Policy: Protection and Use of Social Security Numbers
|Date: 12/05/07||Policy ID: IRM-014||Status: Final|
|Contact Office:||Information Security, Policy, and Records Office|
|Oversight Executive:||Vice President and Chief Information Officer|
|Applies To:||Academic Division, the Medical Center, the College at Wise, and University-Related Foundations.|
|Reason for Policy:||
This policy assists the University in its commitment to safeguard personal and confidential information by protecting the privacy and legal rights of the University community, reducing the use of the SSN for identification purposes, and promoting confidence by students, employees, patients, and others that SSNs are handled in a confidential manner.
|Definition of Terms in Statement:||
Highly Sensitive Data: Includes those data that require restrictions on access under the law or that the University decides to restrict in accord with the provisions of the Virginia Freedom of Information Act or other applicable law or regulation.
Records: A record is any document, file, computer program, database, image, recording, or other means of expressing information in either electronic or non-electronic form.
Record Systems: A record system is a way of storing, disseminating, or organizing records either electronically or in paper form.
The University of Virginia collects and maintains SSNs of students, faculty, staff, alumni, patients, applicants for admission, vendors, visitors and other constituencies in approved business processes and as required by law. The University classifies SSNs as highly sensitive data and will:
The University will NOT:
Phased Compliance Strategy – Effective immediately all newly created records and record systems must comply with this policy. Because of the magnitude of effort, the University of Virginia has adopted a phased approach for implementing this policy for pre-existing records and record systems. An SSN Initiative is underway to provide guidance and coordinate efforts to comply with this policy.
All schools, departments, divisions, and business units are responsible for implementing required record and record system modifications. Key milestones for remediation work follow.
Earlier completion dates will be necessary for centrally maintained records and record systems, such as ISIS interfaces, that prevent schools, departments, divisions, and business units from moving forward with their SSN remediation plans. Department heads should consult the SSN Initiative website and seek further assistance as needed from the SSN Initiative Team before beginning the modification of their systems and processes.
Administrative Data Access
Federal regulations including but not limited to the following:
Commonwealth of Virginia laws including but not limited to:
|Major Category:||Information Resource Management|
|Category Cross Reference:|
|Next Scheduled Review:||12/05/14|
|Approved By, Date:||Executive Vice President and Chief Operating Officer, 12/05/07|
|Revision History:||4/14/11 updated.|
|Supersedes (previous policy):|