Given the varying approaches that agencies have taken to determining whether proposed or actual collections and uses of SSNs are necessary, it is doubtful whether the goal of eliminating unnecessary collection and use of SSNs is being implemented consistently across the federal government. OMB has not subsequently provided criteria for determining “unnecessary collection and use” of SSNs. OMB staff in the Office of Information and Regulatory Affairs stated that they had not developed a precise definition of “unnecessary collection and use” because the circumstances of collection and use of SSNs varied across agencies. However, developing guidance for agencies in the form of criteria for making decisions about what types of collections and uses of SSNs are unnecessary need not be narrowly prescriptive. Until such criteria are established, agency efforts to reduce the unnecessary use of SSNs will likely continue to vary, and, as a result, the risk of unnecessarily exposing SSNs to identity theft may not be mitigated as thoroughly as it could be.
Annual updates submitted by the 24 agencies from fiscal year 2013 through 2015 did not always include up-to-date information about agency efforts and results achieved, making it difficult to monitor whether progress had been made. For example, in each of its reports over this period, the Department of State indicated that it had a review of over 100 systems underway, with little description of whether any progress had been made. Similarly, the Department of Transportation stated in each of its reports that privacy officials continue to work with departmental components to justify, and as appropriate, reduce holdings of PII across systems and business processes. However, none of the reports indicated whether these efforts had been completed or what the results were. Small Business Administration’s updates for all three years consisted of the same document, dated August 2013. OMB staff from the Office of Information and Regulatory Affairs agreed that some agencies had provided the same information year after year in their annual updates, arguing that it was acceptable to do so if all reduction efforts had been completed. However, this was not the case with any of the three agencies, which all indicated that reduction efforts were still underway.
Further, other than its initial review in 2008, OMB has only recently begun monitoring agency efforts to reduce SSNs. Specifically, staff from the Office of Information and Regulatory Affairs reported that they performed a review in 2015 and determined that agency efforts had been largely successful. While they did not set specific criteria for measuring performance, they noted that the agencies with the most robust and mature SSN reduction efforts had developed inventories for their SSN collections, defined unnecessary use, and established processes to continue assessing whether SSN collections were necessary over time. However, the OMB staff were unable to provide any documentation of their review.