Privacy Act Statement
This Privacy Act Statement explains how GSA and identity proofing vendors handle the Personally Identifiable Information (PII) that you provide during recruitment, eligibility screening, and participation in the Equity Study. PII includes information that is personal in nature and which may be used to identify you. The PII you provide in this Equity Study will only be used for the purpose of this study and future Equity Studies if applicable. GSA will protect your information consistent with the principles of the Privacy Act of 1974, the E-Government Act of 2002, and the Federal Records Act.
The GSA “Equity Study on Remote Identity Proofing” will assess the impact of ethnicity, race, gender, income, and other demographic factors on the multiple components of identity proofing, which is the process of verifying that a person is who they say they are. GSA will test remote identity-proofing tools that include both biometric checks using facial-verification technology as well as non-biometric methods like mobile-device account ownership and validating personal information through consumer reporting agencies. NIST’s SP 800-63-3A guidelines for remote one-to-one identity proofing serve as a framework for the study.
To conduct this study, GSA is partnering with identity-proofing vendors that are compatible with the study architecture and can meet GSA’s compliance requirements. The study will assess if and how demographic factors affect the vendors’ remote identity proofing software’s identity-proofing decisions.
What Information does GSA need?
- For recruitment, GSA needs your name and email address.
- For eligibility and to evaluate the equitable performance of technologies, GSA needs your demographic information, such as your race and ethnicity.
- For authentication, GSA needs your phone number to validate that you are an authorized user of the phone account and are in possession of the mobile device.
- To mitigate fraud, GSA will also analyze the device used to access the study, and collect different device identifiers as well as measures of behavior such as how you interact with forms on the page.
Identity proofing helps establish a person is who they claim to be and thus requires more sensitive information. One step in identity proofing involves PII validation, which will require the collection of the following data elements by multiple vendors:
- Participants’ Full Name,
- Social Security Number,
- Date of Birth,
- Phone Number,
- Physical Address,
- the data printed or encoded (barcode) on your Government Identification card (e.g. driver’s license)
GSA will facilitate the collection and transfer of this personally identifiable information (PII) to the following vendors, and you may review their privacy policies at the following hyperlinks:
- Socure Products and Services Privacy Statement - Socure
For a detailed description of the information collected, its uses and protection, review the Equity Study’s Privacy Impact Assessment.
In this study, GSA will also collect certain biometric information from you with the help of several vendors. This includes the following information used to identify you:
- Biological characteristics derived from a picture of your face (a “selfie”); and
- Biological characteristics derived from a photo of your identity document, which also contains a photo of you.
Vendors will collect this information and send it to GSA after assessing it as part of the identity-verification process. The vendors verify the identity document and match your photo from the document with your live selfie. The software will then validate your PII.
For more information on each provider’s privacy policies, see the vendor’s specific Privacy Policies.
- GSA | Incode
- Jumio’s Privacy Notice - Jumio: End-to-End ID, Identity Verification and AML Solutions
- Socure Products and Services Privacy Statement - Socure
- TransUnion LLC Privacy Notice | TransUnion
NOTE: The privacy policies above apply to the vendors’ general commercial services, your data will be only retained and used in accordance with this GSA Privacy Act Statement.
After the third party vendors determine whether you pass or fail their identity proofing, the vendors will share their results with GSA. GSA will group this data with your demographic information, remove any Personally Identifying Information (e.g. name, Date of birth, SSN), and share this report with the Study Evaluator. The Study Evaluator will help GSA perform a statistical analysis of the data, analyze failure cases and reasons and develop reports based on the Study’s findings and data. All data will be securely stored in a GSA-licensed Google Drive. GSA will only transfer de-identified data to the Study evaluator through secure means like SFTP, file share, or read-only Google Drive file share.
This study and the associated reports will assist GSA in making informed decisions regarding commercially-available identity-verification capabilities and enable GSA to provide equitable access to diverse populations that need to verify their identity to access government services.
Retention of Data
GSA will instruct all vendors providing identity proofing services for this study to discard any information collected within 24 hours of collection. GSA will retain records of this study in accordance with GSA’s retention schedule for Customer Research and Reporting Records [PDF, 8 Pages] and any other applicable federal records schedules.
Recruitment Partner/Participant Outreach Service Vendors will retain the data for 90 days after the Equity Study and then delete the data. No PII will be retained by the vendors at the conclusion of this study.
The Study Evaluator will not collect or store PII for the Final Report, except that, with your consent, your images may be included in the Final Report to explain proofing failures; if included (with your consent), images of identity documents will be deidentified to the greatest extent possible in the report.
Additional Information Sharing
There may be circumstances where GSA is required to share certain data. For example: if the information is relevant and necessary for an authorized law enforcement purpose; in order to respond to a breach; or to assist another agency as it responds to a breach. For additional information, see the system of record notice number GSA/TTS-1 that GSA’s Technology Transformation Service (TTS) published on November 21, 2022.
Routine Uses - With whom will the information be shared?
To third-party identity proofing services and fraud prevention services when participating in studies commissioned by the GSA to evaluate the equitable performance of new technologies and guide service improvements. Please refer to the System of Records Notice, GSA/TTS-1, for the full list of routine uses, which represent the authorized entities GSA may disclose the information to, as determined relevant and necessary.
Consent - How can you control what information is shared?
Participants in this study have consented to the collection and use of the information as described in the Rules of Use, Privacy Act Statement, Consent Forms, Privacy Impact Assessment, and SORN. If at any time prior to the completion of the study should you no longer agree to these conditions, contact firstname.lastname@example.org or (202) 969-0772.
Records - Where can you find more information?
Please see the GSA System of Records Notice, GSA/TTS-1.
Website Analytics – Other data GSA collects
Other data, like the pages you visit and the length of your session, are aggregated into reports to help us better understand how the site is being used and how GSA can make it more helpful. The data is anonymized. No personally identifying user information is tied to this data and it is only shared anonymously with the GSA team.
Privacy Impact Assessment
View all GSA privacy impact assessments at www.gsa.gov/PIA.
OMB No: 3090-0328
Paperwork Reduction Act Statement - This information collection meets the requirements of 44 U.S.C. § 3507, as amended by section 2 of the Paperwork Reduction Act of 1995. You do not need to answer these questions unless we display a valid Office of Management and Budget (OMB) control number. The OMB control number for this collection is 3090-0328. We estimate that it will take up to 45 minutes to read the instructions, gather the facts, and answer the questions. Send only comments relating to our time estimate, including suggestions for reducing this burden, or any other aspects of this collection of information to: General Services Administration, Regulatory Secretariat Division (MVCB), ATTN: Lois Mandell/IC 3090-0297, 1800 F Street, NW, Washington, DC 20405.