[Federal Register Volume 87, Number 194 (Friday, October 7, 2022)]
[Proposed Rules]
[Pages 60955-60956]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-21506]


=======================================================================
-----------------------------------------------------------------------

GENERAL SERVICES ADMINISTRATION

41 CFR Part 105-64

[GSPMR Case 2022-105-1; Docket No. GSA-GSPMR-2022-0017; Sequence No. 1]
RIN 3090-AK62


General Services Administration Property Management Regulations, 
(GSPMR), Enterprise Data & Privacy Management Office (IDE); Social 
Security Number Fraud Prevention

AGENCY: Enterprise Data & Privacy Management Office (IDE), General 
Services Administration (GSA).

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The General Service Administration (GSA) is proposing to amend 
GSA's regulations under the Privacy Act. The revisions would clarify 
and update the language of procedural requirements pertaining to the 
inclusion of Social Security account numbers (SSNs) on documents that 
GSA sends by mail. These revisions are necessary to implement the 
Social Security Number Fraud Prevention Act of 2017, which restricts 
the inclusion of Social Security account Numbers (SSNs) on documents 
sent by mail by the Federal Government.

DATES: Interested parties should submit written comments to the 
Regulatory Secretariat Division at the address shown below on or before 
December 6, 2022 to be considered in the formation of the final rule.

ADDRESSES: Submit comments in response to GSA-IDE case 2202-001 to: 
Regulations.gov: https://www.regulations.gov. Submit comments via the 
Federal eRulemaking portal by searching for ``GSPMR Case 2022-105-1''. 
Select the link ``Comment Now'' that corresponds with GSPMR Case 2022-
105-1. Follow the instructions provided at the ``Comment Now'' screen. 
Please include your name, company name (if any), and ``GSPMR Case 2022-
105-1'' on your attached document. If your comment cannot be submitted 
using https://www.regulations.gov, call or email the points of contact 
in the FOR FURTHER INFORMATION CONTACT section of this document for 
alternate instructions.
    Instructions: Please submit comments only and cite GSA-IDE Case 
2202-001, in all correspondence related to this case. Comments received 
generally will be posted without change to https://www.regulations.gov, 
including any personal and/or business confidential information 
provided. To confirm receipt of your comment(s), please check https://www.regulations.gov, approximately two to three days after submission 
to verify posting.

FOR FURTHER INFORMATION CONTACT: Laura Gerhardt, Privacy Office, 
Enterprise Data & Privacy Management Office (IDE), General Services 
Administration, at 202-322-8246 or email [email protected] for 
clarification of content. For information pertaining to status or 
publication schedules, contact the Regulatory Secretariat Division at 
202-501-4755 or [email protected]. Please cite GSPMR Case 2022-105-1.

SUPPLEMENTARY INFORMATION:

I. Background

    The Social Security Number Fraud Prevention Act of 2017 (the Act) 
(Pub. L. 115-59; 42 U.S.C. 405 note), which was signed on September 15, 
2017, restricts Federal agencies from including individuals' SSNs on 
documents sent by mail, unless the head of the agency determines that 
the inclusion of the SSN on the document is necessary (section 2(a) of 
the Act). The Act requires agency heads to issue regulations specifying 
the circumstances under which inclusion of a SSN on a document sent by 
mail is necessary. These regulations, which must be issued not later 
than five years after the date of enactment, shall include instructions 
for the partial redaction of SSNs where feasible, and shall require 
that SSNs not

[[Page 60956]]

be visible on the outside of any package sent by mail (section 2(b) of 
the Act). This proposed rule would revise the Agency regulations under 
the Privacy Act (41 CFR part 105-64), consistent with these 
requirements in the Act. The proposed revisions would clarify the 
language of procedural requirements pertaining to the inclusion of SSNs 
on documents that the Agency sends by mail.

II. Executive Orders 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). E.O. 
13563 emphasizes the importance of quantifying both costs and benefits, 
of reducing costs, of harmonizing rules, and of promoting flexibility. 
This is not a significant regulatory action and, therefore, was not 
subject to review under section 6(b) of E.O. 12866, Regulatory Planning 
and Review, dated September 30, 1993.

III. Congressional Review Act

    The Office of Information and Regulatory Affairs (OIRA) has 
determined that this rule is not a major rule under 5 U.S.C. 804(2). 
Subtitle E of the Small Business Regulatory Enforcement Fairness Act of 
1996 (codified at 5 U.S.C. 801-808), also known as the Congressional 
Review Act or CRA, generally provides that before a ``major rule'' may 
take effect, the agency promulgating the rule must submit a rule 
report, which includes a copy of the rule, to each House of the 
Congress and to the Comptroller General of the United States. The 
General Services Administration will submit a report containing this 
rule and other required information to the U.S. Senate, the U.S. House 
of Representatives, and the Comptroller General of the United States. A 
major rule under the CRA cannot take effect until 60 days after it is 
published in the Federal Register.

IV. Regulatory Flexibility Act

    GSA does not expect this proposed rule to have a significant 
economic impact on a substantial number of small entities within the 
meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq. This 
rule does not impose a requirement for small businesses to report or 
keep records on any of the requirements contained in this rule.
    Therefore, an Initial Regulatory Flexibility Analysis has not been 
performed. GSA invites comments from small business concerns and other 
interested parties on the expected impact of this rule on small 
entities.
    GSA will also consider comments from small entities concerning the 
existing regulations in subparts affected by the rule in accordance 
with 5 U.S.C. 610. Interested parties must submit such comments 
separately and should cite 5 U.S.C. 610 (GSPMR Case 2022-105-1), in 
correspondence.

V. Paperwork Reduction Act

    The Paperwork Reduction Act does not apply because the changes to 
the GSA-IDE do not impose recordkeeping or information collection 
requirements, or the collection of information from offerors, 
contractors, or members of the public that require the approval of the 
Office of Management and Budget (OMB) under 44 U.S.C. 3501, et seq.

List of Subjects in 41 CFR Part 105-64

    Privacy.

Laura Gerhardt,
Acting Chief Privacy Officer, Office of the Deputy Chief Information 
Officer, General Services Administration.

    Therefore, GSA proposes to amend 41 CFR part 105-64 as set forth 
below:

PART 105-64-GSA PRIVACY ACT RULES

0
1. The authority citation for 41 CFR part 105-64 continues to read as 
follows:

    Authority:  5 U.S.C. 552a.

0
2. Amend Sec.  105-64.001 by adding in alphabetical order the 
definition ``Un-redacted SSN Mailed Documents Listing'' to read as 
follows:


Sec.  105-64.001   What terms are defined in this part?

* * * * *
    Un-redacted SSN Mailed Documents Listing (USMDL) means the Agency 
approved list, as posted at [GSA PRIVACY WEBSITE], designating those 
documents for which the inclusion of the Social Security account number 
(SSN) is determined to be necessary to fulfill a compelling Agency 
business need when the documents are requested by individuals outside 
the Agency or other Federal agencies, as determined by the 
Administrator or their designee.
0
3. Amend Sec.  105-64.107 by adding paragraph (c) to read as follows:


Sec.  105-64.107   What standards of conduct apply to employees with 
privacy-related responsibilities?

* * * * *
    (c) In all documents sent by mail, employees shall redact SSNs if 
such redaction is permissible. Where full redaction is not possible due 
to agency requirements, partial redaction to create a truncated SSN 
shall be preferred to no redaction. The following conditions must be 
met for the inclusion of an unredacted (full) SSN or partially redacted 
(truncated) SSN on any document sent by mail on behalf of the agency:
    (1) The inclusion of the full SSN or truncated SSN of an individual 
must be required or authorized by law;
    (2) The inclusion of the full SSN or truncated SSN of an individual 
must be determined by the Administrator or their designee to be 
necessary to fulfill a compelling Administration business need;
    (3) The full SSN of an individual may be included only on documents 
listed on the USMDL; and
    (4) The full SSN, the truncated SSN, or any part of the SSN of an 
individual must not be visible from the outside of the envelope or 
package.

[FR Doc. 2022-21506 Filed 10-6-22; 8:45 am]
BILLING CODE 6820-34-P