IRM-014: Protection and Use of Social Security Numbers
Date: 12/05/2007 Status: Final
This policy assists the University in its commitment to safeguard personal and confidential information by protecting the privacy and legal rights of the University community, reducing the use of the SSN for identification purposes, and promoting confidence by students, employees, patients, and others that SSNs are handled in a confidential manner.
Highly Sensitive Data:
Includes those data that require restrictions on access under the law or that the University decides to restrict in accord with the provisions of the Virginia Freedom of Information Act or other applicable law or regulation.
A way of storing, disseminating, or organizing records either electronically or in paper form.
Any document, file, computer program, database, image, recording, or other means of expressing information in either electronic or non-electronic form.
The University of Virginia collects and maintains SSNs of students, faculty, staff, alumni, patients, applicants for admission, vendors, visitors and other constituencies in approved business processes and as required by law. The University classifies SSNs as highly sensitive data and will:
- handle this information with a high degree of security and confidentiality and in compliance with University policies, regulations, and laws;
- collect and store SSNs only when they are essential for approved business processes (see Procedures section for approval process) or to meet legal requirements, such as the generation of W-2 tax forms;
- inform individuals who are asked to supply SSNs whether they are legally required, or may refuse, to supply the SSN, and also of any specific consequences of providing or not providing the information [see examples];
- display SSNs on online screens, reports, and other forms of presentation, or otherwise provide copies of SSNs, only to those authorized to view this information and only when needed for an approved purpose (see Procedures section for approval process);
- authorize the fewest number of people possible to access SSNs in both electronic and non-electronic form;
- maintain an accurate inventory of records that contain SSNs;
- dispose of electronic and non-electronic records containing SSNs in a responsible manner that minimizes the risk of unauthorized access, in accordance with University policies IRM-004, Electronic Data Removal, and IRM-017, Records Management (e.g., shred paper records on which SSNs are printed).
The University will NOT:
- print SSNs on identification cards or badges or include SSNs in magnetic strips or bar codes;
- use SSNs as the account numbers or identifiers for individuals in new electronic or non-electronic records or record systems unless needed for an approved purpose or required by law (see Procedures section for approval process).
Phased Compliance Strategy – Effective immediately, all newly created records and record systems must comply with this policy. Because of the magnitude of effort, the University of Virginia has adopted a phased approach for implementing this policy for pre-existing records and record systems. An SSN Initiative is underway to provide guidance and coordinate efforts to comply with this policy.
All schools, departments, divisions, and business units are responsible for implementing required record and record system modifications. Key milestones for remediation work follow.
- By July 1, 2008, each school, department, division, and business unit must identify all records and record systems under its purview that use SSNs, develop a remediation plan, and obtain approval of the plan from the SSN Initiative Team. Any requests to continue using SSNs must be sent to the SSN Initiative Team, which will engage the appropriate University officials in evaluating and approving or denying the requests.
- By July 1, 2009, each school, department, division, and business unit must complete implementation of its approved remediation plan.
Earlier completion dates will be necessary for centrally maintained records and record systems, such as ISIS interfaces, that prevent schools, departments, divisions, and business units from moving forward with their SSN remediation plans. Department heads should consult the SSN Initiative website and seek further assistance as needed from the SSN Initiative Team before beginning the modification of their systems and processes.