DRAFT

V 2.6, last updated 3/17/2005

Standard—Use of Social Security Number (SSN)

Responsible Office: Office of Information Technology

Responsible Officer: University Data Custodian (Chief Information Officer)

Related Policy: Acceptable Use of Information Technology Resources

 

Standard
A standard defines a level of quality that is required to be followed.

 

Introduction

The University of Minnesota recognizes the increased concern for individual privacy and the risk of identity theft. The Social Security Number (SSN) is classified as private data. The protection and confidentiality of the SSN are covered under Regents policy, federal law, and state law. However, the SSN has been routinely requested to help identify and match records. This standard is intended to specifically address issues related to the use of the SSN in University systems, including self-service applications and departmentally administered systems.

 

Goals include:

  • Reduce the collection of the SSN except where required by law.
  • Reduce the use of SSN in data systems, including display pages and reports.
  • Require the use of a disclosure statement when collecting the SSN.
  • Increase awareness about the concern for privacy and the risk of identity theft related to the disclosure of the SSN.

 

Requirements

  1. This standard applies to all University systems.
  2. The Social Security Number will not be collected or used in any new University system except where required by law. The SSN can be voluntarily provided to help match records.
  3. University forms that request the SSN must indicate whether it is voluntary or required. If required, the form should include or be accompanied by a disclosure statement (see Implementation).
  4. The Social Security Number can only be used for the purpose it was collected.
  5. Access to SSN data will be restricted.
  6. The Social Security Number will not be displayed in University computer systems except in modules where the SSN is required.
  7. The Social Security Number will not be displayed on electronic or hard copy reports or documents except when required by law.
  8. For business processes that require the SSN, the last 4 digits may be used in confirmation documents.
  9. The Social Security Number will not be used as the primary key in databases.
  10. The Social Security Number, like other private data, will be stored in a secure manner. The SSN should not be stored on portable storage devices that are not secured (e.g., laptops). Encryption will be required for transmitting SSN data.
  11. An annual review of all systems using Social Security Numbers must be conducted to confirm that current security standards are being applied to protect the privacy of the data. (See OIT Securing Private Data standard.)

 

Exceptions

The University is required to collect the SSN for a variety of legally mandated activities (e.g., income tax reporting, federally supported financial aid). All such cases, including existing systems, must be documented, reviewed, and approved by the University Data Custodian or designee.

 

Implementation

The collection and use of the SSN has been reduced. The University does not currently use the Social Security Number as the primary identification number in Enterprise Systems nor is it used or stored on the University ID Card.

(Note: the SSN has never been printed on the current U Card which was introduced in March 1995. The SSN was encoded in the mag stripe on U Cards issued prior to January 10, 2002. Anyone who still has one of these cards can request a free replacement from the U Card office.)

The collection of the Social Security Number must be accompanied by a disclosure statement that contains the following elements:

  • Whether disclosure of the SSN is mandatory or voluntary
  • The consequences of not providing the SSN
  • How the SSN will be used
  • The SSN will be disclosed within the institution only to those with a need to know or to others as provided by law
  • The use of the SSN will only be for the purpose identified when it is collected

The University has existing systems which currently use the SSN. Some of these are purchased systems where the University does not control the delivered application. It is expected to take considerable time and effort to convince the vendors to change their delivered applications or to make local modifications. As a first step, an inventory of existing Enterprise Systems will be created and a schedule developed for meeting the requirements of this standard. The goal is to complete the changes in 3-5 years and make annual progress. Departments should inventory their own systems and report to the University Data Custodian.

 

Reporting Violations

See “Security Incidents, Breaches, and Acceptable Use Violation Reporting.”

 

Related Laws and Policies

  • The following laws address the use of the SSN: the Privacy Act of 1974, the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act, and the Health Insurance Portability and Accountability Act (HIPAA).
  • University Administrative Policies: Acceptable Use of Information Technology Resources, Internal Access to University Information, Securing Private Data Standard
  • Minnesota Government Data Practices Act

 

 

 