UI policy offers guidelines for using Social Security numbers
By Sharita Forrest, Assistant Editor 217-244-1072; slforres@illinois.edu
Because the UI collects and maintains private information on students and employees, it is important that faculty and staff members understand the specific laws and university policies that are in place to protect people’s privacy, say Mike Corn, director of security services and information privacy at Campus Information Technologies and Educational Services, and Carole Livingstone, associate provost and director of management information.

Corn, who is the SSN coordinator for university administration, and Livingstone, the SSN coordinator for the Urbana campus, recently conducted two workshops to update members of the Urbana campus community on university policy and on the state and federal legislation that applies to information privacy.

For years Social Security numbers provided a convenient means of identifying people and were a number that people could remember easily, Livingstone said. However, the proliferation of identity-theft crimes has heightened the importance of safeguarding personal information and, in Illinois, is spurring legislation that would require prompt notification of victims when privacy is breached. Several major companies and educational institutions in the U.S., including the University of Kansas and the University of California at San Diego, made headlines recently when personal data was leaked to unauthorized parties or obtained by hackers, putting consumers and students at risk of identity theft.

Well ahead of many of its peer institutions, the UI adopted a policy on the use and protection of Social Security numbers in January 2000. Since then, other institutions have used the UI’s policy as a model for creating their own guidelines.
The primary goal of the UI’s SSN policy is “to ensure that university employees and students comply with both the letter and the spirit of the Family Educational Rights and Privacy Act and the Privacy Act of 1974.” FERPA requires that student ID numbers and Social Security numbers be treated as confidential components of students’ educational records, just like their grades and transcripts.

The university’s SSN policy established the university ID number (UIN) as the permanent universitywide identifier to be used in place of students’ and employees’ SSNs, and as of spring 2005 all university units are required to replace SSNs with UINs as the primary identifier in all their systems.

While asking people for their SSNs used to be routine for many types of transactions, compelling a person to provide an SSN, except where state or federal law mandates it, is now a felony punishable by up to five years in prison. People can voluntarily provide their SSNs to conduct transactions or access records, but they cannot be forced to do so except where SSNs are required by law, such as applications for federal student aid or Civil Service employment, upon hiring, and when compensation such as wages, stipends or honoraria is paid.

While staff members can refuse service to people who decline to provide their UINs, the Privacy Act of 1974 states that federal, state and local government agencies cannot refuse service to people who will not disclose their SSNs, Corn said. The exceptions are circumstances where an SSN is mandatory, such as obtaining employment or student aid. Staff members may, however, tell people that failing to provide an SSN may delay service or require additional steps to complete a transaction.
When university staff members ask students, employees or other people to disclose their SSNs, whether over the phone, on paper or electronic forms, or in person, they must provide a disclosure statement that indicates (a) whether divulging the SSN is mandatory or voluntary, (b) by what statutory or other authority the SSN is solicited, (c) how the information will be used and (d) the consequences of not providing it. Units should keep in mind that the SSN coordinators, Corn and Livingstone, must approve all disclosure statements before use.

University units must examine the points of service, forms and applications in which SSNs are requested and determine whether the SSN is actually mandatory. When it is not, staff members need to indicate which alternative identifiers will suffice, for example UINs, netIDs or birthdates. This may mean revising existing forms, databases or procedures.

While the university will continue to obtain SSNs for all employees and most students, access to and use of SSNs will be limited to faculty and staff members who demonstrate that they must have SSNs to do business. In Banner, the primary ID number is the UIN; SSNs, if collected, are stored in the database but can only be accessed through a separate, restricted screen. Select units that must have SSNs, such as the Office of Admissions and Records, will have an alternative search mechanism that uses SSNs.

Three conversion utilities that can be helpful to other units have been developed by the University Office of i-card Programs and the University Office of Business Systems in the University Office of Business and Financial Services.

The i-card query is an interface to the i-card database that lets a user enter a name, UIN, SSN or network ID and locate a person’s name, student or employee status, UIN and network ID, address and fees paid. The database also contains digital photos of i-card holders, which may be used in limited circumstances to authenticate a person’s identity when they request services but do not have an acceptable form of identification.

The UIN2SSN Web application lets users enter a person’s UIN and obtain the SSN and digital photo. UIN2SSN can be used at points of service to confidentially convert a UIN to an SSN. It is a highly secure application, and access requires approval from the SSN coordinators.

The SSN2UIN bulk-conversion utility lets units convert lists of SSNs to lists of UINs, or convert one record at a time. The i-card office grants access to the application.

Staff members should check with their technical support people to ensure that they have no legacy systems that could expose information to unauthorized users or that use SSNs in ways that violate university policy or legal guidelines, Corn said. “University policy requires you to know what computers in your office have confidential data on them,” Corn said.

Corn said that one university unit at Urbana inadvertently exposed employees’ personal information through a legacy Web site. Staff had not kept the site’s access rights up to date and had not protected it from Google indexing, so Web users could potentially reach the site’s reports, which listed employees’ SSNs and payment information.

Faculty and staff members should be aware that files containing SSNs cannot be placed on open file servers, whole or partial SSNs cannot be used as passwords, and files containing SSNs cannot be transmitted by non-secure FTP. Just as paper forms should be secured and shredded when no longer needed, electronic information should be secured by limiting access to databases and by shredding CDs that contain files with personal information. Ideally, SSNs should be encrypted in the databases that hold them.
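The check Corn describes, knowing which files and systems in a unit still hold SSNs, can be partly automated by scanning text for SSN-shaped numbers. The script below is an added example written for this article; it is not one of the university's conversion utilities and not part of its policy. It applies only the structural rules the Social Security Administration publishes (area 000, 666 and 900 to 999, group 00 and serial 0000 are never issued), masks all but the last four digits so the scan output is not itself another copy of the numbers, and by default requires separators, because a bare nine-digit run could just as well be a UIN (assumed here to be nine digits) or some other account number. The report it scans is constructed sample data.

```python
"""Added example: find candidate Social Security numbers in text so a unit can
locate legacy reports, web pages or spreadsheets that still carry them.
Not part of the university's SSN policy or conversion utilities."""
import re
from typing import List, Tuple

# Formatted SSNs: ddd-dd-dddd or ddd dd dddd, not glued to other digits or dashes.
SEPARATED_RE = re.compile(r"(?<![\d-])(\d{3})[- ](\d{2})[- ](\d{4})(?![\d-])")
# Bare nine-digit runs. Off by default: a UIN (assumed to be nine digits) or
# any other nine-digit account number would match as well.
BARE_RE = re.compile(r"(?<!\d)(\d{3})(\d{2})(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules from the Social Security Administration: area 000,
    666 and 900-999 are never issued, nor are group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str, allow_bare: bool = False) -> List[Tuple[int, str]]:
    """Return (line_number, masked_ssn) for each plausible SSN in text.

    Only the last four digits are kept in the result, so a scan report can be
    e-mailed or filed without becoming another copy of the numbers.
    """
    patterns = [SEPARATED_RE] + ([BARE_RE] if allow_bare else [])
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pat in patterns:
            for m in pat.finditer(line):
                area, group, serial = m.groups()
                if is_plausible_ssn(area, group, serial):
                    hits.append((lineno, "***-**-" + serial))
    return hits


def scan_file(path: str, allow_bare: bool = False) -> List[Tuple[int, str]]:
    """Scan one file on disk (a legacy report, an exported HTML page, a CSV)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_ssns(fh.read(), allow_bare)


# Constructed sample report: none of these numbers belong to real people.
SAMPLE_REPORT = """\
Employee payments, FY2005 (constructed sample data)
Smith, J.    123-45-6789   $1,200.00
Doe, A.      587 65 4321   $950.00
Lee, K.      000-12-3456   $800.00
Ref          666-01-0001
Phone        217-244-1072
Tracking     900-11-2222
UIN          650012345
"""

if __name__ == "__main__":
    for lineno, masked in find_ssns(SAMPLE_REPORT):
        print(f"line {lineno}: {masked}")
    # Lines 4, 5 and 7 are skipped (never-issued area numbers); the phone
    # number on line 6 is not SSN-shaped; the bare number on line 8 is only
    # reported with allow_bare=True, which is why that switch defaults to off.
```

Running the script over a directory of exported reports is a reasonable first pass before a unit asks the SSN coordinators whether it still needs to hold SSNs at all; a hit means the file should be secured or shredded under the rules above, and a clean scan with separators required is not proof of absence, since unformatted nine-digit fields need the second pass with allow_bare=True and a manual look at what else in that system is nine digits long.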
Web applications should use secure servers and encryption, that is, site addresses that begin with https rather than http, and user authentication should be required to access data.

Mishandling or unauthorized release of SSNs can expose the university to civil suits from victims and to loss of federal funding from the Department of Education, which must be notified when unauthorized releases of SSNs occur. The Illinois Senate is considering a bill, HB1633, which would amend the Consumer Fraud and Deceptive Practices Act to require organizations to notify Illinois residents promptly when a breach of personal information occurs.

“If a unit believes that there’s been an unauthorized release of SSNs, they should get in touch with me or Mike right away,” Livingstone said. “We’ll work with them to identify the source of the problem and who’s been affected. We’ll also work with them and legal counsel to develop appropriate notification.”
More information on SSN use

Additional information on the university’s Social Security number policy and the conversion utilities is available at www.ssn.uillinois.edu. If university units have questions about whether their use of SSNs or their disclosure statements comply with university policy or legal guidelines, contact the SSN coordinators, Carole Livingstone (333-3551) or Mike Corn (265-0588).

In June, all legacy mainframe systems will be turned off, and there will no longer be a need for widespread access to SSNs to use them. Departments that have maintained “shadow systems” should no longer need SSNs in those systems and will need to contact Corn or Livingstone to obtain permission to store SSNs. The enterprise data warehouse will carry SSNs, but access will be limited. SSNs should not be used in reports or in any Web or computer applications built on the enterprise data warehouse unless permission has been granted. If permission is granted, the user should apply appropriate security in the application, including guarding their password.