Supporting Statement for Integrated Registration Services (IRES) System
20 CFR 401.45
OMB No. 0960-0626
A. Justification
Introduction/Authoring Laws and Regulations
The Integrated Registration Services (IRES) system is an electronic authentication process by which the Social Security Administration (SSA) registers and authenticates users of our online business services.
SSA will eventually include IRES as part of the SSA’s Public Credentialing and Authentication Process (OMB Clearance No. 0960-0789); however, we are not, yet, ready to begin migration. SSA collects the information for the IRES authentication under the authority of Section 5 USC 552a (e)(10) of the Privacy Act of 1974 which requires agencies to establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records. Also, Section 5 USC 552a (f)(2)&(3) require agencies to establish requirements for identifying an individual who requests a record or information pertaining to that individual, and to establish procedures for disclosure of personal information. SSA promulgated Privacy Act rules in the Code of Federal Regulations, Subpart B. Procedures for verifying identity are at 20 CFR 401.45.
Description of Collection
SSA uses the information from this collection to verify the identity of individuals, businesses, organizations, entities and government agencies who use our secured Internet and telephone applications for requesting and exchanging business data with SSA. We collect the personal information one time only when the individual registers to use our online business services.
IRES is an internet-based application that replaced the handwritten paper-based signature with a user identification number (User ID) and a password. IRES provides registration, authentication and authorization gateway services for Business-to-Government (B2G) suites of services, including, but not limited to:
Business Services Online (BSO)
Electronic Wage Reporting (EWR)
Third party Bulk Filing
Verification of Social Security Numbers (SSNVS)
Claimant Representative Services
Representative Payee Services
Government Services Online (GSO) (OMB#0960-0757)
Office of Child Support Enforcement (OCSE) Services
Secure exchange of information between SSA and third parties in support of SSA and other federal government-supported programs
Customer Support Application (CSA)
CSA provides customer support service for IRES. CSA allows users to complete the registration process via a telephone interview with a Social Security customer service representative.
To register for an IRES User ID, we first need to verify the user’s identity. We ask the user to give us some personal information, such as:
Name
Date of birth
Social Security Number
Home address
Home telephone number
Email address
Once we verify this information, we issue the respondents a User ID. In addition, we ask the user to create a password, select security questions and answers for password reset.
Respondents are individuals who wish to register to use our online business services. Respondents may be:
Employers,
Employees,
Third parties working on behalf of a business,
Appointed representatives,
Representative payees, and
Other government agencies wishing to exchange data with our agency in support of our programs.
Use of Information Technology to Collect the Information –
This is an electronic information collection. The respondent keys and transmits their identifying information to SSA over the Internet or by telephone, then SSA compares the information in real time to existing electronic records. If the information keyed and transmitted matches with that in SSA records, we provide the respondent with a User ID and password.
Why We Cannot Use duplicate Information
Most of the information we collect through these screens, we already collected and posted to SSA’s master electronic records; however, SSA asks for it again for comparison and verification. Currently, there is no existing alternative means for the agency to verify identity electronically through use of a User ID and password when the request to access our BSO is user-initiated over the internet or by telephone.
Minimizing Burden on Small Respondents
This collection does not significantly affect small businesses or other small entities.
Consequence of Not Collecting Information or Collecting it Less Frequently
Failure to verify the respondent’s identity would result in SSA’s not being able to respond to these Internet or telephone requests. Making this service available electronically saves the respondents the effort of mailing their forms to SSA, phoning an SSA TeleService Center, or visiting an SSA field office to obtain name or SSN information. In addition, it saves SSA staff time. Since SSA only requests this information on an as needed basis, we cannot collect the information less frequently. There are no technical or legal obstacles to burden reduction.
Special Circumstances
There are no special circumstances that would cause SSA to conduct this information collection in a manner that is not consistent with 5 CFR 1320.5.
Solicitation of Public Comment and other Consultations with the Public
The 60-day advance Federal Register Notice published on July 29, 2015, at 80 FR 45265, and we received no public comments. The 30-day FRN published on September 25, 2015, at 80 FR 57907. If we receive any comments to this Notice, we will forward them to OMB. We did not consult with the public in the maintenance of this collection.
Payment or Gifts to Respondents
SSA does not provide payment or gift to the respondents.
Assurances of Confidentiality
SSA protects and holds the information it collects in accordance with 42 U.S.C. 1306, 20 CFR 401 and 402, 5 U.S.C. 552 (Freedom of Information Act), 5 U.S.C. 552a (Privacy Act of 1974) and OMB Circular No. A130.
In addition, our Privacy Policy protects information collected by SSA for internet services that ensures the confidentiality of all information provided by the requester. Our internet privacy policy is:
You do not need to give us personal information to visit our site.
We collect personally identifiable information (name, SSN, DOB or E-mail) only if specifically and knowingly provided by you.
We will use personally identifying information you provide only in conjunction with services you request as described at the point of collection.
We sometimes perform statistical analyses of user behavior in order to measure customer interest in the various areas of our site. We will disclose this information to third parties only in aggregate form.
We do not give, sell, or transfer any personal information to a third party.
We implement Tier 1 (Single session) and Tier 2 (Multi-session without PII) technologies using the text-based “cookie” technology. We use Tier 2 technology to help us analyze site use by identifying you as a new or returning visitor; this does nothing other than distinguish whether you have been to our site before. Our web measurement applications compare the behavior of new and returning visitors in the aggregate to help us identify work flows and trends and also resolve common problems on our site. We do not use this technology to identify you or any other person. We use Tier 2 web measurement technology to improve our website and provide a better user experience for our customers. This technology anonymously tracks how visitors interact with socialsecurity.gov, including where they came from, what they did on the site, and whether they completed any pre-determined tasks while on the site. The Social Security Administration also uses Tier 2 technology to obtain feedback and data on visitors’ satisfaction with the SSA website.
Additionally, SSA ensures the confidentiality of the requester’s personal information in several ways:
The Secure Socket Layer (SSL) security protocol encrypts all electronic requests. SSL encryption prevents a third party from reading the transmitted data even if intercepted. This protocol is an industry standard, and is used by banks such as Wells Fargo and Bank of America for Internet banking.
IRES gives the requester adequate warnings that the Internet is an open system and there is no absolute guarantee that others will not intercept and decrypt the personal information they have entered. SSA advises them of alternative methods of requesting personal information, i.e., personal visit to a field office or a call to the 800 number.
Only upon verification of identity does IRES allow the requester access to additional screens, which allow requests for personal information from SSA.
Justification for Sensitive Questions
We are asking questions of a sensitive nature in this Information Collection. The requester supplies basic information, for example, name, SSN, DOB, and address information. For authorization purposes, we collect the EIN during the employer registration, and we ask appointed representatives using IRES in support of beneficiaries to submit additional information. We ask the responder some “shared secret” questions. Before we ask for any information, the responders must read and agree to our “User Registration Attestation,” which serves to acknowledge and indicate their consent to provide us with sensitive information. The “User Registration Attestation” explains SSA’s legal authority for collecting the information.
We collect shared secrets from the individual to use as password reset questions to improve customer service, and reduce workloads and costs. We ask the individual to select and answer five password reset questions. If the individual loses or forgets the password, we ask three questions randomly selected from the five we established with the individual during account setup when that individual originally created the User ID. The individual must provide correct answers, consistent with the answers on record to all three questions.
Estimates of Public Reporting Burden
For FY 2014, there were 662,102 successful registrations through the IRES Internet system. In addition to new registrations for FY 2014, there were 9,209,489 logins (which may include users who registered in a prior FY or users accessing the system subsequent to registering). We estimate that it takes an average of 5 minutes to register, obtain a credential and authenticate with SSA through IRES, for an annual reporting burden of 55,175 hours. We estimate that for a subsequent login to authenticate with SSA takes an average of 2 minutes, for an annual reporting burden of 306,983 hours. For FY 2014, there were 23,562 registrations through the IRES CS (CSA) system. We estimate that it takes an average of 11 minutes to register, obtain a credential and authenticate with SSA through IRES CS (CSA), for an annual reporting burden of 4,320 hours. The following chart shows the breakdown per modality of completion for FY 2015 (based on our FY 2014 data):
Modality of Completion |
Number of Respondents |
Frequency of Response |
Average Burden Per Response (minutes) |
Estimated Total Annual Burden (hours) |
IRES Internet Registrations |
662,102 |
1 |
5 |
55,175 |
IRES CS (CSA) Registrations |
23,562 |
1 |
11 |
4,320 |
IRES Internet Requestors |
9,209,489 |
1 |
2 |
306,983 |
Totals |
9,895,153 |
|
|
366,478 |
The total burden for this ICR is 366,478 hours. This figure represents burden hours, and we did not calculate a separate cost burden.
Annual Cost to the Respondents (Other)
This collection does not impose a known cost burden to the basic IRES or CSA respondents. However, there may be some cost to Appointed Representatives who access services which require extra security. Each time the responder logs in to access SSA’s secured online services that require the extra security feature, we send a text message to the responder’s cell phone; which the responder must then enter on the web page.
Storage Management Subsystem (SMS) cost – code sent via text message from SMS to the individual user.
For the user who receives the SMS code and does not have a text plan, the current cost could range from 10 cents to 20 cents per message.
For the user who has a limited text plan, the cost would just be included as part of the plan. We have no way to estimate this cost.
For the user who has an unlimited text plan, there would be no charge. The user would have paid for this service as part of the plan. We have no way to estimate cost.
Annual Cost to the Federal Government
The estimated cost to the Federal Government to collect the information is negligible. Because the cost of maintaining the system which collects this information is accounted for within the cost of maintaining all of SSA’s automated systems, it is not possible to calculate the cost associated with just one internet application.
Program Changes or Adjustments to the Information Collection Request
The increase in burden stems from the increase in the number of Internet requestors who logged into the system to request information. While we show a decrease in new registrations for IRES, the number of Internet requestors increased, as expected with any increase in registration. See #12 above for updated burden figures.
Plans for Publication Information Collection Results
SSA will not publish the results of the information collection.
Displaying the OMB Approval Expiration Date
SSA is not requesting an exception to the requirement to display the OMB approval expiration date.
Exceptions to Certification Statement
SSA is not requesting an exception to the certification requirements at 5 CFR 1320.9 and related provisions at 5 CFR 1320.8(b)(3).
B. Collections of Information Employing Statistical Methods
SSA does not use statistical methods for this information collection.
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Title | Supporting Statement for Form SSA-1021 |
| Author | Diane Swift |
| File Modified | 0000-00-00 |
| File Created | 2021-01-24 |