Information Security Policy and Standards: Secure Handling of Social Security Numbers

Audience:

  • All faculty, staff and students
  • All employees, both permanent and temporary
  • All contractors, vendors and any others (including 3rd parties) entrusted with SSN information.

Definition:

It is Northwestern University's intent to protect the personal information of its students, staff, faculty and other individuals associated with the University from unauthorized access or disclosure, and possible misuse or abuse. This policy is designed to establish awareness and provide guidance on the proper handling of Social Security Number (SSN) information maintained by or on behalf of Northwestern University.

Policy Statement:

Social Security Numbers may not be captured, retained, communicated, transmitted, displayed or printed in whole or in part, except where required or permitted by law, and in accordance with the standards outlined in this policy.

Background Issues:

Scope

The policy applies to the SSN whether maintained, used or displayed wholly or in part, and in any data format, including but not limited to oral or written words, screen display, electronic transmission, stored media, printed material, facsimile or other medium as determined.

Policy Owner

NUIT Information and Systems Security/Compliance (ISS/C)

References

  • Illinois Personal Information Protection Act (PIPA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Family Educational Rights and Privacy Act (FERPA)
  • Health Insurance Portability and Accountability Act (HIPAA)

Definitions

  1. Social Security Number (SSN) may be interpreted to include Taxpayer Identity Number (TIN).
  2. Individual Workstations: Includes but is not limited to desktops, laptops, tablets, smart phones and PDAs.
  3. Removable or Transportable Media: Includes but is not limited to paper forms, reports, cassettes, CDs, USB tokens, flash drives, hard drives and zip drives.
  4. Data Steward: NOTE - A coordinated effort is underway to establish this and other relevant definitions. The policy statement will be updated as the definition is established.
  5. Enterprise Systems: The term is applicable to any infrastructure as a means of describing its importance to the University's mission and how it should be administered, protected and funded. From a functional viewpoint, an Enterprise System will be either (a) the only delivery platform for an essential service, or (b) a platform for a service to a very broad constituency spanning organizational boundaries. An enterprise system is most frequently administered and protected by an institutional unit with expertise in both the technology and the business functions delivered.
    "Enterprise System Status," January 2006, T.E. Board/ISA

Standards

  1. Going forward, the University does not permit the use of a SSN as the primary identifier for any person or entity in any system, except where the SSN is required or permitted by law, and permitted by University policy.
  2. Where permitted by law and University policy, the SSN may be stored as a confidential attribute associated with an individual or may be used as an optional key to identify individuals for whom a primary identifier is not known.
  3. Individuals shall not be required to provide their Social Security number, verbally or in writing, at any point of service, nor shall they be denied access to those services should they refuse to provide a SSN, except where the collection of SSN is required by law or otherwise permitted by University policy. Individuals may volunteer their Social Security number if they wish, as an alternate means for locating a record.
  4. Except where the SSN is required by law, the University ID (EMPLID) replaces use of the SSN and will be used in all future electronic and paper data systems and processes to identify, track, and service individuals associated with the University. The University ID will be permanently and uniquely associated with the individual to whom it is originally assigned.
  5. All newly developed or acquired application software will not store SSN as a data element until a business requirement is submitted and approved by the Data Steward and/or other authorities as deemed appropriate.
  6. Servers housing databases or records containing SSNs should be of single purpose, with access restricted to system administrators, protected by an approved firewall appliance, and should not be used by individuals to access the Internet or access e-mail.
  7. Where possible, all records containing an SSN should be stored on network drives with access limited to those individuals or entities that require access to perform a legitimate University job function. Individual workstations, laptops and other personal computers (PDAs) should not be used to store records containing SSNs.
  8. All removable or transportable media (e.g., paper forms, reports, cassettes, CDs, USB drives, etc.) containing SSNs must be secured when not in use. Reasonable security measures depend on the circumstances, but may include locked file rooms, desks and cabinets.
  9. Subject to applicable document retention policies or unless required by law, when no longer required, paper documents and electronic media containing SSNs will be destroyed or disposed of using methods designed to prevent subsequent use or recovery of information.
  10. SSNs will be released to entities outside the University only where permitted or required by law, or with the express written permission of the individual or entity, or where approved by Office of General Counsel.
  11. The University will limit access to records containing SSN to those individuals requiring access as determined by job function. Individuals permitted access to SSN will be instructed on the appropriate handling and protection of this data by their management or designated representative.

Procedure

Individual business units are responsible for the development, documentation and implementation of applicable procedures to effectuate this policy. Procedures are subject to review by ISS/C and the Audit Department.

Compliance

All parties as delineated under Audience are required to comply with this policy no later than sixty days after approval (see "Date Effective.") Individuals who discover or strongly suspect the unauthorized release of SSN or related information, or a violation of this policy must promptly notify their management and any of the following:

Exception Process

Any request for exception to this policy should be submitted to Information and Systems Security/Compliance (ISS/C) using the form described in Exception Request - Appendix A DOC ISS/C will coordinate requests for exception to this policy and contact the respective policy owner, data steward and other authorities as deemed appropriate for consideration and discussion of the exception request. Request forms must be completed fully; incomplete forms will be returned without processing. Requestors will be provided with a decision within ten (10) working days from receipt of the completed request.

Approved Uses of SSN

University offices may not collect SSNs for purposes other than those noted in Section 9, Standards. Any office intending other use of SSN data must request an exception to the policy (see Section 13, Exception Process).

The primary uses and reasons for the continued capture, storage, retention and processing of SSN data are identified and documented in the Approved Uses of SSNs - Appendix B PDF. Typically, processes that access historical SSN data, or require or permit continued use of SSN data, are described here. Additional processes may be added to the appendix by contacting ISS/C.

Last Review Date:

December 2013

Original Issue Date:

June 2006

Revision Dates:

July 2012

August 2011
March 2009