IRM-014: Protection and Use of Social Security Numbers

Date: 12/05/2007 Status: Final
Last Revised: 04/14/2011
Policy Type: University
Oversight Executive: Chief Information Officer
Applies To: Academic Division, the Medical Center, the College at Wise, and University-Related Foundations.
Table of Contents:

Policy Statement
Procedures

Reason for Policy:

This policy assists the University in its commitment to safeguard personal and confidential information by protecting the privacy and legal rights of the University community, reducing the use of the SSN for identification purposes, and promoting confidence by students, employees, patients, and others that SSNs are handled in a confidential manner.

Definition of Terms in Statement:
  • Highly Sensitive Data:

    Data that require restrictions on access under the law or that may be protected from release in accordance with applicable law or regulation, such as Virginia Code § 18.2-186.6. Breach of Personal Information Notification. Highly Sensitive data (HSD) currently include personal information that can lead to identity theft. HSD also includes health information that reveals an individual’s health condition and/or medical history.

    Specific examples include, but are not limited to:

    • Any store or file of passwords or user-ids and passwords on any multi-user system or computer.
    • Personal information that, if exposed, can lead to identity theft. This may include a personal identifier (e.g., name, date of birth) as well as one of the following elements:
      • Social security number;
      • Driver’s license number or state identification card number issued in lieu of a driver’s license number;
      • Passport number; or
      • Financial account number, or credit card or debit card number, including any cardholder data in any form on a payment card.

    Also considered HSD are any form of personally identifying information in combination with social security number (SSN), driver’s license number, passport number and/or financial account number. For example, computing ID and driver’s license number, or home address and SSN.

    Note that credit card numbers can never be stored either alone or in combination with any other identifiers.

    • Health information is any information that, if exposed, can reveal an individual’s health condition and/or history of health services use, including information defined by Health Insurance Portability and Accountability Act (HIPAA) as protected health information (PHI).
  • Record:

    Any document, file, computer program, database, image, recording, or other means of expressing information in either electronic or non-electronic form.

  • Record System:

    A way of storing, disseminating, or organizing records either electronically or in paper form.

Policy Statement:

The University of Virginia collects and maintains SSNs of students, faculty, staff, alumni, patients, applicants for admission, vendors, visitors and other constituencies in approved business processes and as required by law. The University classifies SSNs as highly sensitive data and will:

  • handle this information with a high degree of security and confidentiality and in compliance with University policies, regulations, and laws;
  • collect and store SSNs only when they are essential for approved business processes (see Procedures section for approval process) or to meet legal requirements, such as the generation of W-2 tax forms;
  • inform individuals who are asked to supply SSNs whether they are legally required, or may refuse, to supply the SSN, and also of any specific consequences of providing or not providing the information. [see examples ]
  • display SSNs on online screens, reports, and other forms of presentation, or otherwise provide copies of SSNs, only to those authorized to view this information and only when needed for an approved purpose (see Procedures section for approval process);
  • authorize the fewest number of people possible to access SSNs in both electronic and non-electronic form;
  • maintain an accurate inventory of records that contain SSNs;
  • dispose of electronic and non-electronic records containing SSNs in a responsible manner that minimizes the risk of unauthorized access, in accordance with University policies IRM-004, Electronic Data Removal and IRM-017, Records Management, e.g., shred paper records on which SSNs are printed;

The University will NOT:

  • print SSNs on identification cards or badges or include SSNs in magnetic strips or bar codes;
  • use SSNs as the account numbers or identifiers for individuals in new electronic or non-electronic records or record systems unless needed for an approved purpose or required by law (see Procedures section for approval process).
Procedures:

Phased Compliance Strategy – Effective immediately all newly created records and record systems must comply with this policy. Because of the magnitude of effort, the University of Virginia has adopted a phased approach for implementing this policy for pre-existing records and record systems. An SSN Initiative is underway to provide guidance and coordinate efforts to comply with this policy.

All schools, departments, divisions, and business units are responsible for implementing required record and record system modifications. Key milestones for remediation work follows.

  1. By July 1, 2008 each school, department, division, and business unit must identify all records and record systems under their purview that use SSNs, develop a remediation plan, and obtain approval of the plan from the SSN Initiative Team.  Any requests to continue using SSNs must be sent to the SSN Initiative Team, which will engage the appropriate University officials in evaluating and approving or denying the requests.
  2. By July 1, 2009 each school, department, division, and business unit must complete implementation of its approved remediation plan.

Earlier completion dates will be necessary for centrally maintained records and record systems, such as ISIS interfaces, that prevent schools, departments, divisions, and business units from moving forward with their SSN remediation plans. Department heads should consult the SSN Initiative website and seek further assistance as needed from the SSN Initiative Team before beginning the modification of their systems and processes.

Related Information:

Administrative Data Access

IRM-012, Information Technology Security Incident Reporting
IRM-014, Electronic Data Removal
IRM-017, Records Management
STU-002, Rights of Students at the University of Virginia Pursuant to the Family Educational Rights and Privacy Act

Medical Center Policy No. 0201, Patient Identification
Medical Center Policy No. 0253, Verification for Release of Patient Information

Federal regulations including but not limited to the following:

  • The Family Educational Rights and Privacy Act (“FERPA”, also referred to as the "Buckley Amendment"), 20 U.S.C. §1232g;
  • The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Pub. L. 104-191 and implementing regulations issued by the U.S. Department of Health and Human Services including Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164 (“Privacy Rule”);
  • The Gramm-Leach-Bliley Act (“GLBA”) 15 U.S.C §6801 et seq, and implementing regulations issued by the Federal Trade Commission including Standards for Safeguarding Customer Information (the "Safeguards Rule”), 16 CFR Part 314; and The Privacy Act of 1974, 5 U.S.C. § 552a (2000).

Commonwealth of Virginia laws including but not limited to:

The Government Data Collection and Dissemination Practices Act §2.2-3800

Major Category: Information Resource Management
Approved by, Date: Executive Vice President and Chief Operating Officer, 12/05/2007
Revision History: 4/14/11 updated.