Policy Title

Implementing Requirements

1. Winthrop University prohibits the use of a person's SSN as a publicly visible identification number for University related transactions, unless specifically required by law or business necessity.
2. For computer access or sign-in purposes University students, faculty, staff, and others will utilize a system assigned electronic identifier, the username, to be used in combination with a password. The username will be used as the standard identifier for most computer resource authentication purposes.
3. SSNs will not be used for identification purposes unless required by law or internal University business necessity. For business processes that require an SSN, the last four digits of the SSN may be used to confirm the identity of an individual. In accordance with federal law that allows a state to use a person’s SSN for the purpose of establishing his/her identification (42 U.S.C. 405-c-2-C-i) please note that an SSN is required on all applications for a Winthrop ID card, whether for a new, reissued, or guest card. The SSN is required as a secondary quantifier in the ID system to confirm a unique and valid identity.
4. Academic records, such as grades, and other pieces of personal information will not be publicly posted or displayed with the SSN or any portion of the SSN.
5. Systems developed or purchased by the University after the effective date of this policy shall comply with the provisions of this policy. Such systems will not collect SSNs, or display SSNs visually, whether on monitors, printed forms, hardcopy reports, or other system output, unless required by law or business necessity.
6. When a business process requires the SSN, it must be stored in a secure manner. The SSN shall not be stored on devices that are not secured (e.g., laptops, PDAs, CDs, or any other transportable data). However, the University notes that there may be a very limited number of legitimate reasons for storing SSNs on transportable storage devices. In those cases, prior permission to store SSNs on transportable data must be requested and received in writing from the department head in your area.
7. Any transmission of data containing SSNs must be encrypted over any communication network.  
8. Any University department, office, student, or employee that collects and/or maintains an individual's SSN in either paper or electronic media must:
9. Insure that the number is stored in a secure and confidential environment, as described in this policy;
10. Properly control and restrict access to SSNs to prevent unauthorized disclosure; and
11. Properly erase or destroy the storage devices or printed documents that contain SSNs to ensure the information cannot be recovered or reconstructed in conjunction with the University IT department.
12. Prohibit the display of an SSN, or any derivative of that number, on any check issued for payment by the University.
13. Adhere to federal and state laws and regulations, and all applicable University policies and procedures regarding proper access and security of data.

Related Laws, Regulations and Policies

A variety of federal and state laws and regulations address the use of the SSN. These include the Privacy Act of 1974, the Family Education Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA), the Social Security Number Protection Act of 2010, and South Carolina Code of Laws, Title 1, Chapter 11, Par. 490. All of these regulations contain some protections for the confidentiality of citizens Social Security numbers. The University recognizes its obligations under these regulations.

Approved Uses for Social Security Numbers (SSN)

The SSN is required for certain legal activities and to ensure the accuracy of inter-institutional data exchanges and communications between institutions involved in those activities. Approved uses of the SSN by the University are listed but not limited to:

· Employment: The SSN is required for a variety of employment matters such as proof of citizenship, tax withholding, FICA, or Medicare.

· Application and Receipt of Financial Aid: Students applying for student aid using the federal Free Application For Student Assistance (FAFSA) are required to provide SSNs. Students are also required to provide SSNs when applying for student education loans.

· Tuition Remission: The SSN is required for state reporting of taxable tuition remission benefits received by employees, their spouses and dependents, and by graduate assistants.

· Benefits Administration: The SSN is often required for verifying enrollment, processing, and reporting on various benefit programs, such as medical benefits, health insurance claims and veterans' programs.

· IRS Reporting: The SSN is used for federally required reporting to the IRS. For example, the University reports the value of all taxable and non-taxable scholarships and grants awarded to non-resident aliens to the IRS.

· Student Information Exchange: Many institutions, including postsecondary educational institutions, use the SSN as a student identifier. The SSN may be used for the exchange of information from student academic records between appropriate institutions, including other colleges and universities or certification and licensure programs.

· The University reserves the right to use a SSN for any purpose legal under state and federal law.

Data Breach Notification

No single federal law or regulation governs the security of all types of sensitive personal information. In the absence of a comprehensive federal data breach notification law, the majority of states have passed bills or introduced legislation to require businesses and/or government agencies to notify persons affected by breaches involving their sensitive personal information, and in some cases to implement information security programs to protect the security, confidentiality, and integrity of data. South Carolina has passed legislation regarding this area. 

SC Code §1-11-490, effective January 1, 2009 requires notice of the security of computerized, unencrypted and unredacted personal information, or encrypted information with a key that has also been compromised, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a "material risk of harm" to the consumer. Notice under this section is not required if entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section. The University acknowledges its rights and responsibilities under this statute.

Disciplinary Actions

An employee or student who has substantially breached the confidentiality of Social Security numbers may be subject to disciplinary action or sanctions up to and including discharge or dismissal in accordance with University faculty, staff and student policies, and the regulations and statutes of the federal government and the State of South Carolina.

*Portions adapted with permission from Kansas State University’s Policies and Procedures Manual, Chapter 3495, Collection, Use and Protection of Social Security Numbers. Permission granted on November 15, 2010 by Mr. Ken Stafford, Chief Information Officer, Kansas State University.

This section was intentionally left blank.

This section was intentionally left blank.