Date Approved: May 10, 2007
Effective Date: May 10, 2007
Responsible Official: Chief Information Security Officer
Responsible Office: [U]Tech Information Security Office
Revision History: Version 2.0; Previous Version 1.4 dated May 20, 2011
Related legislation and University policies: <as referenced in the policy>
Review Period: 5 Years
Date of Last Review: May 20, 2011
Related to: Faculty, Staff, Students
Purpose
The purpose of this policy is to establish a university standard on approved use of Social Security Numbers (SSN) in Case Western Reserve University (CWRU) administrative processes, and procedures for the proper use, handling, and disclosure of SSNs. The objectives of the policy are:
- Eliminate the non-approved use of SSN as a publicly visible identifier in CWRU administrative processes and transactions
- Increase awareness of the restricted nature of the SSN with respect to information confidentiality
- Ensure consistent management of SSN use throughout the University
- Assure that SSNs are handled in an appropriate manner, increasing the confidence of faculty, staff, students, affiliates, and alumni in the stewardship of information by the University in accordance with the CWRU Acceptable Use Policy
Scope
This policy applies to all administrative processes that support the educational, research, and service missions of the university. This policy applies to CWRU faculty, staff, students, and affiliated partners, including contractors, while conducting business with the university. In particular, all information technology systems that support CWRU administrative processes, whether operated by CWRU or by a third party, are covered by this policy.
Background
Disclosures of personally identifiable information brings about a risk of identity theft. CWRU has used the SSN as a student identifier for many years, and has had many academic and administrative processes connected to its use. The transition of the Student Information System from a mainframe environment to a database-driven architecture has afforded the University the opportunity to implement architectural and procedural changes to protect its constituents (faculty, students, staff, affiliates) from the risk of identity theft by reducing the exposure to loss or disclosure of SSNs.
Cancellation
Not applicable.
Policy Statement
Student
CWRU supports the use of alternate identifiers for students.
The SSN shall be required from all entering students for a permanent and lasting record. When feasible, an alternative number will be assigned and used by the University for all administrative processes which do not specifically require the SSN. In no event shall grades be publicly posted by using the SSN, or any part of the SSN. CWRU is dedicated to assuring the privacy and proper handling of personal information pertaining to students.
CWRU will request that a student provide a SSN at the time of application to the University. In accordance with usage guidelines, the SSN shall not be used as the student ID number but will be provided to entities requiring SSN, including but not limited to the federal government for financial aid and Tax Relief Act (1997) reporting, Immigration and Naturalization Service, and as required by court order in accordance with the Family Educational Rights and Privacy Act.
Employee
CWRU will require that an employee provide a SSN at the time of employment. The SSN shall not be used as an Employee ID number for internal business uses, but will be provided to external entities requiring SSN, including but not limited to federal, state and local governments, insurance carriers, and retirement programs. If the university engages in financial transactions with non-employees who are affiliates or vendors, these individuals will be required to provide a SSN for mandated tax reporting purposes.
Use Guidelines
A. The use of SSN as an individual's primary identification number shall be discontinued, unless required or permitted by law.
B. Systems purchased or developed by CWRU shall not use SSNs as identifiers unless required by law or business necessity (as defined by the University Provost or their designated agent).
C. All CWRU employees, students and other individuals that require an identifying number, will be assigned a unique identification number that is not the same as, or derived from the individual’s SSN.
C.1 The University shall adopt a phased compliance transition strategy for all current administrative processes, systems, and applications with the goal of eliminating the use of SSNs according to a University SSN Transition Plan. Waivers may be granted by the VP of UTech/CIO, when a written project transition plan has been submitted and approved.
C.2 As part of the University’s phased compliance strategy, the University shall be entitled to take all reasonable steps to assess whether existing and/or legacy administrative processes, systems and applications are in compliance with this policy and the CWRU Acceptable Use Policy. Each individual subject to this policy has a responsibility to help with this assessment. This responsibility includes these elements:
C.2.1 Identification of any older data containing SSNs that were used in administrative or academic processes.
C.2.2 Isolation and purge of any non-essential files containing SSN data. Removal of these files shall be performed in a manner which eliminates the risk of disclosure or data loss.
C.2.3 Application of established security controls, known as Tier III Controls, to protect sensitive information such as SSN data when its preservation is warranted and sanctioned.
C.2.4 Mandatory reporting of security events, theft, or loss involving SSN data.
C.2.5 Providing notice to UTech when the individual needs assistance in determining whether they are in compliance with this policy, such as whether their legacy processes, systems, and applications still retain or store SSN.
Any individual violating this policy may be subject to disciplinary action in accordance with the applicable policy on Confidentiality (HR Policy I-12).
D. Systems purchased or developed by CWRU will use SSNs as data elements only, not as keys to databases, and in this case only when required or permitted by law.
E. Systems purchased or developed by CWRU will not display SSNs visually, whether on computer monitors, or on printed forms or other system output, unless required by law or business necessity.
F. Name and directory systems purchased or developed by CWRU will be tied to an individual's unique identification number, not SSN.
G. When databases require SSNs, the database will automatically cross-reference between the SSN and other information through the use of conversion tables with systems or other mechanical mechanisms.
H. No system or technology will be developed or purchased by CWRU unless it is compatible with these regulations.
I. All employees (faculty, staff) that use or have access to employee or student SSN data shall be held to the highest levels of accountability for data stewardship. SSN data or files shall not be conveyed to student employees.
J. Systems that use SSNs will be categorized as Tier III, hosting Restricted information, and shall be required to meet Tier III security controls to protect the information from the intentional or unintentional disclosure of Restricted information.
K. Violation of this policy will be considered a violation of the CWRU Acceptable Use Policy, and sanctions will be handled as described in that policy.