87 Information Technology: Social Security Numbers

Policy Statement:

The Board is committed to maintaining the confidentiality of sensitive and personal information. This policy applies to all individuals and area units that collect, use, store, and transmit Social Security Numbers (SSNs).

  1. Objectives:
    1. Increase awareness of the confidential nature of SSNs and the risk of identity theft related to unauthorized disclosure and reduce collection of SSNs except where authorized by law or approved administrative exceptions.
      1. Laws governing the authorized use and storage of SSNs are listed under Section 4 of this policy.
      2. Exceptions for the use and storage of SSNs are listed in Section 5 of this policy.
    2. Reduce the use of SSNs in records and information systems, including display screen and printed reports, and reduce electronic storage of SSNs to a minimum number of locations with the goal being one location.
    3. Create procedures regarding the collection, storage, use, and disclosure of SSNs throughout the College and increase the confidence of students, employees, and affiliates/guests that their SSNs are handled in a confidential manner.
  2. Procedure:
    1. The MSC Information Technology department (IT) has the oversight responsibility for the use of SSNs.
    2. Every MSC department that collects, stores, or transmits SSNs must report that use to the IT department. A centralized inventory will be maintained for all approvals and exception requests.  Systems that collect or store social security numbers, which have not been approved by the IT department, will be in violation of this policy.
    3. All electronic systems requiring a unique MSC system-wide identifier for faculty, staff, and students must use the campus-wide identifier (CWID) as assigned by the enterprise administrative system. Therefore, the collection and use of SSNs will be limited to what is authorized by law or administrative exception.  No one should ever access a data file that contains SSNs without a legitimate business purpose.
    4. Any system using SSNs requires authentication for system access, masking or encryption for transmission, and encryption for storage. Temporary exceptions may be granted only if the data owner adheres to alternative security measures.  Zip files will suffice for the encryption but they must be password protected.
    5. New purchases or development of software systems that necessitate the use of SSNs require prior approval from the IT department.
    6. Social Security Numbers should never be stored on auxiliary storage devices such as thumb drives and CDs or sent in plain text via e-mail.
    7. All security breaches and inappropriate disclosers of SSNs will be reported to the IT department.
    8. Approval: All approval requests for new and/or continued use of SSN’s must be reviewed by the IT department.
    9. Conversion: Systems currently using SSNs as primary identifiers that do not fall under the exception section must convert to CWID
    10. Annual Review: The IT department will conduct an annual review of all production systems authorized to use SSNs.
    11. Access and Transmission:
      1. If the network is accessed remotely, a virtual private network (VPN) is required.
      2. Social Security Numbers are not to be transmitted over the network/Internet unless they are encrypted or the connection is secure.
      3. Departments that fall in the exception category must ensure that the SSNs are encrypted and only stored on MSC-owned computers/servers.
      4. Mobile devices, laptop computers, PDAs, etc. that house SSNs must employ a whole-disk encryption solution, such as that offered by the IT department.
    12. Responsibilities: All employees are tasked with keeping sensitive and personal information confidential.
    13. Assistance: Please contact IT support personnel or the IT Help Desk for assistance with any of the preceding security measures.
  3. Related Laws, Regulations, and Policies:
    1. Federal: Privacy Act of 1974; Family Education Rights and Privacy Act (FERPA); Gramm-Leach-Bliley Act (GLB-A); and the Health Insurance Portability and Accountability Act (HIPAA).
    2. State: Oklahoma Law:  Title 74, Chapter 49, Section 3113.1, “Disclosure of Security Breach of Personal Computer Data – Notice to Owner or Licensee of Personal Data – Exception;” Oklahoma Law:  Title 74, Chapter 49, Section 3111, “Use of Social Security Numbers by State or Subdivisions Prohibited – Exceptions;” Oklahoma Law:  Title 40, Chapter 5, Section 173.1, “Employees’ Social Security Numbers;” and Oklahoma Law:  Title 85, Chapter 2, Section 26, “Workers Compensation.”
  4. Exceptions:
    1. While the collection and use of SSNs may be required for certain legal and business activities, approved use does not include retention of this information by departments without specific approval as required within this policy. Approved uses of the SSN by the College, which may be limited to specific departments, are listed below.
      1. Admissions Process: Information systems used by the College admissions process is permitted to use SSNs.
      2. Employment: Social Security Numbers are required for a variety of employment matters, such as proof of citizenship, tax withholding, FICA, or Medicare.
      3. Application and Receipt of Financial Aid: Students applying for student aid using the federal Free Application for Student Assistance (FAFSA) are required to provide SSNs.  Students must also provide SSNs when applying for student education loans.
      4. Tuition Remission: Social Security Numbers are required for state reporting of taxable tuition remission benefits received by employees, their spouses and dependents, and by graduate assistants.
      5. Accounts Receivable Management: The College maintains contractual agreements with accounts receivable management entities. These entities require SSNs to perform their activities for the College.
      6. Benefits Administration: Social Security Numbers are often required for verifying enrollment, processing and reporting on various benefit programs, such as medical benefits, health insurance claims, and veterans’ programs.
      7. Internal Revenue Service (IRS) Reporting: Social Security Numbers are used for federally required reporting to the IRS.  For example, the College reports the value of all taxable and non-taxable scholarships and grants awarded to non-resident aliens to the IRS.
      8. Student Information Exchange: Social Security Numbers may be used for the exchange of information from student academic records between appropriate institutions, including other colleges and universities or certification and licensure programs.
      9. The IT department is authorized to possess SSNs for law enforcement requests, internal investigations, and security breaches.


Murray State College Institutional Policies and Procedures Copyright © by Murray State College. All Rights Reserved.

Share This Book