Title: Social Security Number Use Policy
Approved by: Office of the President
Date approved by President or Board of Trustees: May 10, 2007
Effective date: May 10, 2007
Responsible Official: UTech Security and Policy
Responsible University Office: UTech Security and Policy
Revision History: 3
Related legislation and University policies: Acceptable Use of Information Technology Policy (AUP), Restricted Information
Review Period: 3 Years
Date of Last Review: July 26, 2024
Relates to: Faculty, Staff
Summary
This policy establishes a university standard on the approved use of Social Security Numbers (SSNs) in University administrative processes, and procedures for the proper use, handling, and disclosure of SSNs. The objectives of the policy are:
- Eliminate the non-approved use of SSN as a publicly visible identifier in University administrative processes and transactions
- Increase awareness of the restricted nature of the SSN with respect to information confidentiality
- Ensure consistent management of SSN use throughout the University
- Assure that SSNs are handled in an appropriate manner, increasing the confidence of faculty, staff, students, affiliates, and alumni in the stewardship of information by the University in accordance with the University's Acceptable Use Policy
Purpose
This policy applies to all administrative processes that support the educational, research, and service missions of the university. This policy applies to University faculty, staff, students, and affiliated partners, including contractors, while conducting business with the university. In particular, all information technology systems that support University administrative processes, whether operated by the University or by a third party, are covered by this policy. Disclosure of personally identifiable information brings about a risk of identity theft. The University used the SSN as a student identifier for many years, and had many academic and administrative processes connected to its use. The University has implemented architectural and procedural changes to protect its constituents (faculty, students, staff, affiliates) from the risk of identity theft by reducing the exposure to loss or disclosure of SSNs.
Student
The University supports the use of alternate identifiers for students.
The SSN shall be required from all entering students for a permanent and lasting record. When feasible, an alternative number will be assigned and used by the University for all administrative processes which do not specifically require the SSN. The University is dedicated to assuring the privacy and proper handling of personal information pertaining to students.
The University will request that a student provide a SSN at the time of application to the University. In accordance with usage guidelines, the SSN shall not be used as the student ID number but will be provided to entities requiring SSN, including but not limited to the federal government for financial aid and Tax Relief Act (1997) reporting, Immigration and Naturalization Service, and as required by court order in accordance with the Family Educational Rights and Privacy Act.
Employee
The University will require that an employee provide a SSN at the time of employment. The SSN shall not be used as an Employee ID number for internal business uses, but will be provided to external entities requiring SSN, including but not limited to federal, state and local governments, insurance carriers, and retirement programs. If the university engages in financial transactions with non-employees who are affiliates or vendors, these individuals will be required to provide a SSN for mandated tax reporting purposes.
Use Guidelines
The use of SSN as an individual's primary identification number shall be discontinued, unless required or permitted by law.
Systems purchased or developed by the University shall not use SSNs as identifiers unless required by law or business necessity (as defined by the University Provost or their designated agent).
All University employees, students and other individuals who require an identifying number will be assigned a unique identification number that is not the same as, or derived from, the individual’s SSN.
The University shall adopt a phased compliance transition strategy for all current administrative processes, systems, and applications with the goal of eliminating the use of SSNs according to a University SSN Transition Plan. Waivers may be granted by the VP of UTech/CIO, when a written project transition plan has been submitted and approved.
As part of the University’s phased compliance strategy, the University shall be entitled to take all reasonable steps to assess whether existing and/or legacy administrative processes, systems and applications are in compliance with this policy and the University's Acceptable Use Policy. Each individual subject to this policy has a responsibility to help with this assessment. This responsibility includes these elements:
- Identification of any older data containing SSNs that were used in administrative or academic processes.
- Isolation and purge of any non-essential files containing SSN data. Removal of these files shall be performed in a manner which eliminates the risk of disclosure or data loss.
- Application of established security controls, known as Tier III Controls, to protect sensitive information such as SSN data when its preservation is warranted and sanctioned.
- Mandatory reporting of security events, theft, or loss involving SSN data.
- Providing notice to UTech when the individual needs assistance in determining whether they are in compliance with this policy, such as whether their legacy processes, systems, and applications still retain or store SSN.
Any individual violating this policy may be subject to disciplinary action in accordance with the applicable University policy.
Systems purchased or developed by the University will use SSNs as data elements only, not as keys to databases, and in this case only when required or permitted by law.
Systems purchased or developed by the University will not display SSNs visually, whether on computer monitors, or on printed forms or other system output, unless required by law or business necessity.
Name and directory systems purchased or developed by the University will be tied to an individual's unique identification number, not SSN.
When databases require SSNs, the database will automatically cross-reference between the SSN and other information through the use of conversion tables with systems or other mechanical mechanisms.
No system or technology will be developed or purchased by the University unless it is compatible with these regulations.
All employees (faculty, staff) that use or have access to employee or student SSN data shall be held to the highest levels of accountability for data stewardship. SSN data or files shall not be conveyed to student employees.
SSNs are to be considered Restricted Information, and systems that handle or store SSNs must be configured to the standard defined in “Case Information Security Requirements for Restricted Information” to protect the information from the intentional or unintentional disclosure of Restricted Information.
Violation of this policy will be considered a violation of the University's Acceptable Use Policy, and sanctions will be handled as described in that policy.