Last Revision Date: May 20, 2011
Approval Date: March 6, 2009
Approval Authority: ITSPAC
Last Revision Date: Oct 15, 2009
Approval Date: May 10, 2007
Approval Authority: ITSPAC Executive Steering Committee
The purpose of this policy is to establish a university standard on approved use of Social Security Numbers (SSN) in Case Western Reserve University (Case) administrative processes, and procedures for the proper use, handling, and disclosure of SSNs. The objectives of the policy are:
This policy applies to all administrative processes that support the educational, research, and service missions of the university. This policy applies to Case faculty, staff, students, and affiliated partners, including contractors, while conducting business with the university. In particular, all information technology systems that support Case administrative processes, whether operated by Case or by a third party, are covered by this policy.
Disclosure of personally identifiable information brings about a risk of identity theft. Case has used the SSN as a student identifier for many years, and has had many academic and administrative processes connected to its use. The transition of the Student Information System from a mainframe environment to a database-driven architecture has afforded the University the opportunity to implement architectural and procedural changes to protect its constituents (faculty, students, staff, affiliates) from the risk of identity theft by reducing the exposure to loss or disclosure of SSNs.
Case supports the use of alternate identifiers for students.
The SSN shall be required from all entering students for a permanent and lasting record. When feasible, an alternative number will be assigned and used by the University for all administrative processes which do not specifically require the SSN. In no event shall grades be publicly posted by using the SSN, or any part of the SSN. Case is dedicated to assuring the privacy and proper handling of personal information pertaining to students.
Case will request that a student provide a SSN at the time of application to the University. In accordance with usage guidelines, the SSN shall not be used as the student ID number but will be provided to entities requiring SSN, including but not limited to the federal government for financial aid and Tax Relief Act (1997) reporting, Immigration and Naturalization Service, and as required by court order in accordance with the Family Educational Rights and Privacy Act.
Case will require that an employee provide a SSN at the time of employment. The SSN shall not be used as an Employee ID number for internal business uses, but will be provided to external entities requiring SSN, including but not limited to federal, state and local governments, insurance carriers, and retirement programs. If the university engages in financial transactions with non-employees who are affiliates or vendors, these individuals will be required to provide a SSN for mandated tax reporting purposes.
A. The use of SSN as an individual's primary identification number shall be discontinued, unless required or permitted by law.
B. Systems purchased or developed by Case shall not use SSNs as identifiers unless required by law or business necessity (as defined by the University Provost or their designated agent).
C. All Case employees, students, and other individuals who require an identifying number will be assigned a unique identification number that is not the same as, or derived from, the individual’s SSN.
C.1 The University shall adopt a phased compliance transition strategy for all current administrative processes, systems, and applications with the goal of eliminating the use of SSNs according to a University SSN Transition Plan. Waivers may be granted by the VP of Information Technology Services/CIO, when a written project transition plan has been submitted and approved.
C.2 As part of the University’s phased compliance strategy, the University shall be entitled to take all reasonable steps to assess whether existing and/or legacy administrative processes, systems and applications are in compliance with this policy and the Case Acceptable Use Policy. Each individual subject to this policy has a responsibility to help with this assessment. This responsibility includes these elements:
C.2.1 Identification of any older data containing SSNs that were used in administrative or academic processes.
C.2.2 Isolation and purge of any non-essential files containing SSN data. Removal of these files shall be performed in a manner which eliminates the risk of disclosure or data loss.
C.2.3 Application of established security controls, known as Tier III Controls, to protect sensitive information such as SSN data when its preservation is warranted and sanctioned.
C.2.4 Mandatory reporting of security events, theft, or loss involving SSN data.
C.2.5 Providing notice to ITS when the individual needs assistance in determining whether they are in compliance with this policy, such as whether their legacy processes, systems, and applications still retain or store SSN.
Any individual violating this policy may be subject to disciplinary action in accordance with the applicable policy on Confidentiality (HR Policy I-12).
D. Systems purchased or developed by Case will use SSNs as data elements only, not as keys to databases, and in this case only when required or permitted by law.
E. Systems purchased or developed by Case will not display SSNs visually, whether on computer monitors, or on printed forms or other system output, unless required by law or business necessity.
F. Name and directory systems purchased or developed by Case will be tied to an individual's unique identification number, not SSN.
G. When databases require SSNs, the database will automatically cross-reference between the SSN and other information through the use of conversion tables with systems or other mechanical mechanisms.
H. No system or technology will be developed or purchased by Case unless it is compatible with these regulations.
I. All employees (faculty, staff) who use or have access to employee or student SSN data shall be held to the highest levels of accountability for data stewardship. SSN data or files shall not be conveyed to student employees.
J. Systems that use SSNs will be categorized as Tier III, hosting Restricted information, and shall be required to meet Tier III security controls to protect the information from the intentional or unintentional disclosure of Restricted information.
K. Violation of this policy will be considered a violation of the Case Acceptable Use Policy, and sanctions will be handled as described in that policy.
This policy will be reviewed every two years on the anniversary of the policy effective date, at a minimum. The policy may be reviewed on a more frequent basis depending on changes of risk exposure.