Identity Protection Policy
The Illinois Department of Revenue (Department) adopts this Identity-Protection Policy (“Policy”) pursuant to the Identity Protection Act (5 ILCS 179/1 et seq.). The Identity Protection Act requires each local and State government agency to draft, approve, and implement an Identity-Protection Policy to ensure the confidentiality and integrity of Social Security numbers agencies collect, maintain, and use. It is important to safeguard Social Security numbers (“SSNs”) against unauthorized access because SSNs can be used to facilitate identity theft. One way to better protect SSNs is to limit the widespread dissemination of those numbers. The Identity Protection Act was passed in part to require local and State government agencies to assess their personal information collection practices, and to make necessary changes to those practices to ensure confidentiality.
While the Identity Protection Act provides prohibitions on the collection, use, and disclosure of social security numbers by a governmental agency and its employees and contractors, it does provide certain exceptions from these prohibitions that would apply to the Department, such as when an agency uses SSNs for internal verification or administrative purposes or to collect a State debt. Further, the Act does not apply to an agency’s collection, use, or disclosure of social security numbers as required by State or federal law, rule, or regulation. Therefore, the Identity Protection Act does not prohibit the Department from collecting, using, and disclosing social security numbers for its administrative and debt collection purposes and does not prohibit the Department from disclosing such information to the federal government, state agencies, and other entities when used for such purposes.
Requirement to Provide Statement of Purpose:
Whenever an individual is asked to provide the Department with a SSN for reasons other than for the Department’s tax administration purposes, the Department shall provide that individual with a statement of the purpose or purposes for which the Department is collecting and using the Social Security number. The Department shall also provide the statement of purpose upon request of the individual. That Statement of Purpose is also available by clicking here.
Prohibitions on transmitting, printing, posting, or displaying Social Security numbers. As provided by the Identity Protection Act, the Department shall not:
- Publicly post or publicly display in any manner an individual’s Social Security number. “Publicly post” or “publicly display” means to intentionally communicate or otherwise intentionally make available to the general public.
- Print an individual’s Social Security number on any card required for the individual to access products or services provided by the Department.
- Require an individual to transmit a Social Security number over the Internet, unless the connection is secure or the Social Security number is encrypted.
- Print an individual’s Social Security number on any materials that are mailed to the individual, through the U.S. Postal Service, any private mail service, electronic mail, or any similar method of delivery, unless State or federal law requires the Social Security number to be on the document to be mailed. However, SSNs may be included in applications and forms sent by mail, including, but not limited to, any material mailed in connection with the administration of the Unemployment Insurance Act, any material mailed in connection with any tax administered by the Department of Revenue, and documents sent as part of an application or enrollment process or to establish, amend, or terminate an account, contract, or policy or to confirm the accuracy of the Social Security number. A Social Security number that is permissibly mailed will not be printed, in whole or in part, on a postcard or other mailer that does not require an envelope or be visible on an envelope without the envelope having been opened.
- Prohibitions on the collection, use, or disclosure of Social Security numbers. With limited exceptions1, the Department shall not:
- Collect, use, or disclose a Social Security number from an individual, unless:
- required to do so under State or federal law, rules, or regulations, or the collection, use, or disclosure of the Social Security number is otherwise necessary for the performance of the Department’s duties and responsibilities;
- the need and purpose for the Social Security number is documented before collection of the Social Security number; and
- the Social Security number collected is relevant to the documented need and purpose.
- Require an individual to use his or her Social Security number to access an Internet website, unless the connection is secure or your SSN is encrypted.
- Use the Social Security number for any purpose other than the purpose for which it was collected.
Redaction of Social Security Numbers:
When collecting Social Security numbers, the Department shall request each SSN in a manner that makes the SSN easily redacted. “Redact” means to alter or truncate data so that no more than five sequential digits of a Social Security number are accessible.
The Department shall comply with the provisions of any law with respect to allowing the public inspection and copying of information or documents containing all or any portion of an individual’s Social Security number. The Department shall redact social security numbers from the information or documents before allowing the public inspection or copying of the information or documents.
Restricted Access by Employees to Social Security Numbers:
Only Department employees who are required to use or handle information or documents that contain SSNs will have access. All employees who have access to SSNs will be trained to protect the confidentiality of SSNs prior to the granting of such access.
1These prohibitions do not apply in the following circumstances:
- The disclosure of Social Security numbers to agents, employees, contractors, or subcontractors of a governmental entity or disclosure by a governmental entity to another governmental entity or its agents, employees, contractors, or subcontractors if disclosure is necessary in order for the entity to perform its duties and responsibilities; and, if disclosing to a contractor or subcontractor, prior to such disclosure, the governmental entity must first receive from the contractor or subcontractor a copy of the contractor's or subcontractor's policy that sets forth how the requirements imposed under this Act on a governmental entity to protect an individual's Social Security number will be achieved.
- The disclosure of Social Security numbers pursuant to a court order, warrant, or subpoena.
- The collection, use, or disclosure of Social Security numbers in order to ensure the safety of: State and local government employees; persons committed to correctional facilities, local jails, and other law-enforcement facilities or retention centers; wards of the State; and all persons working in or visiting a State or local government agency facility.
- The collection, use, or disclosure of Social Security numbers for internal verification or administrative purposes.
- The disclosure of Social Security numbers by a State agency to any entity for the collection of delinquent child support or of any State debt or to a governmental agency to assist with an investigation or the prevention of fraud.
- The collection or use of Social Security numbers to investigate or prevent fraud, to conduct background checks, to collect a debt, to obtain a credit report from a consumer reporting agency under the federal Fair Credit Reporting Act, to undertake any permissible purpose that is enumerated under the federal Gramm Leach Bliley Act, or to locate a missing person, a lost relative, or a person who is due a benefit, such as a pension benefit or an unclaimed property benefit.