Policy: Protection and Use of Social Security Numbers 


Date: 12/05/07 Policy ID: IRM-014 Status: Final

Policy Type: University
   
Contact Office: Information Security, Policy, and Records Office
   
Oversight Executive: Chief Information Officer
   
Applies To: Academic Division, the Medical Center, the College at Wise, and University-Related Foundations.
   
Table of Contents: 

Policy Statement
Procedures

   
Reason for Policy: 

This policy assists the University in its commitment to safeguard personal and confidential information by protecting the privacy and legal rights of the University community, reducing the use of the SSN for identification purposes, and promoting confidence by students, employees, patients, and others that SSNs are handled in a confidential manner.

   
Policy Summary: 
   
Definition of Terms in Statement: 

Highly Sensitive Data: Includes those data that require restrictions on access under the law or that the University decides to restrict in accord with the provisions of the Virginia Freedom of Information Act or other applicable law or regulation.  

Records: A record is any document, file, computer program, database, image, recording, or other means of expressing information in either electronic or non-electronic form.

Record Systems: A record system is a way of storing, disseminating, or organizing records either electronically or in paper form.
   
Policy Statement: 

The University of Virginia collects and maintains SSNs of students, faculty, staff, alumni, patients, applicants for admission, vendors, visitors and other constituencies in approved business processes and as required by law.  The University classifies SSNs as highly sensitive data and will:

  • handle this information with a high degree of security and confidentiality and in compliance with University policies, regulations, and laws;
  • collect and store SSNs only when they are essential for approved business processes (see Procedures section for approval process) or to meet legal requirements, such as the generation of W-2 tax forms;
  • inform individuals who are asked to supply SSNs whether they are legally required, or may refuse, to supply the SSN, and also of any specific consequences of providing or not providing the information. [see examples <link pending> ]
  • display SSNs on online screens, reports, and other forms of presentation, or otherwise provide copies of SSNs, only to those authorized to view this information and only when needed for an approved purpose (see Procedures section for approval process);
  • authorize the fewest number of people possible to access SSNs in both electronic and non-electronic form;
  • maintain an accurate inventory of records that contain SSNs;
  • dispose of electronic and non-electronic records containing SSNs in a responsible manner that minimizes the risk of unauthorized access, in accordance with the University’s policies on Electronic Data Removal and Records Management, e.g., shred paper records on which SSNs are printed.

The University will NOT:

  • print SSNs on identification cards or badges or include SSNs in magnetic strips or bar codes;
  • use SSNs as the account numbers or identifiers for individuals in new electronic or non-electronic records or record systems unless needed for an approved purpose or required by law (see Procedures section for approval process).

   
Procedures: 

Phased Compliance Strategy – Effective immediately all newly created records and record systems must comply with this policy. Because of the magnitude of effort, the University of Virginia has adopted a phased approach for implementing this policy for pre-existing records and record systems. An SSN Initiative is underway to provide guidance and coordinate efforts to comply with this policy. 

All schools, departments, divisions, and business units are responsible for implementing required record and record system modifications. Key milestones for remediation work follow.

  1. By July 1, 2008 each school, department, division, and business unit must identify all records and record systems under their purview that use SSNs, develop a remediation plan, and obtain approval of the plan from the SSN Initiative Team.  Any requests to continue using SSNs must be sent to the SSN Initiative Team, which will engage the appropriate University officials in evaluating and approving or denying the requests.  
  2. By July 1, 2009 each school, department, division, and business unit must complete implementation of its approved remediation plan.

Earlier completion dates will be necessary for centrally maintained records and record systems, such as ISIS interfaces, that prevent schools, departments, divisions, and business units from moving forward with their SSN remediation plans.  Department heads should consult the SSN Initiative website and seek further assistance as needed from the SSN Initiative Team before beginning the modification of their systems and processes.

   
Related Information: 

Administrative Data Access
Disclosure of University Records
Electronic Data Removal
Information Technology Security Incident Reporting
Records Management
Rights of Students at the University of Virginia Pursuant to the Family Educational Rights and Privacy Act
Medical Center Policy No. 0201 Patient Identification
Medical Center Policy No. 0253 Verification for Release of Patient Information

Federal regulations including but not limited to the following:

  • The Family Educational Rights and Privacy Act (“FERPA”, also referred to as the "Buckley Amendment"), 20 U.S.C. §1232g;
  • The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Pub. L. 104-191 and implementing regulations issued by the U.S. Department of Health and Human Services including Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164 (“Privacy Rule”);
  • The Gramm-Leach-Bliley Act (“GLBA”), 15 U.S.C. §6801 et seq., and implementing regulations issued by the Federal Trade Commission including Standards for Safeguarding Customer Information (the “Safeguards Rule”), 16 CFR Part 314; and
  • The Privacy Act of 1974, 5 U.S.C. §552a (2000).

Commonwealth of Virginia laws including but not limited to:

The Government Data Collection and Dissemination Practices Act §2.2-3800

   
Policy Background: 
   
Major Category: Information Resource Management
   
Category Cross Reference: 
   
   
Process: 
   
Next Scheduled Review: 12/05/14
   
Approved By, Date: Executive Vice President and Chief Operating Officer, 12/05/07
   
Revision History: 4/14/11 updated.
   
Supersedes (previous policy):