it can assure that the provision of such services will not result in the use of the SSN for record-keeping and reporting activities beyond those permitted under recommendation (9), and then only provided that rigid safeguards to protect the confidentiality of personal data, including the SSN, are incorporated into the research design.

These recommendations distinguish between use of the SSN for record-keeping purposes and its use for research activities. SSN services must not be provided to aid an organization's record keeping, except to the extent necessary to enable the organization to fulfill requirements associated with its Federally imposed obligations to collect and record the number. Our recommendation (8) would prohibit organizations from using the SSN beyond this limit, and the Social Security Administration would be obliged to refrain from providing SSN services in cooperation with a violation of the prohibition. As an interim measure, the Social Security Administration should limit SSN services as though recommendation (8) were in force. The limitation must apply to all cases, including requests from organizations that provide health, education, and welfare services.

The effect of our recommendations may be illustrated by a case discussed in the Social Security Number Task Force Report.4 A State mental health service requested SSN services from the Social Security Administration to enable it to use the SSN as the patient identification number in a new computerized record-keeping system. It evidently wanted to use the number for general administrative record keeping; such a use is not legally required for any Federal program purpose. The mental health service is obligated to use the SSN to report the earnings and income taxes of its own employees; it might also need to obtain and use the SSNs of some of its patients to comply with record-keeping requirements of Federal benefit programs mandated by the Social Security Act, e.g., Medicare. However, its Federally required SSN uses do not extend to using the SSN for all patient record keeping, and the mental health service can clearly create its own identification code to track patients.

If the SSN Task Force recommendations were to be followed in this case, the Social Security Administration would provide SSN services to the mental health service for all its patient record keeping (to simplify the service's reporting of unduplicated patient counts to HEW's National Institute of Mental Health). Under our recommendation, by contrast, the Social Security Administration would not provide SSN services, and the SSN would, therefore, not be spread by various uses of mental health service records and thus become available for still other uses.

Recommendation (10) recognizes the interest in providing SSN services in support of various kinds of evaluation and research activities. There is no reason why this cannot be done without adding to the unnecessary spread of the SSN for record-keeping and data processing activities or to SSN dissemination of the sort we wish to curtail.

In the case discussed above, suppose that the State mental health service proposes to conduct studies of the effectiveness of its services, and that knowing the SSNs of its patients, and having SSN services, might help in some way. Lacking any Federal requirement to use the SSN for evaluation research, the mental health service could not compel disclosure of patients' SSNs for that purpose. However, for all patients' SSNs voluntarily disclosed with informed consent, our recommendation (10) would permit the Social Security Administration to provide SSN services.