Guidance On The Protection of Social Security Numbers
Social Security Numbers (SSNs) are considered protected
information under both GLB and the Family Educational Rights
and Privacy Act (FERPA). By necessity, student Social Security
Numbers still remain in the University Student Information
System and in departmental databases. The University urges
great care when maintaining Social Security Numbers in these
systems. Generally, you should not collect and retain SSNs
unless you have a valid business purpose to do so. If you
think you have a valid purpose, the following guidance should
be used when collecting, storing, and using such data.
Awareness
The protection of SSNs is required by federal and state
law and regulations. Those who are entrusted with this
information must take care to ensure that SSNs are not
publicly available.
Access
Access to SSNs shall be limited to those who need to use
SSNs for the performance of their job responsibilities.
Transmission
Sending SSNs over the Internet or by email is prohibited
unless done in a secure manner. Appropriate measures must be
taken to ensure the confidentiality of fax and paper
transmissions containing SSNs.
- All electronic transactions and transmissions
containing SSNs must be encrypted.
- When SSNs are shared with a third party, a written
agreement must be entered into to protect the
confidentiality of the SSNs.
- SSNs should not be included in email text or
attachments unless they are encrypted.
- SSNs should be removed from paper forms and faxes
unless required by law or determined to be necessary by
the appropriate data steward.
- When SSNs are exchanged on paper, steps must be taken
so that the numbers are not revealed. The SSNs must not
appear in an envelope window.
- Fax transmissions over phone lines (fax to fax) are
secure if appropriate safeguards exist when faxing SSNs:
make sure the recipient's fax number is correct and that
the recipient does not leave the fax in an unsecured
area. Fax transmissions involving computer networks (fax
to computer, computer to fax, computer to computer) are
not secure and should not include SSNs.
Storage
Organizational units must actively work to remove SSNs from
electronic files, databases, images, and paper documents.
Historical files, databases, documents, and images
containing SSNs may be maintained provided access to them is
limited and secure.
- SSNs should not be stored on a local workstation,
laptop, floppy disk, CD/DVD, personal digital assistant
(PDA), USB flash drive, or any other portable storage
device. If storing SSNs on such a device is necessary,
the information must be encrypted and the device must be
physically secured.
- Computer applications requiring SSNs must store the
SSNs on a secure network server with up-to-date patches.
Encryption adds another layer of security.
- Servers, tapes, disks, backups, and other
electronic storage devices containing SSNs must reside in
secure physical locations.
- Documents and forms containing SSNs must be stored in
secure drawers or cabinets with appropriate security.
- Anyone working with paper that contains SSNs must
take steps to secure that information.
Disposal
As SSNs are eliminated from the normal course of business,
organizational units must follow these standards for secure
disposal.
- Prior to disposal, steps must be taken to destroy
portable electronic storage devices, floppy disks, and
CD/DVDs containing SSNs.
- Prior to recycling or disposal, desktop, laptop, and
server disks containing SSNs must be erased (scrubbed)
using a degaussing device.
- Paper documents containing SSNs should be shredded
locally.