VR-SECY-19-0109, SRM-M200423: Enclosure 1 - Direct Final Rule - Social Security Number Fraud Prevention

SRM-M200423: Enclosure 1 - Direct Final Rule - Social Security Number Fraud Prevention
ML20114E188
Person / Time
Issue date: 04/23/2020
From: Annette Vietti-Cook
NRC/SECY
To:
Shared Package
ML20114E171 List:
References
SECY-19-0109, VR-SECY-19-0109 M200423


Text

[7590-01-P]

NUCLEAR REGULATORY COMMISSION

10 CFR Parts 9, 20, 25, and 35

[NRC-2018-0303]

RIN 3150-AK27

Social Security Number Fraud Prevention

AGENCY: Nuclear Regulatory Commission.

ACTION: Direct final rule.

SUMMARY

The U.S. Nuclear Regulatory Commission (NRC) is amending its regulations that require written communications containing Social Security numbers to be sent to or received via mail by the NRC. This direct final rule implements the Social Security Number Fraud Prevention Act of 2017. The statute directed agencies to issue regulations that prohibit the inclusion of an individual's Social Security account number (Social Security number or SSN) on any document sent through the mail unless the head of the agency deems it necessary and the appropriate precautions are taken to protect the SSN. Applicants, licensees, and members of the public who are required to submit a form containing an SSN may be affected.

DATES: This direct final rule is effective [INSERT DATE 75 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER], unless significant adverse comments are received by [INSERT DATE 30 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER]. If this direct final rule is withdrawn as a result of such comments, timely notice of the withdrawal will be published in the Federal Register.

Comments received after this date will be considered if it is practical to do so, but the NRC is able to ensure consideration only for comments received on or before this date.

Comments received on this direct final rule will also be considered to be comments on a companion proposed rule published in the Proposed Rules section of this issue of the Federal Register.

ADDRESSES: Please refer to Docket ID NRC-2018-0303 when contacting the NRC about the availability of information for this action. You may obtain publicly-available information related to this action by any of the following methods:

  • Federal Rulemaking Web Site: Go to https://www.regulations.gov and search for Docket ID NRC-2018-0303. Address questions about NRC dockets to Carol Gallagher; telephone: 301-415-3463; e-mail: Carol.Gallagher@nrc.gov. For technical questions, contact the individual listed in the FOR FURTHER INFORMATION CONTACT section of this document.
  • NRC's Agencywide Documents Access and Management System (ADAMS): You may obtain publicly-available documents online in the ADAMS Public Documents collection at https://www.nrc.gov/reading-rm/adams.html. To begin the search, select "Begin Web-based ADAMS Search." For problems with ADAMS, please contact the NRC's Public Document Room (PDR) reference staff at 1-800-397-4209, 301-415-4737, or by e-mail to pdr.resource@nrc.gov.
  • NRC's PDR: You may examine and purchase copies of public documents at the NRC's PDR, Room O1-F21, One White Flint North, 11555 Rockville Pike, Rockville, Maryland 20852.


FOR FURTHER INFORMATION CONTACT: Alexa Sieracki, Office of Nuclear Materials Safety and Safeguards, U.S. Nuclear Regulatory Commission, Washington DC 20555-0001; telephone: 301-415-7509, e-mail: Alexa.Sieracki@nrc.gov.

SUPPLEMENTARY INFORMATION:

TABLE OF CONTENTS:

I. Obtaining Information and Submitting Comments
II. Procedural Background
III. Discussion
IV. Section-by-Section Analysis
V. Regulatory Flexibility Certification
VI. Regulatory Analysis
VII. Backfitting and Issue Finality
VIII. Plain Writing
IX. Environmental Assessment and Final Finding of No Significant Environmental Impact
X. Paperwork Reduction Act Statement
XI. Congressional Review Act

I. Obtaining Information and Submitting Comments

A. Obtaining Information

Please refer to Docket ID NRC-2018-0303 when contacting the NRC about the availability of information for this action. You may obtain publicly-available information related to this action by any of the following methods:

contact the NRC's Public Document Room (PDR) reference staff at 1-800-397-4209, 301-415-4737, or by e-mail to pdr.resource@nrc.gov.

  • NRC's PDR: You may examine and purchase copies of public documents at the NRC's PDR, Room O1-F21, One White Flint North, 11555 Rockville Pike, Rockville, Maryland 20852.

B. Submitting Comments

Please include Docket ID NRC-2018-0303 in your comment submission.

The NRC cautions you not to include identifying or contact information that you do not want to be publicly disclosed in your comment submission. The NRC will post all comment submissions at https://www.regulations.gov as well as enter the comment submissions into ADAMS. The NRC does not routinely edit comment submissions to remove identifying or contact information.

If you are requesting or aggregating comments from other persons for submission to the NRC, then you should inform those persons not to include identifying or contact information that they do not want to be publicly disclosed in their comment submission. Your request should state that the NRC does not routinely edit comment submissions to remove such information before making the comment submissions available to the public or entering the comment into ADAMS.

II. Procedural Background

Because the NRC anticipates that this action will be non-controversial, the NRC is using the direct final rule procedure for this rule. The amendments to the rule will become effective on [INSERT DATE 75 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER]. However, if the NRC receives significant adverse comments on this direct final rule by [INSERT DATE 30 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER], then the NRC will publish a document that withdraws this action and will subsequently address the comments received in a final rule as a response to the companion proposed rule published in the Proposed Rules section of this issue of the Federal Register. Absent significant modifications to the proposed revisions requiring republication, the NRC will not initiate a second comment period on this action.

A significant adverse comment is a comment where the commenter explains why the rule would be inappropriate, including challenges to the rule's underlying premise or approach, or would be ineffective or unacceptable without a change. A comment is adverse and significant if it meets the following criteria:

1) The comment opposes the rule and provides a reason sufficient to require a substantive response in a notice-and-comment process. For example, a substantive response is required in the following circumstances:

a) The comment causes the NRC to reevaluate (or reconsider) its position or conduct additional analysis;

b) The comment raises an issue serious enough to warrant a substantive response to clarify or complete the record; or

c) The comment raises a relevant issue that was not previously addressed or considered by the NRC.

2) The comment proposes a change or an addition to the rule, and it is apparent that the rule would be ineffective or unacceptable without incorporation of the change or addition.
3) The comment causes the NRC to make a change (other than editorial) to the rule.


For detailed instructions on filing comments, please see the ADDRESSES section of this document.

III. Discussion

The President signed into law the Social Security Number Fraud Prevention Act of 2017 (the Act) on September 15, 2017, to reduce the risk of identity theft by directing agencies to issue regulations specifying the circumstances under which inclusion of a social security account number on a document sent by mail is necessary.1 The Act restricts the inclusion of a Social Security number (SSN) on any document sent by mail unless the head of the agency determines that the inclusion of the [SSN] on the document is necessary.2 The Act directs agencies to issue regulations that specify when inclusion of an SSN is necessary, include instructions for the partial redaction of SSNs where feasible, and provide a requirement that SSNs not be visible on the outside of any package sent by mail.3 These regulations must be issued no later than 5 years after the date of enactment of the Act.

1 Public Law 115-59, Section 2(b)

2 Public Law 115-59, Section 2(a)

3 Public Law 115-59, Section 2(b)(1)-(2)

The NRC determined that rulemaking was necessary because the Act requires the NRC to amend its regulations. This effort could not be achieved through issuing guidance, as guidance documents are not legally binding and cannot be used to amend regulations. The NRC's rulemaking is narrowly tailored to address the requirements specifically set forth in the Act; therefore, the NRC determined that a direct final rule was appropriate, because the amendments are required by statute, expected to be non-controversial, and unlikely to yield public comment resulting in a significant change to the NRC's proposal. A direct final rule is preferable to a final rule because it allows for the opportunity for public comment, should there be any additional regulations that the public identifies as needing amendment or any additional considerations the NRC needs to evaluate to implement the Act.

To comply with the Act, the NRC examined whether SSNs are necessary in any of the written communications to the NRC required by regulation. The Act only applies to written communications to be sent or received via mail by the NRC that include SSNs. The Act does not apply to regulations that only require a licensee's validation of an individual's SSN because the SSN would not be included in written communications with the NRC in those cases. If inclusion of SSNs is not necessary, then each associated regulation would need to be amended to remove the inclusion of the SSN in the required documents. If inclusion of SSNs is necessary, the NRC must consider whether partial redaction of the SSN is feasible and amend the regulations accordingly to meet the requirement that social security account numbers [SSNs] not be visible on the outside of any package sent by mail.4 Based on its review, the agency has concluded that, in all instances where it requires full or partial SSNs to be included in written communications, this information is necessary for identity confirmation. Reasons for this include instances when individuals have similar or same names and cases where outside factors require the NRC to collect either a full or partial SSN. For example, the collection may be required by law or by another agency. The NRC already requests SSNs to be partially redacted in documents sent by mail whenever feasible. Therefore, the NRC concluded that minimal changes to its regulations are needed to reduce the inclusion of full or partial SSNs. However, the agency determined that the following amendments are needed to fully implement the Act:

4 Public Law 115-59, Section 2(b)(2)

  • In § 9.1, a new Subpart E needs to be added concerning the use of SSNs in documents sent by mail.
  • In §§ 20.2203 and 25.17, language needs to be revised to ensure SSNs would not be visible on the outside of any package sent by mail.
  • In §§ 35.3045 and 35.3047, language should be revised to replace "social security number or identification number" with "identification number," to prioritize the use of identification numbers that are not SSNs when identifying patients.

In anticipation of the above revisions, all applicable NRC forms have been proactively modified to include language that SSNs must not be visible on the outside of any package sent by mail.

IV. Section-by-Section Analysis

The following paragraphs describe the specific changes in this direct final rule.

Section 9.1 Scope and purpose.

This direct final rule adds new paragraph (e).

Subpart E - Social Security Number Fraud Prevention Act Requirements.


This direct final rule adds new subpart E - Social Security Number Fraud Prevention Act Requirements.

Section 20.2203 Reports of exposures, radiation levels, and concentrations of radioactive material exceeding the constraints or limits.

This direct final rule revises paragraph (b)(2) to require that SSNs not be visible on the outside of any package sent by mail.

Section 25.17 Approval for processing applicants for access authorization.

This direct final rule revises paragraph (b) to require that SSNs not be visible on the outside of any package sent by mail.

Section 35.3045 Report and notification of a medical event.

This direct final rule revises paragraph (g)(1)(ii) to replace "social security number or identification number" with "identification number or if no other identification number is available, the social security number."

Section 35.3047 Report and notification of a dose to an embryo/fetus or a nursing child.

This direct final rule revises paragraph (f)(1)(ii) to replace "social security number or identification number" with "identification number or if no other identification number is available, the social security number."

V. Regulatory Flexibility Certification

Under the Regulatory Flexibility Act (5 U.S.C. 605(b)), the NRC certifies that this rule will not, if issued, have a significant economic impact on a substantial number of small entities. This direct final rule affects a number of small entities as defined by the Regulatory Flexibility Act or the size standards established by the NRC (10 CFR 2.810).

However, as indicated in the regulatory analysis contained in this document, these amendments do not have a significant economic impact on the affected small entities.

VI. Regulatory Analysis

The NRC has prepared a final regulatory analysis for this direct final rule. The analysis examines the costs and benefits of the alternatives considered by the NRC.

The key findings are as follows:

  • Benefits. This final rule ensures that the NRC is in compliance with the Act by doing the following:
1) Revising regulations in 10 CFR part 9, § 20.2203(b)(2), § 25.17(b), § 35.3045(g)(1)(ii), and § 35.3047(f)(1)(ii) to address the intent of the Act; and

2) Ensuring that NRC forms comply with the intent of the Act.

In accordance with the Act, the NRC requests that an SSN be included in documents sent by mail only when necessary and partially redacted whenever feasible. The redacted SSN should list only the number of digits necessary and must not be visible from the outside of packages sent to and from the NRC.

  • Cost to the Industry. This direct final rule results in no incremental costs to material or reactor licensees.
  • Cost to the Public. This direct final rule results in no incremental costs to the public.


  • Cost to the NRC. This direct final rule results in no incremental costs to the NRC beyond those necessary to prepare and issue this direct final rule and make conforming changes to NRC forms, which are considered costs that have already been incurred, cannot be recovered, and for which there is no value in some alternative use.

VII. Backfitting and Issue Finality

This direct final rule modifies the NRC regulations to implement the requirements of the Act to use SSNs only where necessary and to partially redact SSNs to the extent practicable. These regulations relate solely to information collection and reporting requirements. The NRC has long taken the position that information collection and reporting requirements are not subject to the NRC's backfitting and issue finality regulations in 10 CFR 50.109, 10 CFR 70.76, 10 CFR 72.62, 10 CFR 76.76, and 10 CFR part 52. Therefore, the NRC has determined that the various backfitting and issue finality provisions do not apply to this final rule and has not prepared a backfit analysis.

VIII. Plain Writing

The Plain Writing Act of 2010 (Pub. L. 111-274) requires Federal agencies to write documents in a clear, concise, and well-organized manner. The NRC has written this document to be consistent with the Plain Writing Act as well as the Presidential Memorandum, "Plain Language in Government Writing," published June 10, 1998 (63 FR 31883).

IX. Environmental Assessment and Final Finding of No Significant Environmental Impact

The Commission has determined under the National Environmental Policy Act of 1969, as amended, and the Commission's regulations in subpart A of 10 CFR part 51, that this direct final rule, if adopted, would not be a major Federal action significantly affecting the quality of the human environment and, therefore, an environmental impact statement is not required.

This direct final rule amends NRC's regulations in 10 CFR parts 9, 20, 25, and 35. These amendments are necessary to comply with the Social Security Number Fraud Prevention Act of 2017, which directed agencies to issue regulations that prohibit the inclusion of an individual's SSN on any document sent through the mail unless the head of the agency deems it necessary and the appropriate precautions are taken to protect the SSN. These amendments do not lead to any effect on the environment.

The determination of this environmental assessment is that there will be no significant environmental impacts from this action.

X. Paperwork Reduction Act

This direct final rule does not contain any new or amended collections of information subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). Existing collections of information were approved by the Office of Management and Budget, approval numbers 3150-0043, 3150-0014, 3150-0046, and 3150-0010.

Public Protection Notification

The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless the document requesting or requiring the collection displays a currently valid OMB control number.

XI. Congressional Review Act

This direct final rule is not a rule as defined in the Congressional Review Act (5 U.S.C. §§ 801-808).

List of Subjects

10 CFR Part 9

Administrative practice and procedure, Courts, Freedom of information, Government employees, Privacy, Reporting and recordkeeping requirements, Sunshine Act.

10 CFR Part 20

Hazardous waste, Nuclear energy, Nuclear power plants and reactors, Occupational safety and health, Packaging and containers, Penalties, Radiation protection, Reporting and recordkeeping requirements.

10 CFR Part 25

Classified information, Penalties, Reporting and recordkeeping requirements, Security measures.

10 CFR Part 35

Biologics, Drugs, Health facilities, Health professions, Labeling, Medical devices, Nuclear energy, Occupational safety and health, Penalties, Radiation protection, Reporting and recordkeeping requirements.

For the reasons set out in the preamble and under the authority of the Atomic Energy Act of 1954, as amended; the Energy Reorganization Act of 1974, as amended; and 5 U.S.C. 552 and 553, the NRC is adopting the following amendments to parts 9, 20, 25, and 35:

PART 9 - PUBLIC RECORDS

1. The authority citation for part 9 continues to read as follows:

Authority: Atomic Energy Act of 1954, sec. 161 (42 U.S.C. 2201); Energy Reorganization Act of 1974, sec. 201 (42 U.S.C. 5841); 44 U.S.C. 3504 note.

Subpart A also issued under 31 U.S.C. 9701.

Subpart B also issued under 5 U.S.C. 552a.

Subpart C also issued under 5 U.S.C. 552b.

2. In § 9.1, add paragraph (e) to read as follows:

§ 9.1 Scope and purpose.

(e) Subpart E implements the provisions of the Social Security Number Fraud Prevention Act of 2017, Pub. L. 115-59, concerning the use of Social Security account numbers in documents sent by mail.

3. Add subpart E to read as follows:

Subpart E - Social Security Number Fraud Prevention Act Requirements

Sec.

9.300 Scope of subpart.

9.301 Social Security account numbers in documents sent by mail.

§ 9.300 Scope of subpart.

This subpart implements the Social Security Number Fraud Prevention Act of 2017, Pub. L. 115-59, with respect to the use of Social Security account numbers in documents sent by mail and requirements applicable to NRC personnel for redacting Social Security account numbers in documents sent by mail.

§ 9.301 Social Security account numbers in documents sent by mail.

(a) Social Security account numbers shall not be visible on the outside of any package sent by mail.

(b) A document sent by mail may only include the Social Security account number of an individual if it is determined by the head of the agency that the inclusion of a Social Security account number is necessary.

(c) The inclusion of a Social Security account number of an individual on a document sent by mail is necessary when

(1) Required by law; or

(2) Necessary to identify a specific individual and no adequate substitute is available.

(d) Social Security account numbers must be partially redacted in documents sent by mail whenever feasible.

PART 20 - STANDARDS FOR PROTECTION AGAINST RADIATION

4. The authority citation for part 20 continues to read as follows:


Authority: Atomic Energy Act of 1954, secs. 11, 53, 63, 65, 81, 103, 104, 161, 170H, 182, 186, 223, 234, 274, 1701 (42 U.S.C. 2014, 2073, 2093, 2095, 2111, 2133, 2134, 2201, 2210h, 2232, 2236, 2273, 2282, 2021, 2297f); Energy Reorganization Act of 1974, secs. 201, 202 (42 U.S.C. 5841, 5842); Low-Level Radioactive Waste Policy Amendments Act of 1985, sec. 2 (42 U.S.C. 2021b); 44 U.S.C. 3504 note.

5. In § 20.2203, revise paragraph (b)(2) to read as follows:

§ 20.2203 Reports of exposures, radiation levels, and concentrations of radioactive material exceeding the constraints or limits.

(b) * * *

(2) Each report filed pursuant to paragraph (a) of this section must include for each occupationally overexposed1 individual: the name, Social Security account number, and date of birth. The report must be prepared so that this information is stated in a separate and detachable part of the report and must be clearly labeled "Privacy Act Information: Not for Public Disclosure." Social Security account numbers must not be visible on the outside of any package sent by mail.

1 With respect to the limit for the embryo/fetus (§ 20.1208), the identifiers should be those of the declared pregnant woman.

PART 25 - ACCESS AUTHORIZATION

6. The authority citation for part 25 continues to read as follows:

Authority: Atomic Energy Act of 1954, secs. 145, 161, 223, 234 (42 U.S.C. 2165, 2201, 2273, 2282); Energy Reorganization Act of 1974, sec. 201 (42 U.S.C. 5841); 44 U.S.C. 3504 note; E.O. 10865, 25 FR 1583, as amended, 3 CFR, 1959-1963 Comp., p. 398; E.O. 12829, 58 FR 3479, 3 CFR, 1993 Comp., p. 570; E.O. 13526, 75 FR 707, 3 CFR, 2009 Comp., p. 298; E.O. 12968, 60 FR 40245, 3 CFR, 1995 Comp., p. 391.

Section 25.17(f) and Appendix A also issued under 31 U.S.C. 9701; 42 U.S.C. 2214.

7. In § 25.17, revise paragraph (b) to read as follows:

§ 25.17 Approval for processing applicants for access authorization.

(b) The request must be submitted to the facility CSA. If the NRC is the CSA, the procedures in § 25.17(c) and (d) will be followed. If the NRC is not the CSA, the request will be submitted to the CSA in accordance with procedures established by the CSA. The NRC will be notified of the request by a letter that includes the name, Social Security number and level of access authorization. Social Security account numbers must not be visible on the outside of any package sent by mail.

PART 35 - MEDICAL USE OF BYPRODUCT MATERIAL

8. The authority citation for part 35 continues to read as follows:

Authority: Atomic Energy Act of 1954, secs. 81, 161, 181, 182, 183, 223, 234, 274 (42 U.S.C. 2111, 2201, 2231, 2232, 2233, 2273, 2282, 2021); Energy Reorganization Act of 1974, secs. 201, 206 (42 U.S.C. 5841, 5846); 44 U.S.C. 3504 note.

9. In § 35.3045, revise paragraph (g)(1)(ii) to read as follows:

§ 35.3045 Report and notification of a medical event.

(g) * * *

(1) * * *

(ii) Identification number or if no other identification number is available, the social security number, if one has been assigned by the referring physician, of the individual who is the subject of the event; and

10. In § 35.3047, revise paragraph (f)(1)(ii) to read as follows:

§ 35.3047 Report and notification of a dose to an embryo/fetus or a nursing child.

(f) * * *

(1) * * *

(ii) Identification number or if no other identification number is available, the social security number, if one has been assigned by the referring physician, of the individual who is the subject of the event; and

Dated at Rockville, Maryland, this xxth day of Xxxxx, 201X.

For the Nuclear Regulatory Commission.

Annette L. Vietti-Cook, Secretary of the Commission.
