20 CFR 401.30 - Privacy Act and other responsibilities.
(a) Policy. Our policy is to protect the privacy of individuals to the fullest extent possible while nonetheless permitting the exchange of records required to fulfill our administrative and program responsibilities, and responsibilities for disclosing records which the general public is entitled to have under the Freedom of Information Act, 5 U.S.C. 552, and 20 20 CFR part 402.
(b) Maintenance of records. We will maintain no record unless:
(1) It is relevant and necessary to accomplish an SSA function which is required to be accomplished by statute or Executive Order;
(2) We obtain the information in the record, as much as it is practicable, from the subject individual if we may use the record to determine an individual's rights, benefits or privileges under Federal programs;
(3) We inform the individual providing the record to us of the authority for our asking him or her to provide the record (including whether providing the record is mandatory or voluntary, the principal purpose for maintaining the record, the routine uses for the record, and what effect his or her refusal to provide the record may have on him or her). Further, the individual agrees to provide the record, if the individual is not required by statute or Executive Order to do so.
(c) First Amendment rights. We will keep no record which describes how an individual exercises rights guaranteed by the First Amendment unless we are expressly authorized:
(1) By statute,
(2) By the subject individual, or
(3) Unless pertinent to and within the scope of an authorized law enforcement activity.
(e) Senior Agency Official for Privacy. The Senior Agency Official for Privacy assumes overall responsibility and accountability for ensuring the agency's implementation of information privacy protections as well as agency compliance with federal laws, regulations, and policies relating to the privacy of information, such as the Privacy Act. The compliance efforts also include reviewing information privacy procedures to ensure that they are comprehensive and up-to-date and, where additional or revised procedures may be called for, working with the relevant agency offices in the consideration, adoption, and implementation of such procedures. The official also ensures that agency employees and contractors receive appropriate training and education programs regarding the information privacy laws, regulations, polices and procedures governing the agency's handling of personal information. In addition to the compliance role, the official has a central policy-making role in the agency's development and evaluation of legislative, regulatory and other policy proposals which might implicate information privacy issues, including those relating to the collection, use, sharing, and disclosure of personal information.