Use of Social Security Numbers

Return to: U of M Home

	myU \| One Stop \| Directories \| Search U of M

1-HELP

System Status

STANDARDS & GUIDELINES

GUIDELINE— Use of Social Security Number (SSN)

Responsible Office: Office of Information Technology
Responsible Officer: University Data Custodian (Chief Information Officer)

EFFECTIVE DATE: April 2005
VIEW HISTORY
RELATED POLICY/PROCEDURE:
Acceptable Use of Information Technology Resources

GUIDELINE
A guideline is highly recommended.

Introduction

The University of Minnesota recognizes the increased concern of individual privacy and the risk of identity theft. The Social Security Number (SSN) is classified as private data. The protection and confidentiality of the SSN is covered under Regents policy, federal law, and state law. However the SSN has been routinely requested to help identify and match records. This guideline is intended to specifically address issues related to the use of the SSN in University Systems, including self-service applications and departmentally administered systems.

Goals include:

Reduce the collection of the SSN except where required by law.
Reduce the use of SSN in data systems, including display pages and reports.
Require the use of a disclosure statement when collecting the SSN.
Increase awareness about the concern for privacy and the risk of identify theft related to the disclosure of the SSN.

Requirements

This guideline applies to all University systems.
The Social Security Number will not be collected or used in any new University system except where required by law. The SSN can be voluntarily provided to help match records.
University forms that request the SSN must indicate if it is voluntary or required. If required the form should include or be accompanied by a disclosure statement (see Implementation).
The Social Security Number can only be used for the purpose it was collected.
Access to SSN data will be restricted.
The Social Security Number will not be displayed in University computer systems except in modules where the SSN is required.
The Social Security Number will not be displayed on electronic or hard copy reports or documents except when required by law.
For business processes that require the SSN, the last 4 digits may be used in confirmation documents.
The Social Security Number will not be used as the primary key in databases.
The Social Security Number, like other private data, will be stored in a secure manner. The SSN should not be stored on portable storage devices that are not secured (e.g., laptops). Encryption will be required for transmitting SSN data.
An annual review of all systems using Social Security Numbers must be conducted to confirm that current security standards are being applied to protect the privacy of the data. (See Securing Private Data standard.)

Exceptions

The University is required to collect the SSN for a variety of legally mandated activities (e.g., income tax reporting, federally supported financial aid). All such cases, including existing systems, must be documented, reviewed, and approved by the University Data Custodian or designee.

Implementation

The collection and use of the SSN has been reduced. The University does not currently use the Social Security Number as the primary identification number in Enterprise Systems nor is it used or stored on the University ID Card.

(Note: the SSN has never been printed on the current U Card which was introduced in March 1995. The SSN was encoded in the mag stripe on U Cards issued prior to January 10, 2002. Anyone who still has one of these cards can request a free replacement from the U Card office.)

The collection of the Social Security Number must be accompanied by a disclosure statement that contains the following elements:

Whether disclosure of the SSN is mandatory or voluntary
The consequences of not providing the SSN
How the SSN will be used
The SSN will be disclosed within the institution only to those with a need to know or to others as provided by law
The use of the SSN will only be for the purpose identified when it is collected

The University has existing systems which currently use the SSN. Some of these are purchased systems where the University does not control the delivered application. It is expected to take considerable time and effort to convince the vendors to change their delivered applications or to make local modifications. As a first step, an inventory of existing Enterprise Systems will be created and a schedule developed for meeting the requirements of this standard. The goal is to complete the changes in 3-5 years and make annual progress. Departments should inventory their own systems and report to the University Data Custodian.

Reporting Violations

See “Reporting Violations of Security, Acceptable Use, Technology Resources, and Threats of Violence.”

Related Laws and Policies:

The following laws address the use of SSN: the Privacy Act of 1974, the Family Education Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA).
University Administrative Policies: Acceptable Use of Information Technology Resources, Internal Access to University Information, Securing Private Data Standard
Minnesota Government Data Practices Act

© 2007 - 2008 Regents of the University of Minnesota. All rights reserved.	Contact U of M \| Privacy
The University of Minnesota is an equal opportunity educator and employer.	Last modified on 9/9/07 9:06 AM