Social Security Numbers
Purpose
Winthrop University ("the University") is committed to protecting the privacy and confidentiality of personal information related to students, faculty, staff, and other individuals associated with the University. This policy governs the collection, storage, use, and disclosure of Social Security Numbers (SSNs) at the University, consistent with federal and state laws and regulations and the increasing need to protect personal identity data. This policy also authorizes the creation of alternative methods of identification that will reduce reliance on the SSN, allow for easy identification of a person for University transactions, and provide for linking an individual's personal information and records in various University information systems.

Scope
This policy applies to all University colleges, departments, administrative units, and affiliated organizations. For the purposes of this policy, affiliated organization refers to any organization associated with the University that uses University computer network resources to create, maintain, or store data to perform their business functions.

Objectives
In issuing this policy, the University is guided by the following objectives:
· Broader awareness of the confidential nature of the SSN and the risk of identity theft related to unauthorized disclosure.
· Reduced collection of SSNs except where authorized by law.
· Reduced use of the SSN in records and information systems, including display screens and printed reports.
· Reduced electronic storage of SSNs to a minimum number of locations with the goal being one location when that is possible.
· Consistent policies regarding the collection, storage, use, and disclosure of SSNs throughout the University.
· Increased confidence by students, employees, and affiliates/guests that their SSNs are handled in a confidential manner.
· Responding to any breach regarding SSNs in accordance with state and federal regulations.
Policy
The use of the SSN as an identifier has been discontinued, except where authorized for employment, IRS reporting, federal student financial aid processing, and state and federal reporting requirements. While the SSN will continue to be collected and retained as authorized by law, it will not be used for routine identification or authentication purposes. A unique eight-digit University identification number called the Campus Wide ID number (CWID) will be permanently assigned to each individual associated with the University as a personal identifier alternative to the SSN. However, the CWID is not printed on Winthrop ID cards. ID cards contain a fourteen-digit number informally known as the barcode number, which is linked to the CWID as a changeable number to be used when ID cards are lost or destroyed. For computer access, individuals also have a unique electronic identification to be used in combination with a password.

Implementing Requirements
· Winthrop University prohibits the use of a person's SSN as a publicly visible identification number for University-related transactions, unless specifically required by law or business necessity. For computer access or sign-in purposes, University students, faculty, staff, and others will utilize a system-assigned electronic identifier, the username, to be used in combination with a password. The username will be used as the standard identifier for most computer resource authentication purposes.
· SSNs will not be used for identification purposes unless required by law or internal University business necessity. For business processes that require an SSN, the last four digits of the SSN may be used to confirm the identity of an individual. In accordance with federal law that allows a state to use a person’s SSN for the purpose of establishing his/her identification (42 U.S.C. 405-c-2-C-i), please note that an SSN is required on all applications for a Winthrop ID card, whether for a new, reissued, or guest card.
The SSN is required as a secondary quantifier in the ID system to confirm a unique and valid identity.
· Academic records, such as grades, and other pieces of personal information will not be publicly posted or displayed with the SSN or any portion of the SSN.
· Systems developed or purchased by the University after the effective date of this policy shall comply with the provisions of this policy. Such systems will not collect SSNs, or display SSNs visually, whether on monitors, printed forms, hardcopy reports, or other system output, unless required by law or business necessity. When a business process requires the SSN, it must be stored in a secure manner. The SSN shall not be stored on devices that are not secured (e.g., laptops, PDAs, CDs, or any other transportable data). However, the University notes that there may be a very limited number of legitimate reasons for storing SSNs on transportable storage devices. In those cases, prior permission to store SSNs on transportable data must be requested and received in writing from the department head in your area.
· Any transmission of data containing SSNs must be encrypted over any communication network.
· Any University department, office, student, or employee that collects and/or maintains an individual's SSN in either paper or electronic media must:
  · Ensure that the number is stored in a secure and confidential environment, as described in this policy;
  · Properly control and restrict access to SSNs to prevent unauthorized disclosure; and
  · In conjunction with the University IT department, properly erase or destroy the storage devices or printed documents that contain SSNs to ensure the information cannot be recovered or reconstructed.
  · Prohibit the display of an SSN, or any derivative of that number, on any check issued for payment by the University.
  · Adhere to federal and state laws and regulations, and all applicable University policies and procedures regarding proper access and security of data.

Related Laws, Regulations and Policies
A variety of federal and state laws and regulations address the use of the SSN. These include the Privacy Act of 1974, the Family Education Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA), the Social Security Number Protection Act of 2010, and South Carolina Code of Laws, Title 1, Chapter 11, Par. 490. All of these regulations contain some protections for the confidentiality of citizens' Social Security numbers. The University recognizes its obligations under these regulations.

Approved Uses for Social Security Numbers (SSN)
The SSN is required for certain legal activities and to ensure the accuracy of inter-institutional data exchanges and communications between institutions involved in those activities. Approved uses of the SSN by the University include, but are not limited to:
· Employment: The SSN is required for a variety of employment matters such as proof of citizenship, tax withholding, FICA, or Medicare.
· Application and Receipt of Financial Aid: Students applying for student aid using the federal Free Application For Student Assistance (FAFSA) are required to provide SSNs.
Students are also required to provide SSNs when applying for student education loans.
· Tuition Remission: The SSN is required for state reporting of taxable tuition remission benefits received by employees, their spouses and dependents, and by graduate assistants.
· Benefits Administration: The SSN is often required for verifying enrollment, processing, and reporting on various benefit programs, such as medical benefits, health insurance claims and veterans' programs.
· IRS Reporting: The SSN is used for federally required reporting to the IRS. For example, the University reports the value of all taxable and non-taxable scholarships and grants awarded to non-resident aliens to the IRS.
· Student Information Exchange: Many institutions, including postsecondary educational institutions, use the SSN as a student identifier. The SSN may be used for the exchange of information from student academic records between appropriate institutions, including other colleges and universities or certification and licensure programs.
· The University reserves the right to use an SSN for any purpose legal under state and federal law.

Data Breach Notification
No single federal law or regulation governs the security of all types of sensitive personal information. In the absence of a comprehensive federal data breach notification law, the majority of states have passed bills or introduced legislation to require businesses and/or government agencies to notify persons affected by breaches involving their sensitive personal information, and in some cases to implement information security programs to protect the security, confidentiality, and integrity of data. South Carolina has passed legislation regarding this area.
SC Code §1-11-490, effective January 1, 2009, requires notice of the security of computerized, unencrypted and unredacted personal information, or encrypted information with a key that has also been compromised, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a "material risk of harm" to the consumer. Notice under this section is not required if the entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section. The University acknowledges its rights and responsibilities under this statute.

Disciplinary Actions
An employee or student who has substantially breached the confidentiality of Social Security numbers may be subject to disciplinary action or sanctions up to and including discharge or dismissal in accordance with University faculty, staff and student policies, and the regulations and statutes of the federal government and the State of South Carolina.

*Portions adapted with permission from Kansas State University’s Policies and Procedures Manual, Chapter 3495, Collection, Use and Protection of Social Security Numbers. Permission granted on November 15, 2010 by Mr. Ken Stafford, Chief Information Officer, Kansas State University.
Office of the President