Supporting Statement for
Request for Internet Services & 800# Automated Telephone Services
Knowledge-Based Authentication (RISA-KBA)
20 CFR 401.45
OMB No. 0960-0596
A. Justification
Introduction / Authoring Laws and Regulations
The Social Security Administration (SSA) collects this information by authority of the Privacy Act of 1974 at 5 U.S.C., Sub-section 552A (e)(10), which requires agencies to establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records. Sub-sections 552A (f)(2) & (3) require agencies to establish requirements for identifying an individual who requests a record, or information pertaining to that individual, and to establish procedures for disclosure of personal information. SSA promulgated Privacy Act rules in the Code of Federal Regulations, Subpart B. Procedures for verifying identity are at 20 CFR 401.45. Authority to collect this information is also contained in Section 205(a) of the Social Security Act.
Description of Collection
The Request for Internet Services and 800# Automated Telephone Services (RISA), one of SSA’s authentication methods, allows individuals to access their personal information through our Internet and Automated Telephone Services. SSA asks individuals and third parties who seek personal information from SSA records, or who register to participate in SSA’s online business services, to provide certain identifying information. As an extra measure of protection, SSA asks requestors who use the Internet and telephone services to provide additional identifying information unique to those services, so SSA can authenticate their identities before releasing personal information.
Electronic and automated telephone applications allow the public to establish their identity with SSA, prior to allowing them access to personal information through screens over the Internet and through automated voice responses over the telephone. SSA verifies the requester’s identity by obtaining Social Security Number (SSN), Date of Birth (DOB), and usually name (first, middle initial, last, suffix). We may also request other knowledge-based information such as mother’s maiden name, place of birth, gender, and other last name (if any). We then compare the answers to these questions to the information we have in our records.
With the exception of the gender field, we use the information we collect exclusively to verify the identity of the requester. For most of these applications, the field for other last names is optional; we use this to help us match the person in cases where the person has changed their name (e.g., marriage) and not notified SSA. We collect information on gender for management information purposes and it is optional.
SSA established a process for verifying the identity of individuals who use the Internet to request information from SSA records; to make changes to SSA records; or to register with SSA to participate in SSA’s online business services. Successful verification of the individual gives access to services such as:
Retirement Estimator
Registration of Appointed Representatives
Special Notice Options
Block Electronic and Automated Telephone Access
SSA established a process for verifying the identity of individuals who use the 800# automated telephone services to request information from SSA records, or to make changes to SSA records, such as:
Benefit Verification (Proof of Income – POI Letter)
Request a Medicare Replacement Card
Replacement Benefit Statements (SSA-1099/1042S)
Block Electronic and Automated Telephone Access
The respondents are current beneficiaries who request personal information from SSA; general members of the public who go online to use our calculator to estimate their retirement benefits; and individuals and third parties who register for SSA’s online business services. Respondents authenticate themselves by answering Knowledge-Based Authentication (KBA) questions each time they call the Automated Telephone Services to access these applications.
Use of Information Technology to Collect the Information
In accordance with the agency’s Government Paperwork Elimination Act plan, SSA created an electronic KBA process to provide our customers access to our Internet and Automated Telephone applications. The Internet version of this collection is an automated process where the requesters key in identifying information and transmit it over the Internet to SSA, and the system compares the information to our existing electronic records in real time. If the information matches SSA records, the system allows the requesters to proceed to additional screens to make their specific request. The telephone version of this collection is also an automated process, which follows a similar process to the Internet version.
Why We Cannot Use Duplicate Information
The information we collect through these electronic processes is information we already collected and posted to SSA’s master electronic records, but we ask for it again for comparison and verification.
Minimizing Burden on Small Respondents
This collection does not significantly affect small businesses or other small entities.
Consequence of Not Collecting Information or Collecting it Less Frequently
If we did not use RISA, we would not be able to identify and authenticate individuals who ask us to release their personal information. Because we only collect the information on an as-needed basis, we cannot collect this information less frequently. There are no technical or legal obstacles to burden reduction.
Special Circumstances
There are no special circumstances that would cause SSA to conduct this information collection in a manner inconsistent with 5 CFR 1320.5.
Solicitation of Public Comment and Other Consultations with the Public
The 60-day advance Federal Register Notice published on May 9, 2018 at 83 FR 21328, and we received no public comments. The 30-day FRN published on July 26, 2018 at 83 FR 35526. If we receive any comments in response to this Notice, we will forward them to OMB.
Payment or Gifts to Respondents
SSA does not provide payments or gifts to the respondents.
Assurances of Confidentiality
SSA protects and holds confidential the information it collects in accordance with 42 U.S.C. 1306, 20 CFR 401 and 402, 5 U.S.C. 552 (Freedom of Information Act), 5 U.S.C. 552a (Privacy Act of 1974), and OMB Circular No. A-130.
The Privacy Act of 1974 protects the information we collect. In addition, our Privacy Policy protects the information SSA collects for Internet Services and ensures the confidentiality of all information provided by the requester. Our Internet privacy policy is:
You do not need to give us personal information to visit our site.
We collect personally identifiable information (such as name, SSN, or DOB) only if specifically and knowingly provided by you.
We use personally identifying information you provide only in conjunction with services you request, as described at the point of collection.
We sometimes perform statistical analyses of user behavior to measure customer interest in the various areas of our site. We will disclose this information to third parties only in aggregate form.
We do not give, sell, or transfer any personal information to a third party.
We implement Tier 1 (Single session) and Tier 2 (Multi-session without PII) technologies using the text-based “cookie” technology. We use Tier 2 technology to help us analyze site use by identifying you as a new or returning visitor; this does nothing other than distinguish whether you have been to our site before. Our web measurement applications compare the behavior of new and returning visitors in the aggregate to help us identify work flows and trends, and also resolve common problems on our site. We do not use this technology to identify you or any other person. We use Tier 2 web measurement technology to improve our website and provide a better user experience for our customers. This technology anonymously tracks how visitors interact with socialsecurity.gov, including where they came from, what they did on the site, and whether they completed any pre-determined tasks while on the site. SSA also uses Tier 2 technology to obtain feedback and data on visitors’ satisfaction with the SSA website.
Additionally, SSA ensures the confidentiality of the requester’s personal information in several ways:
All electronic requests use the Secure Sockets Layer (SSL) security protocol to encrypt information. SSL encryption prevents a third party from reading the transmitted data even if intercepted. This protocol is an industry standard and is used for Internet banking by banks such as Wells Fargo and Bank of America.
The requester will be given adequate warnings that the Internet is an open system, and there is no absolute guarantee that others will not intercept and decrypt the personal information they have entered. They will be advised of alternative methods of requesting personal information, i.e., a personal visit to a field office or a call to the 800 number.
Only upon verification of identity will the system allow access to additional screens that allow requests for personal information from SSA, or which allow the individual to make changes to personal information, or to register personal or business information.
Justification for Sensitive Questions
This information collection does not contain any questions of a sensitive nature, other than those described in Item 2.
Estimates of Public Reporting Burden
Modality of Completion | Number of Respondents | Frequency of Response | Average Burden per Response (minutes) | Estimated Total Annual Burden (hours) |
Internet Requestors | 2,903,902 | 1 | 2.5 | 120,996 |
Telephone Requestors | 9,795,655 | 1 | 4 | 653,044 |
*Change of Address (on hold) | 1 | | | 1 |
*Screen Splash (on hold) | 1 | | | 1 |
Totals | 12,699,559 | | | 774,042 |
*We previously reduced the burden to a one-hour placeholder for Screen Splash and Change of Address because we are not currently using these automated telephone applications. We are working on ways to strengthen and secure our online and automated telephone services, to streamline service delivery, and to improve customer service by not duplicating verification data.
The total burden for this ICR is 774,042 hours. We based these figures on current management information data. We did not calculate a separate cost burden.
Annual Cost to the Respondents (Other)
This collection does not impose a known cost burden on the respondents.
Annual Cost to Federal Government
The annual cost to the Federal Government is approximately $8,255,973. This estimate accounts for costs from the following areas: (1) SSA employee (e.g., field office, 800 number, DDS staff) information collection and processing time; and (2) systems development, updating, and maintenance costs.
Program Changes or Adjustments to the Information Collection Request
When we last cleared this collection in 2015, the burden was 545,807 hours. Currently, we are reporting a burden of 774,042 hours. This change stems from an increase in the number of responses from 12,077,286 to 12,699,559. There is no change to the burden time per response. Although the number of responses changed, SSA did not take any actions to cause this change. However, there are ongoing efforts to migrate existing automated applications from knowledge-based access to our Public Credentialing Registration and Authentication process (OMB# 0960‑0789), which provides access to our my Social Security online services.
Plans for Publication of Information Collection Results
SSA will not publish the results of the information collection.
Displaying the OMB Approval Expiration Date
SSA is not requesting an exception to the requirement to display the OMB approval expiration date.
Exceptions to Certification Statement
SSA is not requesting an exception to the certification requirements in 5 CFR 1320.9 and related provisions in 5 CFR 1320.8(b)(3).
B. Collection of Information Employing Statistical Methods
SSA does not use statistical methods for this information collection.
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File Title | February 11, 2003 |
Author | Bruce Carter |
File Modified | 0000-00-00 |
File Created | 2021-01-21 |